fail2ban常见规则

文章目录 收缩

jail.local

/etc/fail2ban/jail.local

[884358]
enabled = true
port = http,https
filter = nginx-cc
action = %(action_mwl)s
maxretry = 100
findtime = 60
bantime = 3600
logpath = /www/wwwlogs/884358.com.log

[884358-404]
enabled = true
port = http,https
filter = nginx-404
action = %(action_mwl)s
maxretry = 10
findtime = 60
bantime = 86400
logpath = /www/wwwlogs/884358.com.log

匹配http请求

#/etc/fail2ban/filter.d/nginx-cc.conf
failregex = <HOST> -.*- .*HTTP/[12].* .* .*$

匹配404请求

/etc/fail2ban/filter.d/nginx-404.conf
failregex = <HOST> -.*- .*HTTP/[12].* 404 .*$

匹配不包含图片的404请求

failregex = <HOST> -.*- ((?!(\.jpg|\.png|\.gif)).)*HTTP/[12].* 404 .*$

查看状态

fail2ban-client status 884358
fail2ban-client status 884358-404

测试匹配规则

fail2ban-regex /www/wwwlogs/884358.com.log  /etc/fail2ban/filter.d/nginx-404.conf

firewalld 防火墙规则

# 获取所有 direct 规则
firewall-cmd --direct --get-all-rules

# 获取 ipset 列表
ipset list

常用命令

#切割日志
logrotate -vf /etc/logrotate.d/fail2ban
#启动
systemctl start fail2ban
#停止
systemctl stop fail2ban
#开机启动
systemctl enable fail2ban
#查看被ban IP,其中nginx-cc为名称
fail2ban-client status nginx-cc
#删除被ban IP
fail2ban-client set nginx-cc unbanip 192.168.111.111
#添加要ban的IP
fail2ban-client set nginx-cc banip 192.168.111.111
#查看日志
tail /var/log/fail2ban.log
#查看在fail2ban黑名单里的IP是否已经加到了firewall中。
ipset list

其他

日志切割之Logrotate:
https://www.cnblogs.com/clsn/p/8428257.html

发表评论

电子邮件地址不会被公开。 必填项已用*标注