Security

How do I use fail2ban with Nginx?

  • August 24, 2012

How do I use fail2ban on an Nginx server? What are the rules to put into jails.conf?

Starting from the following: http://snippets.aktagon.com/snippets/554-How-to-Secure-an-nginx-Server-with-Fail2Ban

New filter in /etc/fail2ban/nginx-dos.conf:

# Fail2Ban configuration file
#
# Generated on Fri Jun 08 12:09:15 EST 2012 by BeezNest
#
# Author: Yannick Warnier
#
# $Revision: 1 $
#

[Definition]
# Option:  failregex
# Notes.:  Regexp to catch a generic call from an IP address.
# Values:  TEXT
#
failregex = ^<HOST> -.*"(GET|POST).*HTTP.*"$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

In our jail.local we have (at the end of the file):

[nginx-dos]
# Based on apache-badbots but a simple IP check (any IP requesting more than
# 240 pages in 60 seconds, or 4p/s average, is suspicious)
# Block for two full days.
# @author Yannick Warnier
enabled = true
port    = http,8090
filter  = nginx-dos
logpath = /var/log/nginx/*-access.log
findtime = 60
bantime  = 172800
maxretry = 240

Of course, if you log every resource of the site (images, CSS, JS, etc.), a normal user can easily reach these numbers. To avoid that, use Nginx's access_log off directive, like this:

    # Serve static files directly
    location ~* \.(png|jpe?g|gif|ico)$ {
        expires 1y;
        access_log off;
        try_files $uri $uri/ @rewrite;
        gzip off;
    }
    location ~* \.(mp3)$ {
        expires 1y;
        access_log off;
        gzip off;
    }
    location ~* \.(css)$ {
        expires 1d;
        access_log off;
    }
    location ~* \.(js)$ {
        expires 1h;
        access_log off;
    }

Quoted from: https://serverfault.com/questions/420895
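The answer's point is that the nginx-dos jail counts every logged GET/POST per IP inside a 60-second window, so whether static assets reach the access log decides whether a normal visitor trips the 240-request threshold. The following script is an added example, not code from the answer or from fail2ban: it replays the answer's failregex and the jail's findtime/maxretry over constructed access-log lines with a per-host sliding window, and lets you toggle whether static-asset lines are present, which is what the access_log off locations achieve. The <HOST> stand-in, the STATIC pattern, the sample IPs and the log lines are assumptions made for the example.

```python
"""Replay the nginx-dos jail's counting logic over constructed nginx log lines.

Added example, not from the original answer. It simulates fail2ban's
findtime/maxretry with a per-host sliding window and can drop static-asset
lines to mimic the 'access_log off' locations from the answer.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# The filter's failregex, verbatim from the answer.
FAILREGEX = r'^<HOST> -.*"(GET|POST).*HTTP.*"$'
# fail2ban substitutes <HOST> with its own host-matching group; this
# simplified stand-in (an assumption) accepts any run of non-space characters.
HOST_PLACEHOLDER = r"(?P<host>\S+)"
FINDTIME = 60      # seconds, as in the jail
MAXRETRY = 240     # matching lines inside FINDTIME that trigger a ban

# nginx 'combined' format timestamp, e.g. [24/Aug/2012:10:00:00 +0000]
TIMESTAMP = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")
# Requests the answer's nginx config keeps out of the log via access_log off
# (assumed extension list, taken from the four location blocks).
STATIC = re.compile(r'"(?:GET|POST) \S+\.(?:png|jpe?g|gif|ico|mp3|css|js)(?:\?\S*)? HTTP')


def compile_failregex(failregex=FAILREGEX):
    """Turn a fail2ban-style failregex into a Python regex."""
    return re.compile(failregex.replace("<HOST>", HOST_PLACEHOLDER))


def parse_time(line):
    m = TIMESTAMP.search(line)
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z") if m else None


def banned_hosts(lines, findtime=FINDTIME, maxretry=MAXRETRY, log_static=True):
    """Hosts that accumulate maxretry matching lines within any findtime window.

    log_static=False mimics 'access_log off' on the static locations: those
    requests never reach the log, so fail2ban never counts them.
    """
    rx = compile_failregex()
    recent = defaultdict(deque)   # host -> timestamps still inside the window
    banned = set()
    for line in lines:
        line = line.rstrip("\n")
        if not log_static and STATIC.search(line):
            continue
        m = rx.match(line)
        ts = parse_time(line) if m else None
        if ts is None:
            continue
        hits = recent[m.group("host")]
        hits.append(ts)
        while (ts - hits[0]).total_seconds() > findtime:
            hits.popleft()
        if len(hits) >= maxretry:
            banned.add(m.group("host"))
    return banned


def make_lines(host, start, paths, spacing):
    """Constructed 'combined'-format log lines, one per path, evenly spaced."""
    lines, t = [], start
    for path in paths:
        stamp = t.strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(f'{host} - - [{stamp}] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"')
        t += spacing
    return lines


START = datetime(2012, 8, 24, 10, 0, 0, tzinfo=timezone.utc)
# A browser loading three pages that each pull in 100 images: 303 requests in ~30 s.
NORMAL_USER = make_lines(
    "203.0.113.10", START,
    [p for i in range(3) for p in [f"/page{i}.html"] + [f"/img/{i}_{j}.png" for j in range(100)]],
    timedelta(milliseconds=100))
# A scraper pulling 300 distinct HTML pages in ~60 s: no static assets at all.
SCRAPER = make_lines(
    "198.51.100.7", START,
    [f"/article/{n}.html" for n in range(300)],
    timedelta(milliseconds=200))


if __name__ == "__main__":
    print("static assets logged:", sorted(banned_hosts(NORMAL_USER + SCRAPER)))
    print("access_log off:      ", sorted(banned_hosts(NORMAL_USER + SCRAPER, log_static=False)))
```

With static assets logged, the ordinary browser session is banned alongside the scraper; with the static lines dropped, only the scraper is. To check the real filter against a real log, fail2ban ships fail2ban-regex, which takes a log file and a filter file and reports which lines the failregex matched.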