Can you please share (if you want) the content of your /etc/fail2ban/jail.local? Thanks!!!
It's this:
Code:
[pingback]
enabled = true
port = http,https
filter = pingback
logpath = /var/log/nginx/access.log
backend = polling
journalmatch =
maxretry = 1
findtime = 1
bantime = 86400
action = iptables-allports
So I just edit the /etc/fail2ban/jail.local and add inside:
Code:
[Definition]
failregex = ^<HOST> -.*WordPress.*/

Jail:
[pingback]
enabled = true
port = http,https
filter = pingback
logpath = /var/log/nginx/access.log
backend = polling
journalmatch =
maxretry = 1
findtime = 1
bantime = 86400
action = iptables-allports

Restart fail2ban and try it?
Nope. Inside the filter.d folder you create a file with the name pingback.conf. Inside that file you paste:
Code:
[Definition]
failregex = ^<HOST> -.*WordPress.*/

Then in the file jail.local you add:
Code:
[pingback]
enabled = true
port = http,https
filter = pingback
logpath = /var/log/nginx/access.log
backend = polling
journalmatch =
maxretry = 1
findtime = 1
bantime = 86400
action = iptables-allports

Restart fail2ban. Then run: fail2ban-client status
It should return the new jail.
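A simulation of the filter and jail above, added here as an example (it is not from the thread and not fail2ban's own code): it applies the failregex, with a simplified stand-in for fail2ban's <HOST> expansion, and the jail's maxretry/findtime window to constructed nginx access.log lines, and it also shows that the loose regex catches a normal browser whose referer happens to contain "WordPress/".

```python
import re
from datetime import datetime, timedelta

# The failregex from the thread. fail2ban replaces <HOST> with its own
# IP/hostname capture group; a simplified non-space group stands in here.
FAILREGEX = r"^<HOST> -.*WordPress.*/"
FAIL_RE = re.compile(FAILREGEX.replace("<HOST>", r"(?P<host>\S+)"))
# nginx "combined" log format timestamp, e.g. [06/Sep/2016:08:28:05 +0000]
TIME_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")

# Constructed sample access.log lines (not real traffic). Lines 1-2 are a
# pingback flood answered by nginx with 444; line 3 is ordinary traffic;
# line 4 is a normal browser whose referer contains "WordPress/".
SAMPLE_LOG = """\
203.0.113.5 - - [06/Sep/2016:08:28:05 +0000] "POST /xmlrpc.php HTTP/1.0" 444 0 "-" "WordPress/4.6; http://blog.example.org"
203.0.113.5 - - [06/Sep/2016:08:28:05 +0000] "POST /xmlrpc.php HTTP/1.0" 444 0 "-" "WordPress/4.6; http://blog.example.org"
198.51.100.7 - - [06/Sep/2016:08:28:06 +0000] "GET /index.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
192.0.2.9 - - [06/Sep/2016:08:29:00 +0000] "GET /about/ HTTP/1.1" 200 512 "https://example.net/WordPress/" "Mozilla/5.0"
"""

def parse_line(line):
    """Return (host, timestamp) when the line matches failregex, else None."""
    m = FAIL_RE.match(line)
    if not m:
        return None
    t = TIME_RE.search(line)
    if not t:
        return None
    return m.group("host"), datetime.strptime(t.group(1), "%d/%b/%Y:%H:%M:%S")

def simulate_jail(log_text, maxretry=1, findtime=1):
    """Apply the jail's maxretry/findtime window and return the hosts that
    would be banned: a host is banned once it has maxretry matches within
    findtime seconds (bantime itself is not modelled)."""
    window = timedelta(seconds=findtime)
    recent = {}
    banned = set()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, ts = parsed
        hits = [h for h in recent.get(host, []) if ts - h <= window]
        hits.append(ts)
        recent[host] = hits
        if len(hits) >= maxretry:
            banned.add(host)
    return banned
```

With the thread's maxretry = 1 both 203.0.113.5 and the browser at 192.0.2.9 get banned; raising maxretry shows how the window changes that.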
Do you use any other rules there, such as:
Code:
[sshd]
enabled = true

or any others in general that will help to block system attacks, or in general some booter attacks?
Not needed for sshd, as CSF Firewall's LFD (Login Failure Daemon) takes care of that: CSF Firewall - CentminMod.com LEMP Nginx web stack for CentOS
Code (Text):
tail -3 /var/log/lfd.log
Sep 6 08:28:05 hostname lfd[28424]: (sshd) Failed SSH login from 91.200.12.122 (UA/Ukraine/dedic805.hidehost.net): 5 in the last 3600 secs - *Blocked in csf* [LF_SSHD]
Sep 6 12:55:47 hostname lfd[17684]: (sshd) Failed SSH login from 185.110.132.89 (RU/Russian Federation/-): 5 in the last 3600 secs - *Blocked in csf* [LF_SSHD]
Sep 6 13:06:27 hostname lfd[20234]: 185.56.82.22 (NL/Netherlands/-), 5 distributed sshd attacks on account [root] in the last 3600 secs - *Blocked in csf* [LF_DISTATTACK]
I don't use CSF, so I use the rule to ban IPs that failed to log in. I also use a rule for those people that press F5 continually on our site, causing the load to rise. It will ban for 15 minutes the IP of anyone that remembers to do that. I can do this while excluding some folders. This is something CSF cannot do.
Exactly, I need that for IPS 4.1, to exclude the folder from where the JS and CSS are loaded. I believe XenForo must be something similar.
For booters I only use that one. With every booter that I've seen, the only strong attack they have for Layer 7 is the XML-RPC one. This rule protects against that with the help of nginx returning a 444 to them. The other type of attacks is Layer 4, and no software on your server can do anything against that, only a dedicated anti-DDoS. If you are with OVH, they are really good against Layer 4 attacks.
So you also use an Nginx rule for that?
Code:
if ($http_user_agent ~* "PHP|curl|Wget|HTTrack|Nmap|Verifying|PingBack|Pingdom|Joomla|Wordpress") {
    return 444;
}

I think that can also be done with the block file of Centminmod:
Code:
if ($http_user_agent ~ "Wordpress") {
    set $block_user_agents 1;
}

Do I have to enable it when I am under attack, or is it automated?
Centminmod already has that protection included. Yep, OVH anti-DDoS is automated. Many booters even have a dedicated method against OVH, and most of the time it does not work anyway. You can see from that how good OVH is, given that they need to create special methods against it.
I just noticed that you use:
Code:
logpath = /var/log/nginx/access.log

Is that OK, or must I use:
Code:
/home/nginx/domains/mydomain.com/log/access.log
I was thinking of enabling email alerts for this, but if fail2ban bans 5,000 IPs, will I get 5,000 emails? How do you handle this?
OK, thanks, with IPS 4.x as well? If it's all working well for you and you have finished tinkering, let us know your final configs (if different from above).