When running Nginx as a web server, I noticed a lot of connection attempts in error.log; fail2ban is a good way to deal with these crawlers, probes and similar programs.
1. Policy configuration
# Install fail2ban
sudo apt-get install fail2ban
# Copy jail.conf to /etc/fail2ban/jail.local and add this jail to it.
[nginx-noscript]
enabled = true
port = http,https
filter = nginx-noscript
logpath = /usr/local/nginx-1.8.0/logs/error.log
maxretry = 1
findtime = 60
bantime = 7200
# Create /etc/fail2ban/filter.d/nginx-noscript.conf to block php script attacks.
# <HOST> is fail2ban's placeholder for the client IP to ban; fail2ban requires it in failregex.
[Definition]
failregex = ^.*(.*\.php).*failed.*client: <HOST>,.*"$
ignoreregex =
# Restart fail2ban service
sudo service fail2ban restart
# fail2ban Logs
/var/log/fail2ban.log
# Debug filter
fail2ban-regex /usr/local/nginx-1.8.0/logs/error.log /etc/fail2ban/filter.d/nginx-noscript.conf
# List all rules in iptables, with line numbers
sudo iptables -L --line-numbers
# Remove a rule added by fail2ban; n is the rule number from the listing.
sudo iptables -D fail2ban-nginx-noscript n
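To see what the jail above would do before enabling it, here is an added Python simulation (not the page's code and not fail2ban's own) that runs the failregex over constructed nginx error.log lines with the page's maxretry/findtime/bantime; it assumes `<HOST>` expanded to an IPv4 capture group.

```python
import re
from datetime import datetime, timedelta

# Jail settings from the page: maxretry = 1, findtime = 60, bantime = 7200
MAXRETRY, FINDTIME, BANTIME = 1, 60, 7200

# The page's failregex, with fail2ban's <HOST> placeholder expanded to an IPv4 group
# (assumption: fail2ban's real <HOST> also matches IPv6 and hostnames).
FAIL_RE = re.compile(r'^.*(.*\.php).*failed.*client: (?P<host>\d{1,3}(?:\.\d{1,3}){3}),.*"$')
TS_RE = re.compile(r'^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})')

def parse_failures(lines):
    """Yield (timestamp, ip) for every error.log line the filter matches."""
    for line in lines:
        m = FAIL_RE.match(line)
        ts = TS_RE.match(line)
        if m and ts:
            yield datetime.strptime(ts.group(1), "%Y/%m/%d %H:%M:%S"), m.group("host")

def simulate_jail(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Replay the log and return {ip: ban_start} for IPs that would be banned.

    Mirrors fail2ban's rule: ban once an IP accumulates `maxretry` matches
    within any `findtime`-second window (the ban then lasts `bantime`)."""
    window = {}   # ip -> failure timestamps still inside the findtime window
    bans = {}
    for ts, ip in sorted(parse_failures(lines)):
        recent = [t for t in window.get(ip, []) if ts - t <= timedelta(seconds=findtime)]
        recent.append(ts)
        window[ip] = recent
        if len(recent) >= maxretry and ip not in bans:
            bans[ip] = ts
    return bans

# Constructed sample error.log lines (not real traffic), in nginx's error_log format.
SAMPLE_LOG = [
    '2015/09/01 10:00:01 [error] 1234#0: *1 open() "/usr/local/nginx-1.8.0/html/phpmyadmin/index.php" failed (2: No such file or directory), client: 203.0.113.7, server: example.com, request: "GET /phpmyadmin/index.php HTTP/1.1", host: "example.com"',
    '2015/09/01 10:00:05 [error] 1234#0: *2 open() "/usr/local/nginx-1.8.0/html/favicon.ico" failed (2: No such file or directory), client: 198.51.100.9, server: example.com, request: "GET /favicon.ico HTTP/1.1", host: "example.com"',
    '2015/09/01 10:00:09 [error] 1234#0: *3 open() "/usr/local/nginx-1.8.0/html/wp-login.php" failed (2: No such file or directory), client: 203.0.113.7, server: example.com, request: "GET /wp-login.php HTTP/1.1", host: "example.com"',
]

if __name__ == "__main__":
    for ip, since in simulate_jail(SAMPLE_LOG).items():
        print(f"ban {ip} from {since} for {BANTIME}s")
```

The favicon.ico miss from the second client never matches because the regex requires `.php`, which is the whole point of the filter: ordinary 404s do not get anyone banned.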
2. Searching and analysing the logs
Because fail2ban rotates its log periodically, looking up an IP address means searching all of the log files, which zgrep can do (the glob also covers the compressed rotated files):
zgrep -c 210.213. /var/log/fail2ban.*
3. Configuration files
/etc/fail2ban/fail2ban.*
4. Logrotate configuration: /etc/logrotate.d/fail2ban
/var/log/fail2ban.log {
    weekly
    rotate 4
    compress
    delaycompress
    missingok
    postrotate
        fail2ban-client set logtarget /var/log/fail2ban.log >/dev/null
    endscript
    # If fail2ban runs as non-root it still needs to have write access
    # to logfiles.
    # create 640 fail2ban adm
    create 640 root adm
}
5. Permanently Ban Repeat Offenders With Fail2Ban