Enable brute force protection for your nginx reverse proxy on Linux to block hacking attempts and unauthorized access to your services. A brute force attack is a technique attackers use to try many usernames and passwords in the hope of hitting the right combination for access.
A simple way to blunt these reverse proxy brute force attacks is to ban IP addresses that enter an incorrect password 3 times. This tutorial will show you how to enable basic HTTP authentication for nginx reverse proxies and add brute force protection using fail2ban. This guide was tested on Debian and Ubuntu but is easily adaptable to other distros like CentOS, Fedora and so on.
If you are using a reverse proxy for services like CouchPotato, SickRage, Sonarr and others, you can turn off the authentication in the individual services and use one universal login to access them all. Only do this if the services themselves are bound to localhost or firewalled, so they cannot be reached except through the proxy.
Enable Brute Force Protection nginx Reverse Proxy Linux
This setup uses basic HTTP authentication on the nginx reverse proxy and logs failed attempts to the nginx error log. fail2ban watches that log file for failed login attempts and bans the offending IP addresses using iptables for a specific length of time.
Enable nginx User Authentication
Install the Apache2 utilities package, which provides the htpasswd tool used to create the password file (nginx's own auth_basic module is built in and needs no extra module)
sudo apt-get install apache2-utils
Create the password file for a user, e.g. htpcguides, in /etc/nginx/.htpasswd. htpasswd hashes the password with apr1 MD5 by default; pass -B to use bcrypt instead, which is far slower to crack if the file ever leaks. The -c flag creates the file (and overwrites it if it already exists), so omit -c when adding further users
sudo htpasswd -c /etc/nginx/.htpasswd htpcguides
You will be prompted for the password, which is stored only as a hash in the .htpasswd file
New password:
Re-type new password:
Adding password for user htpcguides
Add this to the location block or server block of your nginx reverse proxy virtual host (e.g. /etc/nginx/sites-enabled/reverse)
A full version of a working virtual host is below
auth_basic "Restricted";
auth_basic_user_file /etc/nginx/.htpasswd;
You also need to specify an error log file; this is necessary because fail2ban analyzes it to find the failed login attempts. nginx writes auth_basic failures to the error log, not the access log, so it is the error_log directive that matters
Add this in the server block; fail2ban scans this file to ban the IP addresses making failed login attempts
error_log /var/log/nginx/htpcguides.com.error.log;
So your whole nginx reverse proxy virtual host with basic HTTP authentication may look something like this. Note that basic authentication only Base64-encodes the username and password, so on the listen 80 port they cross the network in the clear; if the proxy is reachable from outside your LAN, serve it over port 443 only (or redirect 80 to 443)
server {
    listen 80;
    listen 443 ssl;
    server_name htpcguides.crabdance.com 192.168.40.105;
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;

    # fail2ban scans this file; auth_basic failures are logged here
    error_log /var/log/nginx/htpcguides.com.error.log;

    # basic HTTP authentication for the whole virtual host
    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/.htpasswd;

    location /web {
        proxy_pass http://127.0.0.1:32400;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
Test that the nginx vhost configuration is valid before reloading nginx
sudo nginx -t
Enable nginx Brute Force Protection
This is adapted from an excellent Server Fault answer
You use fail2ban to scan the nginx error log for failed login attempts and ban the offending IP address. Newer fail2ban releases also ship a ready-made filter, filter.d/nginx-http-auth.conf, that matches the same nginx messages; the custom filter below does the same job and also works on older releases
Install fail2ban
sudo apt-get install fail2ban -y
Create fail2ban filter for nginx reverse proxy protection
sudo nano /etc/fail2ban/filter.d/nginx-auth.conf
Add this for the nginx log regex scanning. The three patterns match the messages nginx's auth_basic module writes to the error log, and <HOST> is fail2ban's placeholder for the client IP address to ban. The continuation lines of failregex must be indented, and ignoreregex is left empty
[Definition]
failregex = no user/password was provided for basic authentication.*client: <HOST>
            user .* was not found in.*client: <HOST>
            user .* password mismatch.*client: <HOST>
ignoreregex =
Ctrl+X, Y and Enter to save
Create the fail2ban jail configuration, which contains the path to the nginx log file and how long to ban offenders for
sudo mkdir -p /etc/fail2ban/jail.d
sudo nano /etc/fail2ban/jail.d/nginx-auth.conf
Add this; port = http,https covers both ports, use https alone if you serve SSL only
bantime is in seconds, so 600 bans an offender for 10 minutes after 3 failed attempts within fail2ban's default findtime of 10 minutes
logpath should match the error_log in your nginx virtual host; the wildcard * can be used to parse multiple log files
[nginx-auth]
enabled = true
filter = nginx-auth
port = http,https
logpath = /var/log/nginx*/*error*.log
bantime = 600
maxretry = 3
Ctrl+X, Y and Enter to save
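To see what the filter and jail above actually do before touching a live server, here is an added Python example (not part of the original guide and not fail2ban's own code) that applies the three failregex patterns to a few constructed nginx error log lines and then applies the jail's maxretry rule. It assumes fail2ban's default findtime of 600 seconds, and it substitutes a simplified IP-matching group for the <HOST> placeholder where fail2ban uses its own, more elaborate one. The log lines are constructed for the example, following the message wording nginx's auth_basic module uses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The three failregex lines from the nginx-auth filter, with fail2ban's <HOST>
# placeholder. fail2ban substitutes its own host-capturing group for <HOST>;
# HOST_GROUP below is a simplified stand-in (assumption) for IPv4/IPv6 literals.
FAILREGEX = [
    r"no user/password was provided for basic authentication.*client: <HOST>",
    r"user .* was not found in.*client: <HOST>",
    r"user .* password mismatch.*client: <HOST>",
]
HOST_GROUP = r"(?P<host>[0-9a-fA-F:.]+)"
COMPILED = [re.compile(p.replace("<HOST>", HOST_GROUP)) for p in FAILREGEX]

# nginx error_log lines begin with "YYYY/MM/DD HH:MM:SS [level] pid#tid: ".
TIMESTAMP = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ")

# Constructed sample error log (not a real capture). The first five lines are
# auth_basic failures; the last is an unrelated error that must not match.
SAMPLE_LOG = """\
2024/05/01 10:00:01 [error] 1234#0: *1 no user/password was provided for basic authentication, client: 203.0.113.7, server: htpcguides.crabdance.com, request: "GET /web HTTP/1.1", host: "htpcguides.crabdance.com"
2024/05/01 10:00:05 [error] 1234#0: *2 user "admin" was not found in "/etc/nginx/.htpasswd", client: 203.0.113.7, server: htpcguides.crabdance.com, request: "GET /web HTTP/1.1", host: "htpcguides.crabdance.com"
2024/05/01 10:00:09 [error] 1234#0: *3 user "htpcguides": password mismatch, client: 203.0.113.7, server: htpcguides.crabdance.com, request: "GET /web HTTP/1.1", host: "htpcguides.crabdance.com"
2024/05/01 10:00:12 [error] 1234#0: *4 user "htpcguides": password mismatch, client: 192.168.40.20, server: htpcguides.crabdance.com, request: "GET /web HTTP/1.1", host: "htpcguides.crabdance.com"
2024/05/01 10:30:00 [error] 1234#0: *5 user "htpcguides": password mismatch, client: 192.168.40.20, server: htpcguides.crabdance.com, request: "GET /web HTTP/1.1", host: "htpcguides.crabdance.com"
2024/05/01 10:30:05 [error] 1234#0: *6 open() "/var/www/html/favicon.ico" failed (2: No such file or directory), client: 198.51.100.9, server: htpcguides.crabdance.com, request: "GET /favicon.ico HTTP/1.1", host: "htpcguides.crabdance.com"
"""


def match_failures(log_text):
    """Yield (timestamp, host) for every line matched by one of the failregex
    patterns. ignoreregex is empty in the filter, so nothing is filtered out."""
    for line in log_text.splitlines():
        ts = TIMESTAMP.match(line)
        if not ts:
            continue
        when = datetime.strptime(ts.group(1), "%Y/%m/%d %H:%M:%S")
        for rx in COMPILED:
            m = rx.search(line)
            if m:
                yield when, m.group("host")
                break  # one failure per log line, like fail2ban


def banned_hosts(log_text, maxretry=3, findtime=600):
    """Apply the jail rule: a host is banned once it has maxretry matched
    failures within a sliding window of findtime seconds. Returns the hosts
    in the order they would be banned."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = []
    for when, host in match_failures(log_text):
        hits = [t for t in recent[host] if when - t <= window]
        hits.append(when)
        recent[host] = hits
        if len(hits) >= maxretry and host not in banned:
            banned.append(host)
    return banned


if __name__ == "__main__":
    for when, host in match_failures(SAMPLE_LOG):
        print(f"{when} failure from {host}")
    print("banned:", banned_hosts(SAMPLE_LOG))
```

With the defaults, 203.0.113.7 is banned on its third failure within seconds, while 192.168.40.20 is not, because its two failures are 30 minutes apart and fall outside the 10-minute findtime. Shortening findtime or raising maxretry changes that outcome, which is exactly the trade-off the jail settings control: a long findtime catches slow, patient guessing, a short one avoids banning a user who mistypes a password twice in a morning.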
Test the regex against the actual nginx error log; fail2ban-regex reads the log file and reports how many lines matched each pattern
You need at least one logged login failure for your reverse proxy for this test to show a match
fail2ban-regex /var/log/nginx/htpcguides.com.error.log /etc/fail2ban/filter.d/nginx-auth.conf
Restart the fail2ban service
sudo service fail2ban restart
Check the iptables bans on the reverse proxy server running fail2ban. fail2ban inserts a jump to its own chain (f2b-nginx-auth, or fail2ban-nginx-auth on older releases) into INPUT, and banned addresses appear as REJECT or DROP rules in that chain; fail2ban-client status nginx-auth shows the same list together with the failure counters
sudo iptables -L INPUT -v -n
Now you can access your nginx reverse proxy services like Sonarr, SickRage, CouchPotato, Headphones and more with the added security of brute force protection from fail2ban.