How to Secure an nginx Server with Fail2Ban

最新推荐文章于 2021-12-02 12:32:06 发布
最新推荐文章于 2021-12-02 12:32:06 发布
阅读量913 收藏
点赞数
分类专栏: Linux

http://snippets.aktagon.com/snippets/554-how-to-secure-an-nginx-server-with-fail2ban


Our Security Requirements

  • Block anyone trying to run scripts (.pl, .cgi, .exe, etc)
  • Block anyone trying to use the server as a proxy
  • Block anyone failing to authenticate using nginx basic authentication
  • Block anyone failing to authenticate using our application’s log in page
  • Block bad bots
  • Limit the number of connections per session

We could use ModSecurity to support these requirements, but it’s not compatible with nginx. We want a lightweight and easy-to-use solution. We can fulfill all these requirements with fail2ban and nginx.

Configuring Fail2ban

All except the last requirement of connection throttling is supported by Fail2Ban. To start blocking unwanted guests, put this in Fail2Ban’s jail.conf file:

[nginx-auth]
enabled = true
filter = nginx-auth
action = iptables-multiport[name=NoAuthFailures, port="http,https"]
logpath = /var/log/nginx*/*error*.log
bantime = 600 # 10 minutes
maxretry = 6

[nginx-login]
enabled = true
filter = nginx-login
action = iptables-multiport[name=NoLoginFailures, port="http,https"]
logpath = /var/log/nginx*/*access*.log
bantime = 600 # 10 minutes
maxretry = 6
 
[nginx-badbots]
enabled  = true
filter = apache-badbots
action = iptables-multiport[name=BadBots, port="http,https"]
logpath = /var/log/nginx*/*access*.log
bantime = 86400 # 1 day
maxretry = 1
 
[nginx-noscript]
enabled = true
action = iptables-multiport[name=NoScript, port="http,https"]
filter = nginx-noscript
logpath = /var/log/nginx*/*access*.log
maxretry = 6
bantime  = 86400 # 1 day
 
[nginx-proxy]
enabled = true
action = iptables-multiport[name=NoProxy, port="http,https"]
filter = nginx-proxy
logpath = /var/log/nginx*/*access*.log
maxretry = 0
bantime  = 86400 # 1 day

Filter configuration

The following filter configuration files are stored in /etc/fail2ban/filter.d/:

# Proxy filter /etc/fail2ban/filter.d/nginx-proxy.conf:
#
# Block IPs trying to use server as proxy.
#
# Matches e.g.
# 192.168.1.1 - - "GET http://www.something.com/
#
[Definition]
failregex = ^<HOST> -.*GET http.*
ignoreregex =
 
# Noscript filter /etc/fail2ban/filter.d/nginx-noscript.conf:
#
# Block IPs trying to execute scripts such as .php, .pl, .exe and other funny scripts.
#
# Matches e.g.
# 192.168.1.1 - - "GET /something.php
#
[Definition]
failregex = ^<HOST> -.*GET.*(\.php|\.asp|\.exe|\.pl|\.cgi|\scgi)
ignoreregex =
 
#
# Auth filter /etc/fail2ban/filter.d/nginx-auth.conf:
#
# Blocks IPs that fail to authenticate using basic authentication
#
[Definition]
 
failregex = no user/password was provided for basic authentication.*client: <HOST>
            user .* was not found in.*client: <HOST>
            user .* password mismatch.*client: <HOST>
 
ignoreregex =


#
# Login filter /etc/fail2ban/filter.d/nginx-login.conf:
#
# Blocks IPs that fail to authenticate using web application's log in page
#
# Scan access log for HTTP 200 + POST /sessions => failed log in
[Definition]
failregex = ^<HOST> -.*POST /sessions HTTP/1\.." 200
ignoreregex =

Testing fail2ban Rules

You should test your fail2ban rules with the fail2ban-regex command:

# Test against a log file
# fail2ban-regex <log file> <filter configuration>
fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx-login.conf 

# Test using strings
# fail2ban-regex <e.g. row from log file> <failure regex from filter configuration>
fail2ban-regex "127.1.1.1 - - [21/Feb/2012:10:31:08 +0200] \"POST /sessions HTTP/1.1\" 200 1532 \"https://xxx.com/sessions\" \"Mozilla/5.0 Safari/535.11\" \"-\"" "^<HOST> -.*POST /sessions HTTP/1\..\" 200"

Limiting the number of connections

We limit the number of connections to 2 per second and allow a burst of 50 with the following nginx configuration:

http {
    limit_req_zone  $binary_remote_addr  zone=app:10m   rate=2r/s; 
    ... 
    server {
         ... 
        location / {
            limit_req   zone=app burst=50;
        }

Note that you could also use Rack::Attack to implement many of these requirements.

