fail2ban watches the log file of a given program and, when it finds the configured failure pattern, bans (jails) the offending IP at the firewall.
Concrete requirement for this example: monitor nginx; if one IP triggers 10 page requests answered with HTTP 404 within 1 minute, ban that IP for 1 day. Purpose: stop malicious path scanning.
For installing fail2ban itself see: Fail2Ban安装和使用保护SSH免受暴力攻击-XQLEE'Blog (installing and using Fail2Ban to protect SSH from brute-force attacks).
sudo apt install nginx -y
Check that nginx is running:
sudo service nginx status
Sample lines from the default nginx access log (the first and last lines are 404 responses; the 304 lines are normal cached page loads and must not count as failures):
192.168.153.1 - - [25/Apr/2025:03:13:36 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "http://192.168.153.132/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36 Edg/135.0.0.0"
192.168.153.1 - - [25/Apr/2025:03:13:38 +0000] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36 Edg/135.0.0.0"
192.168.153.1 - - [25/Apr/2025:03:13:38 +0000] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36 Edg/135.0.0.0"
192.168.153.1 - - [25/Apr/2025:03:13:48 +0000] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36 Edg/135.0.0.0"
192.168.153.1 - - [25/Apr/2025:03:13:48 +0000] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36 Edg/135.0.0.0"
192.168.153.1 - - [25/Apr/2025:03:13:48 +0000] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36 Edg/135.0.0.0"
192.168.153.1 - - [25/Apr/2025:03:13:48 +0000] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36 Edg/135.0.0.0"
192.168.153.1 - - [25/Apr/2025:03:13:48 +0000] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36 Edg/135.0.0.0"
192.168.153.1 - - [25/Apr/2025:03:13:49 +0000] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36 Edg/135.0.0.0"
192.168.153.1 - - [25/Apr/2025:03:13:51 +0000] "GET /abs HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36 Edg/135.0.0.0"
Write a custom filter
Filter file name: my-nginx.local
cd /etc/fail2ban/filter.d/
sudo vi my-nginx.local
Why a .local file rather than .conf? fail2ban reads NAME.conf and then NAME.local for the same filter name, so a .local file survives package upgrades that overwrite the shipped .conf files. See: Fail2Ban 配置官方建议-XQLEE'Blog (official Fail2Ban configuration recommendations).
Restart the fail2ban service
sudo service fail2ban restart
Check the fail2ban log
vi /var/log/fail2ban.log
If the filter or jail fails to load, the error is reported here as well.
Check the jail status (the my-nginx jail shows up next to the default sshd jail):
ubuntu@ubuntu2404:/etc/fail2ban/jail.d$ sudo fail2ban-client status
Status
|- Number of jail: 2
`- Jail list: my-nginx, sshd
ubuntu@ubuntu2404:/etc/fail2ban/jail.d$ sudo fail2ban-client status my-nginx
Status for the jail: my-nginx
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- File list: /var/log/nginx/access.log
`- Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:
ubuntu@ubuntu2404:/etc/fail2ban/jail.d$
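The page does not show the contents of my-nginx.local or of the jail definition that produced the status above, so the following is an added example, not code from the page or from the fail2ban project: a small Python script that carries an assumed filter (FILTER_LOCAL) and jail (JAIL_LOCAL) implementing the stated "10 × 404 in 60 seconds, ban 1 day" rule, and emulates what fail2ban does with them against constructed access-log lines. Python is used because fail2ban's failregex is a Python regular expression; HOST_RE is an IPv4-only stand-in for fail2ban's <HOST> tag, and the log lines in sample_log() are constructed, not captured from the page's server.

```python
"""Emulate the my-nginx jail described on this page.

Added illustration, not fail2ban's own code and not the page author's
configuration files.  FILTER_LOCAL and JAIL_LOCAL are an assumed
configuration meeting the stated requirement: 10 HTTP 404 responses to
one client IP within 1 minute bans that IP for 1 day.  run_jail()
reproduces what fail2ban does with them: strip the timestamp, apply
failregex, count hits per IP inside findtime, ban at maxretry.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed /etc/fail2ban/filter.d/my-nginx.local.  fail2ban cuts the matched
# timestamp out of the line before applying failregex, so the pattern has
# an empty "[]" where "[25/Apr/2025:03:13:36 +0000]" used to be.
FILTER_LOCAL = r"""
[Definition]
failregex = ^<HOST> - \S+ \[\] "(?:GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH) [^"]*" 404 \d+ "
ignoreregex =
"""

# Assumed /etc/fail2ban/jail.d/my-nginx.local: findtime/maxretry/bantime
# encode "10 x 404 within 60 s -> ban for 86400 s".
JAIL_LOCAL = """
[my-nginx]
enabled  = true
port     = http,https
filter   = my-nginx
logpath  = /var/log/nginx/access.log
findtime = 60
maxretry = 10
bantime  = 86400
"""

# Stand-in for fail2ban's <HOST> tag, IPv4 only (the real tag also matches
# IPv6 addresses and hostnames).
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"
# nginx $time_local as written by the default log format.
DATE_RE = re.compile(r"\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")


def compile_failregex(filter_text: str) -> re.Pattern:
    """Extract failregex from the filter text and turn <HOST> into a named group."""
    line = next(l for l in filter_text.splitlines() if l.startswith("failregex"))
    pattern = line.split("=", 1)[1].strip()
    return re.compile(pattern.replace("<HOST>", HOST_RE))


def run_jail(lines, maxretry=10, findtime=60, bantime=86400):
    """Feed access-log lines through the filter and jail logic.

    Returns {ip: ISO-8601 ban expiry} for every IP that accumulated
    maxretry matches within a findtime-second window.
    """
    failregex = compile_failregex(FILTER_LOCAL)
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside findtime
    banned = {}
    for raw in lines:
        m = DATE_RE.search(raw)
        if not m:
            continue   # fail2ban would warn "no date found" and skip the line
        ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
        hit = failregex.search(raw[:m.start()] + "[]" + raw[m.end():])
        if not hit:
            continue   # e.g. a 200/304 line: not a failure
        ip = hit.group("host")
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()   # forget failures older than findtime
        if len(window) >= maxretry:
            banned[ip] = (ts + timedelta(seconds=bantime)).isoformat()
            window.clear()     # counter starts over once the IP is banned
    return banned


def sample_log():
    """Constructed access-log lines in nginx's default format (not captured
    from the page's server), covering three client behaviours."""
    base = datetime(2025, 4, 25, 3, 13, 36, tzinfo=timezone.utc)

    def line(ip, t, req, status, size):
        stamp = t.strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{stamp}] "{req}" {status} {size} "-" "Mozilla/5.0 (constructed)"'

    lines = [  # ordinary browser: one missing favicon, then a cached page
        line("192.168.153.1", base, "GET /favicon.ico HTTP/1.1", 404, 196),
        line("192.168.153.1", base + timedelta(seconds=2), "GET / HTTP/1.1", 304, 0),
    ]
    for i in range(10):   # scanner: ten different missing paths in ten seconds
        lines.append(line("10.0.0.5", base + timedelta(seconds=i),
                          f"GET /{i}.php HTTP/1.1", 404, 196))
    for i in range(10):   # slow probe: one 404 every two minutes, never 10 in 60 s
        lines.append(line("10.0.0.9", base + timedelta(minutes=2 * i),
                          "GET /backup.zip HTTP/1.1", 404, 196))
    return lines


if __name__ == "__main__":
    for ip, until in run_jail(sample_log()).items():
        print(f"banned {ip} until {until}")
```

Only the scanner gets banned: the browser's single favicon 404 and the slow probe's spread-out hits never reach maxretry inside one findtime window, which is the behaviour the real jail should show. Before restarting the service, the real filter file can be checked the same way against the real log with `fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/my-nginx.local`, which reports how many lines matched and flags lines whose date could not be parsed.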
Testing from the Windows host
Use a browser to request a path that does not exist. A default nginx install only serves /, nothing else, so the test URL is: http://192.168.153.132/test.html
After 5 requests the page stops loading entirely (the test run here used a lower threshold and a shorter ban than the 10-in-1-minute / 1-day rule stated at the top). Check from the server's command line:
The IP has been banned.
Some will ask why the banned address looks like a router IP. The server runs in VMware in NAT mode, so the physical host acts as its gateway and every request arrives from the gateway address.
Because the ban time in this test was only 60 seconds, the site becomes reachable again after a short wait.
Ban state as shown by the command
Access from the browser
The IP can also be released early from the server with:
sudo fail2ban-client set my-nginx unbanip 192.168.153.1
https://blog.xqlee.com/article/2504251110174178.html