From f397456703e93c4837695ebfbb196c9e3e6b2b87 Mon Sep 17 00:00:00 2001
From: Philipp Heckel
Date: Thu, 6 Jan 2022 15:03:07 +0100
Subject: [PATCH] fail2ban docs
---
 docs/config.md | 45 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
diff --git a/docs/config.md b/docs/config.md
index 90e63e19..5316d01f 100644
--- a/docs/config.md
+++ b/docs/config.md
@@ -345,6 +345,7 @@ to maintain the client connection and the connection to ntfy.
 worker_connections 40500;
 }
 ```
+
 === "/etc/systemd/system/nginx.service.d/override.conf"
 ```
 # Allow 40,000 proxy connections (2x of the desired ntfy connection count; 
@@ -353,6 +354,50 @@ to maintain the client connection and the connection to ntfy.
 LimitNOFILE=40500
 ```
+### Banning bad actors (fail2ban)
+If you put stuff on the Internet, bad actors will try to break them or break in. [fail2ban](https://www.fail2ban.org/)
+and nginx's [ngx_http_limit_req_module module](http://nginx.org/en/docs/http/ngx_http_limit_req_module.html) can be used
+to ban client IPs if they misbehave. This is on top of the [rate limiting](#rate-limiting) inside the ntfy server.
+
+Here's an example for how ntfy.sh is configured, following the instructions from two tutorials ([here](https://easyengine.io/tutorials/nginx/fail2ban/)
+and [here](https://easyengine.io/tutorials/nginx/block-wp-login-php-bruteforce-attack/)):
+
+=== "/etc/nginx/nginx.conf"
+ ```
+ http {
+ limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
+ }
+ ```
+
+=== "/etc/nginx/sites-enabled/ntfy.sh"
+ ```
+ # For each server/location block
+ server {
+ location / {
+ limit_req zone=one burst=1000 nodelay;
+ }
+ }
+ ```
+
+=== "/etc/fail2ban/filter.d/nginx-req-limit.conf"
+ ```
+ [Definition]
+ failregex = limiting requests, excess:.* by zone.*client:
+ ignoreregex =
+ ```
+
+=== "/etc/fail2ban/jail.local"
+ ```
+ [nginx-req-limit]
+ enabled = true
+ filter = nginx-req-limit
+ action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
+ logpath = /var/log/nginx/error.log
+ findtime = 600
+ bantime = 7200
+ maxretry = 10
+ ```
+
 ## Config options
 Each config option can be set in the config file `/etc/ntfy/server.yml` (e.g. `listen-http: :80`) or as a CLI option (e.g. `--listen-http :80`. Here's a list of all available options. Alternatively, you can set an environment