Apache has a very handy companion tool called Fail2Ban. Its purpose is to block aggressive or scanning requests: it picks matching requests out of the Apache logs and bans the offending IP from accessing the server for a period of time.
Installation:
sudo yum install fail2ban
After installation there is a new fail2ban directory under /etc. Create a jail.local file there to configure Fail2Ban (sudo vi /etc/fail2ban/jail.local).
Below is a configuration found online (you can change bantime, and you must change logpath to point at Apache's error_log. Adjust maxretry to set how many failures are allowed before access is banned; ignoreip excludes certain IP addresses):
jail.local
# detect password authentication failures
[apache]
enabled = true
filter = apache-auth
action = iptables-multiport[name=auth, port="http,https"]
logpath = /var/log/httpd/error_log
bantime = 3600
maxretry = 10
# ignoreip takes addresses or CIDR networks, not wildcards (10.*.*.* is rejected as an invalid address)
ignoreip = 10.0.0.0/8

# detect spammer robots crawling email addresses
[apache-badbots]
enabled = true
filter = apache-badbots
action = iptables-multiport[name=badbots, port="http,https"]
# the badbots filter matches User-Agent strings, which only appear in the access log, not error_log
logpath = /var/log/httpd/access_log
bantime = 3600
maxretry = 1
ignoreip = 10.0.0.0/8

# detect potential search for exploits
[apache-noscript]
enabled = true
filter = apache-noscript
action = iptables-multiport[name=noscript, port="http,https"]
logpath = /var/log/httpd/error_log
bantime = 3600
maxretry = 5
ignoreip = 10.0.0.0/8

# detect Apache overflow attempts
[apache-overflows]
enabled = true
filter = apache-overflows
action = iptables-multiport[name=overflows, port="http,https"]
logpath = /var/log/httpd/error_log
bantime = 3600
maxretry = 2
ignoreip = 10.0.0.0/8
If you need to see which IPs a particular Fail2Ban filter has blocked, you can check with the fail2ban-client command:
terminal
sudo fail2ban-client status apache-noscript
The command above shows the detailed status of the apache-noscript jail and which IPs it has blocked.
Below is a configuration for blocking URL scanning, found via Google:
URL-scanning filter: https://unix.stackexchange.com/questions/119508/how-to-use-fail2ban-to-ban-all-php-and-cgi-bin-requests
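As an added example (not part of the original post, and not Fail2Ban's own code), here is a small Python model of what a jail does with the settings above: an apache-auth style failregex is run over constructed error_log lines, failures are counted per client IP, addresses inside the ignoreip network 10.0.0.0/8 are skipped, and an IP is banned for bantime once it reaches maxretry. The sample uses maxretry=3 instead of the page's 10 only to keep the constructed log short.

```python
import ipaddress
import re
from collections import Counter

# Modelled on fail2ban's apache-auth filter (simplified); the "host" group plays <HOST>.
FAILREGEX = re.compile(
    r"\[client (?P<host>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\] AH\d+: "
    r"(?:user \S+: authentication failure|user \S+ not found)"
)

# Constructed sample error_log lines (not taken from a real server).
SAMPLE_LOG = [
    '[Sat Mar 05 10:00:01.000001 2022] [auth_basic:error] [pid 2201] [client 203.0.113.5:51234] AH01617: user admin: authentication failure for "/admin": Password Mismatch',
    '[Sat Mar 05 10:00:02.000001 2022] [auth_basic:error] [pid 2201] [client 203.0.113.5:51236] AH01618: user root not found: /admin',
    '[Sat Mar 05 10:00:03.000001 2022] [auth_basic:error] [pid 2201] [client 10.1.2.3:40000] AH01617: user bob: authentication failure for "/admin": Password Mismatch',
    '[Sat Mar 05 10:00:04.000001 2022] [auth_basic:error] [pid 2201] [client 10.1.2.3:40001] AH01617: user bob: authentication failure for "/admin": Password Mismatch',
    "[Sat Mar 05 10:00:05.000001 2022] [core:notice] [pid 2200] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'",
    '[Sat Mar 05 10:00:06.000001 2022] [auth_basic:error] [pid 2201] [client 203.0.113.5:51240] AH01617: user admin: authentication failure for "/admin": Password Mismatch',
]

class Jail:
    """Minimal model of one [jail] section: maxretry, bantime, ignoreip."""
    def __init__(self, maxretry, bantime, ignoreip=()):
        self.maxretry, self.bantime = maxretry, bantime
        # ignoreip accepts addresses or CIDR networks (10.0.0.0/8), never 10.*.*.* wildcards
        self.ignore = [ipaddress.ip_network(n) for n in ignoreip]
        self.failures = Counter()  # ip -> matched failures so far
        self.banned = {}           # ip -> time at which the ban expires
    def ignored(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.ignore)
    def process(self, line, now):
        """Feed one log line; return the IP if this line pushed it over maxretry."""
        m = FAILREGEX.search(line)
        if not m or self.ignored(m.group("host")) or m.group("host") in self.banned:
            return None
        ip = m.group("host")
        self.failures[ip] += 1
        if self.failures[ip] >= self.maxretry:
            self.banned[ip] = now + self.bantime
            return ip
        return None
    def status(self):  # roughly what `fail2ban-client status <jail>` reports
        return {"currently_banned": sorted(self.banned), "total_failed": sum(self.failures.values())}

def run_jail(lines, maxretry=3, bantime=3600, ignoreip=("10.0.0.0/8",)):
    jail = Jail(maxretry, bantime, ignoreip)
    for now, line in enumerate(lines):  # the line index stands in for the timestamp
        jail.process(line, now)
    return jail
```

Running run_jail(SAMPLE_LOG) bans only 203.0.113.5; the 10.1.2.3 failures are never counted because the address falls inside the ignoreip network.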