我有这个监狱:
##To stop DOS attack from remote host.
[http-get-dos]
enabled = true
port = http,https
filter = http-get-dos
logpath = /usr/local/nginx/localhost-access.log
maxretry = 100
findtime = 300
bantime = 6000
action = iptables[name=HTTP, port=http, protocol=tcp]
Status for the jail: http-get-dos
|- Filter
| |- Currently failed: 18
| |- Total failed: 99871
| `- File list: /usr/local/nginx/localhost-access.log
`- Actions
|- Currently banned: 2
|- Total banned: 5
`- Banned IP list: 94.60.20.166 193.112.177.8
然而,运行之后fail2ban-client status http-get-dos,IP 被标记为禁止,我仍然收到大量来自被禁止 IP 的传入请求,这会导致 CPU 使用率过高:
193.112.177.8 - - [01/Jul/2019:17:48:59 +0100] "GET /companies/xxx HTTP/1.1" 200 18935 "https://example.com/companies/xxx" "shelby/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0"
193.112.177.8 - - [01/Jul/2019:17:48:59 +0100] "GET /companies/xxx HTTP/1.1" 200 18935 "https://example.com/companies/xxx" "asdfgh/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0"
193.112.177.8 - - [01/Jul/2019:17:49:00 +0100] "GET /companies/xxx HTTP/1.1" 200 18935 "https://example.com/companies/xxx" "tigger/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0"
...
现在,如果我这样做:
iptables -A INPUT -s 193.112.177.8 -j DROP
我没有在日志中看到来自此 IP 的更多请求。问题是,为什么 fail2ban 的禁令不像上面的规则那样起作用?
答案1
我相信你的网站是https这样的,这就是为什么你仍然收到请求,因为你没有禁止,https但只是http
正确的做法是
action = iptables-multiport[name=HTTP, port="http,https", protocol=tcp]