fail2ban+nginx
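# cat /data/program/nginx/conf/nginx.conf
http {
    include mime.types;
    default_type application/octet-stream;
    # One shared-memory zone keyed on the client address: 20 requests per minute per IP.
    # Behind a reverse proxy or load balancer every client arrives with the proxy's
    # address, so the key would have to be taken from the forwarded client address.
    limit_req_zone $binary_remote_addr zone=allips:10m rate=20r/m;
    sendfile on;
    server {
        listen 80;
        server_name localhost;
        location / {
            root html;
            index index.html index.htm;
        }
        error_page 500 502 503 504 /50x.html;
        # limit_req is applied only in this location, so only requests for /50x.html
        # are throttled and produce the "limiting requests" error-log line that the
        # fail2ban filter keys on; "location /" above is unlimited. To protect the
        # whole site, place limit_req at server scope or in "location /".
        # burst=3 nodelay: up to 3 requests above the rate are served at once, anything
        # beyond that is answered with 503 (the default limit_req_status).
        location = /50x.html {
            root html;
            limit_req zone=allips burst=3 nodelay;
        }
        # (the server and http blocks continue past the end of the original listing)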
# cat test.sh
# NOTE(review): this loop header is garbled — everything between "i" and ">test.log"
# (the loop bound/increment, "do", and the request command whose output is appended
# to test.log) was lost in extraction, so what survives is not valid bash. Judging by
# the error-log lines further down the page it issued HEAD requests for /50x.html,
# but the exact command is not recoverable from this page.
for (( i=0;i>test.log ;
sleep 1
done
# sh test.sh
# sh test.sh
# cat test.log |grep 503|wc -l
74
# cat test.log |grep 200|wc -l
46
# tail -f /data/program/nginx/logs/error.log
2018/04/24 23:46:24 13440#0: *76815 limiting requests, excess: 3.108 by zone "allips", client: 192.168.2.230, server: localhost, request: "HEAD /50x.html HTTP/1.1", host: "192.168.3.232"
2018/04/24 23:46:26 13440#0: *76817 limiting requests, excess: 3.433 by zone "allips", client: 192.168.2.230, server: localhost, request: "HEAD /50x.html HTTP/1.1", host: "192.168.3.232"
2018/04/24 23:46:27 13440#0: *76818 limiting requests, excess: 3.090 by zone "allips", client: 192.168.2.230, server: localhost, request: "HEAD /50x.html HTTP/1.1", host: "192.168.3.232"
# cat /etc/fail2ban/filter.d/nginx-req-limit.conf
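# Fail2Ban configuration file
#
# supports: ngx_http_limit_req_module module
#
# Matches the nginx error-log line written when limit_req rejects a request, e.g.
#   ... limiting requests, excess: 3.108 by zone "allips", client: 192.168.2.230, server: ...
# <HOST> is fail2ban's client-address capture. The listing on this page had lost it
# (angle-bracket tokens are dropped by HTML extraction); fail2ban refuses a failregex
# with no host capture, so without it the jail would never ban anything.
[Definition]
failregex = .* limiting requests, excess:.* by zone.*client: <HOST>, .*
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =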
# cat /etc/fail2ban/jail.conf
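# Jail name taken from the iptables chain shown on this page (fail2ban-nginx-req-limit),
# which fail2ban derives from the jail name. The section header is required; without it
# these keys are read as part of whatever section precedes them. Put the jail in
# jail.local rather than jail.conf so a package upgrade does not overwrite it.
[nginx-req-limit]
enabled = true
port = https,http
filter = nginx-req-limit
logpath = /data/program/nginx/logs/error.log
# 20 "limiting requests" lines from the same client within 60 s trigger a ban.
maxretry = 20
findtime = 60
# 60 s is a test value; for production raise it, otherwise the ban expires while the
# flood is still running.
bantime = 60
# Multi-line values must have their continuation lines indented (the indent may have
# been lost in this listing). sendmail-whois-lines needs a working MTA; without a
# logpath= argument it may mail an empty log excerpt — check the action's defaults.
action = iptables-multiport
         sendmail-whois-lines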
# service fail2ban start
# iptables -nvL
Chain INPUT (policy ACCEPT 463K packets, 40M bytes)
pkts bytes target prot opt in out source destination
0 0 fail2ban-nginx-req-limit tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 443,80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 371K packets, 37M bytes)
pkts bytes target prot opt in out source destination
Chain fail2ban-nginx-req-limit (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
# sh test.sh
# iptables -nvL
Chain INPUT (policy ACCEPT 4370 packets, 354K bytes)
pkts bytes target prot opt in out source destination
226 15216 fail2ban-nginx-req-limit tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 443,80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 3505 packets, 305K bytes)
pkts bytes target prot opt in out source destination
Chain fail2ban-nginx-req-limit (1 references)
pkts bytes target prot opt in out source destination
10 600 REJECT all -- * * 192.168.2.230 0.0.0.0/0 reject-with icmp-port-unreachable
216 14616 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
# iptables -nvL --line-numbers
# iptables -D fail2ban-nginx-req-limit 1
# service fail2ban stop