fix not working fail2ban, add jails for nginx

deployment/bare_metal/nginx/common/limit_requests.conf

@@ -1,3 +1,4 @@
 limit_req_zone $binary_remote_addr zone=frontend:20m rate=5r/s;
 limit_req_zone $binary_remote_addr zone=backend:25m rate=15r/s;
-limit_req_zone $binary_remote_addr zone=api:5m rate=30r/s;
+limit_req_zone $binary_remote_addr zone=api:5m rate=30r/s;
+limit_conn_zone $binary_remote_addr zone=addr:10m;

deployment/hetzner_cloud/cloudConfig.yaml

@@ -9,6 +9,7 @@ users:
 
 packages:
   - fail2ban
+  - python3-systemd
   - ufw
   - git
   - mariadb-server

deployment/hetzner_cloud/install.sh

@@ -80,6 +80,14 @@ expect eof
 ")
 echo "$SECURE_MYSQL"
 
+# Configure fail2ban, seems to not run out of the box on Debian 12
+echo -e "[sshd]\nbackend = systemd" | tee /etc/fail2ban/jail.d/sshd.conf
+# enable nginx-limit-req filter to block also user which exceed nginx request limiter
+echo -e "[nginx-limit-req]\nenabled = true\nlogpath  = $SCRIPT_PATH/log/nginx-error.*.log" | tee /etc/fail2ban/jail.d/nginx-limit-req.conf
+# enable nginx bad request filter 
+echo -e "[nginx-bad-request]\nenabled = true\nlogpath  = $SCRIPT_PATH/log/nginx-error.*.log" | tee /etc/fail2ban/jail.d/nginx-bad-request.conf
+systemctl restart fail2ban
+
 # Configure nginx
 rm /etc/nginx/sites-enabled/default
 envsubst "$(env | sed -e 's/=.*//' -e 's/^/\$/g')" < $SCRIPT_PATH/nginx/sites-available/gradido.conf.template > $SCRIPT_PATH/nginx/sites-available/gradido.conf