How to Secure Nginx Server with Fail2Ban on Ubuntu Server

Ensuring the security of your web server is crucial to protect against unauthorized access and cyber threats. This step-by-step guide will walk you through how to secure Nginx server with Fail2Ban on Ubuntu Server, implementing robust defense mechanisms.

Fail2Ban is a powerful log-monitoring tool that helps prevent brute-force attacks by scanning system logs and blocking suspicious IP addresses. While it is widely known for securing SSH, it also extends its protection to other services, including Nginx, by mitigating unauthorized login attempts and malicious activities.

Before installing and configuring Fail2Ban, it is essential to ensure your Ubuntu server is fully updated. Keeping your system up to date strengthens its security posture and minimizes vulnerabilities. Once updated, you’ll proceed with configuring Fail2Ban to effectively safeguard your Nginx server from potential threats.

Before delving into the installation of Fail2Ban, it is imperative to prioritize server updates. Ensuring that your server is up to date is a foundational step in fortifying its overall security posture. This proactive measure lays the groundwork for a robust defense against potential vulnerabilities and sets the stage for a comprehensive Fail2Ban configuration that goes beyond safeguarding against SSH attacks. Let’s commence this process by confirming the server’s up-to-date status.

sudo apt-get update && apt-get upgrade –y

Before proceeding with Fail2Ban installation, it’s crucial to confirm the presence of the Nginx server on your system. If Nginx is not installed, you can remedy this by utilizing the following command:

sudo apt install nginx

This set of commands ensures that your system is updated with the latest package information and subsequently installs Nginx if it’s not already present. Once Nginx is successfully installed, you can proceed with configuring Fail2Ban to enhance the security of your server.

How to Secure Nginx Server with Fail2Ban on Ubuntu: Steps

Installing Fail2Ban is a crucial step in fortifying the security of your Nginx server, especially if you have a running Nginx server with password authentication enabled. To initiate the Fail2Ban installation process, execute the following command:

sudo apt-get install fail2ban

Before proceeding with the installation, ensure that you have SSH access to the server and that UFW (Uncomplicated Firewall) is enabled. You can enable UFW and allow SSH connections with the following commands:

sudo ufw enable

sudo ufw allow ssh

These commands enable the firewall and permit SSH connections, establishing a secure foundation for Fail2Ban to effectively monitor and protect your Nginx server against potential security threats.

Fail2Ban is configured to read its settings in a hierarchical manner, prioritizing .local files over .conf files. This design allows for customized configurations in .local files while preserving the integrity of .conf files.

To begin configuring Fail2Ban, navigate to the /etc/fail2ban directory, where all the configuration files are stored. This is the central location where adjustments to the settings can be made, ensuring that the .local files take precedence over their .conf counterparts.

cd /etc/fail2ban

Once in this directory, you can tailor the Fail2Ban configuration according to your specific requirements, utilizing the .local files for any customizations while keeping the core settings intact in the .conf files. This approach facilitates a modular and adaptable configuration process, allowing you to fine-tune Fail2Ban to suit the security needs of your Nginx server.

cd /etc/fail2ban

Now, copy fail2ban.conffail2ban.local:

cp fail2ban.conf fail2ban.local

To customize Fail2Ban’s logging configuration, open the fail2ban.local file using your preferred text editor. This file is instrumental in specifying how Fail2Ban logs its actions, utilizing a socket for communication with the daemon. Within fail2ban.local, you can adjust the following parameters:

• loglevel: Determines the level of detail in Fail2Ban’s logs, with options ranging from 1 (error), 2 (warn), 3 (info), to 4 (debug).
• logtarget: Specifies the destination for logging actions, allowing you to store logs in a specific file. The default value is /var/log/fail2ban.log, but you can modify it to output to STDOUT, STDERR, SYSLOG for message-based logging, or FILE for outputting to a file.
• socket: Specifies the location of the socket file.
• pidfile: Specifies the location of the PID (Process ID) file.

Here is an example of how you might configure these settings:

[Definition]
loglevel = 3
logtarget = /var/log/fail2ban.log
socket = /var/run/fail2ban/fail2ban.sock
pidfile = /var/run/fail2ban/fail2ban.pid

After adjusting these configurations, save the fail2ban.local file.

For basic jail configuration, navigate to the /etc/fail2ban directory and copy the jail.conf file to jail.local:

cd /etc/fail2ban
cp jail.conf jail.local

This creates a jail.local file where you can make specific configurations for your jails. Open jail.local with a text editor to customize settings such as banning durations, maximum retry attempts, and ignore IP addresses, tailoring Fail2Ban’s protection mechanisms to suit your Nginx server’s security requirements.

