
Fail2Ban
1 Preface
One problem, one article, one story.
Today the author opened the blog and found it extremely slow, so checked the Nginx log and found a large number of entries like the following,
161.248.239.201 - - [07/Aug/2025:16:00:27 +0800] "POST /wp-login.php HTTP/1.1" 499 0 "-" "Mozilla/5.0" "-"
161.248.239.201 - - [07/Aug/2025:16:00:27 +0800] "POST /wp-login.php HTTP/1.1" 503 0 "-" "Mozilla/5.0" "161.248.239.201"
54.197.102.71 - - [07/Aug/2025:17:25:46 +0800] "GET /wp-login.php?redirect_to=https://www.cmdschool.org/archives/22565 HTTP/1.1" 200 3717 "-" "Mozilla/5.0 AppleWebKit/537
Judging by this, some novice hacker who has only just started out has taken a liking to the author's site and wants to come in for a look around.
The author thought: one can't even write a document in peace, and would dearly like to send regards to his family. So the author put together the following countermeasures.
2 Best Practices
2.1 Environment Configuration
2.2 Configure Fail2Ban
2.2.1 Create the filter rule
vim /etc/fail2ban/filter.d/wordpress.conf
Add the following configuration,
[Definition]
# <HOST> is the placeholder Fail2Ban requires in every failregex; it is replaced
# by the host pattern and captures the client address from the first field.
failregex = ^<HOST> -.*"POST /wp-login.php HTTP/1.1" 499.*$
            ^<HOST> -.*"POST /wp-login.php HTTP/1.1" 503.*$
            ^<HOST> -.*"GET /wp-login.php\?redirect_to=.* HTTP/1.1" 200.*$
Then you can verify the rule against the live log with the following command,
fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/wordpress.conf
2.2.2 Define the jail configuration
vim /etc/fail2ban/jail.d/wordpress.local
Add the following configuration,
[wordpress]
enabled = true
port = http,https
filter = wordpress
logpath = /var/log/nginx/access.log
maxretry = 5
findtime = 5m
bantime = 24h
After modifying the configuration, you need to restart the service for it to take effect,
systemctl restart fail2ban.service
systemctl status fail2ban.service
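To see how the filter rule and the jail settings above interact before relying on them on a live server, here is an added example in Python (not from the original article and not fail2ban's own code). It applies the three failregex patterns to constructed nginx log lines in the format shown in the preface and replays the jail's maxretry/findtime counting. The patterns are written with fail2ban's <HOST> placeholder, which a failregex must contain; the example substitutes a plain IPv4 pattern for it, which is an assumption (fail2ban's real host pattern also covers IPv6 and hostnames), and parse_duration handles only the short duration forms used in the jail file. The sample log lines, hosts and timestamps are constructed.

```python
import re
from datetime import datetime

# Fail2Ban replaces <HOST> in a failregex with its own host pattern. For this
# offline simulation a plain IPv4 pattern is substituted (an assumption; the
# real pattern also covers IPv6 and hostnames).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The three patterns from /etc/fail2ban/filter.d/wordpress.conf
FAILREGEX = [
    r'^<HOST> -.*"POST /wp-login.php HTTP/1.1" 499.*$',
    r'^<HOST> -.*"POST /wp-login.php HTTP/1.1" 503.*$',
    r'^<HOST> -.*"GET /wp-login.php\?redirect_to=.* HTTP/1.1" 200.*$',
]
COMPILED = [re.compile(p.replace("<HOST>", HOST_RE)) for p in FAILREGEX]

# nginx timestamp, e.g. [07/Aug/2025:16:00:27 +0800]; the zone offset is dropped
TS_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")
TS_FMT = "%d/%b/%Y:%H:%M:%S"


def parse_duration(spec):
    """Seconds for a jail-file duration such as '300', '5m' or '24h'
    (simplified: fail2ban also accepts longer forms like '1 day')."""
    m = re.fullmatch(r"(\d+)\s*([smhd]?)", spec.strip())
    if not m:
        raise ValueError(f"unsupported duration: {spec!r}")
    return int(m.group(1)) * {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}[m.group(2)]


def match_line(line):
    """Return (host, timestamp) if the line matches any failregex, else None."""
    for rx in COMPILED:
        m = rx.match(line)
        if m:
            ts = TS_RE.search(line)
            return (m.group("host"), datetime.strptime(ts.group(1), TS_FMT)) if ts else None
    return None


def jail_decisions(lines, maxretry=5, findtime="5m"):
    """Replay the jail's counting: a host is banned once it has `maxretry`
    matches inside a sliding `findtime` window. Returns {host: ban_time}."""
    window_s = parse_duration(findtime)
    recent = {}   # host -> timestamps still inside the window
    banned = {}
    for line in lines:
        hit = match_line(line)
        if hit is None:
            continue
        host, when = hit
        if host in banned:
            continue
        kept = [t for t in recent.get(host, []) if (when - t).total_seconds() <= window_s]
        kept.append(when)
        recent[host] = kept
        if len(kept) >= maxretry:
            banned[host] = when
    return banned


def nginx_line(host, minute, second, request, status):
    """Build a constructed nginx access-log line in the article's format."""
    return (f'{host} - - [07/Aug/2025:16:{minute:02d}:{second:02d} +0800] '
            f'"{request}" {status} 0 "-" "Mozilla/5.0" "-"')


# Constructed sample log (not real traffic): a brute-forcer, a slow prober,
# a legitimate editor following a redirect link, and one unrelated request.
LOGIN_REDIRECT = "GET /wp-login.php?redirect_to=https://www.cmdschool.org/archives/22565 HTTP/1.1"
SAMPLE_LOG = (
    [nginx_line("161.248.239.201", 0, s, "POST /wp-login.php HTTP/1.1", 499 if s % 10 else 503)
     for s in range(5, 35, 5)]                                   # six POSTs in 30 s
    + [nginx_line("198.51.100.7", m, 0, "POST /wp-login.php HTTP/1.1", 503)
       for m in range(10, 20, 2)]                                # five POSTs, 2 min apart
    + [nginx_line("203.0.113.10", 1, 0, LOGIN_REDIRECT, 200),
       nginx_line("203.0.113.10", 3, 0, LOGIN_REDIRECT, 200)]    # two legitimate page loads
    + [nginx_line("203.0.113.10", 4, 0, "GET /index.html HTTP/1.1", 200)]
)

if __name__ == "__main__":
    for host, when in jail_decisions(SAMPLE_LOG).items():
        print(f"ban {host} at {when:%H:%M:%S} for {parse_duration('24h')} s")
```

With the article's settings only the host that fires five matches within 30 seconds is banned; the host that spaces its attempts two minutes apart never has five matches inside one 5-minute window, which is what findtime controls. Note that the third pattern counts every successful (200) load of the login page that carries a redirect_to parameter, so an editor who opens such links repeatedly also accumulates matches; running the filter over a day of real access.log with fail2ban-regex, as the article suggests, is the way to check that maxretry and findtime leave enough headroom for legitimate users.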
2.2.3 Check the service status
fail2ban-client status wordpress
You should see output like the following,
Status for the jail: wordpress
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     26
|  `- File list:        /var/log/nginx/access.log
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   161.248.239.201
2.2.4 Check the firewall status
iptables -L -v -n
You should see output like the following,
#...
Chain f2b-wordpress (1 references)
 pkts bytes target     prot opt in     out     source               destination
  297 13860 REJECT     all  --  *      *       161.248.239.201      0.0.0.0/0            reject-with icmp-port-unreachable
 8608   20M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
2.2.5 Manually confirm the log state
tail -f /var/log/nginx/access.log | grep wp-login.php
References
====================
https://github.com/fail2ban/fail2ban/wiki/Developing-Regex-in-Fail2ban
https://wangdoc.com/ssh/fail2ban