Difference between revisions of "NginX"

From Fail2ban
Jump to: navigation, search
(Added two more logfile examples)
(Added regex for file not found)
Line 24: Line 24:
 
<div style="padding: 1em;border: 1px dashed #2f6fab;color: black;background-color: #f9f9f9;line-height: 1.1em;">
 
<div style="padding: 1em;border: 1px dashed #2f6fab;color: black;background-color: #f9f9f9;line-height: 1.1em;">
 
* user .* was not found in .*, client: <HOST>
 
* user .* was not found in .*, client: <HOST>
 +
</div>
 +
 +
File not found / failed messages (Here you can use apache_noscript.conf as described here:
 +
 +
[[Apache]]
 +
 +
and use
 +
 +
<div style="padding: 1em;border: 1px dashed #2f6fab;color: black;background-color: #f9f9f9;line-height: 1.1em;">
 +
* .*/(foo|bar|xyz)" (is not found|failed) \(2: No such file or directory\), client: <HOST>
 +
</div>
 +
 +
instead of:
 +
 +
<div style="padding: 1em;border: 1px dashed #2f6fab;color: black;background-color: #f9f9f9;line-height: 1.1em;">
 +
* [[]client <HOST>[]] (File does not exist|script not found or unable to stat): .*/(foo|bar|xyz)
 
</div>
 
</div>
  

Revision as of 13:44, 8 April 2012

NginX HTTP Server nginx [engine x] is a HTTP and reverse proxy server, as well as a mail proxy server written by Igor Sysoev. It has been running for more than five years on many heavily loaded Russian sites including Rambler (RamblerMedia.com). According to Netcraft nginx served or proxied 4.70% busiest sites in April 2010

From nginx.org


  • 2012/04/07 08:27:31 [error] 13409#0: *373855 "/var/www/index.html" is not found (2: No such file or directory), client: 123.123.123.123, server: www.test.com, request: "GET /index.html HTTP/1.0", host: "www.test.com", referrer: "http://www.test2.com"
  • 2011/07/16 10:27:48 [error] 5508#0: *223811 open() "/var/www/test.jpg" failed (2: No such file or directory), client: 123.123.123.123, server: www.test.com, request: "GET /test.jpg HTTP/1.1", host: "www.test.com", referrer: "http://www.test2.com"
  • 2011/07/16 12:00:37 [error] 5508#0: *234170 user "test" was not found in "/var/www/.htpasswd", client: 123.123.123.123, server: www.test.com, request: "GET / HTTP/1.1", host: "www.test.com"
  • 2011/07/16 12:01:15 [error] 5508#0: *234170 user "test": password mismatch, client: 123.123.123.123, server: www.test.com, request: "GET / HTTP/1.1", host: "www.test.com"


Failregex

The regular expressions below are proposed failregex for this software. Multiple regular expressions for failregex will only work with a version of Fail2ban greater than or equal to 0.7.6.

The tag <HOST> in the regular expressions below is just an alias for (?:::f{4,6}:)?(?P<host>\S+). The replacement is done automatically by Fail2ban when adding the regular expression. At the moment, exactly one named group host or <HOST> tag must be present in each regular expression.

Please, before editing this section, propose your changes in the discussion page first.

Authentication failure

  • user .* password mismatch, client: <HOST>

User not found

  • user .* was not found in .*, client: <HOST>

File not found / failed messages (Here you can use apache_noscript.conf as described here:

Apache

and use

  • .*/(foo|bar|xyz)" (is not found|failed) \(2: No such file or directory\), client: <HOST>

instead of:

  • [[]client <HOST>[]] (File does not exist|script not found or unable to stat): .*/(foo|bar|xyz)

PHP

There are many ways to include php into nginx, the most common way is to use spawncgi from lighttpd or php-fpm. NginX with php-fpm doesn't log failed requests for missing .php files, but i'm testing some stuff to get logs like the "normal" php to use a similar failregex like in Apache

Additionaly, Suhosin can be installed and the Rule from Fail2ban:Community_Portal#suhosin works without a problem.