How do I use fail2ban with Nginx?

How do I use fail2ban on an Nginx server? What are the rules in jails.conf?

Starting from the following: http://snippets.aktagon.com/snippets/554-How-to-Secure-an-nginx-Server-with-Fail2Ban

New filter in /etc/fail2ban/nginx-dos.conf:

    # Fail2Ban configuration file
    #
    # Generated on Fri Jun 08 12:09:15 EST 2012 by BeezNest
    #
    # Author: Yannick Warnir
    #
    # $Revision: 1 $
    #

    [Definition]

    # Option:  failregex
    # Notes.:  Regexp to catch a generic call from an IP address.
    # Values:  TEXT
    #
    failregex = ^<HOST> -.*"(GET|POST).*HTTP.*"$

    # Option:  ignoreregex
    # Notes.:  regex to ignore. If this regex matches, the line is ignored.
    # Values:  TEXT
    #
    ignoreregex =

In our jail.local we have (at the end of the file):

    [nginx-dos]
    # Based on apache-badbots but a simple IP check (any IP requesting more than
    # 240 pages in 60 seconds, or 4p/s average, is suspicious)
    # Block for two full days.
    # @author Yannick Warnier
    enabled  = true
    port     = http,8090
    filter   = nginx-dos
    logpath  = /var/log/nginx/*-access.log
    findtime = 60
    bantime  = 172800
    maxretry = 240

Of course, if you are logging every resource of your site (images, CSS, JS, etc.), it is very easy to reach those numbers as a normal user. To avoid that, use Nginx's access_log off directive, like this:

    # Serve static files directly
    location ~* \.(png|jpe?g|gif|ico)$ {
        expires 1y;
        access_log off;
        try_files $uri $uri/ @rewrite;
        gzip off;
    }
    location ~* \.(mp3)$ {
        expires 1y;
        access_log off;
        gzip off;
    }
    location ~* \.(css)$ {
        expires 1d;
        access_log off;
    }
    location ~* \.(js)$ {
        expires 1h;
        access_log off;
    }
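The filter and jail above are easiest to reason about by replaying them over a log. The Python below is an added example, not part of the answer or of fail2ban: it applies the nginx-dos failregex (with `<HOST>` expanded to a simplified IPv4 matcher, an assumption; fail2ban's own expansion also covers IPv6 and hostnames) to a constructed combined-format access log and counts matches per client in a sliding 60-second window with maxretry 240, the way the jail does. The three clients, their IP addresses and the timing of their requests are all made up for the demonstration. It shows two things the answer only states in prose: a normal visitor whose page loads also log a dozen static assets crosses the 240-request threshold and gets banned unless those locations have `access_log off`, and a client using HEAD (or any method other than GET and POST) is never counted by this failregex at all.

```python
import re
from datetime import datetime, timedelta

# Stand-in for fail2ban's <HOST> expansion (assumption: IPv4 only is enough for
# the constructed lines below; fail2ban's real pattern also handles IPv6/hostnames).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The failregex from the nginx-dos filter, with <HOST> expanded.
FAILREGEX = re.compile(r'^' + HOST_RE + r' -.*"(GET|POST).*HTTP.*"$')

# Timestamp field of nginx's default "combined" log format.
TS_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")

FINDTIME = 60    # seconds, as in the jail
MAXRETRY = 240   # matches inside one findtime window that trigger a ban


def parse_ts(line):
    """Extract the request time from a combined-format log line."""
    m = TS_RE.search(line)
    if m is None:
        raise ValueError("no timestamp in line: " + line)
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S")


def offending_ips(lines, findtime=FINDTIME, maxretry=MAXRETRY):
    """Return the hosts this jail would ban: any host with at least `maxretry`
    failregex matches inside a sliding `findtime`-second window.
    Lines are assumed to be in time order, as in a real access log."""
    recent = {}      # host -> timestamps of matches still inside the window
    banned = set()
    for line in lines:
        m = FAILREGEX.match(line)
        if m is None:
            continue     # HEAD, OPTIONS, PUT ... never count: the regex only sees GET|POST
        host = m.group("host")
        ts = parse_ts(line)
        window = [t for t in recent.get(host, [])
                  if ts - t < timedelta(seconds=findtime)]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry:
            banned.add(host)
    return banned


def make_line(host, method, path, ts):
    """Build one constructed combined-format access log line."""
    return ('%s - - [%s +0000] "%s %s HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
            % (host, ts.strftime("%d/%b/%Y:%H:%M:%S"), method, path))


def sample_log(log_static_assets=False):
    """Constructed access log (not real traffic) with three clients:
      203.0.113.7   floods 250 GETs in 50 seconds   -> should be banned
      198.51.100.5  browses 20 pages in 60 seconds  -> a normal visitor
      192.0.2.9     sends 300 HEAD requests         -> invisible to this failregex
    With log_static_assets=True every page view of the normal visitor also logs
    12 asset requests (png/css/js), which is what happens without access_log off."""
    t0 = datetime(2012, 6, 8, 12, 0, 0)
    lines = []
    for i in range(250):
        lines.append(make_line("203.0.113.7", "GET", "/page/%d" % i,
                               t0 + timedelta(milliseconds=200 * i)))
    for i in range(20):
        ts = t0 + timedelta(seconds=3 * i)
        lines.append(make_line("198.51.100.5", "GET", "/article/%d" % i, ts))
        if log_static_assets:
            for j in range(12):
                lines.append(make_line("198.51.100.5", "GET",
                                       "/static/asset%d.png" % j, ts))
    for i in range(300):
        lines.append(make_line("192.0.2.9", "HEAD", "/",
                               t0 + timedelta(milliseconds=100 * i)))
    lines.sort(key=parse_ts)    # stable sort keeps per-host order within a second
    return lines


if __name__ == "__main__":
    print("assets not logged:", offending_ips(sample_log()))
    print("assets logged:    ", offending_ips(sample_log(log_static_assets=True)))
```

Two practical notes. fail2ban loads filters from /etc/fail2ban/filter.d/, so the filter above is saved as /etc/fail2ban/filter.d/nginx-dos.conf to match `filter = nginx-dos` in the jail, and `fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx-dos.conf` runs the real matcher over a real log before the jail is enabled. And because the failregex counts every GET and POST, not only failures, anything that legitimately hits the site hard from one address (a reverse proxy or NAT in front of many users, a monitoring system) needs to go in `ignoreip` or it will be banned for two days too.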