Fail2ban 禁令未按预期发挥作用

Fail2ban 禁令未按预期发挥作用

我有这个监狱:

##To stop DOS attack from remote host.
[http-get-dos]
enabled = true
port = http,https
filter = http-get-dos
logpath  = /usr/local/nginx/localhost-access.log
maxretry = 100
findtime = 300
bantime = 6000
action = iptables[name=HTTP, port=http, protocol=tcp]

Status for the jail: http-get-dos
|- Filter
|  |- Currently failed: 18
|  |- Total failed:     99871
|  `- File list:        /usr/local/nginx/localhost-access.log
`- Actions
   |- Currently banned: 2
   |- Total banned:     5
   `- Banned IP list:   94.60.20.166 193.112.177.8

然而,运行之后fail2ban-client status http-get-dos,IP 被标记为禁止,我仍然收到大量来自被禁止 IP 的传入请求,这会导致 CPU 使用率过高:

193.112.177.8 - - [01/Jul/2019:17:48:59 +0100] "GET /companies/xxx HTTP/1.1" 200 18935 "https://example.com/companies/xxx" "shelby/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0"
193.112.177.8 - - [01/Jul/2019:17:48:59 +0100] "GET /companies/xxx HTTP/1.1" 200 18935 "https://example.com/companies/xxx" "asdfgh/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0"
193.112.177.8 - - [01/Jul/2019:17:49:00 +0100] "GET /companies/xxx HTTP/1.1" 200 18935 "https://example.com/companies/xxx" "tigger/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0"
...

现在,如果我这样做:

iptables -A INPUT -s 193.112.177.8 -j DROP 

我没有在日志中看到来自此 IP 的更多请求。问题是,为什么 fail2ban 的禁令不像上面的规则那样起作用?

答案1

我相信你的网站是https这样的,这就是为什么你仍然收到请求,因为你没有禁止,https但只是http

正确的做法是

action = iptables-multiport[name=HTTP, port="http,https", protocol=tcp]

相关内容