Fail2ban Setup - nginx and firewalld
Created by: Lester Caine, Last modification: 6 May 2026
Installation
```bash
zypper install fail2ban
```
Key config files in webstack
/etc/webstack/fail2ban/
├── jail.conf ← modified: banaction = firewallcmd-rich-rules
├── jail.local ← minimal overrides
├── jail.d/
│ ├── nginx-srv9.conf
│ └── nginx-srv10.conf
└── filter.d/
└── nginx-404.conf
The critical jail.conf fix
Default uses iptables which conflicts with firewalld — must change directly in jail.conf:
```ini
# in the [DEFAULT] section of jail.conf
banaction = firewallcmd-rich-rules
banaction_allports = firewallcmd-allports
```
Note: jail.local override does NOT work for banaction — must edit jail.conf directly and track in webstack!
Custom nginx-404 filter
```ini
[Definition]
# <HOST> is fail2ban's placeholder for the client address; failregex must contain it
failregex = ^<HOST> .* "(GET|POST|HEAD).*" 404
# static assets that 404 are not counted (dots escaped so they match literally)
ignoreregex = \.css|\.js|\.png|\.ico|\.gif
```
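To try the filter above against log lines before pointing it at a live server, here is an added Python example (not the page's or fail2ban's own code) that mimics what `fail2ban-regex` does: it substitutes an IPv4 pattern for `<HOST>` (an assumption; fail2ban's real tag also matches IPv6 and hostnames), applies the ignoreregex, and then replays the matches against the `maxretry`/`findtime` values used in the jail config. The access-log lines are constructed samples using documentation-range addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Stand-in for fail2ban's <HOST> tag (assumption: IPv4 only).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The two expressions from the nginx-404 filter.
FAILREGEX = r'^<HOST> .* "(GET|POST|HEAD).*" 404'
IGNOREREGEX = r"\.css|\.js|\.png|\.ico|\.gif"

# nginx "combined" format keeps the timestamp inside [...].
TS_RE = re.compile(r"\[([^\]]+)\]")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed access-log lines, not taken from a real server.
SAMPLE_LOG = """\
203.0.113.5 - - [06/May/2026:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.5 - - [06/May/2026:10:00:02 +0000] "GET /xmlrpc.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.7 - - [06/May/2026:10:00:03 +0000] "GET /missing.css HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.7 - - [06/May/2026:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [06/May/2026:10:00:05 +0000] "POST /admin HTTP/1.1" 404 153 "-" "curl/8.0"
"""


def failures(lines, failregex=FAILREGEX, ignoreregex=IGNOREREGEX):
    """Return (host, timestamp) for every line the filter would count as a failure."""
    fail = re.compile(failregex.replace("<HOST>", HOST_RE))
    ignore = re.compile(ignoreregex) if ignoreregex else None
    hits = []
    for line in lines:
        m = fail.search(line)
        if not m or (ignore and ignore.search(line)):
            continue  # no failregex match, or excluded by ignoreregex
        ts = datetime.strptime(TS_RE.search(line).group(1), TS_FMT)
        hits.append((m.group("host"), ts))
    return hits


def hosts_to_ban(lines, maxretry=10, findtime=60, **filter_kw):
    """Hosts that reach maxretry failures inside a findtime-second window,
    the same counting rule the jail applies."""
    recent = defaultdict(deque)
    banned = []
    for host, ts in failures(lines, **filter_kw):
        window = recent[host]
        window.append(ts)
        # drop failures older than findtime relative to the newest one
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return sorted(banned)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for host, ts in failures(lines):
        print(f"failure from {host} at {ts:%H:%M:%S}")
    print("ban with maxretry=3:", hosts_to_ban(lines, maxretry=3))
    print("ban with jail defaults (maxretry=10):", hosts_to_ban(lines))
```

With the page's `maxretry = 10` the three sample 404s do not trigger a ban; lowering `maxretry` to 3 does, and the `.css` miss is ignored either way. Against a real log the equivalent check is `fail2ban-regex /var/log/nginx/<site>/access.log /etc/fail2ban/filter.d/nginx-404.conf`.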
jail.d config
```ini
[nginx-botsearch]
enabled = true
port = http,https
filter = nginx-botsearch
logpath = /var/log/nginx/*/access.log
maxretry = 5
findtime = 60
bantime = 3600

[nginx-404]
enabled = true
port = http,https
filter = nginx-404
logpath = /var/log/nginx/*/access.log
maxretry = 10
findtime = 60
bantime = 3600

[DEFAULT]
destemail = support@rainbowdigitalmedia.uk
sender = fail2ban@rdm1.uk
mta = sendmail
action = %(action_mwl)s
```
Enable and start
```bash
systemctl enable fail2ban
systemctl start fail2ban
```
Daily checks
```bash
# Status of all jails
fail2ban-client status
# Specific jail status and banned IPs
fail2ban-client status nginx-404
fail2ban-client status nginx-botsearch
# Check firewalld has the rules
firewall-cmd --list-rich-rules
# Manual ban/unban for testing
fail2ban-client set nginx-404 banip 1.2.3.4
fail2ban-client set nginx-404 unbanip 1.2.3.4
# Live log watching
tail -f /var/log/fail2ban.log
```
Troubleshooting
- Bans logged but IPs still connecting → banaction wrong, check that jail.conf is not still using an iptables banaction
- jail.local overrides not working → edit jail.conf directly, copy it to /etc/webstack/fail2ban/ so the change is tracked
- Filter not found error → check /etc/fail2ban/filter.d/ for the exact filename; `filter =` takes a single name, not a comma-separated list
- No emails → check the sendmail path; if cron emails work, fail2ban emails will too
- Already banned but still hitting → firewalld is not getting the rules, check banaction
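The daily checks above read `/var/log/fail2ban.log` by eye; here is an added Python example (not the page's or fail2ban's own code) that summarises the same log per jail and flags the "already banned" symptom from the last troubleshooting item, which is the tell-tale that the ban was logged but the firewalld rule never landed. It assumes the stock fail2ban log line format shown in the constructed sample; adjust `ACTION_RE` if your logtarget or format differs.

```python
import re
from collections import defaultdict

# Action lines as fail2ban writes them (assumption: stock format).
ACTION_RE = re.compile(
    r"fail2ban\.actions\s+\[\d+\]: (?P<level>\w+)\s+\[(?P<jail>[^\]]+)\] "
    r"(?:(?P<action>Ban|Unban) (?P<ip>\S+)|(?P<repeat_ip>\S+) already banned)"
)

# Constructed fail2ban.log excerpt with documentation-range addresses.
SAMPLE_FAIL2BAN_LOG = """\
2026-05-06 10:00:01,123 fail2ban.actions        [1234]: NOTICE  [nginx-404] Ban 203.0.113.5
2026-05-06 10:00:30,456 fail2ban.actions        [1234]: NOTICE  [nginx-botsearch] Ban 198.51.100.7
2026-05-06 10:01:05,789 fail2ban.actions        [1234]: WARNING [nginx-404] 203.0.113.5 already banned
2026-05-06 10:01:40,012 fail2ban.actions        [1234]: WARNING [nginx-404] 203.0.113.5 already banned
2026-05-06 11:00:01,345 fail2ban.actions        [1234]: NOTICE  [nginx-404] Unban 203.0.113.5
2026-05-06 11:00:30,678 fail2ban.actions        [1234]: NOTICE  [nginx-botsearch] Unban 198.51.100.7
"""


def summarise(lines):
    """Per-jail counts of Ban, Unban and 'already banned' repeats."""
    stats = defaultdict(lambda: {"ban": 0, "unban": 0, "already_banned": 0})
    for line in lines:
        m = ACTION_RE.search(line)
        if not m:
            continue  # filter chatter, startup messages, etc.
        jail = stats[m.group("jail")]
        if m.group("action") == "Ban":
            jail["ban"] += 1
        elif m.group("action") == "Unban":
            jail["unban"] += 1
        else:
            # the jail re-matched an IP it thinks is banned: traffic got through
            jail["already_banned"] += 1
    return dict(stats)


def leaky_jails(lines):
    """Jails where a banned IP kept hitting the log: check banaction and
    `firewall-cmd --list-rich-rules` for these first."""
    return sorted(j for j, s in summarise(lines).items() if s["already_banned"])


if __name__ == "__main__":
    lines = SAMPLE_FAIL2BAN_LOG.splitlines()
    for jail, counts in summarise(lines).items():
        print(jail, counts)
    print("jails whose bans are not taking effect:", leaky_jails(lines))
```

Run it over the real file with `python3 summary.py < /var/log/fail2ban.log` after changing the `__main__` block to read `sys.stdin`; a jail that shows up in `leaky_jails` with zero rules in `firewall-cmd --list-rich-rules` is the banaction problem described above.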
Citation
Developed with [Claude AI](https://claude.ai) assistance - Anthropic - May 2026