References

http://wiki.nginx.org/HttpLimitReqModule
http://www.fail2ban.org/wiki/index.php/Main_Page
http://serverfault.com/questions/307575/fail2ban-doesnt-process-jail-even-though-regex-matches


leonpengweicn
关注
专栏目录
搭建docker内网私服(docker-registry with nginx&ssl on centos)
gnsydss的专栏
01-04 928
1. Docker Registry 说明 关于如何创建和使用本地仓库,其实已经有很多文章介绍了。因为docker技术正处于发展和完善阶段,所以有些文章要么内容已经过时,要么给出了错误的配置,导致无法正常创建仓库。本文记录的是个人完整的搭建过程,docker version为1.1.2。 官方提供了Docker Hub网站来作为一个公开的集中仓库。然而,本地访问Docker Hub速度往往很慢
nginx+fail2ban+iptables 服务器安全设置
qq_17054659的博客
09-15 1483
iptables设置 1.操作系统为centos7.2,默认firewalld防火墙,为了后续方便,需禁用firewalld启用iptables 2.#先检查是否安装了iptables service iptables status #安装iptables yum install -y iptables #...
sudo noPassword
RockyOnFire的专栏
11-29 2735
  title-----------------sudo noPassword-----------------------1.visudo as root2.put lliu ALL=(ALL) NOPASSWD:ALL after root3.now lliu can access sudo as sudoer and withought input password.----------
关于连接PostgreSQL时提示 FATAL: password authentication failed for user "连接用户名" 的解决办法
热门推荐
qq_35433306的博客
08-08 5万+
postgresql密码错误 FATAL: password authentication failed for user
loaded the "BlueView" nib but the view outlet was not set 错误的解决办法。
leonpengweicn的专栏
11-19 1万+
<br />今天在做练习创建多个视图程序的时候,老是出现下面这样的错误:<br /> <br /> p.p1 {margin: 0.0px 0.0px 0.0px 28.0px; text-indent: -28.0px; font: 11.0px Menlo} <br />'-[UIViewController _loadViewFromNibNamed:bundle:] loaded the "BlueView" nib but the view outlet was not set.'<b
fail2ban防暴力破解[nginx][sshd]
爱辉弟的博客
05-08 1046
介绍:fail2ban是一款实用软件,可以监视你的系统日志,然后匹配日志的错误信息(正则式匹配)执行相应的屏蔽动作。 #需要开启防火墙 安装fail2ban 系统环境Centos6 [root@localhost ~]# yum -y install wget [root@node1 ~]# wget -O /etc/yum.repos.d/epel.repo http://mirrors.ali...
Fail2ban的安装和使用
weixin_47934044的博客
05-20 8081
Fail2ban的安装和使用 1. 简介 CentOS 中使用fail2ban和firewalld限制IP拦截cc攻击 2. 安装和启动 • 安装 $ yum -y install fail2ban 安装后可以使用以下命令查看版本 $ fail2ban-client -V $ fail2ban-server -V 显示如下 Fail2Ban v0.9.7 Copyright © 2004-2008 Cyril Jaquier, 2008- Fail2Ban Contributors Copyright
fail2ban防止暴力破解-防止nginx服务器web目录被黑客扫描
vbird的博客
10-02 1万+
1. 背景 刚买了阿里云服务器,准备用来部署自己的一些站点。结果刚把lnmp环境搭建好,才一天的时间就被来自不同地域IP不断的扫描web站点目录,这运气怕是没几个人能遇到了,幸好之前有熟悉过防止暴力破解fail2ban服务。下面就来介绍一下这款服务软件。写这篇博客参加以下文章: http://www.361way.com/fail2ban-nginx/1825.html 参考-匹配RUL规则...
CentOS7下安装和使用Fail2ban
天涯ur的博客
12-13 3147
本文主要介绍一下CentOS7下Fail2ban安装以及如何和iptables联动来阻止恶意扫描和密码猜测等恶意攻击行为。 从CentOS7开始,官方的标准防火墙设置软件从iptables变更为firewalld。 为了使Fail2ban与iptables联动,需禁用自带的firewalld服务,同时安装iptables服务。因此,在进行Fail2ban的安装与使用前需根据博客CentOS7安装和...
