Recently I heard that a peer company's database had been breached, and my boss asked me to check our own site as well. While going through the nginx logs I found that someone had also run malicious scans against us. Partly to keep people from scraping data off the company site as well, I decided to use fail2ban together with iptables to ban these IPs automatically.
The malicious scan entries found in the log:
access.log:112.122.134.43 - - [06/Oct/2012:21:27:22 +0800] "HEAD /flashfxp.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)" "-"
access.log:112.122.134.43 - - [06/Oct/2012:21:27:22 +0800] "HEAD /ip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)" "-"
access.log:112.122.134.43 - - [06/Oct/2012:21:27:23 +0800] "HEAD /1.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)" "-"
access.log:112.14.63.7 - - [06/Oct/2012:21:27:23 +0800] "HEAD /flashfxp.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)" "-"
access.log:114.112.29.44 - - [06/Oct/2012:21:27:23 +0800] "HEAD /flashfxp.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)" "-"
access.log:114.112.29.44 - - [06/Oct/2012:21:27:23 +0800] "HEAD /ip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)" "-"
access.log:114.112.29.44 - - [06/Oct/2012:21:27:23 +0800] "HEAD /1.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)" "-"
access.log:112.122.134.43 - - [06/Oct/2012:21:27:23 +0800] "HEAD /2.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)" "-"
access.log:112.14.63.7 - - [06/Oct/2012:21:27:23 +0800] "HEAD /ip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)" "-"
access.log:112.122.134.43 - - [06/Oct/2012:21:27:23 +0800] "HEAD /wwwroot.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)" "-"
access.log:112.14.63.7 - - [06/Oct/2012:21:27:23 +0800] "HEAD /1.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)" "-"
access.log:114.112.29.44 - - [06/Oct/2012:21:27:23 +0800] "HEAD /2.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)" "-"
access.log:112.122.134.43 - - [06/Oct/2012:21:27:23 +0800] "HEAD /www.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)" "-"
access.log:112.122.134.43 - - [06/Oct/2012:21:27:24 +0800] "HEAD /web.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)" "-"
access.log:210.72.75.212 - - [06/Oct/2012:21:27:24 +0800] "HEAD /flashfxp.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)" "-"
access.log:114.112.29.44 - - [06/Oct/2012:21:27:24 +0800] "HEAD /wwwroot.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)" "-"
Some people back up their site on a schedule, and the backup archives often end up with exactly the names probed above. The scanner is hoping that one of these HEAD requests comes back with something other than 404 so the archive can be downloaded directly. Evil...
Installing fail2ban is not covered here; an earlier post of mine describes it. If you would rather not install it with yum from the rpmforge repository, the RPMs can be found at http://pkgs.repoforge.org/fail2ban/, or you can build from the source tarball on sourceforge. After installation, create the file nginx.conf under /etc/fail2ban/filter.d/ with the following content:
[Definition]
failregex = <HOST> -.*- .*HTTP/1.* 404 .*$
ignoreregex =
Note: the filter works by picking out every IP whose requests produced a 404 within a given window; the conditions defined below then decide which of those IPs actually get banned. Any 404 matches this regex, including a missing favicon.ico or a broken link followed by a normal visitor, so maxretry and findtime are what keep legitimate users from being banned.
Open /etc/fail2ban/jail.local and append the following at the end. The annotations are written as # comments, which is what fail2ban's INI parser understands; an inline // annotation would become part of the value and break the jail:
[nginx-get-dos]
enabled = true
port = http,https
# filter name = the nginx.conf file created under filter.d above
filter = nginx
# location of the access log
logpath = /logs/nginx/361way.access.log
# how many matches before the IP is banned
maxretry = 20
# the window, in seconds, within which those matches must occur
findtime = 60
# how long, in seconds, the IP stays banned
bantime = 3600
# this action only blocks port http; the https in "port =" above is not used
# once the action is given its own port. To cover both, use
# iptables-multiport[name=HTTP, port="http,https", protocol=tcp]
action = iptables[name=HTTP, port=http, protocol=tcp]
# whitelisted IPs that are never banned
#ignoreip = 192.168.1.2
Use fail2ban-regex to check which IPs match the rule:
fail2ban-regex /logs/nginx/361way.access.log /etc/fail2ban/filter.d/nginx.conf
…………………………
…………………………
110.20.60.68 (Mon Oct 22 21:08:26 2012)
123.205.60.22 (Mon Oct 22 21:11:58 2012)
203.202.60.69 (Mon Oct 22 21:14:18 2012)
Date template hits:
0 hit(s): Month Day Hour:Minute:Second
0 hit(s): Weekday Month Day Hour:Minute:Second Year
0 hit(s): Weekday Month Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
77607 hit(s): Day/Month/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-Month-Year Hour:Minute:Second[.Millisecond]
0 hit(s): TAI64N
0 hit(s): Epoch
Success, the total number of match is 35201
However, look at the above section 'Running tests' which could contain important
information.
Note: the figure above is the number of log lines matching the rule in nginx.conf; fail2ban-regex does not apply the jail conditions (maxretry, findtime) from jail.local.
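To make that distinction concrete, here is an added example (my own Python, not part of fail2ban or the original post) that applies the same failregex to the scan lines quoted above plus two constructed lines from a normal visitor, and then applies maxretry and findtime the way the jail would. The `<HOST>` expansion is the one fail2ban 0.8 uses; the lines are searched whole, which is a simplification of fail2ban's own date handling. Because the quoted excerpt has at most seven hits per IP, the run uses maxretry = 3 to show bans happening, then repeats with the page's maxretry = 20 to show that the same excerpt bans nobody.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# The page's filter, exactly as written in /etc/fail2ban/filter.d/nginx.conf.
FAILREGEX = r"<HOST> -.*- .*HTTP/1.* 404 .*$"

# fail2ban 0.8 expands the <HOST> tag to this group before compiling the regex.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# nginx timestamp field, e.g. [06/Oct/2012:21:27:22 +0800]
DATE_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")

UA = '"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)" "-"'

# Scan lines quoted in the post, with the grep "access.log:" prefix removed.
PAGE_LINES = [
    f'112.122.134.43 - - [06/Oct/2012:21:27:22 +0800] "HEAD /flashfxp.zip HTTP/1.1" 404 0 "-" {UA}',
    f'112.122.134.43 - - [06/Oct/2012:21:27:22 +0800] "HEAD /ip HTTP/1.1" 404 0 "-" {UA}',
    f'112.122.134.43 - - [06/Oct/2012:21:27:23 +0800] "HEAD /1.zip HTTP/1.1" 404 0 "-" {UA}',
    f'112.14.63.7 - - [06/Oct/2012:21:27:23 +0800] "HEAD /flashfxp.zip HTTP/1.1" 404 0 "-" {UA}',
    f'114.112.29.44 - - [06/Oct/2012:21:27:23 +0800] "HEAD /flashfxp.zip HTTP/1.1" 404 0 "-" {UA}',
    f'114.112.29.44 - - [06/Oct/2012:21:27:23 +0800] "HEAD /ip HTTP/1.1" 404 0 "-" {UA}',
    f'114.112.29.44 - - [06/Oct/2012:21:27:23 +0800] "HEAD /1.zip HTTP/1.1" 404 0 "-" {UA}',
    f'112.122.134.43 - - [06/Oct/2012:21:27:23 +0800] "HEAD /2.zip HTTP/1.1" 404 0 "-" {UA}',
    f'112.14.63.7 - - [06/Oct/2012:21:27:23 +0800] "HEAD /ip HTTP/1.1" 404 0 "-" {UA}',
    f'112.122.134.43 - - [06/Oct/2012:21:27:23 +0800] "HEAD /wwwroot.zip HTTP/1.1" 404 0 "-" {UA}',
    f'112.14.63.7 - - [06/Oct/2012:21:27:23 +0800] "HEAD /1.zip HTTP/1.1" 404 0 "-" {UA}',
    f'114.112.29.44 - - [06/Oct/2012:21:27:23 +0800] "HEAD /2.zip HTTP/1.1" 404 0 "-" {UA}',
    f'112.122.134.43 - - [06/Oct/2012:21:27:23 +0800] "HEAD /www.zip HTTP/1.1" 404 0 "-" {UA}',
    f'112.122.134.43 - - [06/Oct/2012:21:27:24 +0800] "HEAD /web.zip HTTP/1.1" 404 0 "-" {UA}',
    f'210.72.75.212 - - [06/Oct/2012:21:27:24 +0800] "HEAD /flashfxp.zip HTTP/1.1" 404 0 "-" {UA}',
    f'114.112.29.44 - - [06/Oct/2012:21:27:24 +0800] "HEAD /wwwroot.zip HTTP/1.1" 404 0 "-" {UA}',
]

# Constructed lines (not from the post): a normal page view that must not match,
# and a harmless favicon 404 that matches once but never reaches maxretry.
CONSTRUCTED_LINES = [
    '203.0.113.10 - - [06/Oct/2012:21:27:25 +0800] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "-"',
    '203.0.113.10 - - [06/Oct/2012:21:27:26 +0800] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0" "-"',
]


def compile_failregex(failregex=FAILREGEX):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_TAG))


def parse_time(line):
    """Return the request timestamp as an aware datetime, or None if absent."""
    m = DATE_RE.search(line)
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z") if m else None


def simulate(lines, maxretry, findtime, failregex=FAILREGEX):
    """Replay log lines through the filter and the jail's counting rules.

    Returns (match_count, {ip: time_of_ban}). match_count is what
    fail2ban-regex reports; the ban dict is what the jail would add to iptables.
    """
    rx = compile_failregex(failregex)
    recent = defaultdict(deque)  # per-IP timestamps inside the findtime window
    banned = {}
    matches = 0
    for line in lines:
        m = rx.search(line)
        if not m:
            continue
        matches += 1
        ip, ts = m.group("host"), parse_time(line)
        if ts is None or ip in banned:
            continue
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # drop hits older than findtime seconds
        if len(window) >= maxretry:
            banned[ip] = ts
    return matches, banned


if __name__ == "__main__":
    lines = PAGE_LINES + CONSTRUCTED_LINES
    total, bans = simulate(lines, maxretry=3, findtime=60)
    print(f"lines matching failregex (fail2ban-regex count): {total}")
    for ip, when in bans.items():
        print(f"maxretry=3: would ban {ip} at {when:%H:%M:%S}")
    print("maxretry=20 on the same excerpt bans:", simulate(lines, 20, 60)[1])
```

The favicon line shows why the 404 filter needs a generous maxretry: it counts against 203.0.113.10 just like a scan probe, and only the jail thresholds keep that visitor off the ban list.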
[root@bj1 fail2ban]# fail2ban-client status nginx-get-dos
Status for the jail: nginx-get-dos
|- filter
| |- File list: /logs/nginx/361way.access.log
| |- Currently failed: 1
| `- Total failed: 210
`- action
|- Currently banned: 1
| `- IP list: 192.168.1.5
`- Total banned: 1
The result shown above corresponds to the output of iptables -L (or iptables -nL):
[root@bj1 fail2ban]# iptables -nL
……………………………………
……………………………………
Chain fail2ban-HTTP (1 references)
target prot opt source destination
DROP all -- 192.168.1.5 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0