Differences

This shows you the differences between two versions of the page.

--- linux:apps:fail2ban [2023/09/07 18:08] – [MAIL] oscar
+++ linux:apps:fail2ban [2024/12/28 08:18] (current) – [/etc/fail2ban/filter.d/nginx-x00.conf] oscar
@@ Line 505: / Line 505: @@
 [Definition]
-failregex = ^{"log":"<HOST> .* .*\\x.*$
+# Blocking repeated 404|444|403|400
+# This will also match requests that are entirely empty
+failregex = ^<HOST>.*"(GET|POST|HEAD).*" (404|444|403|400) .*$
-ignoreregex =
+datepattern = {^LN-BEG}%%ExY(?P<_sep>[-/.])%%m(?P=_sep)%%d[T ]%%H:%%M:%%S(?:[.,]%%f)?(?:\s*%%z)?
+              ^[^\[]*\[({DATE})
+              {^LN-BEG}
+journalmatch = _SYSTEMD_UNIT=nginx.service + _COMM=nginx
 </code>
@@ Line 554: / Line 560: @@
 ===== MAIL =====
+==== /lib/systemd/system/fail2ban.service ====
+Fail2ban depends on the log files of postfix, dovecot and rspamd. It should only be started after these services. To achieve this add these services into:
+<code>
+# nano /lib/systemd/system/fail2ban.service
+-------------------------------------------
+[Unit]
+...
+After=network.target iptables.service firewalld.service ip6tables.service ipset.service nftables.service dovecot.service postfix.service rspamd.service
+</code>
+==== Config ====
 We enables the following 3 default Debian fail2ban installation jails for our mail server:
   * **dovecot.conf**: ilter Dovecot authentication and pop3/imap server