Using fail2ban to handle malicious scans against nginx

22 October 2012

Recently I heard that a peer company's database had been leaked, and my boss asked me to check our own sites as well. While going through the nginx logs I likewise found that someone had run malicious scans against us. Partly also to stop others from maliciously scraping data off the company's sites, I decided to use fail2ban together with iptables to block these IPs automatically.

The malicious scan entries found in the log:

access.log:112.122.134.43 - - [06/Oct/2012:21:27:22 +0800] "HEAD /flashfxp.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)" "-"
access.log:112.122.134.43 - - [06/Oct/2012:21:27:22 +0800] "HEAD /ip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)" "-"
access.log:112.122.134.43 - - [06/Oct/2012:21:27:23 +0800] "HEAD /1.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)" "-"
access.log:112.14.63.7 - - [06/Oct/2012:21:27:23 +0800] "HEAD /flashfxp.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)" "-"
access.log:114.112.29.44 - - [06/Oct/2012:21:27:23 +0800] "HEAD /flashfxp.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)" "-"
access.log:114.112.29.44 - - [06/Oct/2012:21:27:23 +0800] "HEAD /ip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)" "-"
access.log:114.112.29.44 - - [06/Oct/2012:21:27:23 +0800] "HEAD /1.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)" "-"
access.log:112.122.134.43 - - [06/Oct/2012:21:27:23 +0800] "HEAD /2.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)" "-"
access.log:112.14.63.7 - - [06/Oct/2012:21:27:23 +0800] "HEAD /ip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)" "-"
access.log:112.122.134.43 - - [06/Oct/2012:21:27:23 +0800] "HEAD /wwwroot.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)" "-"
access.log:112.14.63.7 - - [06/Oct/2012:21:27:23 +0800] "HEAD /1.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)" "-"
access.log:114.112.29.44 - - [06/Oct/2012:21:27:23 +0800] "HEAD /2.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)" "-"
access.log:112.122.134.43 - - [06/Oct/2012:21:27:23 +0800] "HEAD /www.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)" "-"
access.log:112.122.134.43 - - [06/Oct/2012:21:27:24 +0800] "HEAD /web.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)" "-"
access.log:210.72.75.212 - - [06/Oct/2012:21:27:24 +0800] "HEAD /flashfxp.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)" "-"
access.log:114.112.29.44 - - [06/Oct/2012:21:27:24 +0800] "HEAD /wwwroot.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)" "-"

Some people back up their site on a schedule, and the backup files often end up with exactly the names requested above. These malicious scanners hope that once such a file turns up they can simply download it. Evil stuff…

I will not cover installing fail2ban here; an earlier post of mine describes the installation. If you would rather not install it with yum from the rpmforge repository, the rpm packages can be found at http://pkgs.repoforge.org/fail2ban/ ; alternatively, get the source tarball from sourceforge. After installation, create the file nginx.conf under /etc/fail2ban/filter.d/ with the following content:

[Definition]
failregex = <HOST> -.*- .*HTTP/1.* 404 .*$
ignoreregex =

Note: the filter works by picking out every IP whose requests returned 404 within a given period; the conditions defined below then select the IPs that exceed the threshold.

Open the /etc/fail2ban/jail.local configuration file and append the following at the end:

[nginx-get-dos]
enabled = true
port = http,https
# the nginx.conf filter file we created above
filter = nginx
# location of the log file
logpath = /logs/nginx/361way.access.log
# ban the IP after this many failures
maxretry = 20
# the time window (seconds) in which the failures are counted
findtime = 60
# how long (seconds) the IP stays banned
bantime = 3600
action = iptables[name=HTTP, port=http, protocol=tcp]
# whitelisted IPs (uncomment to use)
#ignoreip = 192.168.1.2

Use the fail2ban-regex command to see which IPs match the rule:

fail2ban-regex /logs/nginx/361way.access.log /etc/fail2ban/filter.d/nginx.conf
…………………………
…………………………
    110.20.60.68 (Mon Oct 22 21:08:26 2012)
    123.205.60.22 (Mon Oct 22 21:11:58 2012)
    203.202.60.69 (Mon Oct 22 21:14:18 2012)
Date template hits:
0 hit(s): Month Day Hour:Minute:Second
0 hit(s): Weekday Month Day Hour:Minute:Second Year
0 hit(s): Weekday Month Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
77607 hit(s): Day/Month/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-Month-Year Hour:Minute:Second[.Millisecond]
0 hit(s): TAI64N
0 hit(s): Epoch
Success, the total number of match is 35201
However, look at the above section 'Running tests' which could contain important
information.

Note: the figure above is the number of log lines that match the nginx.conf rule; the maxretry/findtime conditions in jail.local have not been applied to it.
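To make the difference between the raw match count and the jail's decision concrete, here is a small Python replay of the jail semantics (an added example, not code from the post or from fail2ban itself): it applies a 404-matching regex in the spirit of the nginx.conf filter above, then bans an IP only once it has maxretry hits inside a findtime-second window. The log lines, IPs (documentation ranges) and paths are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Same idea as the nginx.conf failregex on this page: the client IP (fail2ban's
# <HOST>) on a line whose request ended in 404; the timestamp is kept for findtime.
FAILREGEX = re.compile(
    r'^(?P<host>\S+) - \S+ \[(?P<ts>[^\]]+)\] "[^"]*HTTP/1\.\d" 404 ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"  # nginx time field, e.g. 06/Oct/2012:21:27:22 +0800

def find_bans(lines, maxretry=20, findtime=60):
    """Replay the jail: an IP is banned as soon as it has maxretry matching lines
    inside a findtime-second window. Returns {ip: time of the triggering line}."""
    window = defaultdict(deque)
    banned = {}
    for line in lines:
        m = FAILREGEX.match(line)
        if not m:
            continue                       # not a 404: ignored, as fail2ban would
        ip = m.group("host")
        if ip in banned:
            continue
        t = datetime.strptime(m.group("ts"), TS_FMT)
        q = window[ip]
        q.append(t)
        while (t - q[0]).total_seconds() > findtime:
            q.popleft()                    # forget hits older than findtime
        if len(q) >= maxretry:
            banned[ip] = t
    return banned

def make_line(ip, t, path, status):
    # Constructed access-log line in the same format as the post's excerpt.
    ua = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
    return f'{ip} - - [{t:{TS_FMT}}] "HEAD {path} HTTP/1.1" {status} 0 "-" "{ua}" "-"'

def sample_log():
    # Constructed sample (documentation IPs): a scanner probes 25 backup-archive
    # names in 25 seconds; a normal client gets 5 scattered 404s plus real 200s.
    t0 = datetime.strptime("06/Oct/2012:21:27:22 +0800", TS_FMT)
    scan = [make_line("203.0.113.5", t0 + timedelta(seconds=i), f"/backup{i}.zip", 404)
            for i in range(25)]
    legit = [make_line("198.51.100.7", t0 + timedelta(seconds=30 * i), "/old.html", 404)
             for i in range(5)]
    legit += [make_line("198.51.100.7", t0 + timedelta(seconds=i), "/index.html", 200)
              for i in range(30)]
    return scan + legit

if __name__ == "__main__":
    for ip, when in find_bans(sample_log()).items():
        print(f"would ban {ip} at {when:%H:%M:%S}")   # would ban 203.0.113.5 at 21:27:41
```

The legitimate client produces five matches (all counted by fail2ban-regex) but is never banned, because at most three of them fall inside any 60-second window; the scanner crosses maxretry on its 20th hit.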

[root@bj1 fail2ban]# fail2ban-client status nginx-get-dos
Status for the jail: nginx-get-dos
|- filter
|  |- File list:        /logs/nginx/361way.access.log
|  |- Currently failed: 1
|  `- Total failed:     210
`- action
   |- Currently banned: 1
   |  `- IP list:       192.168.1.5
   `- Total banned:     1

The result shown above corresponds to what iptables -L (or iptables -nL) reports:

[root@bj1 fail2ban]# iptables -nL
……………………………………
……………………………………
Chain fail2ban-HTTP (1 references)
target     prot opt source               destination
DROP       all  --  192.168.1.5         0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0 