To implement IP whitelisting in Fail2Ban, you can add specific IP addresses to the ignoreip line in the jail.local file. This allows Fail2Ban to exclude certain IP addresses from being subjected to bans. If you work from a single IP address, it can be advantageous to add it to the ignore list. Importantly, the ignoreip line does not ban localhost by default.

Here’s an example of how to add an IP address to the ignore list in the jail.local file:

[DEFAULT]
ignoreip = 192.168.1.1

Replace 192.168.1.1 with the IP address you want to whitelist. You can also add multiple IP addresses by separating them with spaces:

[DEFAULT]
ignoreip = 192.168.1.1 10.0.0.1

After making these changes, save the jail.local file. This ensures that the specified IP addresses are exempted from Fail2Ban’s banning mechanism, providing a means of whitelisting for trusted sources or your specific working IP address.

sudo vim /etc/fail2ban/jail.local

[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.

ignoreip = 127.0.0.1/8 123.45.67.89
 
Ban Time and Retry Amount
You can set the bantime, findtime and maxretry to make your security level even stronger.
# "bantime" is the number of seconds that a host is banned.
bantime  = 600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600
maxretry = 3

To fine-tune Fail2Ban’s banning behavior and implement email alerts, you can adjust several key parameters in the jail.local file:

bantime: Specifies the length of time in seconds for which an IP is banned. The default time is 600 seconds (10 minutes). Setting a negative number results in an immediate ban.

[DEFAULT]
bantime = 600

findtime: Determines the length of time between login attempts before a ban is triggered. The default is 600 seconds.

[DEFAULT]
findtime = 600

• maxretry: Sets the maximum number of attempts allowed from a single IP address before a ban is applied. The default is 3.

[DEFAULT]
maxretry = 3

To configure email alerts, modify the following settings:

destemail: Specify the email address where you want to receive email alerts.

[DEFAULT]
destemail = your_email@example.com

sendername: Set the name under which the email will be displayed.

[DEFAULT]
sendername = Fail2Ban Alerts

sender: Provide the email address from which Fail2Ban will send emails.

[DEFAULT]
sender = fail2ban@example.com

By adjusting these parameters, you tailor Fail2Ban to your specific requirements, defining ban durations, thresholds for login attempts, and email alert preferences. This level of customization enhances the adaptability of Fail2Ban to suit the security needs of your Nginx server.

Jail Configuration

jail.local contains many jail configurations for services like SSH. Enter the following command to adjust the configuration:

sudo vim /etc/fail2ban/jail.local

[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6

When activating this filter, Fail2Ban actively monitors the auth.log and takes action to block an IP address from accessing the SSH port after encountering six infractions from a single IP address.

Here’s an explanation of the relevant parameters for this filter configuration:

enabled: Specifies whether the filter is active (turned on) or inactive (turned off).

[sshd]
enabled = true

port: Indicates the port that Fail2Ban should reference for services. In this case, it would typically be the SSH port (default is 22).

[sshd]
port = ssh

filter: Identifies the file, located in /etc/fail2ban/filter.d, that contains the failregex information. This information is crucial for parsing log files effectively.

[sshd]
filter = sshd

logpath: Specifies the location of the logs for the targeted services.

[sshd]
logpath = /var/log/auth.log

maxretry: Sets the threshold for the number of retries allowed before initiating a ban.

[sshd]
maxretry = 6

By configuring these parameters within the Fail2Ban filter, you define the conditions under which Fail2Ban intervenes, blocking IP addresses attempting unauthorized access to the SSH port after reaching the specified threshold of six infractions. This tailored approach enhances the security posture of your system by actively mitigating potential threats.

To create an effective regex pattern for identifying failed login attempts on your website, follow these steps:

1. Navigate to the Log File:

Identify the location of your website’s log file containing failed login attempts. In this example, we’ll use /var/www/example.com/logs/access.log.

cd /var/www/example.com/logs/

2. View Log Entries:

To inspect the log entries and understand the format, use a command like cat or tail:

cat access.log

This will display the log entries, giving you insight into the structure of the data.

3. Craft the Regex Pattern:

Based on the log entry format, create a regex pattern. For instance, if the log entry looks like the following:

123.45.67.89 - - [01/Oct/2015:12:46:34 -0400] "POST /wp-login.php HTTP/1.1" 200 1906 "http://example.com/wp-login.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0"

A possible regex pattern could be:

   ^(\S+) .*POST.*wp-login\.php.* 200

Make sure to adapt the regex to match the specific details and structure of your log entries.

