我有一个定期运行的事件源。问题是,http-get-dos
如果用户长时间打开选项卡,fail2ban 将捕获 IP。
所以,我在想,如何在 ningx 中禁用这种类型的特定登录?另一种方法是将fail2ban 配置为忽略此模式。
"GET /users/stream HTTP/2.0"
我愿意在 nginx 或 fail2ban 中实现。
可能相应地更改此行 /etc/fail2ban/filter.d/http-get-dos.conf
是最直接的方法:
failregex = ^<HOST> -.*"(GET|POST).*
更新(/etc/fail2ban/filter.d/http-get-dos.conf):
# Fail2Ban configuration file
[Definition]
# Option: failregex
# Note: This regex will match any GET entry in your logs, so basically all valid and not valid entries are a match.
# You should set up in the jail.conf file, the maxretry and findtime carefully in order to avoid false positives.
failregex = ^<HOST> -.*"(GET|POST).*
# Option: ignoreregex
ignoreregex =
##To stop DOS attack from remote host.
[http-get-dos]
enabled = true
port = http,https
filter = http-get-dos
logpath = /usr/local/nginx/localhost-access.log
maxretry = 300
findtime = 300
bantime = 600
action = iptables[name=HTTP, port=http, protocol=tcp]
第一次尝试:显然不能使用下面的正则表达式:
fail2ban-regex /usr/local/nginx/localhost-access.log '^<HOST> -.*"(GET|POST).*' '^.+?:\d+ <HOST> -.*"(GET) /users/stream.*$'
Running tests
=============
Use failregex line : ^<HOST> -.*"(GET|POST).*
Use ignoreregex line : ^.+?:\d+ <HOST> -.*"(GET) /users/stream.*$
Use log file : /usr/local/nginx/localhost-access.log
Use encoding : UTF-8
Results
=======
Failregex: 22431 total
|- #) [# of hits] regular expression
| 1) [22431] ^<HOST> -.*"(GET|POST).*
`-
Ignoreregex: 0 total
第二次尝试:但可以使用^<HOST> -.*"(GET) /users/stream.*$
fail2ban-regex /usr/local/nginx/localhost-access.log '^<HOST> -.*"(GET|POST).*' '^<HOST> -.*"(GET) /users/stream.*$'
Running tests
=============
Use failregex line : ^<HOST> -.*"(GET|POST).*
Use ignoreregex line : ^<HOST> -.*"(GET) /users/stream.*$
Use log file : /usr/local/nginx/localhost-access.log
Use encoding : UTF-8
Results
=======
Failregex: 1574 total
|- #) [# of hits] regular expression
| 1) [1574] ^<HOST> -.*"(GET|POST).*
`-
Ignoreregex: 22093 total
|- #) [# of hits] regular expression
| 1) [22093] ^<HOST> -.*"(GET) /users/stream.*$
`-
你在正确的轨道上使用
在你的指令
配置文件。这应该只是调整正则表达式的问题。像这样的东西:
它匹配您的日志文件行,然后匹配任何 GET,并且仅匹配具有 /users/stream 前缀的请求以及附加到它的任何字符串的 GET。