Nginx

Fail2ban bans the IP, but not until it has already made hundreds of requests

  • May 17, 2019

I have a jail for a specific user agent. It does eventually ban it, but it still gets hundreds of requests through.

Here is the relevant information (unless anything else is needed):

The ban action in /etc/fail2ban/jail.conf

banaction = iptables-allports

This is the entry in /etc/fail2ban/jail.local

[domaincrawler-bot]
enabled = true
filter = domaincrawler-bot
logpath = /var/log/nginx/*access.log
port = 8221,8222,8231,8232
maxretry = 1
findtime = 10
bantime = -1
action = iptables-allports[name=domaincrawler-bot]

I have a shell script that groups the most frequent hits by IP address, and it still manages to get hundreds of requests in before being banned:

Count    IP Address    User Agent String

543 80.248.225.168 | "DomainCrawler/3.0 (info@domaincrawler.com; http://www.domaincrawler.com/***************************.com)" "-"
455 80.248.225.79 | "DomainCrawler/3.0 (info@domaincrawler.com; http://www.domaincrawler.com/********.com)" "-"
282 80.248.225.4 | "DomainCrawler/3.0 (info@domaincrawler.com; http://www.domaincrawler.com/********************.com)" "-"

I can verify that it does eventually get sent to iptables:

root@****:/var/log/nginx# iptables -L -vn | grep 80.248.225.4
0     0 REJECT     all  --  *      *       80.248.225.4         0.0.0.0/0            reject-with icmp-port-unreachable

This is my regex entry in /etc/fail2ban/filter.d/domaincrawler-bot.conf

[Definition]
failregex = ^\d{4} <HOST> .*DomainCrawler.*

Running the regex test yields thousands of matching lines:

root@****:/var/log/nginx# fail2ban-regex --print-all-matched access.log "^\d{4} <HOST> .*DomainCrawler.*"



Running tests
=============

Use   failregex line : ^\d{4} <HOST> .*DomainCrawler.*
Use         log file : access.log
Use         encoding : UTF-8


Results
=======

Failregex: 2222 total
|-  #) [# of hits] regular expression
|   1) [2222] ^\d{4} <HOST> .*DomainCrawler.*
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [80276] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-

Lines: 80276 lines, 0 ignored, 2222 matched, 78054 missed [processed in 7.69 sec] 

I have also verified on regex101.com that it does find these characters:

[regex101 screenshot]

This is the output when checking the jail status:

root@****:/var/log/nginx# fail2ban-client status domaincrawler-bot
Status for the jail: domaincrawler-bot
|- Filter
|  |- Currently failed: 1
|  |- Total failed: 31178
|  `- File list:    /var/log/nginx/access.log
`- Actions
  |- Currently banned: 12
  |- Total banned: 12
  `- Banned IP list:   176.74.192.36 176.74.192.40 176.74.192.42 185.6.8.3 185.6.8.7 185.6.8.9 194.68.17.5 80.248.225.142 80.248.225.168 80.248.225.4 80.248.225.7 80.248.225.79

This particular server gets a lot of traffic, so perhaps it falls slightly behind when parsing the access log? Is there anything else I can do to improve performance? As I said, it does eventually ban the IP, but not before receiving hundreds (sometimes thousands) of requests across different jails.

Thanks, everyone.

There is an **N-second gap between log scans.** Probably 1-5 seconds. Fail2ban blocks after maxretry N seconds, whichever comes last.
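To make the interaction between the jail's failregex and the scan interval concrete, the following is an added example (not code from the post or from fail2ban itself) that replays constructed traffic through a small model of the jail. It applies the question's `^\d{4} <HOST> .*DomainCrawler.*` regex to log lines, counts hits per IP inside `findtime`, and bans once `maxretry` is reached, but only at the moments fail2ban actually reads the log. The leading four-digit field in the constructed log lines is an assumption inferred from the regex (the post never shows its nginx `log_format`), the `<HOST>` expansion is simplified to IPv4 only, and the fixed polling interval is a model of the gap the answer describes, not fail2ban's real backend.

```python
import re
from collections import defaultdict

# Simplified stand-in for fail2ban's <HOST> tag (the real expansion also
# matches hostnames and IPv6; IPv4 is enough for this demonstration).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# The failregex from the question, with <HOST> expanded.
FAILREGEX = re.compile(r"^\d{4} " + HOST + r" .*DomainCrawler.*")


def make_log_line(seq, ip, user_agent):
    """Build a constructed access-log line in the shape the question's regex
    expects. The leading four-digit field is an assumption: the regex starts
    with ^\\d{4}, so the poster's custom nginx log_format must begin with one."""
    return (f'{seq:04d} {ip} - - [17/May/2019:10:00:00 +0000] '
            f'"GET / HTTP/1.1" 200 512 "-" "{user_agent}" "-"')


def match_line(line):
    """Return the client IP if the line matches the failregex, else None."""
    m = FAILREGEX.match(line)
    return m.group("host") if m else None


def simulate_jail(requests, maxretry=1, findtime=10, poll_interval=1.0):
    """Replay (t_seconds, ip, user_agent) requests through a model of the jail.

    nginx serves and logs every request whose source is not yet banned.
    fail2ban reads the log only at multiples of poll_interval, counts
    failregex hits per IP inside findtime, and bans once maxretry is reached.
    Returns (served, banned_at): requests that reached nginx per IP, and the
    time at which each ban became effective.
    """
    failures = defaultdict(list)   # ip -> times of matched lines fail2ban has seen
    banned_at = {}                 # ip -> time the iptables rule was inserted
    served = defaultdict(int)      # ip -> requests that reached nginx
    unread = []                    # log lines written since the last poll
    next_poll = poll_interval

    def poll(now):
        """One log scan: evaluate every line written since the previous scan."""
        nonlocal unread
        for t, line in unread:
            ip = match_line(line)
            if ip is None or ip in banned_at:
                continue
            hits = [x for x in failures[ip] if now - x <= findtime] + [t]
            failures[ip] = hits
            if len(hits) >= maxretry:
                banned_at[ip] = now    # the ban lands at scan time, not at request time
        unread = []

    for t, ip, ua in sorted(requests):
        while next_poll <= t:          # run every scan that fired before this request
            poll(next_poll)
            next_poll += poll_interval
        if ip in banned_at:
            continue                   # iptables rejects it; nginx never logs it
        served[ip] += 1
        unread.append((t, make_log_line(served[ip], ip, ua)))
    poll(next_poll)                    # final scan for lines still unread
    return dict(served), banned_at


if __name__ == "__main__":
    # Constructed traffic: a crawler at 100 requests/second for 10 seconds,
    # plus one ordinary browser visit that must never be banned.
    crawler = [(i / 100, "80.248.225.4", "DomainCrawler/3.0 (info@domaincrawler.com)")
               for i in range(1000)]
    browser = [(1.5, "203.0.113.10", "Mozilla/5.0")]
    for interval in (1.0, 5.0):
        served, bans = simulate_jail(crawler + browser, poll_interval=interval)
        print(f"scan every {interval}s: crawler got {served['80.248.225.4']} "
              f"requests through, banned at t={bans['80.248.225.4']}s")
```

With `maxretry = 1` the very first matched line is enough to ban, yet the crawler still gets 100 requests through at a one-second scan interval and 500 at a five-second interval: the number that slips through is the request rate multiplied by the scan gap, which is why lowering `maxretry` or `findtime` further cannot help here.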

Source: https://serverfault.com/questions/967794