🛡️ Hardening Your DigitalOcean Droplet: A Guide to Fail2Ban
If you are running a Flask or Node.js app on a DigitalOcean Droplet, you likely see bots “fuzzing” your server—scanning for /admin.php, wp-login.php, or other common vulnerabilities. Even if you aren’t running PHP, these requests waste your resources.
Fail2Ban is the industry-standard tool to solve this. It monitors your logs, detects these patterns, and automatically bans the offending IP addresses at the firewall level.
1. Installation
Start by updating your system and installing the Fail2Ban package.
sudo apt update
sudo apt install fail2ban -y
Check that the service is running:
sudo systemctl status fail2ban
2. Safe Configuration
Fail2Ban uses a .conf file for defaults, but you should create a .local file to store your custom settings. This prevents your changes from being overwritten during system updates.
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local
Essential Global Settings
Inside the [DEFAULT] section, ensure your own IP is safe and set your ban “aggression”:
- ignoreip: Add your home/office IP (e.g., 127.0.0.1/8 123.123.123.123) to avoid locking yourself out.
- bantime: How long the ban lasts (e.g., 1h, 24h).
- findtime: The window of time in which failures are counted (e.g., 10m).
- maxretry: Number of “strikes” allowed inside that window before the ban.
3. Creating a Custom “Anti-Fuzzer” Filter
Standard filters catch SSH attacks, but we need a custom rule to catch people scanning for PHP files on your non-PHP site.
Step A: Define the Pattern
Create a new filter definition:
sudo nano /etc/fail2ban/filter.d/nginx-fuzzing.conf
Paste this content:
[Definition]
failregex = ^<HOST> -.*"(GET|POST|HEAD) [^"]*\.(php|asp|aspx|jsp|cgi)(\?[^"]*)?( HTTP/[^"]*)?" 404 \S+
ignoreregex =
This regex identifies any IP that requests a script file (.php, .asp, .aspx, .jsp or .cgi) and receives a 404. It is anchored on the request line and on the status field, so a “404” appearing elsewhere on the line (in the referrer, or as the response size) does not count as a strike.
Step B: Enable the Jail
Add this to the bottom of your /etc/fail2ban/jail.local file:
[nginx-fuzzing]
enabled = true
port = http,https
filter = nginx-fuzzing
logpath = /var/log/nginx/access.log
maxretry = 5
findtime = 300
bantime = 24h
4. Management Commands
After any configuration change, you must restart the service:
sudo systemctl restart fail2ban
Monitoring Security
| Command | Description |
|---|---|
| sudo fail2ban-client status | See all active protection “jails.” |
| sudo fail2ban-client status nginx-fuzzing | See how many bots this jail has banned. |
| sudo fail2ban-client set [jail] unbanip [IP] | Use this if you accidentally ban a legitimate user. |
5. Why This Matters
By blocking these bots at the Nginx/Fail2Ban level, your application server doesn’t have to process junk traffic. This keeps your server fast, responsive, and secure.
