生活随笔
收集整理的這篇文章主要介紹了
fail2ban封IP之Http
小編覺得挺不錯的,現在分享給大家,幫大家做個參考.
環境介紹:http是一個tomcat 的js程序 ,設置的路徑為/opt/tomcat5/logs/localhost_access_log.txt
OS:centos 5.3? fail2ban版本:fail2ban-0.8.2-3.el5.rf.noarch.rpm
官方網站:http://www.fail2ban.org/wiki/index.php/Main_Page
背景:及時發現別人的惡意請求并禁止
步驟:
1.安裝fail2ban
這里我走了彎路,下源碼包安裝報錯,大家可以這個網址下載:http://packages.sw.be/fail2ban/
?
#rpm?-ivh?fail2ban-0.8.23.el5.rf.noarch.rpm? ?
2.配置fail2ban的自定義過濾規則
分析/opt/tomcat5/logs/localhost_access_log.txt? 日志的惡意請求如下 :
?
192.168.32.41?-?-?[10/Sep/2010:18:11:27?+0800]?"GET?12345678.txt?HTTP/1.1"?404?1063 ?192.168.32.41?-?-?[10/Sep/2010:18:11:27?+0800]?"GET?12345678.txt?HTTP/1.1"?404?1063 ?192.168.32.41?-?-?[10/Sep/2010:18:11:29?+0800]?"GET?12345678.txt?HTTP/1.1"?404?1063 ?192.168.32.41?-?-?[10/Sep/2010:18:11:29?+0800]?"GET?12345678.txt?HTTP/1.1"?404?1063 ?192.168.32.41?-?-?[10/Sep/2010:18:11:29?+0800]?"GET?12345678.txt?HTTP/1.1"?404?1063 ?192.168.32.41?-?-?[10/Sep/2010:18:11:29?+0800]?"GET?12345678.txt?HTTP/1.1"?404?1063 ? 從***行為特征來看, 這是短時間連續導致服務器發送HTTP 404文件未找到錯誤碼, 下面是用于發現上述***的fail2ban filter規則,
在/etc/fail2ban/filter.d/目錄下建立tomcat.conf文件保存下面的內容:
?
[Definition] ?failregex?=?<HOST>?-.*-?.*HTTP/1.*?404?.*$ ?ignoreregex?=? 3.測試fail2ban的過濾規則
?
#?fail2ban-regex?/opt/tomcat5/logs/localhost_access_log.txt?/etc/fail2ban/filter.d/tomcat.conf? 結果如下:
?
Running?tests?============= ??Use?regex?file?:?/etc/fail2ban/filter.d/tomcat.conf ?Use?log?file???:?/opt/tomcat5/logs/localhost_access_log.txt ???Results?======= ??Failregex ?|-?Regular?expressions: ?|??[1]??-.*-?.*HTTP/1.*?404?.*$ ?| ?`-?Number?of?matches: ????[1]?13?match(es) ??Ignoreregex ?|-?Regular?expressions: ?| ?`-?Number?of?matches: ??Summary?======= ??Addresses?found: ?[1] ?????192.168.32.41?(Fri?Sep?10?18:10:59?2010) ?????192.168.32.41?(Fri?Sep?10?18:11:27?2010) ?????192.168.32.41?(Fri?Sep?10?18:11:27?2010) ?????192.168.32.41?(Fri?Sep?10?18:11:29?2010) ?????192.168.32.41?(Fri?Sep?10?18:11:29?2010) ?????192.168.32.41?(Fri?Sep?10?18:11:29?2010) ?????192.168.32.41?(Fri?Sep?10?18:11:29?2010) ?????192.168.32.41?(Fri?Sep?10?18:11:30?2010) ?????192.168.32.41?(Fri?Sep?10?18:11:30?2010) ?????192.168.32.41?(Fri?Sep?10?18:27:44?2010) ?????192.168.32.41?(Fri?Sep?10?18:27:47?2010) ?????192.168.32.41?(Fri?Sep?10?18:27:50?2010) ?????192.168.32.41?(Fri?Sep?10?18:27:53?2010) ??Date?template?hits: ?0?hit(s):?Month?Day?Hour:Minute:Second ?0?hit(s):?Weekday?Month?Day?Hour:Minute:Second?Year ?0?hit(s):?Weekday?Month?Day?Hour:Minute:Second ?0?hit(s):?Year/Month/Day?Hour:Minute:Second ?130?hit(s):?Day/Month/Year:Hour:Minute:Second ?0?hit(s):?Year-Month-Day?Hour:Minute:Second ?0?hit(s):?Day-Month-Year?Hour:Minute:Second[.Millisecond] ?0?hit(s):?TAI64N ?0?hit(s):?Epoch ??Success,?the?total?number?of?match?is?13 ??However,?look?at?the?above?section?'Running?tests'?which?could?contain?important ?information.? 4.激活fail2ban的規則
從測試結果可以看出, 惡意***節點的IP地址和***時間都能夠正確發現, 因此可以進一步修改fail2ban的配置文件激活上述規則.
下面是我的/etc/fail2ban/jail.local配置文件內容:
?
[tomcat] ?enabled?=?true?port?=?http,https ?filter?=?tomcat?action?=?iptables[name=tomcat,?port=8080,?protocol=tcp]? ??????????sendmail-whois[name=tomcat,?dest=abc@mail.com] ?maxretry?=?2?logpath?=?/opt/tomcat5/logs/localhost_access_log.txt ?bantime??=?1800? 5.測試效果
生成2個錯誤的鏈接,查看fail2ban日志 如下:
?
2010-09-10?18:33:30,156?fail2ban.actions.action:?INFO???Set?actionStart?=?printf?%b?"Subject:?[Fail2Ban]?:?started ?From:?Fail2Ban?<>?To:?\n ?Hi,\n ?The?jail??has?been?started?successfully.\n ?Regards,\n ?Fail2Ban"?|?/usr/sbin/sendmail?-f?? ?2010-09-10?18:33:30,157?fail2ban.actions.action:?INFO???Set?actionUnban?=? ?2010-09-10?18:33:30,158?fail2ban.actions.action:?INFO???Set?actionCheck?=? ?2010-09-10?18:33:31,546?fail2ban.actions:?WARNING?[tomcat]?Ban?192.168.32.41? ?
并查看管理員郵箱 ,已經收到郵件了,內容大概如下:
?
Hi, ??The?IP?192.168.32.41?has?just?been?banned?by?Fail2Ban?after ?4?attempts?against?tomcat. ???Here?are?more?information?about?192.168.32.41: ??[Querying?whois.arin.net] ?[whois.arin.net] ?# ?#?Query?terms?are?ambiguous.??The?query?is?assumed?to?be: ?#?????"n?192.168.32.41" ?# ?#?Use?"?"?to?get?help. ? ?
6.寫完收工。
上面只是根據我的需求,寫的一點東西,其他很功能大家自己可以去研究 。
轉載于:https://blog.51cto.com/wenxin1234114/391104
總結
以上是生活随笔為你收集整理的fail2ban封IP之Http的全部內容,希望文章能夠幫你解決所遇到的問題。
如果覺得生活随笔網站內容還不錯,歡迎將生活随笔推薦給好友。
