Using Fail2Ban to automatically block attackers

Edit `/etc/fail2ban/jail.local` (`vi /etc/fail2ban/jail.local`) and add:

```ini
[nginx-http-auth]
enabled = true
filter = nginx-http-auth
action = iptables[name=HTTP, port=http, protocol=tcp]
logpath = /var/log/nginx/error.log
bantime = 3600
findtime = 600
maxretry = 5
```

Restart the service:

```sh
systemctl restart fail2ban
```

Check the currently banned IPs:

```sh
fail2ban-client status
# "status" on its own only lists the jails; give it a jail name to see that jail's banned IP list
fail2ban-client status nginx-http-auth
```

Additionally add this jail:

```ini
[nginx-primary-script]
enabled = true
filter = nginx-primary-script
action = iptables[name=PrimaryScript, port=http, protocol=tcp]
logpath = /var/log/nginx/error.log
maxretry = 3
bantime = 3600
```

Blocking attack scripts. The jail's `filter = nginx-primary-script` line makes Fail2Ban load a filter file of that name from its `filter.d/` directory; this is the filter's content:

```ini
[Definition]
# nginx's error.log records the client as "client: <ip>," before the "request:" field.
# Every failregex must contain the <HOST> tag so Fail2Ban knows which address to ban,
# so each pattern below anchors on that field. Comments stay on their own lines: a "#"
# appended to the end of a regex line is not reliably stripped and can become part of the pattern.
failregex = .*FastCGI sent in stderr: "Primary script unknown".*client: <HOST>,.*request: ".*installer\.php.*
            .*FastCGI sent in stderr: "Primary script unknown".*client: <HOST>,.*request: ".*WordPress/installer\.php.*
            .*FastCGI sent in stderr: "Primary script unknown".*client: <HOST>,.*request: ".*phpinfo\.php.*
            .*FastCGI sent in stderr: "Primary script unknown".*client: <HOST>,.*request: ".*info\.php.*
            # Common intrusion scripts and tools
            # WordPress admin panel attacks
            .*client: <HOST>,.*request: "GET /wp-admin.*
            # WordPress login attacks
            .*client: <HOST>,.*request: "GET /wp-login\.php.*
            # WordPress XML-RPC attacks
            .*client: <HOST>,.*request: "GET /xmlrpc\.php.*
            # phpMyAdmin attacks
            .*client: <HOST>,.*request: "GET /phpMyAdmin/.*
            # phpMyAdmin short-path attacks
            .*client: <HOST>,.*request: "GET /pma/.*
            # other admin tool probes
            .*client: <HOST>,.*request: "GET /myadmin/.*
            # attempts to access config files
            .*client: <HOST>,.*request: "GET /config\.php.*
            # installer scripts
            .*client: <HOST>,.*request: "GET /setup\.php.*
            .*client: <HOST>,.*request: "GET /install\.php.*
            # Adminer attacks
            .*client: <HOST>,.*request: "GET /adminer.*
            # Common malicious script probes
            # backdoor probes
            .*client: <HOST>,.*request: "GET /shell\.php.*
            # command execution scripts
            .*client: <HOST>,.*request: "GET /cmd\.php.*
            # malicious tool scripts
            .*client: <HOST>,.*request: "GET /console\.php.*
            # backdoor script probes
            .*client: <HOST>,.*request: "GET /backdoor\.php.*
            # WordPress upload vulnerability
            .*client: <HOST>,.*request: "GET /wp-content/uploads/shell.*
            # eval exploitation scripts
            .*client: <HOST>,.*request: "GET /eval-stdin.*
            # File probing attacks
            # Laravel or other framework config files
            .*client: <HOST>,.*request: "GET /\.env.*
            # Git config file
            .*client: <HOST>,.*request: "GET /\.git/config.*
            # attempts to download backups
            .*client: <HOST>,.*request: "GET /backup.*
            # attempts to access database dumps
            .*client: <HOST>,.*request: "GET /dump.*
            # debug tools
            .*client: <HOST>,.*request: "GET /debug.*
            # log files
            .*client: <HOST>,.*request: "GET /error_log.*
            # Specific vulnerability exploitation
            # HNAP protocol vulnerability (often aimed at routers)
            .*client: <HOST>,.*request: "GET /HNAP1/.*
            # IoT device vulnerability
            .*client: <HOST>,.*request: "GET /boaform/admin/formLogin.*
            # JBoss vulnerability
            .*client: <HOST>,.*request: "GET /invoker/JMXInvokerServlet.*
            # WebDAV attacks
            .*client: <HOST>,.*request: "GET /webdav.*
            # Tomcat manager interface probes
            .*client: <HOST>,.*request: "GET /manager/html.*
```

Ban a specific IP directly:

```sh
fail2ban-client set nginx-primary-script banip xxx.xxx.xxx.xxx
```

If you banned the wrong one and want to lift it:

```sh
fail2ban-client set nginx-primary-script unbanip 192.168.1.100
```

Whitelist, written in `/etc/fail2ban/jail.local`:

```ini
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 192.168.1.100
```

After any configuration change, remember to restart:

```sh
systemctl restart fail2ban
```
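To check a filter like the one above before enabling its jail, here is an added example (not from the original note and not Fail2Ban's own code) that does on a small scale what `fail2ban-regex` does: it expands `<HOST>` into a capture group, matches constructed nginx error.log lines against a subset of the failregex lines, and applies the jail's `maxretry`/`findtime` window to show which client address would be banned. `HOST_RE` is a simplified version of Fail2Ban's `<HOST>` expansion and the log lines are constructed, not taken from a real server.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified form of Fail2Ban's <HOST> expansion (IPv4/IPv6 address or hostname).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
# A subset of the filter's failregex lines, written exactly as they appear in the .conf file.
FAILREGEX = [
    r'.*FastCGI sent in stderr: "Primary script unknown".*client: <HOST>,.*request: ".*installer\.php.*',
    r'.*client: <HOST>,.*request: "GET /wp-login\.php.*',
    r'.*client: <HOST>,.*request: "GET /xmlrpc\.php.*',
    r'.*client: <HOST>,.*request: "GET /\.env.*',
]

def compile_failregex(patterns):
    """Expand <HOST> into a named group the way Fail2Ban does, then compile each pattern."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]

def parse_line(line, compiled):
    """Return (timestamp, client address) for a line that matches any failregex, else None."""
    for rx in compiled:
        m = rx.search(line)
        if m:
            # nginx error.log lines start with "YYYY/MM/DD HH:MM:SS"
            return datetime.strptime(line[:19], "%Y/%m/%d %H:%M:%S"), m.group("host")
    return None

def would_ban(lines, patterns, maxretry=3, findtime=600):
    """Replay log lines in order; return hosts with >= maxretry matches inside one findtime window."""
    compiled = compile_failregex(patterns)
    recent = defaultdict(list)  # host -> timestamps of matches still within findtime
    banned = set()
    for line in lines:
        parsed = parse_line(line, compiled)
        if parsed is None:
            continue
        ts, host = parsed
        recent[host] = [t for t in recent[host] + [ts] if ts - t <= timedelta(seconds=findtime)]
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return banned

# Constructed nginx error.log lines (not from a real server): 203.0.113.5 trips the filter
# three times within seconds, 198.51.100.7 only twice, half an hour apart.
SAMPLE_LOG = [
    '2024/05/01 10:00:01 [error] 100#100: *1 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 203.0.113.5, server: example.test, request: "GET /installer.php HTTP/1.1", upstream: "fastcgi://unix:/run/php-fpm.sock:", host: "example.test"',
    '2024/05/01 10:00:02 [error] 100#100: *2 open() "/var/www/html/.env" failed (2: No such file or directory), client: 203.0.113.5, server: example.test, request: "GET /.env HTTP/1.1", host: "example.test"',
    '2024/05/01 10:00:03 [error] 100#100: *3 open() "/var/www/html/xmlrpc.php" failed (2: No such file or directory), client: 203.0.113.5, server: example.test, request: "GET /xmlrpc.php HTTP/1.1", host: "example.test"',
    '2024/05/01 10:00:04 [error] 100#100: *4 open() "/var/www/html/wp-login.php" failed (2: No such file or directory), client: 198.51.100.7, server: example.test, request: "GET /wp-login.php HTTP/1.1", host: "example.test"',
    '2024/05/01 10:30:00 [error] 100#100: *5 open() "/var/www/html/.env" failed (2: No such file or directory), client: 198.51.100.7, server: example.test, request: "GET /.env HTTP/1.1", host: "example.test"',
]
```

With the jail's values (`maxretry = 3`, `findtime` 600 s) `would_ban(SAMPLE_LOG, FAILREGEX)` reports only 203.0.113.5; 198.51.100.7 is never banned because its two hits fall outside one findtime window.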