linux - 使用fail2ban 为nginx保驾护航

参考：https://easyengine.io/tutorials/nginx/fail2ban/

安装：

$ apt-get install fail2ban

安装后：

$ cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

然后修改 jail.local的内容：

[nginx-req-limit]

enabled = true
filter = nginx-req-limit
action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
logpath = /var/log/nginx/access.log
findtime = 60
maxretry = 600
bantime = 600

新增文件：/etc/fail2ban/filter.d/nginx-req-limit.conf

# Fail2Ban configuration file
#
# supports: ngx_http_limit_req_module module

[Definition]

failregex =  -.*- .*HTTP/1.* .* .*$

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

查看配置: 

$ fail2ban-client -d

测试： （修改下面的 /tmp/test.log 文件）

root@app:/var/log# fail2ban-regex /tmp/test.log /etc/fail2ban/filter.d/nginx-req-limit.conf

Running tests
=============

Use   failregex filter file : nginx-req-limit, basedir: /etc/fail2ban
Use         log file : /tmp/test.log
Use         encoding : UTF-8


Results
=======

Failregex: 112 total
|-  #) [# of hits] regular expression
|   1) [112]  -.*- .*HTTP/1.* .* .*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [112] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-
( 这里说明： 解析了112行， 匹配到了112行） 
Lines: 112 lines, 0 ignored, 112 matched, 0 missed [processed in 0.01 sec]

日志如下：

222.68.34.237 - - [01/Jul/2019:19:27:16 +0800]  "GET /comp_recruit_infos/414?query=http%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3DOWASP%2520ZAP HTTP/1.1" 403 178 "https://www.wondercv.com/campus_recruiting/user_show?page=102" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0" -
222.68.34.237 - - [01/Jul/2019:19:27:16 +0800]  "GET /comp_recruit_infos/39 HTTP/1.1" 403 178 "https://www.wondercv.com/campus_recruiting/user_show?page=101" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0" -
222.68.34.237 - - [01/Jul/2019:19:27:16 +0800]  "GET /comp_recruit_infos/34 HTTP/1.1" 403 178 "https://www.wondercv.com/campus_recruiting/user_show?page=108" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0" -
222.68.34.237 - - [01/Jul/2019:19:27:16 +0800]  "POST /comp_recruit_infos/401/post HTTP/1.1" 403 178 "https://www.wondercv.com/comp_recruit_infos/401" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0" -
222.68.34.237 - - [01/Jul/2019:19:27:16 +0800]  "POST /comp_recruit_infos/366/post HTTP/1.1" 403 178 "https://www.wondercv.com/comp_recruit_infos/366" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0" -
（下面重复100行）

最后，查看fail2ban的结果：

root@app:/etc/fail2ban# tail /var/log/fail2ban.log -f
2019-07-01 19:37:30,820 fail2ban.filter         [32746]: INFO    Set jail log file encoding to UTF-8
2019-07-01 19:37:30,824 fail2ban.jail           [32746]: INFO    Initiated 'pyinotify' backend
2019-07-01 19:37:30,834 fail2ban.filter         [32746]: INFO    Added logfile = /var/log/nginx/access.log
2019-07-01 19:37:30,838 fail2ban.filter         [32746]: INFO    Set maxRetry = 600
2019-07-01 19:37:30,838 fail2ban.filter         [32746]: INFO    Set findtime = 60
2019-07-01 19:37:30,839 fail2ban.filter         [32746]: INFO    Set jail log file encoding to UTF-8
2019-07-01 19:37:30,839 fail2ban.actions        [32746]: INFO    Set banTime = 600
2019-07-01 19:37:30,845 fail2ban.jail           [32746]: INFO    Jail 'sshd' started
2019-07-01 19:37:30,852 fail2ban.jail           [32746]: INFO    Jail 'nginx-req-limit' started
2019-07-01 19:37:31,463 fail2ban.actions        [32746]: NOTICE  [nginx-req-limit] Ban 222.68.34.237

如果不小心ban了ip , 可以使用这个方法手动解封：

建立ip白名单：