The fail2ban that ships with Ubuntu 20 is v0.10.
Fail2ban has had database support since 0.9. The benefit is that previously banned IPs are persisted, so the bans survive a restart of the service. There are two drawbacks. One is that startup becomes slow, very slow. The other is a real trap: when you are testing a filter, the rule is clearly correct, yet the IPs banned during the test keep coming back, so you cannot see any effect from your filter debugging. It took me a whole day to work out that the database was the cause (the bans are restored from it on every restart, which is exactly what persistence is for), so I disabled fail2ban's database support:
sudo vi /etc/fail2ban/fail2ban.local
and add:
[Definition]
# Options: dbfile
# Notes.: Set the file for the fail2ban persistent data to be stored.
# A value of ":memory:" means database is only stored in memory
# and data is lost when fail2ban is stopped.
# A value of "None" disables the database.
# Values: [ None :memory: FILE ] Default: /var/lib/fail2ban/fail2ban.sqlite3
dbfile = None
Note that with the database disabled, every ban is forgotten when fail2ban restarts. For filter development the cleaner tool is fail2ban-regex, which takes the log file and the filter file as its two arguments and reports which regex matched which lines without touching the jail state at all.
The nginx filter I am currently using:
sudo vi /etc/fail2ban/filter.d/nginx-custom.conf
Contents:
# Fail2Ban configuration file
#
# Custom regex patterns to ban known (and unwanted) access attempts.
# Based off my own server logs.
[Definition]
badagents = ZmEu|Auto Spider 1.0|zgrab/[0-9]*\.[0-9a-zA-Z]*|Wget\(.*\)|MauiBot.*|AspiegelBot.*|SemrushBot.*|PHP/.*
failregex = ^<HOST> -.*"(GET|POST|HEAD).*HTTP.*(?:%(badagents)s)"$
            ^<HOST> .* ".*\\x.*" .*$
            ^<HOST> -.*"(GET|POST|HEAD) .+ThinkPHP.+$
            ^<HOST> -.*"(GET|POST|HEAD) .+wp-admin.+$
            ^<HOST> -.*"(GET|POST|HEAD) .+wp-config.+$
            ^<HOST> -.*"(GET|POST|HEAD) .+wp-login\.php.*$
            ^<HOST> -.*"(GET|POST|HEAD) /login\.cgi.*$
            ^<HOST> -.*"(GET|POST|HEAD) /polycom/.*$
            ^<HOST> -.*"(GET|POST|HEAD) /provision.*/.*$
            ^<HOST> -.*"(GET|POST|HEAD) /run\.py.*$
            ^<HOST> -.*"(GET|POST|HEAD) /struts.*$
            ^<HOST> -.*"(GET|POST|HEAD) /wls-wsat.*$
            ^<HOST> -.*"(GET|POST|HEAD) /wuwu11\.php.*$
            ^<HOST> -.*"(GET|POST|HEAD) .+wwwroot\.rar.*$
            ^<HOST> -.*"(GET|POST|HEAD) .+wwwroot\.zip.*$
            ^<HOST> -.*"(GET|POST|HEAD) .+\.aspx .+$
            ^<HOST> -.*"(GET|POST|HEAD) .+phpunit.+$
            ^<HOST> -.*"(GET|POST|HEAD) .+adminer\.php .+$
            ^<HOST> -.*"(GET|POST|HEAD) .+XDEBUG.+$
            ^<HOST> -.*"(GET|POST|HEAD) .+sellers\.json .+$
            ^<HOST> -.*"(GET|POST|HEAD) .+ajax-index\.php .+$
            ^<HOST> -.*"(GET|POST|HEAD) .+dede\/login\.php .+$
            ^<HOST> -.*"(GET|POST|HEAD) .+plus\/recommend\.php .+$
            ^<HOST> -.*"(GET|POST|HEAD) .+e\/install\/index\.php .+$
            ^<HOST> -.*"(GET|POST|HEAD) .+m\/e\/install\/index\.php .+$
            ^<HOST> -.*"(GET|POST|HEAD) .+e_bak\/install\/index\.php .+$
            ^<HOST> -.*"(GET|POST|HEAD) .+Go-http-client.+$
            ^<HOST> -.*"(GET|POST|HEAD) .+Apache-HttpClient.+$
            ^<HOST> -.*"(GET|POST|HEAD) .+python-requests.+$
            ^<HOST> -.*"(GET|POST|HEAD) .+bidswitchbot.+$
            ^<HOST> -.*"(GET|POST|HEAD) .+Google-adstxt.+$
            ^<HOST> -.*"(GET|POST|HEAD) /.git/HEAD.*$
            ^<HOST> -.*"(GET|POST|HEAD) /TP/public/index\.php.*$
            ^<HOST> -.*"(GET|POST|HEAD) /admin/login\.php.*$
            ^<HOST> -.*"(GET|POST|HEAD) /allstat\.php.*$
            ^<HOST> -.*"(GET|POST|HEAD) /cfg/.*$
            ^<HOST> -.*"(GET|POST|HEAD) /cisco/.*$
            ^<HOST> -.*"(GET|POST|HEAD) /config.*/.*$
            ^<HOST> -.*"(GET|POST|HEAD) /firmware/.*$
            ^<HOST> -.*"(GET|POST|HEAD) /linksys/.*$
            ^<HOST> -.*"POST /rpc/trackback/.*$
ignoreregex =
#End
sudo nano /etc/fail2ban/jail.local
Enable the custom nginx-custom jail:
[nginx-custom]
enabled = true
port = http,https
filter = nginx-custom
logpath = /var/log/nginx/access.log
maxretry = 1
bantime = 86400
findtime = 86400
logpath is the access log that the filter is applied to. Two caveats before enabling this jail: with maxretry = 1 a single matching request bans the client for a day, and several of the patterns (wp-admin, wp-login.php, .aspx, adminer.php) also match legitimate traffic on a site that actually serves those paths, so trim the list to what your server does not host. If nginx sits behind a reverse proxy or CDN, <HOST> is the proxy's address and the jail would ban the proxy itself; put your own and the proxy's addresses in ignoreip under [DEFAULT] in jail.local.
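To see what this filter and jail actually do to a log before reloading, here is an added example, not code from this page or from fail2ban itself. It re-implements fail2ban's matching step (each failregex line is compiled with Python's re module, `<HOST>` is swapped for a capture group, and the first matching regex counts one failure for that client) and runs a subset of the nginx-custom.conf patterns above over constructed nginx "combined" log lines. Assumptions, labelled in the code: the `<HOST>` pattern is a simplified IPv4-only stand-in for fail2ban's real one (which also covers IPv6 and hostnames); the log lines are constructed with RFC 5737 documentation addresses; `to_ban` is a hypothetical model of maxretry, not fail2ban's own ban logic; and fail2ban strips the timestamp before matching, which the `.*` in these patterns makes irrelevant, so the raw line is matched here.

```python
"""Offline check of the nginx-custom fail2ban filter against sample log lines."""
import configparser
import re

# Subset of the page's /etc/fail2ban/filter.d/nginx-custom.conf, copied verbatim.
# Continuation lines of a multi-line value must be indented, as in the real file.
FILTER_CONF = r"""[Definition]
badagents = ZmEu|Auto Spider 1.0|zgrab/[0-9]*\.[0-9a-zA-Z]*|Wget\(.*\)|MauiBot.*|AspiegelBot.*|SemrushBot.*|PHP/.*
failregex = ^<HOST> -.*"(GET|POST|HEAD).*HTTP.*(?:%(badagents)s)"$
            ^<HOST> .* ".*\\x.*" .*$
            ^<HOST> -.*"(GET|POST|HEAD) .+wp-login\.php.*$
            ^<HOST> -.*"(GET|POST|HEAD) /.git/HEAD.*$
            ^<HOST> -.*"(GET|POST|HEAD) .+python-requests.+$
ignoreregex =
"""

# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> expansion.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Constructed sample lines in nginx "combined" format (not real traffic).
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Oct/2020:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [10/Oct/2020:13:55:37 +0000] "GET / HTTP/1.1" 200 612 "-" "python-requests/2.24.0"',
    '203.0.113.12 - - [10/Oct/2020:13:55:38 +0000] "GET /.git/HEAD HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    # TLS handshake sent to the plain-HTTP port: nginx logs the bytes as \x escapes.
    '203.0.113.13 - - [10/Oct/2020:13:55:39 +0000] "\\x16\\x03\\x01\\x00\\xa5\\x01\\x00\\x00\\xa1\\x03\\x03" 400 157 "-" "-"',
    '203.0.113.14 - - [10/Oct/2020:13:55:40 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "Mozilla/5.0 (compatible; SemrushBot/7~bl; +http://www.semrush.com/bot.html)"',
    # A real user logging in to a WordPress site: this is the false positive the filter causes.
    '198.51.100.8 - - [10/Oct/2020:13:55:42 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/86.0"',
    # Ordinary visitor: must not match anything.
    '198.51.100.7 - - [10/Oct/2020:13:55:41 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/81.0"',
]


def load_failregex(conf_text):
    """Parse [Definition] like fail2ban does (configparser with %(name)s
    interpolation, so %(badagents)s expands) and compile every failregex line."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    compiled = []
    for raw in cp.get("Definition", "failregex").splitlines():
        raw = raw.strip()
        if raw:
            compiled.append(re.compile(raw.replace("<HOST>", HOST_RE)))
    return compiled


def scan(lines, patterns):
    """Return {host: [index of the failregex that matched, per line]}.
    Like fail2ban, a line is one failure at most: the first matching regex wins."""
    hits = {}
    for line in lines:
        line = line.rstrip("\n")
        for idx, pat in enumerate(patterns):
            m = pat.search(line)
            if m:
                hits.setdefault(m.group("host"), []).append(idx)
                break
    return hits


def to_ban(hits, maxretry=1):
    """Hypothetical model of the jail: hosts whose failures within findtime
    reach maxretry (the page's jail uses maxretry = 1, so one hit is enough)."""
    return sorted(h for h, idx in hits.items() if len(idx) >= maxretry)


if __name__ == "__main__":
    pats = load_failregex(FILTER_CONF)
    hits = scan(SAMPLE_LOG, pats)
    for host, idx in sorted(hits.items()):
        print(f"{host:14s} matched failregex #{idx}")
    print("would ban with maxretry=1:", to_ban(hits, maxretry=1))
```

Run it with python3. Note the 198.51.100.8 line: a legitimate WordPress login is indistinguishable from a scanner under the wp-login.php pattern, which is why the list should be pruned to paths the server does not serve. On the real host the equivalent check against the live log is fail2ban-regex with the log file and the filter file as its arguments, which also reports a match count per regex.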
sudo fail2ban-client reload
sudo fail2ban-client status nginx-custom
which returns:
Status for the jail: nginx-custom
|- Filter
| |- Currently failed: 0
| |- Total failed: 31
| `- File list: /var/log/nginx/access.log
`- Actions
|- Currently banned: 22
|- Total banned: 22
`- Banned IP list: 45.155.205.108 121.235.207.204 192.241.204.148 83.150.213.220 35.181.87.238 35.225.94.95 185.191.171.5 185.191.171.40 173.236.242.79 18.231.94.162 23.97.154.104 185.191.171.9 185.191.171.42 104.131.60.154 185.191.171.39 143.110.137.82 52.64.20.252 112.213.97.64 206.189.231.196 149.202.8.66 192.241.203.197 192.241.222.109
Reference: https://confluence.jaytaala.com/display/TKB/Implement+fail2ban+with+custom+apache+filter%2C+ipset%2C+and+a+sample+based+verification+approach