Monitoring nginx logs with fail2ban (小李贼).docx
- Document number: 29187647
- Upload date: 2023-07-21
- Format: DOCX
- Pages: 7
- Size: 16.46KB
Monitoring nginx logs with fail2ban
September 9th, 2010, li

Background
fail2ban is a log-scanning tool that tries to detect malicious behaviour in log files, above all repeated failed username/password attempts, and can ban the offending IP addresses with the iptables firewall to prevent further attacks.
Recently I found many suspicious requests in the logs of an nginx server; they look like attempts to discover vulnerable pages on the web server:
221.204.246.105 - - [08/Sep/2010:06:45:13 +0000] "GET /dbzhedit/ewebeditor.asp HTTP/1.1" 404 5748 "-" "Mozilla/4.0"
221.204.246.105 - - [08/Sep/2010:06:45:14 +0000] "GET /edit/ewebeditor.asp HTTP/1.1" 404 5744 "-" "Mozilla/4.0"
221.204.246.105 - - [08/Sep/2010:06:45:15 +0000] "GET /ugvbadmin/edit/ewebeditor.asp HTTP/1.1" 404 5754 "-" "Mozilla/4.0"
222.189.228.42 - - [08/Sep/2010:18:10:50 +0000] "GET /piqmUserReg.asp HTTP/1.1" 404 5790 "-" "Mozilla/4.0"
222.189.228.42 - - [08/Sep/2010:18:10:51 +0000] "GET /UserReg.asp HTTP/1.1" 404 5786 "-" "Mozilla/4.0"
222.189.228.42 - - [08/Sep/2010:18:10:52 +0000] "GET /ioifupfile_flash.asp HTTP/1.1" 404 5795 "-" "Mozilla/4.0"
222.189.228.42 - - [08/Sep/2010:18:10:53 +0000] "GET /upfile_flash.asp HTTP/1.1" 404 5791 "-" "Mozilla/4.0"
222.189.228.42 - - [08/Sep/2010:18:10:53 +0000] "GET /admin/zhmuupfile_flash.asp HTTP/1.1" 404 5801 "-" "Mozilla/4.0"
222.189.228.42 - - [08/Sep/2010:18:10:54 +0000] "GET /admin/upfile_flash.asp HTTP/1.1" 404 5797 "-" "Mozilla/4.0"
222.189.228.42 - - [08/Sep/2010:18:10:54 +0000] "GET /admins/xvmbupfile_flash.asp HTTP/1.1" 404 5802 "-" "Mozilla/4.0"
Installing fail2ban
I think fail2ban can be used to scan the log for the attacks above and ban the malicious clients. First install fail2ban; on Ubuntu/Debian a single apt-get does it:
apt-get install fail2ban
Configuring the fail2ban filter rule for nginx
Judging from the pattern of the attack, it is a burst of requests in a short time that makes the server return HTTP 404 (file not found) error codes. Below is the fail2ban filter rule for detecting the attack above; create the file nginx.conf in the /etc/fail2ban/filter.d/ directory with the following contents:
[Definition]
failregex = <HOST> -.*- .*HTTP/1.*404.*$
ignoreregex =
Testing the fail2ban filter rule
Before enabling the filter rule for real, you can first check that it works with fail2ban-regex:
# fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx.conf

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/nginx.conf
Use log file   : /var/log/nginx/access.log

Results
=======

Failregex
|- Regular expressions:
|  [1] <HOST> -.*- .*HTTP/1.*404.*$
|
`- Number of matches:
   [1] 1304 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Addresses found:
[1]
    222.189.228.42 (Wed Sep 08 18:10:50 2010)
    222.189.228.42 (Wed Sep 08 18:10:51 2010)
    222.189.228.42 (Wed Sep 08 18:10:52 2010)
    222.189.228.42 (Wed Sep 08 18:10:52 2010)
    ...

Date template hits:
...
XXXX hit(s): Day/MONTH/Year:Hour:Minute:Second
...

Success, the total number of match is YYYY

However, look at the above section 'Running tests' which could contain important
information.
Activating the fail2ban filter rule
The test results show that both the IP addresses of the malicious nodes and the attack times are detected correctly, so the fail2ban configuration can now be changed to activate the rule above. Below is the content of my /etc/fail2ban/jail.local:
[DEFAULT]
ignoreip = 127.0.0.1
bantime = 3600
maxretry = 6
destemail = root
action = %(action_mwl)s

[nginx]
enabled = true
port = http,https
filter = nginx
logpath = /var/log/nginx/access.log
The configuration above tells fail2ban to monitor nginx's access.log with the nginx filter rule; when an attack is detected, besides banning the client IP in the iptables firewall, it also sends root an e-mail containing whois information about that IP. Activate the configuration with the following command:
fail2ban-client reload
The messages logged when the nginx rule is activated can be seen in the /var/log/fail2ban.log log file:
2010-09-09 08:00:54,810 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4
2010-09-09 08:00:54,810 fail2ban.jail   : INFO   Creating new jail 'nginx'
2010-09-09 08:00:54,811 fail2ban.jail   : INFO   Jail 'nginx' uses poller
2010-09-09 08:00:54,812 fail2ban.filter : INFO   Added logfile = /var/log/nginx/access.log
2010-09-09 08:00:54,813 fail2ban.filter : INFO   Set maxRetry = 50
2010-09-09 08:00:54,815 fail2ban.filter : INFO   Set findtime = 600
2010-09-09 08:00:54,815 fail2ban.actions: INFO   Set banTime = 3600
...
2010-09-09 08:00:54,970 fail2ban.jail   : INFO   Jail 'nginx' started
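As an added illustration (not code from the page or from fail2ban itself), here is a small Python model of what the filter and jail settings above do: it expands <HOST> the way fail2ban does (simplified here to IPv4), runs the page's failregex over constructed log lines, and applies the maxretry/findtime threshold before "banning". It also contrasts the page's regex with an assumed tighter one, because `HTTP/1.*404` also matches a 200 response whose byte count happens to contain "404".

```python
import re
from datetime import datetime, timedelta

# Constructed sample access.log lines (nginx combined format), not from a live server:
# 192.0.2.10 bursts 404s like the scanner on the page, 203.0.113.7 gets two 404s an hour
# apart, and 198.51.100.5 gets a 200 whose byte count happens to contain "404".
SAMPLE_LOG = """\
192.0.2.10 - - [08/Sep/2010:18:10:50 +0000] "GET /UserReg.asp HTTP/1.1" 404 5786 "-" "Mozilla/4.0"
192.0.2.10 - - [08/Sep/2010:18:10:51 +0000] "GET /upfile_flash.asp HTTP/1.1" 404 5791 "-" "Mozilla/4.0"
192.0.2.10 - - [08/Sep/2010:18:10:52 +0000] "GET /admin/upfile_flash.asp HTTP/1.1" 404 5797 "-" "Mozilla/4.0"
192.0.2.10 - - [08/Sep/2010:18:10:53 +0000] "GET /edit/ewebeditor.asp HTTP/1.1" 404 5744 "-" "Mozilla/4.0"
192.0.2.10 - - [08/Sep/2010:18:10:54 +0000] "GET /ewebeditor.asp HTTP/1.1" 404 5744 "-" "Mozilla/4.0"
192.0.2.10 - - [08/Sep/2010:18:10:55 +0000] "GET /admin/login.asp HTTP/1.1" 404 5801 "-" "Mozilla/4.0"
203.0.113.7 - - [08/Sep/2010:18:00:00 +0000] "GET /favicon.ico HTTP/1.1" 404 169 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Sep/2010:19:00:00 +0000] "GET /favicon.ico HTTP/1.1" 404 169 "-" "Mozilla/5.0"
198.51.100.5 - - [08/Sep/2010:18:10:53 +0000] "GET /index.html HTTP/1.1" 200 14045 "-" "Mozilla/5.0"
"""

# Simplified IPv4 stand-in for the group fail2ban substitutes for <HOST>.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PAGE_FAILREGEX = r"<HOST> -.*- .*HTTP/1.*404.*$"   # the filter from the page
# Assumed tightening (not from the page): match 404 only in the status-code field.
STRICT_FAILREGEX = r'<HOST> -.*- .*" 404 \d+ '
TS_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")

def find_failures(log, failregex):
    """Return (host, timestamp) for every line the failregex matches."""
    rx = re.compile(failregex.replace("<HOST>", HOST_RE))
    hits = []
    for line in log.splitlines():
        m = rx.search(line)
        if m:
            ts = datetime.strptime(TS_RE.search(line).group(1), "%d/%b/%Y:%H:%M:%S")
            hits.append((m.group("host"), ts))
    return hits

def hosts_to_ban(hits, maxretry=6, findtime=600):
    """Ban a host once it has maxretry matches within any findtime-second window."""
    window = timedelta(seconds=findtime)
    recent, banned = {}, set()
    for host, ts in sorted(hits, key=lambda h: h[1]):
        recent[host] = [t for t in recent.get(host, []) if ts - t <= window] + [ts]
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return banned

if __name__ == "__main__":
    for name, rx in (("page", PAGE_FAILREGEX), ("strict", STRICT_FAILREGEX)):
        hits = find_failures(SAMPLE_LOG, rx)
        print(name, sorted({h for h, _ in hits}), "->", sorted(hosts_to_ban(hits)))
```

With these inputs the page's regex counts the 200 response from 198.51.100.5 as a failure while the tightened one does not; neither bans it, since a ban still needs maxretry hits inside findtime.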
Testing the effect of fail2ban
You can simulate an attacker repeatedly requesting a non-existent URL with the following command and watch what fail2ban does:
while true; do wget http://127.0.0.10/404; done
# type Ctrl-C when you get stuck at "Connecting to 127.0.0.10:80..."
Check whether the fail2ban log recorded the attack above:
# grep Ban /var/log/fail2ban.log
2010-09-09 08:06:09,338 fail2ban.actions: WARNING [nginx-fnf] Ban 127.0.0.10
Use the iptables command to view the IP ban rule added by fail2ban:
# iptables -L
Chain INPUT (policy ACCEPT)
target         prot opt source               destination
fail2ban-nginx tcp  --  anywhere             anywhere             multiport dports www,https

Chain FORWARD (policy ACCEPT)
target         prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target         prot opt source               destination

Chain fail2ban-nginx (1 references)
target         prot opt source               destination
DROP           all  --  127.0.0.10           anywhere
RETURN         all  --  anywhere             anywhere
The e-mail sent by fail2ban looks like this:
Hi,

The IP 222.169.224.226 has just been banned by Fail2Ban after
7 attempts against ssh.

Here are more information about 222.169.224.226:
% [node-3]
% Whois data copyright terms

inetnum:      222.168.0.0 - 222.169.255.255
netname:      CHINANET-JL
descr:        CHINANET Jilin province network
descr:        Jilin Telecom Corporation
...

Lines containing IP:222.169.224.226 in /var/log/auth.log

Sep  9 02:30:14 localhost sshd[24401]: Did not receive identification string from 222.169.224.226
Sep  9 02:34:59 localhost sshd[24511]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.169.224.226  user=root
Sep  9 02:35:01 localhost sshd[24511]: Failed password for root from 222.169.224.226 port 36724 ssh2
Sep  9 02:35:03 localhost sshd[24515]: Invalid user fluffy from 222.169.224.226
Sep  9 02:35:03 localhost sshd[24515]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.169.224.226
Sep  9 02:35:05 localhost sshd[24515]: Failed password for invalid user fluffy from 222.169.224.226 port 36927 ssh2
Sep  9 02:35:06 localhost sshd[24519]: Invalid user admin from 222.169.224.226
Sep  9 02:35:06 localhost sshd[24519]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.169.224.226
Sep  9 02:35:09 localhost sshd[24519]: Failed password for invalid user admin from 222.169.224.226 port 37140 ssh2
Sep  9 02:35:10 localhost sshd[24521]: Invalid user test from 222.169.224.226
Sep  9 02:35:10 localhost sshd[24521]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.169.224.226
Sep  9 02:35:12 localhost sshd[24521]: Failed password for invalid user test from 222.169.224.226 port 37391 ssh2