Today I glanced at my server's CPU graph and saw this odd bump! For several hours the CPU was higher than usual. Hm!
I scrolled down and saw that the bandwidth was elevated during this period too!
So I figured something was continually hitting my server. Looking at /var/log/nginx/access.log I saw a lot of entries like this:
Over 240k requests from the same IP, scanning for commonly-available web application paths, all resulting in 404 responses. Well, that's no good! It didn't seem to be causing major problems, but I don't want that happening on my server.
But there is good news! There's a wonderful piece of software called fail2ban that can ban IPs that repeatedly try things and fail on your server. The most common case is bots that try to log in to your server via SSH (check /var/log/auth.log if you want to see it yourself). By default, fail2ban bans these SSH bots after several failed attempts in a certain time window (all these settings are configurable, so you don't accidentally ban yourself if you mistype a password or something).
If you don't have fail2ban installed on your server, install it right now. Your server will instantly be that much more secure from the SSH protection alone.
But I wanted to ban bots that created too many 404s on my server. So I made a /etc/fail2ban/jail.local file with the following rules:

[sshd]
enabled = true
maxretry = 5
bantime = 10m

[nginx-web-vulnerability-bot]
enabled = true
filter = nginx-web-vulnerability-bot
action = iptables-multiport[name=HTTP, port="http,https", protocol=tcp]
logpath = /var/log/nginx/access.log
findtime = 1m
maxretry = 10
bantime = 1d
And I also made a filter file, the one the jail's filter = line refers to, containing:

[Definition]
failregex = ^<HOST> -.*\s404\s.*
ignoreregex = ^<HOST> -.*favicon\.ico.*
Together, these two files will ban IPs for a day that make more than ten 404 requests in the last minute. Just run fail2ban-client reload after you've created the files and they will be automatically discovered.
(The ignoreregex part is to make sure I don't ban actual users whose browsers automatically request favicon.ico on every page load, since I don't have one at the moment.)
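To see what the two regexes above actually count before pointing them at live traffic, here is an added test script (mine, not part of the original post) that replays them over a few constructed nginx log lines; <HOST> is stood in for by a simplified IPv4 group, and the stricter variant anchored on the closing quote of the request line is my own assumption, included because the post's pattern also matches a 404 anywhere else on the line, such as a 404-byte response size.

```python
import re

# Added example, not from the original post: replay the post's fail2ban filter over a few
# constructed nginx "combined" log lines to see which hosts would be counted as failures.
# fail2ban substitutes <HOST> itself; here it is a simplified IPv4 group (the real <HOST>
# also matches IPv6 addresses and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The post's filter, verbatim apart from the <HOST> substitution.
POST_FAILREGEX = re.compile(r"^" + HOST + r" -.*\s404\s.*")
IGNOREREGEX = re.compile(r"^" + HOST + r" -.*favicon\.ico.*")

# Stricter variant (assumption, not from the post): in the combined format the status code
# is the first field after the closing quote of the request line, so anchor on '" 404 '.
STRICT_FAILREGEX = re.compile(r"^" + HOST + r' -.*" 404 \d+ .*')

# Constructed sample lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /admin/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /test/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /backup/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:13:55:39 +0000] "GET /favicon.ico HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:13:55:40 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:55:41 +0000] "GET /about HTTP/1.1" 200 404 "-" "Mozilla/5.0"
"""

def count_failures(log_text, failregex, ignoreregex=IGNOREREGEX):
    """Count, per host, the lines fail2ban would treat as failures: failregex matches
    and ignoreregex does not (ignoreregex wins, which is how fail2ban applies it)."""
    counts = {}
    for line in log_text.splitlines():
        m = failregex.match(line)
        if m and not ignoreregex.match(line):
            counts[m.group("host")] = counts.get(m.group("host"), 0) + 1
    return counts

def hosts_to_ban(log_text, failregex, maxretry):
    """Hosts reaching maxretry. The post's jail uses maxretry = 10 within findtime = 1m;
    the time window is not modelled because every sample line falls within one minute."""
    return sorted(h for h, n in count_failures(log_text, failregex).items() if n >= maxretry)

if __name__ == "__main__":
    # The 200-status line with a 404-byte body is counted by the post's regex but not the strict one.
    print("post's regex: ", count_failures(SAMPLE_LOG, POST_FAILREGEX))
    print("strict regex: ", count_failures(SAMPLE_LOG, STRICT_FAILREGEX))
```

The favicon.ico line is a 404 but is dropped by ignoreregex, while the legitimate visitor whose page happened to be 404 bytes long is counted by the post's pattern; on a real server, fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/<your filter>.conf does this same replay with fail2ban's own <HOST> handling.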
So far no bots have been banned on my server because I just did this, but I did test it out on the existing logs.
I thought I'd share this little tidbit for you to copy and paste to your own server, since there's a lot to think about as an indie hacker. I hope you find this useful! And if you have any other solutions or ways to improve mine, please let me know in the comments!
I got some of my information about fail2ban configuration from this article.