sh Nginx limit_req module and fail2ban

Preface: this article was compiled by the editors of 小常识网 (cha138.com) and covers the Nginx limit_req module together with fail2ban; we hope it is of some reference value.

# In /etc/nginx/nginx.conf, inside the http { ... } block, add the following.
# The key is the client address in binary form (4 bytes for IPv4), so each client gets its own bucket:
limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;

# /etc/nginx/sites-available/webcoder.kz, inside the server { ... } block
location ~ \.php$ {
    limit_req zone=one burst=1 nodelay;
    try_files $uri /index.php =404;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass unix:/var/run/php5-fpm.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
}
}   # end of the enclosing server { ... } block

# 10m is the size of the shared-memory zone. 1 MB can hold about 16000 states. I think this means 16000 unique IP addresses.
# (A state is one key; with $binary_remote_addr an IPv4 key needs a 64-byte state, an IPv6 key a 128-byte one,
# so 1 MB holds roughly 16000 IPv4 or 8000 IPv6 clients. When the zone is full nginx evicts the oldest state,
# and if it still cannot allocate one the request is rejected.)
# If you host many sites or very high-traffic sites, you may want to increase it to 20m or 100m.
# 1r/s means 1 request per second is allowed. You cannot specify fractions. To slow things down further,
# i.e. fewer requests per second, use 30r/m, which means 30 requests per minute, effectively 1 request every 2 seconds.
#
# burst=1 lets one request beyond the rate through before requests are rejected.
# nodelay serves that burst request immediately instead of queuing it until the rate allows it;
# requests that exceed rate plus burst get HTTP status 503 (Service Unavailable) with or without nodelay
# (limit_req_status changes the code). Every rejection is written to the error log as
# "limiting requests, excess: ... by zone ..., client: <ip>", which is the line fail2ban matches below.
#
# Caveat: $binary_remote_addr is the TCP peer. Behind a reverse proxy or CDN that is the proxy's address,
# so all users share one bucket and fail2ban would ban the proxy. Configure the real IP module
# (set_real_ip_from / real_ip_header) so the real client address is limited and logged.
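To make the rate, burst and nodelay interaction concrete, here is an added example (not code from the original page or from nginx) that models the leaky-bucket accounting of ngx_http_limit_req_module in Python and runs the page's `rate=1r/s burst=1 nodelay` zone beside the same zone without `nodelay`, plus a `30r/m` zone. It assumes the module's published behaviour: a key seen for the first time starts with zero excess, every request adds one request of excess, excess drains at the configured rate, and a request is rejected once the excess would exceed the burst. The client address and timings are constructed sample input.

```python
"""Model of the leaky-bucket accounting in ngx_http_limit_req_module (added example).

Units follow the module: excess is kept in thousandths of a request, rate is in
requests per second, time is in milliseconds. Assumptions: a fresh key starts with
zero excess, each request adds one request of excess, excess drains at `rate`, and
a request is rejected when the resulting excess exceeds burst.
"""
from dataclasses import dataclass, field


@dataclass
class LimitReqZone:
    rate: float            # requests per second: 1.0 for "rate=1r/s", 0.5 for "rate=30r/m"
    burst: int = 0         # "burst=N"
    nodelay: bool = False  # "nodelay"
    excess: dict = field(default_factory=dict)  # key -> excess, in 1/1000 request
    last: dict = field(default_factory=dict)    # key -> time (ms) the excess was last accounted

    def admit(self, key: str, now_ms: int):
        """Account one request from `key` at `now_ms`.

        Returns (verdict, delay_ms, excess): verdict is "pass" (served at once),
        "delay" (queued for delay_ms before being served) or "503" (rejected).
        """
        if key not in self.excess:
            # A key seen for the first time is stored with zero excess and served.
            self.excess[key] = 0
            self.last[key] = now_ms
            return "pass", 0, 0

        elapsed = max(0, now_ms - self.last[key])
        # Drain what the rate allows since the last accounted request, then add this one.
        excess = max(0, self.excess[key] - int(self.rate * elapsed) + 1000)
        if excess > self.burst * 1000:
            # Over rate + burst: rejected and the state is left untouched. nginx logs this
            # as 'limiting requests, excess: X.XXX by zone "one", client: ...' (error level).
            return "503", 0, excess

        self.excess[key] = excess
        if elapsed:
            self.last[key] = now_ms
        if self.nodelay or excess == 0:
            # nodelay: the burst request is served immediately; only the accounting remembers it.
            return "pass", 0, excess
        # Without nodelay the request waits until the bucket has drained its excess
        # (nginx logs 'delaying request, excess: X.XXX, by zone ...' at warn level).
        return "delay", int(excess / self.rate), excess


def simulate(zone: LimitReqZone, key: str, times_ms):
    """Feed requests from one client at the given times; return (verdict, delay_ms) per request."""
    return [zone.admit(key, t)[:2] for t in times_ms]


def run_demo():
    """The page's 'rate=1r/s burst=1 nodelay' beside the same zone without nodelay,
    for a constructed client sending at t = 0, 0, 0, 1000 and 1200 ms."""
    times = [0, 0, 0, 1000, 1200]
    client = "203.0.113.5"  # documentation address, constructed sample
    with_nodelay = simulate(LimitReqZone(rate=1.0, burst=1, nodelay=True), client, times)
    without_nodelay = simulate(LimitReqZone(rate=1.0, burst=1, nodelay=False), client, times)
    return with_nodelay, without_nodelay


def rate_30rm_demo():
    """'rate=30r/m' with no burst: one request every two seconds, the rest rejected."""
    zone = LimitReqZone(rate=0.5, burst=0)
    return [v for v, _ in simulate(zone, "203.0.113.5", [0, 1000, 2000, 2100])]


if __name__ == "__main__":
    for label, result in zip(("nodelay", "no nodelay"), run_demo()):
        print(label, result)
    print("30r/m", rate_30rm_demo())
```

The second run shows what `nodelay` removes: the burst request is queued for a full second each time rather than served immediately, while the 503 rejections land on exactly the same requests in both runs.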
# Install fail2ban (Debian/Ubuntu):
apt-get install fail2ban

# Create a nginx filter file:
touch /etc/fail2ban/filter.d/nginx-req-limit.conf

# Add following content in it:

# Fail2Ban configuration file
#
# supports: ngx_http_limit_req_module module

[Definition]

failregex = limiting requests, excess:.* by zone.*client: <HOST>

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

# jail.conf is replaced on package upgrades, so local changes belong in jail.local.
# If you don't see jail.local, simply run:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
# (fail2ban 0.9 and later already ship an equivalent filter.d/nginx-limit-req.conf with a
# matching [nginx-limit-req] jail; on those versions enabling that jail is enough.)

# Add the following towards the end:
[nginx-req-limit]

enabled  = true
filter   = nginx-req-limit
# Ban the address on the HTTP and HTTPS ports only, using iptables
action   = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
logpath  = /var/log/nginx/*error.log
# findtime and bantime are in seconds: maxretry matches within 10 minutes ban the address for 3 hours
findtime = 600
bantime  = 10800
maxretry = 5
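Before pointing the jail at production logs it is worth seeing what the filter and jail settings actually do. The following added example (not code from the original page or from fail2ban) applies the page's failregex to constructed nginx error-log lines and then replays the findtime/maxretry window rule to decide which addresses would be banned. Assumptions: fail2ban's `<HOST>` tag is replaced by a plain character class for an address, the timestamp is nginx's default `YYYY/MM/DD HH:MM:SS` prefix, and the window rule (maxretry matches within findtime seconds) is reimplemented here rather than obtained from fail2ban. All addresses are documentation ranges and all log lines are constructed.

```python
"""The page's nginx-req-limit filter run over constructed nginx error-log lines, followed
by the findtime/maxretry window logic that decides a ban (added example).

Assumptions: <HOST> is replaced by a plain address character class, timestamps use
nginx's default "YYYY/MM/DD HH:MM:SS" prefix, and the ban rule reproduces fail2ban's
"maxretry matches within findtime seconds" without calling fail2ban itself.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The page's failregex with <HOST> substituted (fail2ban performs this substitution itself).
FAILREGEX = re.compile(r'limiting requests, excess:.* by zone.*client: (?P<host>[\w\-.:]+)')
TIMESTAMP = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})")


def _line(ts, level, msg, host):
    """Build one nginx error-log line in the module's format (constructed sample)."""
    return (f'{ts} [{level}] 1234#0: *1 {msg} by zone "one", client: {host}, '
            f'server: webcoder.kz, request: "GET /index.php HTTP/1.1", host: "webcoder.kz"')


# Constructed sample log, no real traffic: 203.0.113.5 is rejected five times within seven
# minutes; 198.51.100.200 five times but spread over sixteen minutes; 192.0.2.9 twice;
# 198.51.100.7 only produces a "delaying request" line (seen when nodelay is removed),
# which the filter must not count.
LIMIT = "limiting requests, excess: 2.000"
DELAY = "delaying request, excess: 0.600,"
SAMPLE_LOG = "\n".join([
    _line("2024/05/01 10:00:00", "error", LIMIT, "198.51.100.200"),
    _line("2024/05/01 10:00:01", "error", LIMIT, "203.0.113.5"),
    _line("2024/05/01 10:00:02", "warn", DELAY, "198.51.100.7"),
    _line("2024/05/01 10:00:05", "error", LIMIT, "203.0.113.5"),
    _line("2024/05/01 10:01:00", "error", LIMIT, "203.0.113.5"),
    _line("2024/05/01 10:02:00", "error", LIMIT, "192.0.2.9"),
    _line("2024/05/01 10:03:30", "error", LIMIT, "203.0.113.5"),
    _line("2024/05/01 10:04:00", "error", LIMIT, "198.51.100.200"),
    _line("2024/05/01 10:07:00", "error", LIMIT, "203.0.113.5"),
    _line("2024/05/01 10:08:00", "error", LIMIT, "198.51.100.200"),
    _line("2024/05/01 10:12:00", "error", LIMIT, "198.51.100.200"),
    _line("2024/05/01 10:15:00", "error", LIMIT, "192.0.2.9"),
    _line("2024/05/01 10:16:00", "error", LIMIT, "198.51.100.200"),
])


def parse_failures(log: str):
    """Return (time, host) for every line the failregex matches, in file order."""
    hits = []
    for line in log.splitlines():
        m = FAILREGEX.search(line)
        ts = TIMESTAMP.match(line)
        if not m or not ts:
            continue
        hits.append((datetime.strptime(ts.group(1), "%Y/%m/%d %H:%M:%S"), m.group("host")))
    return hits


def banned_hosts(log: str, maxretry: int = 5, findtime: int = 600):
    """Hosts that reach maxretry matches inside a findtime-second window, in ban order."""
    window = defaultdict(list)
    banned = []
    horizon = timedelta(seconds=findtime)
    for when, host in parse_failures(log):
        # Keep only this host's matches that are still inside the window, then add the new one.
        recent = [t for t in window[host] if when - t <= horizon]
        recent.append(when)
        window[host] = recent
        if len(recent) >= maxretry and host not in banned:
            banned.append(host)
            window[host] = []  # a banned host starts counting again once bantime expires
    return banned


if __name__ == "__main__":
    for when, host in parse_failures(SAMPLE_LOG):
        print(when, host)
    print("banned with maxretry=5 findtime=600:", banned_hosts(SAMPLE_LOG))
```

Against a real log the equivalent check is `fail2ban-regex /var/log/nginx/error.log /etc/fail2ban/filter.d/nginx-req-limit.conf`, which reports how many lines the filter matched and which dates it could parse. The sample shows why findtime matters: 198.51.100.200 trips the limiter as often as 203.0.113.5 but never five times within ten minutes, so only the latter is banned.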

# After saving both config files, restart fail2ban using:
service fail2ban restart

# fail2ban logs
tail -f /var/log/fail2ban.log

# You can also use fail2ban-client to find out status of a particular jail using following command:
fail2ban-client status nginx-req-limit

# Unban an IP address (for example: fail2ban-client set nginx-req-limit unbanip 203.0.113.5)
fail2ban-client set JAILNAMEHERE unbanip IPADDRESSHERE
