I've been checking Nginx In the access log of , Found a lot of 404 request , After careful study, we find that someone is trying to blow up the website .

You tried to attack me as soon as I went online ?????? How can this bear ..

So --- After looking up the information, I learned that there is a magic tool fail2ban Can cooperate with iptables Automatic sealing IP

iptables yes Centos6 It's a firewall strategy , stay Centos7 Has been used in Firewall replaced

The experimental system is Centos6

Don't talk about it

1. Download and install fail2ban

   cd /usr/loca/src
  wget https://github.com/fail2ban/fail2ban/archive/0.9.4.tar.gz
  tar -zxf 0.9..tar.gz
  mv 0.9. fail2ban-
  cd fail2ban-
  ./setup.py

2. Directory structure

 /etc/fail2ban                    # fail2ban  Service configuration directory 
/etc/fail2ban/action.d # iptables 、mail And so on
/etc/fail2ban/filter.d # Condition matching file directory , Filter the key content of the log
/etc/fail2ban/jail.conf # fail2ban Protection Profile
/etc/fail2ban/fail2ban.conf # fail2ban The configuration file , Define log levels 、 journal 、sock File location, etc cd /etc/fail2ban # Go to the directory where the configuration file is located
cp jail.conf jail.local # Backup configuration files

3. Configure protection
First, write forbidden access nginx 404 Status code ip Address configuration rules

 vim /etc/fail2ban/filter.d/nginx.conf

 [Definition]
failregex = <HOST> -.*- .*HTTP/.* .*$
ignoreregex =

After saving, test whether the configuration file is correct relative to the log

 fail2ban-regex /home/wwwlogs/access.log /etc/fail2ban/filter.d/nginx.conf 

Then add the blocking rules to the configuration file

 vim /etc/fail2ban/jail.conf   #  Write at the end of the file 

 [nginx]
enabled = true
port = http,https
filter = nginx # The name of the rule file
action = iptables[name=nginx, port=http, protocol=tcp]
# sendmail-whois[name=tomcat, dest=abc@mail.com] Send mail function
logpath = /home/wwwlogs/access.log # Log path
bantime = # The time of the ban
findtime = # In seconds
maxretry = # Several times

4. start-up

 /etc/init.d/iptables start
/etc/init.d/fail2ban start or fail2ban-client start

5. Check the status and other commands

 fail2ban-client start #  start-up 
fail2ban-client reload # heavy load
fail2ban-client stop # stop it
fail2ban-client status # Check the status
fail2ban-client set nginx addignoreip 180.158.35.30 # take ip Join in nginx The white list of prisons
fail2ban-client set nginx delignoreip 180.158.35.30 # take ip remove nginx The white list of prisons
fail2ban-client set nginx banip IP Address # manual ban
fail2ban-client set nginx unbanip IP Address # Manual solution

6. see fail2ban Log

fail2ban The default log is /var/log/fail2ban.log

The journal records Ban IP And UnBan IP The record of

There are also records after modifying the configuration file and reloading it

cat /var/log/fail2ban

7. Summary

fail2ban There are many powerful functions to be studied , stay  /etc/fail2ban/filter.d in , There are many templates to learn and use

Although it seems safer to ban illegal requests for a period of time , But as long as there is an external port, it can not guarantee the absolute security of the server . Learn more about the combination of different tools , To make the server more secure .

Linux Server security fail2ban Installation and configuration of more related articles

  1. linux Next jdk And tomcat Installation and configuration

    Linux in jdk And tomcat Installation and configuration 1. Set up the environment : (1)Linux Environmental Science :CentOS6.1 (2)jdk-1.8 (3)tomcat-9.0 2. stay Linux Create a directory on the system stay usr/lo ...

  2. LINUX operating system (centos6.9) Installation and configuration

    LINUX operating system (centos6.9) Installation and configuration _ Experience in baidu https://jingyan.baidu.com/article/acf728fd6bdba1f8e510a3f7.html cento ...

  3. Linux Next MyCat and MyCat_web Installation and configuration

    Linux Next MyCat and MyCat_web Installation and configuration Mycat Is a database sub database sub table middleware Mycat web It can be done to Mycat monitor , So let's share that Mycat web The process of building Details can be ...