4. Test the Regex:

It’s advisable to test the regex against your log entries to ensure accuracy. You can use tools like grep or online regex testers.

grep -E '^(\S+) .*POST.*wp-login\.php.* 200' access.log

Adjust the regex if needed based on the results of your tests.

You only need to track up to 200.

123.45.67.89 - - [01/Oct/2015:12:46:34 -0400] "POST /wp-login.php HTTP/1.1" 200

The IP address from where the failed login attempt originated will be defined as a .

  - - \[

The use of the backslash ” \ ” before the open square bracket ” [ ” serves to indicate that the square bracket is to be interpreted literally.

To establish the date of the incorrect login attempt, we can represent it as a grouped expression. In this instance, “01” can be expressed as (\d{2}). The parentheses “()” serve to group the expression, where \d seeks a numeric digit, and {2} specifies two consecutive digits, representing the day of the month.

Consequently, your expression should now appear as follows:

 - - \[(\d{2})

After completing the previous steps, proceed by introducing a forward slash, “/”, followed by \w{3}. This expression signifies a sequence of three alphanumeric characters, encompassing both uppercase and lowercase letters (i.e., A-Z, 0-9).

As a result, your composite expression should now resemble the following:

 - - \[(\d{2})/\w{3}/

Now we need to write a section for the year.

 - - \[(\d{2})/\w{3}/\d{4}:

Continuing with the pattern, we now need to represent a series of two-digit numbers for the time. This can be achieved with the expression:

 - - \[(\d{2})/\w{3}/\d{4}:\1:\1:\1

Which can also be written as:

 - - \[\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}

Following the pattern described, the -0400 segment can be represented similarly to the year, with the addition of the literal \d{4}. The updated configuration should include the square brackets, resulting in a comprehensive pattern like this:

 - - \[(\d{2})/\w{3}/\d{4}:\1:\1:\1 -\d{4}\] "POST /wp-login.php HTTP/1.1" 200

Which can also be written as:

 - - \[\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} -\d{4}\] "POST /wp-login.php HTTP/1.1" 200

Now we need to learn how to use Failregex.

Using the Failregex

The failregex is a critical part of Fail2Ban configuration. It’s a regular expression (regex) pattern used by Fail2Ban to identify failed login attempts or other undesirable events in log files. When a log entry matches the failregex, Fail2Ban takes action, such as banning the associated IP address.

Once you have created failregex, the next step is to integrate it into a filter. To do this, navigate to the filter.d directory within Fail2Ban. You can use the following command:

cd /etc/fail2ban/filter.d

Now, create a file named wordpress.conf and add the following:

#fail2ban WordPress filter
[Definition]
failregex =  - - \[(\d{2})/\w{3}/\d{4}:\1:\1:\1 -\d{4}\] "POST /wp-login.php HTTP/1.1" 200

Now, save and quit.

Within the jail.local configuration file, introduce a dedicated section for WordPress by enabling the necessary filters and specifying the log location.

[wordpress]
enabled  = true
filter   = wordpress
logpath  = /var/www/html/andromeda/logs/access.log

After making the changes, save and exit the jail.local configuration file. To implement the modifications, restart the Fail2Ban service.

sudo service fail2ban restart

Congratulations! You have successfully secured your Nginx Server with Fail2Ban on Ubuntu 18.04 LTE. For additional information on Fail2Ban, consult the Fail2Ban Documentation for more in-depth details and options.

Conclusion

In conclusion, fortifying your Nginx server against potential security threats is a crucial step in maintaining a secure web environment. This guide has walked you through the process of enhancing your server’s security with Fail2Ban on Ubuntu Server 18.04 LTE.

By leveraging Fail2Ban, you’ve implemented an intelligent log-parsing daemon that actively monitors system logs, detecting and responding to unauthorized access attempts. Through the creation of custom filters and regex patterns, you’ve fine-tuned Fail2Ban to identify and block specific security threats, such as failed login attempts.

This proactive approach to security, coupled with careful configuration adjustments in the jail.local file, ensures that your Nginx server is resilient against common attack vectors. By following these steps and continuously staying informed about security best practices, you’ve taken significant strides towards safeguarding your Nginx server and, consequently, your web applications and data.

For further details and options, you can refer to the comprehensive Fail2Ban documentation, providing a wealth of information to enhance your understanding of this robust security tool. With these measures in place, you’ve successfully fortified your Nginx server against potential threats, contributing to a more secure and resilient web hosting environment.