I have some rules in nginx to block trafic: bad bots/user agents, ips, wp-logins. All rules block with return 444
fail2ban is listing nginx logs, but can't diferenciate the rules all rules are 444.
I need any trick to differentiate the nginx rules inside the log to apply diffrent blocks with fail2ban. Is it possible?
Rather than making your webserver return 444, configure these nginx locations to not log anything. That way the CPU and disk IO saved writing the logs can be used for your real visitors.
CPU/IO time is also saved when you don't need fail2ban to scan through the logs.
Every real visitor is saved from being subject to IP/nftables rules slowing down their access.
You'll also be saved the anguish of looking at the logs and focusing on the background noise of the internet rather than the real visitors you care about.
