ufwban
A little CLI tool (wrapping ufw) that reads Nginx access logs and blocks IPs based on simple rules. THIS IS NOT a replacement for fail2ban; I just do it for fun and to have a simple tool to quickly configure banning of undesired IPs.
This is a RUDE IP deny. It bans the IP on all machine ports with no ban time, so be careful!
Requirements
- ufw
- Nginx
- Python >= 3.10
Configuration
Create a conf.json next to the script. Use conf.json.example as a sample.
{
    "rules": {
        "codes": [],
        "contents": [],
        "agents": []
    },
    "whitelist": []
}
- codes: List of unauthorized HTTP codes
- contents: string parts that are not allowed in the request URL (ex: /x00, .json, .php, .env.local, etc.)
- agents: string parts that are not allowed in the user-agent (ex: bot)
- whitelist: List of IPs to whitelist (ex: 192.168.1.1)
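How rules of this shape can be evaluated against Nginx access log lines, as an added example that is not ufwban's own code. The log regex (Nginx default "combined" format), the function names, the plain substring matching and the sample config and log lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Nginx default "combined" log format (assumed; ufwban's real parser may differ).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)

def match_rule(line, conf):
    """Return (ip, reason) if the line trips a rule, else None."""
    m = LINE_RE.match(line)
    if m is None:
        return None  # unparsable line: never ban on a guess
    try:
        # Only a syntactically valid address may ever reach a firewall command.
        ip = str(ipaddress.ip_address(m["ip"]))
    except ValueError:
        return None
    if ip in conf.get("whitelist", []):
        return None  # whitelist wins over every rule
    rules = conf["rules"]
    if int(m["status"]) in [int(c) for c in rules["codes"]]:
        return ip, f"code {m['status']}"
    for part in rules["contents"]:
        if part in m["request"]:
            return ip, f"content {part!r}"
    for part in rules["agents"]:
        if part in m["agent"]:
            return ip, f"agent {part!r}"
    return None

def ips_to_ban(lines, conf):
    """Collect each offending IP once, with the first reason seen."""
    banned = {}
    for line in lines:
        hit = match_rule(line, conf)
        if hit and hit[0] not in banned:
            banned[hit[0]] = hit[1]
    return banned

# Constructed sample config and log lines (documentation address ranges).
CONF = {"rules": {"codes": [444], "contents": [".env", ".php"], "agents": ["bot"]}, "whitelist": ["192.0.2.10"]}
LOGS = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /.env.local HTTP/1.1" 404 153 "-" "curl/8.0"',
    '192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"',
    '198.51.100.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
]
print(ips_to_ban(LOGS, CONF))
```

The third sample line shows that a broad agent part such as bot also matches legitimate crawlers, so prefer narrower parts or whitelist the addresses that must stay reachable.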
Run
usage: ufwban [-h] [--dry-run] [--refresh] [--reload] [--live]
Ban ip from Nginx access logs based on simple rules.
options:
-h, --help show this help message and exit
--dry-run
--refresh Drop all the deny ip in the UFW table and return
--to-nginx Generate an Nginx deny configuration
--reload Reload the UFW firewall
--live Read inputs from stdin
- Batch mode:
# read all access.log*, parse Nginx log and ban ip
python ufwban.py
# you can launch a --dry-run mode to see which ip is going to be denied
python ufwban.py --dry-run
# drop all "DENY IN" ufw rules (be careful)
python ufwban.py --refresh
# generate an Nginx deny configuration (use --dry-run to see updates before applying)
python ufwban.py --to-nginx
- Live mode:
# Read and parse Nginx access logs on each new entry and ban ip
tail -f /var/log/nginx/access.log | python ufwban.py --live
In each mode, a log file, ufwban.log, records which IPs have been banned.