# NGINX

We can use Fail2ban to

<div class="page-content" id="bkmrk-block-too-many-http-"><div dir="auto">1. Block too many HTTP Authentication attempts
2. Prevent clients from searching for scripts
3. Stop malicious requests from bots
4. Ban clients trying to use NGINX as an open proxy

</div></div><span style="text-decoration: underline;">**1. Block too many HTTP Authentication attempts**</span>

Create the file `/etc/fail2ban/jail.d/nginx-http.local`. Add the following content:

```bash
[nginx-http-auth]

enabled  = true
filter   = nginx-http-auth
port     = http,https
logpath  = /var/log/nginx/error.log
```

Keep in mind, that you change the error log, for every site you use. E.G., you only want to monitor failed authentication attempts for your custom log path, `error-bookstack.log`.

<span style="text-decoration: underline;">**2. Prevent clients from searching for scripts**</span>

<p class="callout warning">Only use this function, if you have no scripts and no PHP on your Website!</p>

Create the file `/etc/fail2ban/jail.d/nginx-noscript.local`. Add the following content:

```bash
[nginx-noscript]

enabled  = true
port     = http,https
filter   = nginx-noscript
logpath  = /var/log/nginx/access.log
maxretry = 6
```

Again, you might want to/have to change the log path.

<span style="text-decoration: underline;">**3. Stop malicious requests from Bots**</span>

Create the file `/etc/fail2ban/jail.d/nginx-nobots.local`. Add the following content:

```bash
[nginx-badbots]

enabled  = true
port     = http,https
filter   = nginx-badbots
logpath  = /var/log/nginx/access.log
maxretry = 2
```

Again, you might want to/have to change the log path.

<span style="text-decoration: underline;">**4.Ban clients trying to use NGINX as open proxy**</span>

Create the file `/etc/fail2ban/jail.d/nginx-noproxy.local`. Add the following content:

```bash
[nginx-noproxy]

enabled  = true
port     = http,https
filter   = nginx-noproxy
logpath  = /var/log/nginx/access.log
maxretry = 2
```

In this case, you should actually leave it at the global access logfile.

Start and reload SSHD, and then add your jail

```bash
sudo fail2ban-client start
sudo fail2ban-client reload
sudo fail2ban-client add <yournginxjail>
```

<div class="page-content" id="bkmrk-"><div class="text-muted text-small"><div class="entity-meta"></div></div></div>