If you protect a path with Nginx HTTP Basic Auth (auth_basic), failed logins are written to the
Nginx error log. The built-in nginx-http-auth filter matches them.
1. The jail
In /etc/fail2ban/jail.local:
[nginx-http-auth]
enabled = true
filter = nginx-http-auth
port = http,https
logpath = /var/log/nginx/error.log
maxretry = 5
findtime = 10m
bantime = 1h
2. Reload
sudo fail2ban-client reload
3. Verify the filter matches
fail2ban-regex /var/log/nginx/error.log /etc/fail2ban/filter.d/nginx-http-auth.conf
A non-zero matched count (after a few failed logins) confirms it’s wired up. Then:
sudo fail2ban-client status nginx-http-auth
Custom log path? If your error_log directive points elsewhere (e.g. per-site logs), set
logpath to that file or use a glob like /var/log/nginx/*error.log.
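How maxretry and findtime from the jail above interact, as an added example (not part of the original page and not fail2ban's own code): it counts Basic Auth failures per client over a sliding window. The regex is a simplified stand-in for the shipped nginx-http-auth filter, and the log lines, IPs, hostnames and htpasswd path are constructed samples.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified pattern for illustration; NOT the regex shipped in nginx-http-auth.conf.
FAIL_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[error\] \d+#\d+: \*\d+ '
    r'user "[^"]*"(?:: password mismatch| was not found in "[^"]*"), '
    r'client: (?P<ip>[0-9a-fA-F.:]+),'
)

def would_ban(lines, maxretry=5, findtime=timedelta(minutes=10)):
    """Return {ip: time of the failure that reaches maxretry within findtime}."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    banned = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m or m["ip"] in banned:
            continue
        ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(ts)
        while ts - window[0] > findtime:  # drop failures older than findtime
            window.popleft()
        if len(window) >= maxretry:
            banned[m["ip"]] = ts
    return banned

def _line(ts, ip, msg):
    # Builds a constructed line in the shape of an Nginx error-log entry.
    return (f'{ts} [error] 1234#1234: *7 {msg}, client: {ip}, server: example.test, '
            f'request: "GET /admin/ HTTP/1.1", host: "example.test"')

# Constructed sample log (documentation IP ranges), not real traffic.
SAMPLE = (
    # 5 failures in 4 minutes: reaches maxretry inside findtime
    [_line(f"2024/05/01 10:0{i}:00", "203.0.113.10",
           'user "admin": password mismatch') for i in range(5)]
    # 5 failures spread over 48 minutes: never 5 inside one 10-minute window
    + [_line(f"2024/05/01 11:{i * 12:02d}:00", "198.51.100.7",
             'user "bob" was not found in "/etc/nginx/.htpasswd"') for i in range(5)]
    # unrelated error line: ignored by the pattern
    + ['2024/05/01 12:00:00 [error] 1234#1234: *9 open() "/var/www/x" failed '
       '(2: No such file or directory), client: 192.0.2.1, server: example.test']
)

if __name__ == "__main__":
    for ip, when in would_ban(SAMPLE).items():
        print(f"{ip} would be banned at {when}")
```

The second client never trips the jail with findtime = 10m; a slow guesser like that is only caught by widening findtime.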