Banning with basic auth and Fail2Ban

If you protect your apps with basic auth alone, nothing stops people from trying to brute force their way in. By adding Fail2ban you can give a user (or an intruder) a fixed number of retries before their IP gets banned.

Creating the .htpasswd file

SSH into your server and create the .htpasswd file.

Use this command to create a .htpasswd file. Just drop the docker part if you don't run nginx in Docker. Note that -c creates the file and overwrites an existing one, so leave it out when adding further users.

docker exec -it letsencrypt htpasswd -c /config/nginx/.htpasswd USER-NAME

The outcome would be like this:

New password:
Re-type new password:
Adding password for user yourusername

If you choose to put the .htpasswd file in your web root, you can block access to it (and to any other dotfile) with this:

location ~ /\. {
    return 404;
}


Use the include syntax: create a basicauth.conf file and include it in every location block you want to protect.

include /config/nginx/basicauth.conf;

Here is an example (the closing braces were missing in the original snippet):

    # SABNZBD redirect
    location /sabnzbd {
        return 301 /sabnzbd/;
    }
    location ^~ /sabnzbd/ {
        include /config/nginx/basicauth.conf;
        include /config/nginx/proxy.conf;
        proxy_set_header Host $host;
    }

Note: This will not work if you use server-based authentication with Organizr. Read more here.

basicauth.conf contents

auth_basic "Restricted";
auth_basic_user_file /config/nginx/.htpasswd;


If you use linuxserver's letsencrypt container, Fail2ban should already be preconfigured to ban failed HTTP auth attempts.

If not, you can add this jail to your jail.local file:

[nginx-http-auth]
enabled  = true
filter   = nginx-http-auth
port     = http,https
logpath  = /config/log/nginx/error.log
ignoreip =

Note: ignoreip is there so that fail2ban won't ban your own local IP range. Check out if you are wondering what your netmask is.

  • The logpath is the path to your nginx error log

You also need to create a file called nginx-http-auth.conf in the filter.d folder of the fail2ban directory:

# fail2ban filter configuration for nginx

[Definition]

failregex = ^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), client: <HOST>, server: \S*, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"(, referrer: "\S+")?\s*$

ignoreregex =

# Based on samples in
# Extensive search of all nginx auth failures not done yet.
# Author: Daniel Black
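To see what the filter above actually catches, here is an added example (not from the original post or from fail2ban) that runs the page's failregex over constructed nginx error.log lines, the way fail2ban does: strip the timestamp, expand <HOST> to a capture group, then count failures per client against maxretry and ignoreip. The <HOST> stand-in, the log lines and the exact-match ignoreip handling are simplifications of the real fail2ban behaviour.

```python
import re
from collections import Counter

# failregex from the nginx-http-auth.conf filter shown above (copied verbatim).
FAILREGEX = (r'^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), '
             r'client: <HOST>, server: \S*, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"'
             r'(, referrer: "\S+")?\s*$')
# Fail2ban expands <HOST> to a named group; this IPv4/IPv6-literal stand-in is a simplification.
FAIL_RX = re.compile(FAILREGEX.replace('<HOST>', r'(?P<host>[0-9a-fA-F:.]+)'))
# Fail2ban removes the timestamp before matching, leaving " [error] ..." (hence the leading
# space in the failregex). nginx error.log lines start with "YYYY/MM/DD HH:MM:SS".
TIMESTAMP_RX = re.compile(r'^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}')

def auth_error(ts, conn, user, reason, client, path='/sabnzbd/'):
    """Build a constructed nginx error.log line in the format the filter expects."""
    return (f'{ts} [error] 325#325: *{conn} user "{user}"{reason}, client: {client}, '
            f'server: _, request: "GET {path} HTTP/1.1", host: "example.com"')

NOT_FOUND = ' was not found in "/config/nginx/.htpasswd"'
SAMPLE_LOG = [  # constructed sample data, not a real log
    auth_error('2017/11/04 15:14:58', 9, 'bob', ': password mismatch', '192.168.1.10'),
    auth_error('2017/11/04 15:14:58', 10, 'bob', ': password mismatch', '192.168.1.10'),
    auth_error('2017/11/04 15:52:04', 12, 'bob', ': password mismatch', '203.0.113.7'),
    auth_error('2017/11/04 15:52:06', 13, 'bob', ': password mismatch', '203.0.113.7'),
    auth_error('2017/11/04 15:52:16', 14, 'admin', NOT_FOUND, '203.0.113.7'),
    auth_error('2017/11/04 15:52:18', 15, 'bob', ': password mismatch', '203.0.113.7'),
    auth_error('2017/11/04 15:52:29', 16, 'bob', ': password mismatch', '203.0.113.7'),
    # An unrelated nginx error from the same client must not count as an auth failure.
    '2017/11/04 15:30:00 [error] 325#325: *11 open() "/config/www/favicon.ico" failed '
    '(2: No such file or directory), client: 203.0.113.7, server: _, '
    'request: "GET /favicon.ico HTTP/1.1", host: "example.com"',
]

def extract_failures(lines):
    """Return the client IP of every line the failregex matches, in log order."""
    hosts = []
    for line in lines:
        m = FAIL_RX.match(TIMESTAMP_RX.sub('', line, count=1))
        if m:
            hosts.append(m.group('host'))
    return hosts

def hosts_to_ban(lines, maxretry=5, ignoreip=()):
    """IPs with at least maxretry failures, minus ignoreip (exact matches only here;
    real fail2ban also accepts CIDR ranges and only counts failures within findtime)."""
    counts = Counter(extract_failures(lines))
    return sorted(h for h, n in counts.items() if n >= maxretry and h not in ignoreip)

if __name__ == '__main__':
    print(hosts_to_ban(SAMPLE_LOG, maxretry=5, ignoreip=('192.168.1.10',)))
```

With the local address in ignoreip only the external client reaches five matches and would be banned, mirroring the "Ignore by ip" and "Found" lines in the fail2ban.log output below.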

Fail2ban.log output

2017-11-04 15:14:58,867 fail2ban.filter         [308]: INFO    [nginx-http-auth] Ignore by ip
2017-11-04 15:14:58,868 fail2ban.filter         [308]: INFO    [nginx-http-auth] Ignore by ip
2017-11-04 15:52:04,055 fail2ban.filter         [308]: INFO    [nginx-http-auth] Found - 2017-11-04 15:52:04
2017-11-04 15:52:06,530 fail2ban.filter         [308]: INFO    [nginx-http-auth] Found - 2017-11-04 15:52:06
2017-11-04 15:52:16,989 fail2ban.filter         [308]: INFO    [nginx-http-auth] Found - 2017-11-04 15:52:16
2017-11-04 15:52:18,817 fail2ban.filter         [308]: INFO    [nginx-http-auth] Found - 2017-11-04 15:52:18
2017-11-04 15:52:29,309 fail2ban.filter         [308]: INFO    [nginx-http-auth] Found - 2017-11-04 15:52:29
2017-11-04 15:52:29,340 fail2ban.actions        [308]: NOTICE  [nginx-http-auth] Ban


If you managed to ban yourself, or a friend banned themselves, you can unban like this.

Get a shell in the container with:

docker exec -it letsencrypt bash

Enter fail2ban interactive mode:

fail2ban-client -i

Check the status of the jail:

status nginx-http-auth

Status for the jail: nginx-http-auth
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     5
|  `- File list:        /config/log/nginx/error.log
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:

Unban with:

set nginx-http-auth unbanip

If you already know the IP you want to unban you can just type this:

docker exec -it letsencrypt fail2ban-client set nginx-http-auth unbanip

For Fail2Ban integration with Organizr, check out my post here.
