1] Received an alert that my free tier (AWS Data Transfer, 1 GB/month) had been exceeded

[screenshot: AWS free-tier data transfer alert, 2025-02-01]

2] Looked into the Splunk logs (Nginx logs): the web server has been under attack since last night (31 Jan 2025)

[screenshot: Splunk search over the Nginx logs, 2025-02-01]

3] Install Fail2Ban

Installed Fail2Ban and followed these steps to block suspicious access/requests:

1. Adding custom rules

sudo nano /etc/fail2ban/filter.d/nginx-custom-rules.conf

[Definition]
# In fail2ban filter files a literal "%" is written as "%%", and comments must be on their own line.
# The last pattern flags requests containing non-ASCII or non-printable bytes (malformed requests).
failregex = ^<HOST> - - \[.*\] "POST /cgi-bin/.*(\.%%2e|%%%%32%%65).* HTTP/1\.1" 400
            ^<HOST> - - \[.*\] "GET /\.env HTTP/1\.1" 400
            ^<HOST> - - \[.*\] "GET /manager/text/list HTTP/1\.1" 400
            ^<HOST> - - \[.*\] "GET / HTTP/1\.1" 400
            ^<HOST> - - \[.*\] "GET /favicon\.ico HTTP/1\.1" 400
            ^<HOST> - - \[.*\] ".*(zgrab|Keydrop).*"
            ^<HOST> - - \[.*\] ".*[^\x20-\x7E].*"
ignoreregex =

2. Edit jail.local to add a jail that uses the custom filter


3. Test the configuration

sudo fail2ban-client -d

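To check what the custom filter above actually catches before enabling the jail, here is an added example (not part of the original notes) that replays the seven failregex lines against constructed nginx access-log lines and reports which client addresses would reach a jail's maxretry. It assumes IPv4 clients only and a maxretry of 3, and it ignores the findtime window.

```python
import re
from collections import Counter

# The page's failregex lines in fail2ban's INI syntax ("%%" is a literal "%",
# <HOST> is fail2ban's placeholder for the client address).
FAILREGEX = [
    r'^<HOST> - - \[.*\] "POST /cgi-bin/.*(\.%%2e|%%%%32%%65).* HTTP/1\.1" 400',
    r'^<HOST> - - \[.*\] "GET /\.env HTTP/1\.1" 400',
    r'^<HOST> - - \[.*\] "GET /manager/text/list HTTP/1\.1" 400',
    r'^<HOST> - - \[.*\] "GET / HTTP/1\.1" 400',
    r'^<HOST> - - \[.*\] "GET /favicon\.ico HTTP/1\.1" 400',
    r'^<HOST> - - \[.*\] ".*(zgrab|Keydrop).*"',
    r'^<HOST> - - \[.*\] ".*[^\x20-\x7E].*"',
]
# Simplified <HOST> expansion: IPv4 only (fail2ban also handles IPv6 and hostnames).
HOST_RE = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'

def compile_filter(patterns=FAILREGEX):
    """Translate fail2ban-style failregex lines into Python regexes."""
    return [re.compile(p.replace('%%', '%').replace('<HOST>', HOST_RE)) for p in patterns]

def match_rule(line, compiled):
    """(host, index of the first matching rule) or None; fail2ban also stops at the first hit."""
    for idx, rx in enumerate(compiled):
        m = rx.search(line)
        if m:
            return m.group('host'), idx
    return None

def offending_hosts(log_lines, patterns=FAILREGEX):
    """Count matching lines per client address."""
    compiled = compile_filter(patterns)
    return Counter(f[0] for f in (match_rule(l, compiled) for l in log_lines) if f)

def hosts_to_ban(log_lines, maxretry=3):
    """Addresses that reached the jail's maxretry (the findtime window is ignored here)."""
    return sorted(ip for ip, n in offending_hosts(log_lines).items() if n >= maxretry)

# Constructed sample lines in nginx combined-log format (not real traffic). The last
# line carries a raw non-ASCII character to exercise rule 7; nginx's default log escaping
# would write it as \xHH, so that rule only fires with an unescaped log_format.
SAMPLE_LOG = [
    '203.0.113.5 - - [31/Jan/2025:23:58:01 +0000] "POST /cgi-bin/.%2e/.%2e/bin/sh HTTP/1.1" 400 150 "-" "curl/7.88"',
    '203.0.113.5 - - [31/Jan/2025:23:58:02 +0000] "POST /cgi-bin/.%%32%65/.%%32%65/bin/sh HTTP/1.1" 400 150 "-" "curl/7.88"',
    '203.0.113.5 - - [31/Jan/2025:23:58:03 +0000] "GET /.env HTTP/1.1" 400 150 "-" "python-requests/2.31"',
    '198.51.100.9 - - [01/Feb/2025:00:01:10 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 zgrab/0.x"',
    '198.51.100.9 - - [01/Feb/2025:00:01:11 +0000] "GET /manager/text/list HTTP/1.1" 400 150 "-" "-"',
    '192.0.2.44 - - [01/Feb/2025:00:02:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [01/Feb/2025:00:02:05 +0000] "GET /\u00e9 HTTP/1.1" 400 150 "-" "-"',
]
```

`hosts_to_ban(SAMPLE_LOG)` returns only 203.0.113.5 at maxretry 3; the same check with the real filter is `fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx-custom-rules.conf`.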