Bruteforce attacks have become a nightmare for all website owners.
To secure their websites, owners set a strong username and password. Is that sufficient?
Well, this keeps your account safe. But there’s another side as well: bruteforce attacks consume a lot of server resources and bandwidth, which slows down your websites.
Fortunately, server owners can use Nginx as a reverse proxy and rate limit traffic to mitigate bruteforce attacks.
As part of our Server Management Services, we help server owners set up Nginx as a reverse proxy and enable bruteforce protection to secure their servers.
Today, let’s discuss how to enable Nginx brute force protection.
Nginx brute force protection – 2 proven methods
Now let’s see how our Server Administration Team enables Nginx brute force protection.
1) Enable Rate Limit in Nginx
Rate limiting is one of the best ways to slow down bruteforce attacks.
It allows you to limit the number of HTTP requests (GET and POST) that a user can make within a certain period. Moreover, it can deny requests beyond a specific threshold.
Our Server Experts always enable Nginx rate limit feature during server hardening.
Most importantly, we set the limit_req_zone directive in the Nginx configuration file "/etc/nginx/nginx.conf" to rate limit the requests.
For instance, see the below code.
limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
This adds a zone called one that can hold up to 160,000 unique IP addresses (as 1m = 16,000 IPs), and the rate=1r/s parameter means that only one request per second is allowed from each address.
Similarly, we can apply that rate limit to a particular location, such as a single file, with the limit_req directive.
For example, we add the following code in nginx to protect WordPress from bruteforce attacks.
location = /wp-login.php {
    limit_req zone=one burst=5 nodelay;
}
This allows 5 requests in 5 seconds. If a client exceeds this, Nginx returns a 503 Service Temporarily Unavailable error until the request rate drops back below the limit.
Moreover, our Support Experts use limit_conn_zone and limit_conn directives to limit the number of connections from each IP address.
[And, do you need help to enable Rate Limit on your Nginx reverse proxy? One of our Server Experts can help you here.]
2) Install Fail2ban
Fail2ban is a great tool for server owners to automatically ban suspicious IPs in the server firewall.
It scans the Nginx log files for failed login attempts and bans the offending IPs for a specific period of time using the firewall.
So to enable it, our Hosting Engineers analyze the nginx log files first and obtain a specific pattern for non-existent users.
After that, we create fail2ban filter files in the location /etc/fail2ban/filter.d/. These specify the patterns to look for within the nginx logs.
For instance, we configure a filter file say nginx-auth.conf, and add the following rules.
# fail2ban filter files need a [Definition] section; continuation lines of failregex are indented
[Definition]
failregex = no user/password was provided for basic authentication.*client: <HOST>
            user .* was not found in.*client: <HOST>
            user .* password mismatch.*client: <HOST>
ignoreregex =
These match the lines where the user has not entered a username and password, or has entered a username or password that does not match. The <HOST> placeholder is where fail2ban extracts the client IP address.
Finally, we configure a fail2ban jail in the location /etc/fail2ban/jail.local. This defines the nginx log file path, filter name, bantime, etc.
[nginx-auth]
enabled = true
filter = nginx-auth
port = http,https
logpath = /var/log/nginx*/*error*.log
findtime = 60
bantime = 500
maxretry = 3
This scans the nginx log files and attempts to match the regex patterns in the filter. If maxretry matches (3 here) from the same IP address are found within findtime (60 seconds), that IP address is blocked in the server firewall for bantime (500 seconds).
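As an added check that is not part of the original article, the Python script below reproduces what this jail does with the three failregex lines above: it expands fail2ban's <HOST> placeholder to an IPv4 capture group and applies the findtime/maxretry window to constructed nginx error-log lines. The sample log lines, the IP addresses and the simplified <HOST> expansion are assumptions made for the example.

```python
import re
from collections import defaultdict, deque

# The three failregex lines from the nginx-auth.conf filter above. fail2ban replaces
# <HOST> with its own host pattern; here we use a simplified IPv4-only capture group
# (an assumption for this example, not fail2ban's real expansion).
FAILREGEX = [
    r"no user/password was provided for basic authentication.*client: <HOST>",
    r"user .* was not found in.*client: <HOST>",
    r"user .* password mismatch.*client: <HOST>",
]
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PATTERNS = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]
FINDTIME = 60  # seconds, as in the [nginx-auth] jail above
MAXRETRY = 3

def match_host(line):
    """Return the client IP if the line matches any failregex, otherwise None."""
    for pat in PATTERNS:
        m = pat.search(line)
        if m:
            return m.group("host")
    return None

def bans(events):
    """events: (epoch_seconds, log_line) pairs in log order. Returns (ip, ts) for each
    ban, issued when MAXRETRY matches from one IP fall inside a sliding FINDTIME window."""
    hits = defaultdict(deque)
    banned, banned_ips = [], set()
    for ts, line in events:
        ip = match_host(line)
        if ip is None or ip in banned_ips:
            continue
        q = hits[ip]
        q.append(ts)
        while ts - q[0] > FINDTIME:  # drop matches older than the window
            q.popleft()
        if len(q) >= MAXRETRY:
            banned.append((ip, ts))
            banned_ips.add(ip)
    return banned

LOG = [  # constructed nginx error-log lines, not real traffic
    (0,   '[error] 1#0: *1 user "admin" was not found in "/etc/nginx/.htpasswd", client: 203.0.113.7, server: _'),
    (20,  '[error] 1#0: *2 no user/password was provided for basic authentication, client: 203.0.113.7, server: _'),
    (40,  '[error] 1#0: *3 user "admin": password mismatch, client: 203.0.113.7, server: _'),
    (45,  '[error] 1#0: *4 open() "/usr/share/nginx/html/x" failed (2: No such file or directory), client: 198.51.100.9, server: _'),
    (100, '[error] 1#0: *5 user "bob": password mismatch, client: 198.51.100.9, server: _'),
    (200, '[error] 1#0: *6 user "bob": password mismatch, client: 198.51.100.9, server: _'),
]
```

Running `bans(LOG)` reports only 203.0.113.7 (three matches within 60 seconds); 198.51.100.9 never accumulates three matches inside one window, and the plain 404 line is not counted at all.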
[And, do you need a Server Expert to set up Fail2ban on your server? Click here, and one of our Server Experts will assess your requirements and assist you.]
Conclusion
In short, bruteforce attacks have become common these days. Today, we’ve discussed the top 2 methods to enable Nginx brute force protection and how our Support Engineers implement it.
How can fail2ban block IPs when nginx is above a CDN?
Hello Diego,
Fail2ban can block the user’s IP address when you enable the ‘set_real_ip_from’ parameter in your configuration. If you need further help, we’ll be happy to talk to you on chat (click on the icon at right-bottom).