Using fail2ban to handle malicious scanning against nginx
Recently I heard that a peer company's database had been breached, and the boss asked us to check our own site as well. While reviewing the nginx logs I likewise found that someone had been running malicious scans against us. Also to keep others from maliciously scraping data from the company site, I decided to use fail2ban together with iptables to ban these IPs automatically.
The malicious scanning found in the logs:
access.log:112.122.134.43 - - [06/Oct/2012:21:27:22 +0800] "HEAD /flashfxp.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)" "-"
access.log:112.122.134.43 - - [06/Oct/2012:21:27:22 +0800] "HEAD /ip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)" "-"
access.log:112.122.134.43 - - [06/Oct/2012:21:27:23 +0800] "HEAD /1.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)" "-"
access.log:112.14.63.7 - - [06/Oct/2012:21:27:23 +0800] "HEAD /flashfxp.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)" "-"
access.log:114.112.29.44 - - [06/Oct/2012:21:27:23 +0800] "HEAD /flashfxp.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)" "-"
access.log:114.112.29.44 - - [06/Oct/2012:21:27:23 +0800] "HEAD /ip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)" "-"
access.log:114.112.29.44 - - [06/Oct/2012:21:27:23 +0800] "HEAD /1.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)" "-"
access.log:112.122.134.43 - - [06/Oct/2012:21:27:23 +0800] "HEAD /2.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)" "-"
access.log:112.14.63.7 - - [06/Oct/2012:21:27:23 +0800] "HEAD /ip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)" "-"
access.log:112.122.134.43 - - [06/Oct/2012:21:27:23 +0800] "HEAD /wwwroot.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)" "-"
access.log:112.14.63.7 - - [06/Oct/2012:21:27:23 +0800] "HEAD /1.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)" "-"
access.log:114.112.29.44 - - [06/Oct/2012:21:27:23 +0800] "HEAD /2.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)" "-"
access.log:112.122.134.43 - - [06/Oct/2012:21:27:23 +0800] "HEAD /www.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)" "-"
access.log:112.122.134.43 - - [06/Oct/2012:21:27:24 +0800] "HEAD /web.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)" "-"
access.log:210.72.75.212 - - [06/Oct/2012:21:27:24 +0800] "HEAD /flashfxp.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)" "-"
access.log:114.112.29.44 - - [06/Oct/2012:21:27:24 +0800] "HEAD /wwwroot.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)" "-"
Some people back up their site periodically, and the backup archive often ends up with a name like the ones above; these malicious scanners hope to hit such a file and download it directly. How evil…
I won't cover installing fail2ban here; an earlier post of mine already described the installation. If you do not want to install it with yum from the rpmforge repository, the rpm packages can be found at http://pkgs.repoforge.org/fail2ban/, or you can fetch the source package from sourceforge and build it yourself. After installation, create the file nginx.conf in /etc/fail2ban/filter.d/ with the following content:
[Definition]
failregex = <HOST> -.*- .*HTTP/1.* 404 .*$
ignoreregex =
Note: the filter works by collecting every IP whose requests returned 404 within a given period; the conditions defined below then pick out the IPs that meet the rule.
Open the /etc/fail2ban/jail.local configuration file and append the following at the end:
[nginx-get-dos]
enabled = true
port = http,https
# the nginx.conf filter file we created above
filter = nginx
# location of the log file
logpath = /logs/nginx/361way.access.log
# ban the IP after this many failures
maxretry = 20
# the time window (seconds) in which matching requests are counted
findtime = 60
# how long (seconds) the IP stays banned
bantime = 3600
action = iptables[name=HTTP, port=http, protocol=tcp]
# whitelisted IPs
#ignoreip = 192.168.1.2
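As an added example (not from the post and not fail2ban's own code), the script below replays the jail logic in Python over constructed sample lines in the same format as the log above: it applies the post's failregex with `<HOST>` substituted roughly the way fail2ban does, then counts matches per IP inside `findtime` to show which IPs `maxretry` would ban, so the thresholds can be tuned before real traffic is blocked. The `STRICT` pattern is my own alternative, not part of the post; it is there because the post's regex also matches a 200 response whose body size happens to be 404 bytes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The failregex from the post's nginx.conf. fail2ban replaces <HOST> with a
# named group; the substitution in compile_failregex approximates that (assumption).
LOOSE = r"<HOST> -.*- .*HTTP/1.* 404 .*$"
# Tighter variant (mine, not from the post): pins 404 to the status field so a
# 200 response whose body size is 404 bytes no longer counts as a failure.
STRICT = r'<HOST> - \S+ \[[^\]]+\] "[A-Z]+ \S+ HTTP/1\.[01]" 404 \d+ '
TIME_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")

def compile_failregex(failregex):
    return re.compile(failregex.replace("<HOST>", r"(?P<host>\S+)"))

def parse_line(line, failregex=LOOSE):
    """Return (host, timestamp) when the line matches the filter, else None."""
    m = compile_failregex(failregex).search(line)
    t = TIME_RE.search(line)
    if not m or not t:
        return None
    return m.group("host"), datetime.strptime(t.group(1), "%d/%b/%Y:%H:%M:%S")

def ban_candidates(lines, maxretry=20, findtime=60, failregex=LOOSE):
    """Replay the jail: an IP is banned once it has maxretry matches inside a
    findtime-second window. Returns {host: timestamp of the ban}."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = {}
    for line in lines:
        parsed = parse_line(line, failregex)
        if parsed is None or parsed[0] in banned:
            continue
        host, ts = parsed
        hits = recent[host]
        hits.append(ts)
        while hits and ts - hits[0] > window:  # forget hits older than findtime
            hits.pop(0)
        if len(hits) >= maxretry:
            banned[host] = ts
    return banned

# Constructed sample lines in the post's log format (documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [06/Oct/2012:21:27:22 +0800] "HEAD /flashfxp.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0" "-"
203.0.113.7 - - [06/Oct/2012:21:27:22 +0800] "HEAD /ip HTTP/1.1" 404 0 "-" "Mozilla/4.0" "-"
198.51.100.9 - - [06/Oct/2012:21:27:23 +0800] "GET /index.html HTTP/1.1" 200 404 "-" "Mozilla/5.0" "-"
203.0.113.7 - - [06/Oct/2012:21:27:23 +0800] "HEAD /1.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0" "-"
198.51.100.9 - - [06/Oct/2012:21:30:00 +0800] "GET /old-page HTTP/1.1" 404 162 "-" "Mozilla/5.0" "-"
"""
```

With `maxretry=3, findtime=60` the replay bans only 203.0.113.7; the third sample line (a 200 response of 404 bytes) matches the post's regex but not `STRICT`, and 198.51.100.9's two hits fall outside one window, so it is never banned.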
Use the fail2ban-regex command to see which IPs match the rule:
fail2ban-regex /logs/nginx/361way.access.log /etc/fail2ban/filter.d/nginx.conf
…………………………
…………………………
    110.20.60.68 (Mon Oct 22 21:08:26 2012)
    123.205.60.22 (Mon Oct 22 21:11:58 2012)
    203.202.60.69 (Mon Oct 22 21:14:18 2012)
Date template hits:
0 hit(s): Month Day Hour:Minute:Second
0 hit(s): Weekday Month Day Hour:Minute:Second Year
0 hit(s): Weekday Month Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
77607 hit(s): Day/Month/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-Month-Year Hour:Minute:Second[.Millisecond]
0 hit(s): TAI64N
0 hit(s): Epoch
Success, the total number of match is 35201
However, look at the above section 'Running tests' which could contain important
information.
Note: the count above is the number of log lines that match the nginx.conf rule; it does not apply the maxretry/findtime conditions from jail.local. Once the jail is running, fail2ban-client shows its status:
[root@bj1 fail2ban]# fail2ban-client status nginx-get-dos
Status for the jail: nginx-get-dos
|- filter
|  |- File list: /logs/nginx/361way.access.log
|  |- Currently failed: 1
|  `- Total failed: 210
`- action
   |- Currently banned: 1
   |  `- IP list: 192.168.1.5
   `- Total banned: 1
The result shown above corresponds to the output of iptables -L (or iptables -nL):
[root@bj1 fail2ban]# iptables -nL
……………………………………
……………………………………
Chain fail2ban-HTTP (1 references)
target     prot opt source               destination
DROP       all  --  192.168.1.5          0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
- Author: shisekong
- Link: https://blog.361way.com/fail2ban-nginx/1825.html
- License: This work is under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License. Kindly fulfill the requirements of the aforementioned License when adapting or creating a derivative of this work.