Vulnerability scanners spray your server with requests for paths that don’t exist (/.env,
/wp-login.php, /phpmyadmin, …), generating a flood of 404s. The built-in nginx-botsearch
filter catches those probe patterns in the access log.
1. The jail
In /etc/fail2ban/jail.local:
[nginx-botsearch]
enabled = true
filter = nginx-botsearch
port = http,https
logpath = /var/log/nginx/access.log
maxretry = 2
findtime = 10m
bantime = 1d
Scanners fire fast, so a low maxretry (2) and a longer bantime (1 day) work well.
2. Reload
sudo fail2ban-client reload
3. Verify against your real log
sudo fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx-botsearch.conf
sudo fail2ban-client status nginx-botsearch
4. Want to ban on ANY repeated 404?
nginx-botsearch only matches known scanner paths. To ban any IP generating lots of 404s, add a
small custom filter /etc/fail2ban/filter.d/nginx-404.conf:
[Definition]
failregex = ^<HOST> -.*"(GET|POST|HEAD).*" 404
ignoreregex =
…and a jail with a higher maxretry (legit users hit 404s too):
[nginx-404]
enabled = true
filter = nginx-404
logpath = /var/log/nginx/access.log
maxretry = 15
findtime = 2m
bantime = 1h
Caution: a broad 404 jail can catch real users (a missing favicon, a broken link). Keep
maxretry generous and watch fail2ban-client status nginx-404 for false positives before
tightening.
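To see how the nginx-404 failregex and the maxretry/findtime window interact before you deploy them, here is an added Python replay of fail2ban's counting over constructed nginx log lines (example code, not fail2ban's own; it assumes the combined log format, and its stand-in for fail2ban's <HOST> tag covers IPv4 only):

```python
import re
from collections import defaultdict
from datetime import datetime

# fail2ban expands <HOST> to a host/IP pattern; this stand-in is IPv4-only (assumption).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# The nginx-404 failregex from above, with <HOST> substituted.
FAILREGEX = re.compile(r'^' + HOST + r' -.*"(GET|POST|HEAD).*" 404')
TIME_RE = re.compile(r"\[([^\]]+)\]")
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed combined-format lines: a scanner, a legit visitor, and a slow trickle of 404s.
SAMPLE_LOG = """\
192.0.2.44 - - [10/Oct/2023:13:50:00 +0000] "GET /old-page HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:38 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:39 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:13:56:30 +0000] "GET /old-page HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:13:58:45 +0000] "GET /old-page HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""

def matches(line):
    """Return the offending host when the failregex hits the line, else None."""
    m = FAILREGEX.search(line)
    return m.group("host") if m else None

def find_banned(lines, maxretry, findtime_s):
    """Replay fail2ban's rule: ban a host once maxretry matches fall within findtime_s seconds."""
    hits = defaultdict(list)
    banned = []
    for line in lines:
        host = matches(line)
        if host is None:
            continue
        ts = datetime.strptime(TIME_RE.search(line).group(1), TIME_FMT)
        # Keep only this host's failures still inside the window, then add the new one.
        window = [t for t in hits[host] if (ts - t).total_seconds() <= findtime_s]
        window.append(ts)
        hits[host] = window
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned

if __name__ == "__main__":
    # With maxretry=3 over a 2-minute window only the fast scanner is banned;
    # the one-off favicon 404 and the slow trickle stay under the threshold.
    print(find_banned(SAMPLE_LOG.splitlines(), maxretry=3, findtime_s=120))
```

Lower maxretry or widen findtime and the slow 192.0.2.44 trickle gets banned too, which is exactly the false-positive trade-off the caution above describes.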