This is a follow up to my previous post https://community.wordops.net/d/2203-changing-deny-all-to-nginx-444-drop-connection/3
To summarise that: I was struggling with a huge number of nginx forbidden errors as bots trawl my server and couldn't work out why they were not being blocked. After a deal of digging I discovered that fail2ban was not scanning my individual site logs. Looking at the fail2ban jail.d/custom.conf file, the setting for nginx-forbidden looks like this:
[nginx-forbidden]
enabled = true
filter = nginx-forbidden
action = iptables-multiport[name="nginx-forbidden", port="http,https"]
logpath = /var/log/nginx/*error*.log
That seems sensible, but after some research I added this line:
backend = auto
and the whole shebang burst into life: heaps of NOTICE ban entries in the fail2ban log, and loads of IPs being added to iptables (I also implemented harsher triggers for maxretry and findtime at the same time).
I have no idea why that was necessary as my server has a completely standard wo built setup with the site log files where it intends them to be.
So this is a heads-up to everyone to check that your fail2ban [nginx-forbidden] rule is being applied on your server, and a call-out for people to confirm it's an issue for them or (alternatively) that they don't have the same problem (in which case I'll try to work out what's different on my machine).
If this is confirmed as an issue I'll log an entry in git to implement the extra setting in the template file.
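As an added example (not from the original post or from WordOps), here is a small Python check for the two things the post asks readers to verify: whether every file that the jail's logpath glob should cover appears in the "File list" reported by `fail2ban-client status nginx-forbidden`, and whether Ban notices for the jail are actually appearing in fail2ban.log. The status output, on-disk file list and log excerpt below are constructed samples; on a real server feed in the live command output, `glob.glob(logpath)` and the real log.

```python
import fnmatch
import re
from collections import Counter

# Constructed sample of `fail2ban-client status nginx-forbidden` output.
SAMPLE_STATUS = """Status for the jail: nginx-forbidden
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     12
|  `- File list:        /var/log/nginx/error.log /var/log/nginx/site-a.error.log
`- Actions
   |- Currently banned: 2
   |- Total banned:     9
   `- Banned IP list:   203.0.113.5 198.51.100.7
"""

# Constructed list of files on disk (in practice: glob.glob(logpath)).
SAMPLE_FILES = [
    "/var/log/nginx/error.log",
    "/var/log/nginx/site-a.error.log",
    "/var/log/nginx/site-b.error.log",
    "/var/log/nginx/site-b.access.log",
]

# Constructed fail2ban.log excerpt in fail2ban's default log line format.
SAMPLE_F2B_LOG = """\
2024-03-01 10:00:05,456 fail2ban.actions        [910]: NOTICE  [nginx-forbidden] Ban 203.0.113.5
2024-03-01 10:02:11,789 fail2ban.actions        [910]: NOTICE  [sshd] Ban 198.51.100.7
2024-03-01 10:05:42,001 fail2ban.actions        [910]: NOTICE  [nginx-forbidden] Ban 198.51.100.9
"""

def monitored_files(status_output):
    """Files listed under 'File list' in fail2ban-client status output."""
    m = re.search(r"File list:\s*(.*)", status_output)
    return set(m.group(1).split()) if m else set()

def unmonitored_logs(status_output, existing_files, logpath="/var/log/nginx/*error*.log"):
    """Files on disk matching the jail's logpath glob that fail2ban is NOT watching."""
    expected = {f for f in existing_files if fnmatch.fnmatch(f, logpath)}
    return sorted(expected - monitored_files(status_output))

BAN_RE = re.compile(r"NOTICE\s+\[(?P<jail>[^\]]+)\] Ban (?P<ip>\S+)")

def bans_per_jail(log_text):
    """Count Ban notices per jail; zero for nginx-forbidden means the jail is not firing."""
    return Counter(m.group("jail") for m in BAN_RE.finditer(log_text))
```

With the samples above, `unmonitored_logs(SAMPLE_STATUS, SAMPLE_FILES)` reports site-b's error log as not watched, which is exactly the symptom described in the post.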