Fail2Ban: a very handy add-on for Apache

2020-11-26  Zal哥哥

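Fail2Ban is a very handy add-on for Apache. Its purpose is to block attacking or scanning requests: it finds requests in the Apache logs that match the configured conditions and bans the originating IP for a period of time.

Installation: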

sudo yum install fail2ban

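After installation, a fail2ban directory appears under /etc. Create a jail.local file there to configure fail2ban (sudo vi /etc/fail2ban/jail.local).

Below is a configuration found online (you can change bantime, and you must change logpath to point at Apache's error_log. Adjust maxretry to set how many failures are allowed before access is banned; ignoreip excludes certain IP addresses):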

jail.local


# detect password authentication failures
[apache]
enabled  = true
filter   = apache-auth
action   = iptables-multiport[name=auth, port="http,https"]
logpath  = /var/log/httpd/error_log
bantime  = 3600
maxretry = 10
# ignoreip takes IP addresses, CIDR masks or DNS hosts, not wildcards
ignoreip = 10.0.0.0/8

# detect spammer robots crawling email addresses
[apache-badbots]
enabled  = true
filter   = apache-badbots
action   = iptables-multiport[name=badbots, port="http,https"]
# this filter matches User-Agent strings, which Apache writes to access_log
logpath  = /var/log/httpd/access_log
bantime  = 3600
maxretry = 1
ignoreip = 10.0.0.0/8

# detect potential search for exploits
[apache-noscript]
enabled  = true
filter   = apache-noscript
action   = iptables-multiport[name=noscript, port="http,https"]
logpath  = /var/log/httpd/error_log
bantime  = 3600
maxretry = 5
ignoreip = 10.0.0.0/8

# detect Apache overflow attempts
[apache-overflows]
enabled  = true
filter   = apache-overflows
action   = iptables-multiport[name=overflows, port="http,https"]
logpath  = /var/log/httpd/error_log
bantime  = 3600
maxretry = 2
ignoreip = 10.0.0.0/8
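
To make the maxretry and ignoreip settings above concrete, here is an added example (not part of the original post and not Fail2Ban's own code) that replays constructed Apache error_log lines through a simplified stand-in for a "script not found" filter and returns the IPs that would be banned. The regex, the 600-second findtime window, the CIDR form 10.0.0.0/8 for ignoreip and all sample lines are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified stand-in for a failregex (assumption, not the filter Fail2Ban ships).
FAILREGEX = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[\w+:error\] \[pid \d+\] "
    r"\[client (?P<host>[0-9.]+):\d+\] script '[^']*' not found or unable to stat")
TS_FORMAT = "%a %b %d %H:%M:%S.%f %Y"   # Apache 2.4 error_log timestamp


def banned_ips(lines, maxretry=5, findtime=600, ignoreip=("10.0.0.0/8",)):
    """Return IPs that reach maxretry matching lines within findtime seconds."""
    ignored = [ipaddress.ip_network(n) for n in ignoreip]
    window = timedelta(seconds=findtime)
    hits = defaultdict(deque)          # ip -> timestamps of recent failures
    banned = []
    for line in lines:
        m = FAILREGEX.match(line)
        if not m:
            continue                   # line does not match the filter
        ip = ipaddress.ip_address(m.group("host"))
        if any(ip in net for net in ignored):
            continue                   # ignoreip: never counted, never banned
        ts = datetime.strptime(m.group("ts"), TS_FORMAT)
        q = hits[str(ip)]
        q.append(ts)
        while ts - q[0] > window:      # drop failures older than findtime
            q.popleft()
        if len(q) >= maxretry and str(ip) not in banned:
            banned.append(str(ip))
    return banned


def sample_line(minute, second, ip, script):
    """Build one constructed line in Apache 2.4 error_log format."""
    return (f"[Thu Nov 26 10:{minute:02d}:{second:02d}.000000 2020] [php7:error] [pid 101] "
            f"[client {ip}:40000] script '/var/www/html/{script}' not found or unable to stat")


# Constructed sample log (documentation-range and private addresses only).
SAMPLE_LOG = (
    [sample_line(0, s, "203.0.113.7", f"probe{s}.php") for s in range(5)]      # 5 hits in 5 s
    + [sample_line(1, s, "10.1.2.3", "health.php") for s in range(8)]          # inside ignoreip
    + [sample_line(m, 0, "198.51.100.9", "old.php") for m in range(2, 60, 13)] # 5 hits, 13 min apart
)
```

With the defaults only the burst from 203.0.113.7 is banned: the 10.1.2.3 lines fall inside ignoreip, and the 198.51.100.9 hits are spaced too far apart to accumulate within findtime.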

To see which IPs a particular Fail2Ban filter has blocked, use the fail2ban-client command:

terminal


sudo fail2ban-client status apache-noscript

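The command above shows the detailed status of apache-noscript and which IPs it has blocked.

Below is a configuration for preventing URL scanning, found via Google:

urlscanning filter: https://unix.stackexchange.com/questions/119508/how-to-use-fail2ban-to-ban-all-php-and-cgi-bin-requests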
