无法阻止对 nginx 服务器的攻击

Question

你可以在 nginx jail 中安装 fail2ban，它会自动扫描日志文件并阻止某些流量

安装 fail2ban 后，您可以在 /etc/fail2ban/jail.d/nginx.conf 中创建一个 jail（例如）

在这个文件中你把这个

[nginx-http-auth]
enabled = true
mode = normal
port    = http,https
logpath = %(nginx_error_log)s

你也可以把这个放进去，但你需要要使用“nginx-limit-req”jail，您应该拥有ngx_http_limit_req_module并定义limit_req，limit_req_zone如 nginx 文档中所述

[nginx-limit-req]
enabled = true 
port    = http,https
logpath = %(nginx_error_log)s

在流量过大（包括 DDoS 攻击）的情况下，此功能非常有用

下面是一个 PowerShell 脚本，用于阻止 droplet 防火墙中的特定 IP

# Set your DigitalOcean API token
$token = "YOUR_DIGITALOCEAN_API_TOKEN"

# Set the ID of the firewall you want to modify
$firewallId = "YOUR_FIREWALL_ID"

# Set the IP address you want to block
$ipToBlock = "IP_ADDRESS_TO_BLOCK"

# Define the API endpoint URL
$endpoint = "https://api.digitalocean.com/v2/firewalls/$firewallId"

# Define the JSON payload to add a new inbound rule blocking the specified IP address
$jsonPayload = @{
    inbound_rules = @(
        @{
            protocol = "tcp"
            ports = ""
            sources = @{
                addresses = @($ipToBlock)
            }
        }
    )
} | ConvertTo-Json

# Make the API request to update the firewall
$response = Invoke-RestMethod -Uri $endpoint -Method Put -Headers @{Authorization = "Bearer $token"} -ContentType "application/json" -Body $jsonPayload

# Check if the request was successful
if ($response) {
    Write-Host "IP address $ipToBlock has been blocked in the firewall."
} else {
    Write-Host "Failed to block IP address $ipToBlock in the firewall."
}

如果你不想让它到达 nginx 服务器，我遇到了一个 docker-waf，你可以把它放在你的 web 服务器前面，并使用 Modsecurity 和 owasp modsecurity crs 规则一起阻止恶意流量 https://github.com/theonemule/docker-waf

OWASP Modsecurity CRS 中还有 Dos 保护。

可选的 DoS 保护，防止客户端请求过快。

#
# When a client is making more than 100 requests (excluding static files) within
# 60 seconds, this is considered a 'burst'. After two bursts, the client is
# blocked for 600 seconds.

Answer 1