fail2ban 不断尝试再次禁止

fail2ban 不断尝试再次禁止

我在让 fail2ban 执行我想要的操作时遇到了问题。我使用的操作禁止了 CLoudFlare 上的 IP,这意味着在 Cloudflare 端更新所有内容之前,仍会有很多请求通过(因此用户无法再访问该网站)。

在此之前,fail2ban 会一遍又一遍地尝试禁止该 IP,导致它向 cloudflare 发送数千个(如果发生 DDoS 攻击)请求,这会花费很长时间,因此在处理完之前的(已被禁止的)攻击者之前,不会禁止任何其他攻击者。

那么,有没有办法阻止 fail2ban 再次尝试禁止他们,而是忽略他们?

#!/bin/bash

# Make sure that the ip-blacklist file exists
# otherwise we go ahead and create it
if [ ! -e "/etc/fail2ban/ip.blacklist" ] ; then
    touch "/etc/fail2ban/ip.blacklist"
fi

if [[ $1 = ban ]]; then
    if ! grep -q "$2" /etc/fail2ban/ip.blacklist; then
        # Store the IP as we need it later to check if the user is already banned
        echo "$2" >> /etc/fail2ban/ip.blacklist

        # Submit the ban request
    fi 
elif [[ $1 = unban ]]; then
    # Remove the IP from the blacklist 
    perl -ni -e "print unless (/^$2$/);" /etc/fail2ban/ip.blacklist
    #sed -i '/^$2$/d' /etc/fail2ban/ip.blacklist

    # Submit the unban request
fi

答案1

考虑创建一个被禁 IP 列表,并在发出禁封请求时将 IP 添加到该列表中。如果 IP 在列表中,则在操作脚本中忽略禁封请求。您还需要更改解禁操作以从被禁 IP 列表中删除 IP。创建如下脚本:

#!/bin/bash

# Define ourbanfile
banFile=ip.blacklist

# Ensure we have a banFile will be created if missing
if [ ! -e ${banFile} ]; then
    touch ${banFile}
fi

# Ban or unban as desired
if [[ $1 = ban ]]; then
    if ! grep -q "$2" ${banFile}; then
        # Store the IP as we need it later to check if the user is already banned
        echo "$2" >> ${banFile}

        # Submit the ban request
    fi
elif [[ $1 = unban ]]; then
    # Remove the IP from the blacklist
    perl -ni -e "print unless (/^$2\$/);" ${banFile}
    #sed -i '/^$2$/d' ${banFile}

    # Submit the unban request
fi

# Cat banfile if running on terminal (testing)
tty -s  && cat ${banFile}

# EOF

你的行动将是:

actionban = /path/to/script ban <IP>
actionunban = /path/to/script unban <IP>

相关内容