fail2ban docs
parent 7a7e7ca359
commit f397456703
|
@ -345,6 +345,7 @@ to maintain the client connection and the connection to ntfy.
|
||||||
worker_connections 40500;
|
worker_connections 40500;
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
=== "/etc/systemd/system/nginx.service.d/override.conf"
|
=== "/etc/systemd/system/nginx.service.d/override.conf"
|
||||||
```
|
```
|
||||||
# Allow 40,000 proxy connections (2x of the desired ntfy connection count;
|
# Allow 40,000 proxy connections (2x of the desired ntfy connection count;
|
||||||
|
@ -353,6 +354,50 @@ to maintain the client connection and the connection to ntfy.
|
||||||
LimitNOFILE=40500
|
LimitNOFILE=40500
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Banning bad actors (fail2ban)
|
||||||
|
If you put stuff on the Internet, bad actors will try to break them or break in. [fail2ban](https://www.fail2ban.org/)
|
||||||
|
and nginx's [ngx_http_limit_req_module module](http://nginx.org/en/docs/http/ngx_http_limit_req_module.html) can be used
|
||||||
|
to ban client IPs if they misbehave. This is on top of the [rate limiting](#rate-limiting) inside the ntfy server.
|
||||||
|
|
||||||
|
Here's an example for how ntfy.sh is configured, following the instructions from two tutorials ([here](https://easyengine.io/tutorials/nginx/fail2ban/)
|
||||||
|
and [here](https://easyengine.io/tutorials/nginx/block-wp-login-php-bruteforce-attack/)):
|
||||||
|
|
||||||
|
=== "/etc/nginx/nginx.conf"
|
||||||
|
```
|
||||||
|
http {
|
||||||
|
limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
=== "/etc/nginx/sites-enabled/ntfy.sh"
|
||||||
|
```
|
||||||
|
# For each server/location block
|
||||||
|
server {
|
||||||
|
location / {
|
||||||
|
limit_req zone=one burst=1000 nodelay;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
=== "/etc/fail2ban/filter.d/nginx-req-limit.conf"
|
||||||
|
```
|
||||||
|
[Definition]
|
||||||
|
failregex = limiting requests, excess:.* by zone.*client: <HOST>
|
||||||
|
ignoreregex =
|
||||||
|
```
|
||||||
|
|
||||||
|
=== "/etc/fail2ban/jail.local"
|
||||||
|
```
|
||||||
|
[nginx-req-limit]
|
||||||
|
enabled = true
|
||||||
|
filter = nginx-req-limit
|
||||||
|
action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
|
||||||
|
logpath = /var/log/nginx/error.log
|
||||||
|
findtime = 600
|
||||||
|
bantime = 7200
|
||||||
|
maxretry = 10
|
||||||
|
```
|
||||||
|
|
||||||
## Config options
|
## Config options
|
||||||
Each config option can be set in the config file `/etc/ntfy/server.yml` (e.g. `listen-http: :80`) or as a
|
Each config option can be set in the config file `/etc/ntfy/server.yml` (e.g. `listen-http: :80`) or as a
|
||||||
CLI option (e.g. `--listen-http :80`. Here's a list of all available options. Alternatively, you can set an environment
|
CLI option (e.g. `--listen-http :80`. Here's a list of all available options. Alternatively, you can set an environment
|
||||||
|
|
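Review bot: The `failregex` in the new `/etc/fail2ban/filter.d/nginx-req-limit.conf` block is unanchored and puts a greedy `.*` directly in front of `client: <HOST>`, so the address handed to the ban action is taken from the last `client: ` occurrence that matches anywhere on the error-log line, not necessarily from the field nginx writes right after the zone name. Since this filter drives an iptables ban, I'd pin the match to that field, for example `failregex = limiting requests, excess: [\d.]+ by zone "[^"]+", client: <HOST>,`, and run `fail2ban-regex` against real lines from `/var/log/nginx/error.log` before merging. Separately, the section gives the numbers without saying how they interact: with `rate=1r/s` and `burst=1000 nodelay`, a client only appears in the error log once it exceeds the burst, and `maxretry = 10` within `findtime = 600` then triggers a `bantime = 7200` ban. One sentence stating that, and that the last two values are in seconds, would let readers adapt the thresholds instead of copying them.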