Nginx + Fail2ban Blocking IP behind AWS Load Balancer

You know there is this problem: if you have some web servers behind an Amazon ELB it's hard to block malicious hosts. Why is it hard? Well, first of all, on the ELB you can only use security groups to allow/block IPs/nets, BUT an AWS Security Group doesn't let you block anything, only allow, so it's impossible to block an IP at the source (the ELB).

Wait, I mean, it could be possible if you add an instance as a firewall in front of the ELB, but this is going to be complex to add and manage, and it could be hard to find the IP to ban because you don't have the nginx logs: the host doesn't reach nginx yet. So you would have to bring up an Nginx on the firewall to proxy every request to the ELB and then use Fail2ban directly there.

But again, this isn't a fast solution and I think you will like this one much more.

Forget firewalling the ELB and concentrate on the web servers (normally in an autoscaling group if behind an ELB). Install fail2ban on each web server (or on the AMI to have it in each autoscaled server).

When you have fail2ban installed, configure it to catch and ban your malicious hosts; you can find useful information on how to block hosts with fail2ban in this post I wrote months ago.

Now, if you start it and wait for the attackers to come, you should find the blocked IPs with "iptables -L", but:

"hey WTF! The IP is blocked but I'm still receiving a lot of packets from that host!"

Yes dude, this happens because fail2ban blocks the host IP, but you are receiving the packets from the ELB IP, so blocking the real host IP is completely useless.

So what can I do? Here is the cool part: you still can't block/drop/reject those packets, but you can stop the IP from carrying on the attack simply by returning it a 403 Forbidden for each URL it tries.

First of all you need to add these two lines to your nginx.conf in the http section (the CIDR in set_real_ip_from is a placeholder: put the range your ELB's addresses come from, because X-Forwarded-For is only trusted from those addresses):

    set_real_ip_from   10.0.0.0/8;        # placeholder: the subnet(s) your ELB sends from
    real_ip_header     X-Forwarded-For;

This will tell Nginx to use the real host IP instead of the proxied one from the ELB, so you can block that instead of blocking the whole ELB (which wouldn't be good at all…).

Then use a simple script to automatically add/remove the deny lines you need. I did this:

1- On my virtual host config I added an include like this:

    location / {
        include /etc/nginx/conf.d/deny-hosts;
        # the rest of your location block stays as it is
    }

2- In my fail2ban default action I added an external script to write and remove the lines needed in the deny-hosts file. Find the file /etc/fail2ban/action.d/iptables-multiport.conf and add the second line to the ban/unban actions (the path after /etc/fail2ban/ is whatever name you give the script below):

    actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
                /etc/fail2ban/ ban <ip>

    actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
                  /etc/fail2ban/ unban <ip>

And here is the simple script:

    #!/bin/bash
    # Called by fail2ban as: <script> ban|unban <ip>

    if [ $# -ne 2 ]; then
        echo "Usage: $0 ban|unban <ip>" >&2
        exit 1
    fi

    # In any case remove the ip; this is useful to prevent dups
    sed -i "/deny $2;/d" /etc/nginx/conf.d/deny-hosts

    # If action is ban, add the ip to the deny-hosts file
    if [ "$1" == "ban" ]; then
        echo "deny $2;" >> /etc/nginx/conf.d/deny-hosts
    fi

    # Reload the Nginx config so the banned IP takes effect
    /usr/sbin/service nginx reload

Now, every time fail2ban finds an IP to ban it will use the script to add the host to the deny file and reload nginx. The host will receive a 403 Forbidden for each URL it tries until the unban action removes the deny line and reloads Nginx.
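As an added example (not the script from this post), here is a hardened version of the same ban/unban helper: it accepts only a well-formed IPv4 address before writing anything into the nginx include, escapes the dots so `deny 10.0.0.1;` is never confused with `10.0.0.11`, rewrites the file idempotently, and reloads nginx only if `nginx -t` passes. The script name, the `DENY_FILE` variable and the function names are assumptions.

```shell
#!/bin/sh
# Added example: fail2ban action helper, called as: deny-hosts.sh ban|unban <ip>
# DENY_FILE defaults to the include path used in the post.
DENY_FILE="${DENY_FILE:-/etc/nginx/conf.d/deny-hosts}"

# Accept only a plain IPv4 address: the value ends up inside nginx
# configuration, so anything else must never reach the file.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Escape dots so the address is matched literally by grep.
escape_dots() { echo "$1" | sed 's/\./\\./g'; }

# deny_update FILE ACTION IP: rewrite FILE so IP appears exactly once
# (ban) or not at all (unban). Returns 0 on success, 2 on bad input.
deny_update() {
    file="$1"; action="$2"; ip="$3"
    valid_ipv4 "$ip" || return 2
    case "$action" in ban|unban) ;; *) return 2 ;; esac
    [ -f "$file" ] || : > "$file"
    # Drop any existing line for this IP first (prevents duplicates).
    grep -v "^deny $(escape_dots "$ip");\$" "$file" > "$file.tmp" || true
    if [ "$action" = ban ]; then
        echo "deny $ip;" >> "$file.tmp"
    fi
    mv "$file.tmp" "$file"
}

# count_denied FILE IP: number of deny lines for IP (0 if none).
count_denied() {
    grep -c "^deny $(escape_dots "$2");\$" "$1" || true
}

# Reload only when the resulting config parses; a broken include would
# otherwise take the web server down on the next reload.
reload_nginx() {
    nginx -t >/dev/null 2>&1 && /usr/sbin/service nginx reload
}

# Entry point used by the fail2ban action; does nothing without arguments.
case "$1" in
    ban|unban) deny_update "$DENY_FILE" "$1" "$2" && reload_nginx ;;
esac
```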

Hope you find this useful!
