Posted in: 网络随笔

Fail2ban 0.10的nginx防御filter及设置

Ubuntu20自带的fail2ban为v0.10。

Fail2ban自从0.9启用了数据库支持,好处是以前封的IP有保存,下次重启可以保持原有IP的封锁,坏处有两个,一个开机比较慢,非常慢,另外就是一个大坑,如果你在测试filter时,明明规则正确,但是测试阶段封掉的ip总是会回来,导致调试filter工作看不到效果,我折腾了一天才发现是数据库的问题,所以我禁用了fail2ban的数据库支持:

sudo vi fail2ban.local

添加

[Definition]
 
# Options: dbfile
# Notes.: Set the file for the fail2ban persistent data to be stored.
#         A value of ":memory:" means database is only stored in memory
#         and data is lost when fail2ban is stopped.
#         A value of "None" disables the database.
# Values: [ None :memory: FILE ] Default: /var/lib/fail2ban/fail2ban.sqlite3
dbfile = None

我目前正在使用的nginx的filter过滤器内容:

sudo vi /etc/fail2ban/filter.d/nginx-custom.conf

内容如下:

# Fail2Ban configuration file
#
# Custom regex patterns to ban known (and unwanted) access attempts.
# Based off my own server logs.

[Definition]

badagents = ZmEu|Auto Spider 1.0|zgrab/[0-9]*\.[0-9a-zA-Z]*|Wget\(.*\)|MauiBot.*|AspiegelBot.*|SemrushBot.*|PHP/.*

failregex = ^<HOST> -.*"(GET|POST|HEAD).*HTTP.*(?:%(badagents)s)"$
            ^<HOST> .* ".*\\x.*" .*$
            ^<HOST> -.*"(GET|POST|HEAD) .+ThinkPHP.+$
	    ^<HOST> -.*"(GET|POST|HEAD) .+wp-admin.+$
	    ^<HOST> -.*"(GET|POST|HEAD) .+wp-config.+$
            ^<HOST> -.*"(GET|POST|HEAD) .+wp-login\.php.*$
	    ^<HOST> -.*"(GET|POST|HEAD) /login\.cgi.*$
            ^<HOST> -.*"(GET|POST|HEAD) /polycom/.*$
            ^<HOST> -.*"(GET|POST|HEAD) /provision.*/.*$
            ^<HOST> -.*"(GET|POST|HEAD) /run\.py.*$
            ^<HOST> -.*"(GET|POST|HEAD) /struts.*$
            ^<HOST> -.*"(GET|POST|HEAD) /wls-wsat.*$
            ^<HOST> -.*"(GET|POST|HEAD) /wuwu11\.php.*$
            ^<HOST> -.*"(GET|POST|HEAD) .+wwwroot\.rar.*$
	    ^<HOST> -.*"(GET|POST|HEAD) .+wwwroot\.zip.*$
	    ^<HOST> -.*"(GET|POST|HEAD) .+\.aspx .+$
            ^<HOST> -.*"(GET|POST|HEAD) .+phpunit.+$
            ^<HOST> -.*"(GET|POST|HEAD) .+adminer\.php .+$
	    ^<HOST> -.*"(GET|POST|HEAD) .+XDEBUG.+$
	    ^<HOST> -.*"(GET|POST|HEAD) .+sellers\.json .+$
	    ^<HOST> -.*"(GET|POST|HEAD) .+ajax-index\.php .+$
	    ^<HOST> -.*"(GET|POST|HEAD) .+dede\/login\.php .+$
	    ^<HOST> -.*"(GET|POST|HEAD) .+plus\/recommend\.php .+$
	    ^<HOST> -.*"(GET|POST|HEAD) .+e\/install\/index.php .+$
	    ^<HOST> -.*"(GET|POST|HEAD) .+m\/e\/install\/index\.php .+$
	    ^<HOST> -.*"(GET|POST|HEAD) .+e_bak\/install\/index.php .+$
	    ^<HOST> -.*"(GET|POST|HEAD) .+Go-http-client.+$
	    ^<HOST> -.*"(GET|POST|HEAD) .+Apache-HttpClient.+$
	    ^<HOST> -.*"(GET|POST|HEAD) .+python-requests.+$
	    ^<HOST> -.*"(GET|POST|HEAD) .+bidswitchbot.+$
	    ^<HOST> -.*"(GET|POST|HEAD) .+Google-adstxt.+$
	    ^<HOST> -.*"(GET|POST|HEAD) /.git/HEAD.*$
            ^<HOST> -.*"(GET|POST|HEAD) /TP/public/index\.php.*$
            ^<HOST> -.*"(GET|POST|HEAD) /admin/login\.php.*$
            ^<HOST> -.*"(GET|POST|HEAD) /allstat\.php.*$
            ^<HOST> -.*"(GET|POST|HEAD) /cfg/.*$
            ^<HOST> -.*"(GET|POST|HEAD) /cisco/.*$
            ^<HOST> -.*"(GET|POST|HEAD) /config.*/.*$
            ^<HOST> -.*"(GET|POST|HEAD) /firmware/.*$
            ^<HOST> -.*"(GET|POST|HEAD) /linksys/.*$
            ^<HOST> -.*"POST /rpc/trackback/.*$
            
   

ignoreregex =

#End
sudo nano /etc/fail2ban/jail.local

启用自定义nginx-custom模块:

[nginx-custom]
enabled  = true
port     = http,https
filter   = nginx-custom
logpath  = /var/log/nginx/access.log
maxretry = 1
bantime  = 86400
findtime = 86400

其中的logpath就是需要过滤的访问日志文件

sudo fail2ban-client reload
sudo fail2ban-client status nginx-custom

返回结果

Status for the jail: nginx-custom
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	31
|  `- File list:	/var/log/nginx/access.log
`- Actions
   |- Currently banned:	22
   |- Total banned:	22
   `- Banned IP list:	45.155.205.108 121.235.207.204 192.241.204.148 83.150.213.220 35.181.87.238 35.225.94.95 185.191.171.5 185.191.171.40 173.236.242.79 18.231.94.162 23.97.154.104 185.191.171.9 185.191.171.42 104.131.60.154 185.191.171.39 143.110.137.82 52.64.20.252 112.213.97.64 206.189.231.196 149.202.8.66 192.241.203.197 192.241.222.109

引用网址:https://confluence.jaytaala.com/display/TKB/Implement+fail2ban+with+custom+apache+filter%2C+ipset%2C+and+a+sample+based+verification+approach

发表评论

您的电子邮箱地址不会被公开。 必填项已用*标注