Nginx反向代理,上游是https 443的服务,蜜罐HFish反向代理,Client sent an HTTP request to an HTTPS server
zyugat的博客
12-02 4517
给蜜罐HFish设置反向代理的时候,网页弹出了个 Client sent an HTTP request to an HTTPS server。 必须要 IP+端口,进行访问,我设置了代理域名,那我就要 域名:端口 这样访问。这明显不符合我所想的。 所以我上搜了下发现了篇解决办法 https://www.it-swarm.cn/zh/nginx/%E4%BD%BF%E7%94%A8%E4%B8%8A%E6%B8%B8ssl%E5%B0%86nginx%E9%85%8D%E7%BD%AE%E4%B8%BA%E
Nginx + fail2ban 提高安全性
Jerry的灌水乐园
09-21 4366
通过Nginx做web server时,发现error.log中有很多连接尝试,这个时候fail2ban可以比较好的对付这些爬虫,探测程序等。 # Install fail2ban sudo apt-get install fail2ban # Copy jail.conf at /etc/fail2ban/jail.local and edit it. [nginx-nosc
Nginx」- 配置基本认证(Basic Authentication) @20210217
k4nz
02-17 515
问题描述 配置 Nginx 基础认证(Basic Authentication),实现在访问站点时提示用户进行基础认证。 解决方法 第一步、添加用户 // 创建新的 .htpasswd 文件 # htpasswd -c /etc/apache2/.htpasswd "tom" New password: Re-type new password: Adding password for user tom // 追加用户到 .htpasswd 文件 # htpasswd /etc/apac.
使用 NGINX 流控和 fail2ban 防止 CC 攻击
第一天
07-19 1443
背景知识 CC * 者通过创建大量请求导致服务器资源耗尽,主要针对特定服务接口,属于实现 DoS 的一种方式(DoS *更多是针对网络端口,而不是具体服务接口)。 NGINX 流控 limit_req_zone:通过“漏桶”算法限制每个 IP 发起的请求频率。 limit_conn_zone:限制每个 IP 发起的连接数。 fail2ban 通过匹配服务器日志操作 iptables ...
dep waiting for lockfile /go/pkg/dep/sm.lock: Lockfile created, but doesn't exist
leonpengweicn的专栏
01-26 2553
waiting for lockfile /go/pkg/dep/sm.lock: Lockfile created, but doesn't exist env DEPNOLOCK=1 dep ensure -v
普通用户nginx访问不了_Nginx中的用户认证配置及阻止用户使用代理访问的方法...
weixin_42348371的博客
12-24 503
nginx用户认证配置( Basic HTTP authentication)ngx_http_auth_basic_module模块实现让访问着,只有输入正确的用户密码才允许访问web内容。web上的一些内容不想被其他人知道,但是又想让部分人看到。nginx的http auth模块以及Apache http auth都是很好的解决方案。默认情况下nginx已经安装了ngx_http_auth_b...
学学设计模式【观察者模式】
西瓜肚圆圆
10-28 721
观察者模式学习: 比如一个角色发生了变化,或者做了什么操作,要通知其他一系列对象做动作。又叫发布/订阅模式。  举个例子,比如 中国做了些事情,美国,小日本就急了,跟着做了些事情,中国就是被观察这,美帝国主义,日本等都是观察者 写了个例子,下面是个通用类图和一个例子的类图:     下面是例子的部分代码:   1.首先是一个观察者接口和具体的实现类, package com.
spoj XXXXXXXX
anantheparty的博客
03-17 1万+
树套树裸题,留个版 (树状数组套平衡树)#include<bits/stdc++.h> #define ll long long #define INF 1000000000 #define mp make_pair #define clr(x) memset(x,0,sizeof(x))using namespace std;inline int read() { register in
基于微信小程序的新生报到系统设计与实现.docx
09-13
基于微信小程序的新生报到系统设计与实现.docx
基于java的电商平台的设计与实现.docx
最新发布
09-13
基于java的电商平台的设计与实现.docx
fail2ban nginx
09-08
当你使用Nginx作为网页服务器时,可以结合使用Fail2Ban来增加安全性。Fail2Ban是一个用于防止恶意登录和暴力破解的工具,它监视日志文件并采取相应的措施来阻止攻击者。 要在Nginx上启用Fail2Ban,你可以按照以下...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值