If you protect a path with Nginx HTTP Basic Auth (auth_basic), failed logins are written to the Nginx error log. The built-in nginx-http-auth filter matches them.

1. The jail

In /etc/fail2ban/jail.local:

[nginx-http-auth]
enabled  = true
filter   = nginx-http-auth
port     = http,https
logpath  = /var/log/nginx/error.log
maxretry = 5
findtime = 10m
bantime  = 1h

2. Reload

sudo fail2ban-client reload

3. Verify the filter matches

fail2ban-regex /var/log/nginx/error.log /etc/fail2ban/filter.d/nginx-http-auth.conf

A non-zero matched count (after a few failed logins) confirms it’s wired up. Then:

sudo fail2ban-client status nginx-http-auth

Custom log path? If your error_log directive points elsewhere (e.g. per-site logs), set logpath to that file or use a glob like /var/log/nginx/*error.log.

Fail2ban Jail for Nginx HTTP Basic Auth (nginx-http-auth)

1. The jail

2. Reload

3. Verify the filter matches