Extra Filter Security with Fail2Ban

September 3, 2025
ValentaizarHitsukaya

This guide explains the Nginx filters and blocks implemented to secure sensitive files, block automated scans, and prevent unauthorized access to critical web application resources.

1. Relevant Jails and Filters

The filters and jails used are configured to detect and block automated attacks and scans on the server. All attempts are logged, and suspicious connections are immediately terminated.

Examples of implemented filters:

  • Blocking scans of .env, .htaccess, and .git/config files.

  • Blocking access to critical Laravel directories and files (artisan, vendor/, storage/, bootstrap/, config/).

  • Blocking configuration and build files for Next.js, Nuxt, Vue, and other frameworks (next.config.js, .nuxt/, tsconfig.json, vite.config.js, etc.).

  • Detecting and blocking bots, crawlers, and scraping tools (python, wget, curl).

All attempts are logged in a separate file: /var/log/nginx/blocked_suspicious.log.

2. Nginx Security Block for Sensitive Files and Scans

The following Nginx fragment (placed inside the server block) blocks access to sensitive files and automated scans:

# Block scans and access to sensitive files for Laravel, Next.js, React, Vue, WordPress, etc.
# Regex locations are evaluated in order of appearance, so this block must precede any
# other regex location (for example a PHP handler) that could match the same paths.
# The ^/ anchor pins every alternative to the root of the URI; backup copies (.bak/.old)
# are matched by a separate, unanchored alternative so they are caught anywhere in the tree.
location ~* ^/(wp-admin|wordpress|wp-login\.php|xmlrpc\.php|\.env|\.git/config|\.htaccess|\.htpasswd|backup/|artisan|vendor/|storage/|bootstrap/|config/|package\.json|package-lock\.json|yarn\.lock|next\.config\.js|nuxt\.config\.js|tsconfig\.json|vue\.config\.js|server\.js|app\.js|\.next/|\.nuxt/|Dockerfile|docker-compose\.yml|webpack\.config\.js|vite\.config\.js|gulpfile\.js|setup-config\.php)|\.(bak|old)$ {

    # Log all attempts in a separate log file
    # (assumes a "log_format main" is defined in the http context)
    access_log /var/log/nginx/blocked_suspicious.log main;

    # If it's a bot/crawler → drop the connection immediately
    if ($http_user_agent ~* "(bot|crawler|spider|python|wget|curl)") {
        return 444;
    }

    # For everything else → still return 444 (connection closed, nothing sent back)
    return 444;
}

Purpose of this block:

  1. Prevents direct access to configuration files and sensitive files.

  2. Closes the connection for automated bots and crawlers.

  3. Logs all attempts for analysis and auditing.

3. Separate Logs for Blocked Attempts

All unauthorized access attempts are logged separately to avoid cluttering the standard access.log and allow for quick analysis:

/var/log/nginx/blocked_suspicious.log

Example log entries:

104.23.223.113 - - [03/Sep/2025:20:33:28 +0200] "GET /wordpress/wp-admin/setup-config.php HTTP/2.0" 404 36 "-" "Mozilla/5.0 ..."
146.70.188.225 - - [03/Sep/2025:20:40:18 +0200] "GET /.git/config HTTP/1.1" 301 162 "-" "Mozilla/5.0 ..."

These logs help identify the source of scans and brute-force attacks targeting sensitive web files.
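Section 1 refers to the Fail2Ban jails that act on this log but shows no filter. The Python below is an added example (not part of the original post) of the same logic: a failregex-style pattern for the blocked_suspicious.log format, replayed with a jail's maxretry/findtime window to list the source addresses a jail would ban. It assumes the `main` log format is the stock combined-style one; the sample log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Fail2Ban-style failregex for the nginx "main"/combined format written to blocked_suspicious.log.
# In a filter.d/*.conf the host is spelled <HOST>; here it is a named group so the pattern runs alone.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}|[0-9a-fA-F:]+)"
FAILREGEX = re.compile(
    r"^" + HOST + r" - \S+ \[(?P<ts>[^\]]+)\] "
    r'"[A-Z]+ (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (host, timestamp, path) for one log line, or None if it does not match."""
    m = FAILREGEX.match(line)
    if not m:
        return None
    return m.group("host"), datetime.strptime(m.group("ts"), TS_FORMAT), m.group("path")

def ban_candidates(lines, maxretry=3, findtime=600):
    """Replay the log in order; a host is banned once it has maxretry hits inside findtime seconds."""
    window = timedelta(seconds=findtime)
    recent, banned = defaultdict(deque), []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:            # unparseable line: ignored, as fail2ban would
            continue
        host, ts, _path = parsed
        if host in banned:            # already banned, nothing more to count
            continue
        hits = recent[host]
        hits.append(ts)
        while ts - hits[0] > window:  # drop hits that fell out of the sliding window
            hits.popleft()
        if len(hits) >= maxretry:
            banned.append(host)
    return banned

# Constructed sample of blocked_suspicious.log (documentation addresses, not real scanners).
SAMPLE_LOG = [
    '203.0.113.10 - - [03/Sep/2025:20:33:28 +0200] "GET /.env HTTP/1.1" 444 0 "-" "python-requests/2.32"',
    '203.0.113.10 - - [03/Sep/2025:20:33:29 +0200] "GET /.git/config HTTP/1.1" 444 0 "-" "python-requests/2.32"',
    '203.0.113.10 - - [03/Sep/2025:20:33:31 +0200] "GET /vendor/phpunit/ HTTP/1.1" 444 0 "-" "python-requests/2.32"',
    '198.51.100.7 - - [03/Sep/2025:20:35:00 +0200] "GET /wp-login.php HTTP/2.0" 444 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [03/Sep/2025:21:10:00 +0200] "GET /xmlrpc.php HTTP/2.0" 444 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [03/Sep/2025:21:10:05 +0200] "GET /.htaccess HTTP/2.0" 444 0 "-" "Mozilla/5.0"',
    "not a log line",
]
```

With the defaults only 203.0.113.10 is banned; 198.51.100.7 also has three hits, but the first one is 35 minutes before the other two and falls outside the 600-second findtime.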

4. Log Rotation for Blocked Suspicious Log

To prevent the /var/log/nginx/blocked_suspicious.log from growing indefinitely, a logrotate configuration can be added:

/etc/logrotate.d/nginx-blocked

/var/log/nginx/blocked_suspicious.log {
    daily
    rotate 14
    compress
    missingok
    notifempty
    create 640 nginx adm
    sharedscripts
    postrotate
        [ -s /run/nginx.pid ] && kill -USR1 `cat /run/nginx.pid`
    endscript
}

Explanation:

  • daily → Rotate logs every day.

  • rotate 14 → Keep 14 rotated logs before the oldest is deleted.

  • compress → Compress rotated logs to save space.

  • missingok → Ignore if log file is missing.

  • notifempty → Skip rotation if log is empty.

  • create 640 nginx adm → Create a fresh log after rotation, mode 640, owned by user nginx and group adm.

  • postrotate → Signal Nginx to reopen logs after rotation.

5. General Security Recommendations

  • Ensure all web applications (Laravel, Next.js, React, Vue, WordPress) are updated to the latest versions.

  • Keep strict file and directory permissions (644 for files, 755 for directories).

  • Block access to critical directories with .htaccess or additional Nginx rules.

  • Continuously monitor the blocked_suspicious.log file to detect attack patterns.