Security
How to use fail2ban with Nginx?
How do I use fail2ban on an Nginx server? What rules should go into jails.conf?
Start from this: http://snippets.aktagon.com/snippets/554-How-to-Secure-an-nginx-Server-with-Fail2Ban
New filter in /etc/fail2ban/nginx-dos.conf:
```ini
# Fail2Ban configuration file
#
# Generated on Fri Jun 08 12:09:15 EST 2012 by BeezNest
#
# Author: Yannick Warnier
#
# $Revision: 1 $
#

[Definition]

# Option:  failregex
# Notes.:  Regexp to catch a generic call from an IP address.
# Values:  TEXT
#
failregex = ^<HOST> -.*"(GET|POST).*HTTP.*"$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
```
In our jail.local we have (at the end of the file):
```ini
[nginx-dos]
# Based on apache-badbots but a simple IP check (any IP requesting more than
# 240 pages in 60 seconds, or 4p/s average, is suspicious)
# Block for two full days.
# @author Yannick Warnier
enabled  = true
port     = http,8090
filter   = nginx-dos
logpath  = /var/log/nginx/*-access.log
findtime = 60
bantime  = 172800
maxretry = 240
```
Of course, if you log every resource of your site (images, css, js, etc.), a normal user can easily reach those numbers. To avoid that, use Nginx's access_log off directive, like this:
```nginx
# Serve static files directly
location ~* \.(png|jpe?g|gif|ico)$ {
    expires 1y;
    access_log off;
    try_files $uri $uri/ @rewrite;
    gzip off;
}
location ~* \.(mp3)$ {
    expires 1y;
    access_log off;
    gzip off;
}
location ~* \.(css)$ {
    expires 1d;
    access_log off;
}
location ~* \.(js)$ {
    expires 1h;
    access_log off;
}
```
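As an added illustration (not part of the answer above), the following Python script applies that failregex to constructed access-log lines and replays the jail's findtime/maxretry counting, showing why static-asset hits push an ordinary visitor over the 240-in-60-s threshold unless they are excluded with access_log off. The <HOST> expansion and the sample log lines are assumptions, not taken from the page.

```python
import re
from collections import defaultdict, deque

# failregex from the nginx-dos filter above, with fail2ban's <HOST> tag
# expanded to its classic IPv4/hostname pattern (assumed; fail2ban does
# this substitution itself when it loads the filter).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
FAILREGEX = re.compile(r'^' + HOST + r' -.*"(GET|POST).*HTTP.*"$')

FINDTIME = 60    # seconds, as in the jail.local section above
MAXRETRY = 240   # matching lines inside FINDTIME that trigger a ban

def match_host(line):
    """Return the client address if an access-log line matches failregex, else None."""
    m = FAILREGEX.match(line)
    return m.group("host") if m else None

def hosts_to_ban(entries, findtime=FINDTIME, maxretry=MAXRETRY):
    """Sliding-window count per host, mimicking fail2ban's findtime/maxretry rule.
    entries: list of (unix_timestamp, log_line), time-ordered per host; the
    timestamp is passed separately because this toy skips fail2ban's date parsing."""
    recent = defaultdict(deque)   # host -> timestamps of matching requests
    banned = []
    for ts, line in entries:
        host = match_host(line)
        if host is None or host in banned:
            continue
        window = recent[host]
        window.append(ts)
        while ts - window[0] > findtime:   # drop hits older than findtime
            window.popleft()
        if len(window) >= maxretry:
            banned.append(host)
    return banned

def access_line(ip, path):
    """Constructed nginx combined-format line (sample data, not a real log)."""
    return (f'{ip} - - [08/Jun/2012:12:09:15 +0000] "GET {path} HTTP/1.1" '
            f'200 612 "-" "Mozilla/5.0"')

def demo():
    # A visitor reloading every 3 s a page that pulls 20 images: with the
    # images logged, 240 requests are reached inside the 60 s window ...
    noisy = [(t, access_line("203.0.113.5", f"/img/{i}.png"))
             for t in range(0, 60, 3) for i in range(20)]
    # ... while a visitor whose static files are not logged (access_log off)
    # produces only the 20 page hits and stays far below maxretry.
    quiet = [(t, access_line("198.51.100.7", "/index.html")) for t in range(0, 60, 3)]
    return hosts_to_ban(noisy + quiet)   # returns ['203.0.113.5']

if __name__ == "__main__":
    print(demo())
```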