  4. Apache Download the latest version of the server 、 Installation and configuration (win edition )

    Apache Download the latest version of the server . Installation and configuration (win edition ) Apache The download : Sign in http://httpd.apache.org/download.cgi This address , find 2.4.10, As shown in the figure below :   ...

  5. linux The server nginx Uninstall and install

    Just touched linux Server ,nginx It's a bit outrageous that the configuration is disorderly , Just unload the old one and install it again . uninstall linux There are a series of software managers , For example, the common linux Under the yum.Ubuntu Under the apt-get wait . Through this ...

  6. Linux The server pxe+kickstart Deploy unattended installation

    One .    Use the CD image to install a Redhat6.8 The system's virtual machine ( Graphical interface ) Two .    Deploy relevant service programs 1.     Install and configure dhcpd Service program a) install dhcp Service program b) Yes dhcp Service in ...

  7. Linux In the environment SVN Server side installation and configuration

    I've tried it recently Linux(CentOS6.5) Installation and configuration in the environment SVN Server side , There are some problems during the installation , Refer to some experience shared by netizens , And through their own actual operation , The final installation and configuration is successful ! Generally speaking, there are so many opinions on the Internet , Big ...

  8. Linux Server deployment javaweb project , From the environment configuration , Finally, the system runs

    preparedness :javaJDK1.7,Tomcat7.0,MySQL5.8, Operational javaWeb project ,linux The server of the environment ( It can be installed in windows On the computer linux virtual machine , Installed linux The computer of the system ...

  9. Linux CentOS 7 &amp; JDK 1.7 Installation and configuration

    Preface Make a brief note of CentOS 7 Install configuration in JDK 1.7 The whole process ~ download First of all jdk 1.7 64bit & 32bit Download address : jdk-7u79-linux-x64.tar.gz ...

Random recommendation

  1. Java Map Introduction to collection class

      author :Jack Shirazi Learn about one of the most common collection types Map And how to optimize your application specific data Map. Download this article : · Jack Of HashMap test · Oracle ...

  2. phpcms 05

    So called asynchronous loading , That is, two threads execute a task at the same time , Like a load text , A load picture , So you can see the text first footer,html Contains tail files {template "content",& ...

  3. flume+hadoop

    Excerpt from :http://www.kankanews.com/ICkengine/archives/130646.shtml

  4. AutoFac Summary of usage :Part I

    Registration part Use RegisterType To register [Fact] public void can_resolve_myclass() { var builder = new ContainerBuilde ...

  5. Android UI Learning records of

    1,android:textAllCaps=“false” android5.0 It's possible that button Of text It's all uppercase , Set this to display lowercase properly 2, Optimize listview performance : 1,view reusing ...

  6. The first chapter of Dao Zhi Jian ——java Pseudo code

    section : public class Yugongyishan_ { // Define a name Yugongyishan_ Class Public static void main(string args[])   // ...

  7. HDFS All orders are summarized

    .copyFromLocal hadoop fs -copyFromLocal -f dcnew.reg_user_actret.csv /dw/test/reg_user_actret_test # ...

  8. Learning notes DL008: probability theory , A random variable , A probability distribution , Edge probability , Conditional probability , expect 、 variance 、 covariance

    Probability and information theory . probability theory , A mathematical framework for representing uncertainty statements . Provide a way to quantify uncertainty , Provides an export new uncertainty statement (statement) axiom . The field of artificial intelligence , The law of probability ,AI System reasoning , Design algorithm, calculate probability theory and derive expression . Probability and Statistics ...

  9. layer Every time you use it, you have to check it

    1. Close the current pop-up layer var index = parent.layer.getFrameIndex(window.name); setTimeout(function(){parent.layer.cl ...

  10. h5 Wechat shares friends and circle of friends

    Generate JS-SDK Authority verification signature Realize the content parameter customization when sending to friends and sharing to the circle of friends One . WeChat JS-SDK 1. get Access Token access token The method of obtaining the value of is introduced earlier , For details, see   Wechat public service ...