How to blacklist abnormal browser User-Agents with Fail2Ban?

Fail2Ban

1 Preface

One problem, one article, one story.
Following on from the last post, where I had already banned a batch of wordpress attackers with Fail2Ban,

How to blacklist wordpress attackers with Fail2Ban?


Yesterday I found that the server had been knocked offline by a CC (HTTP flood) attack, and I had already enabled some defensive modules in Nginx,

How to configure Nginx to defend against CC attacks?


For the abnormal User-Agents below, I decided to go one step further and handle them with Fail2ban.

183.56.195.106 - - [20/Aug/2025:14:04:51 +0800] "POST /xmlrpc.php HTTP/1.1" 200 520 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_161)" "-"
38.134.40.117 - - [03/Sep/2025:02:25:17 +0800] "GET / HTTP/1.1" 301 162 "-" "Go-http-client/1.1" "-"

2 Best practice

2.1 Environment setup

How to install and deploy a basic fail2ban environment?

2.2 Configure Fail2Ban

2.2.1 Create the filter rule

vim /etc/fail2ban/filter.d/wordpress.conf

Add the following configuration (if you already have a wordpress.conf from the earlier post, merge this into it rather than overwriting it),

[Definition]
failregex = ^<HOST> -.*".*(Scrapy|HttpClient|Go-http-client).*" .*$

Note that the pattern ends in `" .*$`, so it expects a field after the User-Agent: the trailing "-" in the log lines above (the $http_x_forwarded_for field of this log format). With the stock "combined" format, where the User-Agent is the last field, the rule will not match and the tail of the pattern has to be adjusted. Also, a bare substring such as HttpClient matches any User-Agent containing it, so always confirm what the rule would actually catch against your real log before enabling the jail,

fail2ban-regex --print-all-matched /var/log/nginx/access.log /etc/fail2ban/filter.d/wordpress.conf

2.2.2 Define the jail

vim /etc/fail2ban/jail.d/wordpress.local

Add the following configuration,

[wordpress]
enabled = true
port = http,https
filter = wordpress
logpath = /var/log/nginx/access.log
maxretry = 5
findtime = 5m
bantime = 24h

After changing the configuration, restart the service for it to take effect (fail2ban-client reload wordpress reloads just this jail if you would rather not restart the whole service),

systemctl restart fail2ban.service
systemctl status fail2ban.service
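To see what the filter above and the jail's maxretry/findtime settings actually do before pointing them at a live server, here is an added example (not code from the original post or from fail2ban itself) that replays the failregex over sample nginx lines and applies the same counting logic. The <HOST> tag is replaced with a simplified IPv4-only pattern, an assumption for this example; fail2ban's own <HOST> also matches hostnames and IPv6. The two log lines quoted in the preface are included as-is; every other line is constructed for the example, with reserved documentation addresses.

```python
import re
from datetime import datetime, timedelta

# fail2ban substitutes <HOST> with its own host pattern. This IPv4-only stand-in
# is an assumption for the example (the real <HOST> also matches hostnames/IPv6).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The failregex from filter.d/wordpress.conf, with <HOST> expanded.
FAILREGEX = re.compile(r"^" + HOST + r' -.*".*(Scrapy|HttpClient|Go-http-client).*" .*$')

# nginx timestamp, e.g. [20/Aug/2025:14:04:51 +0800]
TS_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")


def matches(line):
    """Return the offending IP if the line matches the failregex, else None."""
    m = FAILREGEX.match(line)
    return m.group("host") if m else None


def parse_ts(line):
    m = TS_RE.search(line)
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")


def simulate_jail(lines, maxretry=5, findtime=timedelta(minutes=5)):
    """Replay log lines through the jail's logic: an IP is banned once it has
    maxretry matches inside one findtime window. Returns (banned, total hits per IP)."""
    window = {}   # ip -> timestamps of matches still inside findtime
    totals = {}   # ip -> total matches seen
    banned = []
    for line in lines:
        host = matches(line)
        if host is None:
            continue
        ts = parse_ts(line)
        recent = [t for t in window.get(host, []) if ts - t <= findtime]
        recent.append(ts)
        window[host] = recent
        totals[host] = totals.get(host, 0) + 1
        if len(recent) >= maxretry and host not in banned:
            banned.append(host)
    return banned, totals


UA_HTTPCLIENT = '"Apache-HttpClient/4.5.2 (Java/1.8.0_161)" "-"'
UA_SCRAPY = '"Scrapy/2.11 (+https://scrapy.org)" "-"'

SAMPLE_LOG = [
    # The two lines quoted in the post.
    '183.56.195.106 - - [20/Aug/2025:14:04:51 +0800] "POST /xmlrpc.php HTTP/1.1" 200 520 "-" ' + UA_HTTPCLIENT,
    '38.134.40.117 - - [03/Sep/2025:02:25:17 +0800] "GET / HTTP/1.1" 301 162 "-" "Go-http-client/1.1" "-"',
    # Constructed: four more xmlrpc.php POSTs from the first IP inside five minutes -> ban.
    '183.56.195.106 - - [20/Aug/2025:14:05:02 +0800] "POST /xmlrpc.php HTTP/1.1" 200 520 "-" ' + UA_HTTPCLIENT,
    '183.56.195.106 - - [20/Aug/2025:14:05:40 +0800] "POST /xmlrpc.php HTTP/1.1" 200 520 "-" ' + UA_HTTPCLIENT,
    '183.56.195.106 - - [20/Aug/2025:14:06:15 +0800] "POST /xmlrpc.php HTTP/1.1" 200 520 "-" ' + UA_HTTPCLIENT,
    '183.56.195.106 - - [20/Aug/2025:14:07:59 +0800] "POST /xmlrpc.php HTTP/1.1" 200 520 "-" ' + UA_HTTPCLIENT,
    # Constructed: an ordinary browser, must not match.
    '203.0.113.10 - - [20/Aug/2025:14:08:10 +0800] "GET /index.php HTTP/1.1" 200 4096 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/128.0 Safari/537.36" "-"',
    # Constructed: Scrapy hits two minutes apart, never five inside one findtime window -> no ban.
    '192.0.2.50 - - [21/Aug/2025:10:00:00 +0800] "GET /feed/ HTTP/1.1" 200 8192 "-" ' + UA_SCRAPY,
    '192.0.2.50 - - [21/Aug/2025:10:02:00 +0800] "GET /feed/ HTTP/1.1" 200 8192 "-" ' + UA_SCRAPY,
    '192.0.2.50 - - [21/Aug/2025:10:04:00 +0800] "GET /feed/ HTTP/1.1" 200 8192 "-" ' + UA_SCRAPY,
    '192.0.2.50 - - [21/Aug/2025:10:06:00 +0800] "GET /feed/ HTTP/1.1" 200 8192 "-" ' + UA_SCRAPY,
    '192.0.2.50 - - [21/Aug/2025:10:08:00 +0800] "GET /feed/ HTTP/1.1" 200 8192 "-" ' + UA_SCRAPY,
    # Constructed: stock "combined" format with nothing after the User-Agent. The
    # failregex needs a space after the UA's closing quote, so this line is NOT matched.
    '198.51.100.7 - - [03/Sep/2025:02:30:00 +0800] "GET / HTTP/1.1" 200 612 "-" "Go-http-client/1.1"',
]


def run_sample():
    return simulate_jail(SAMPLE_LOG)


if __name__ == "__main__":
    banned, totals = run_sample()
    print("matches per IP:", totals)
    print("banned:", banned)
```

Running it bans only 183.56.195.106: the Scrapy client is matched five times but never five times within findtime, the Go-http-client line from 38.134.40.117 is a single hit, and the "combined"-format line is silently ignored by the pattern, which is exactly the case fail2ban-regex --print-all-matched would reveal on a real log.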

2.2.3 Check the jail status

fail2ban-client status wordpress

You should see output like the following,

Status for the jail: wordpress
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     124
|  `- File list:        /var/log/nginx/access.log
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   183.56.195.106

2.2.4 Check the firewall state

iptables -L -v -n

You should see output like the following,

#...
Chain f2b-wordpress (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    190 13749 REJECT     all  --  *      *       183.56.195.106       0.0.0.0/0            reject-with icmp-port-unreachable

2.2.5 Check the log by hand

tail -f /var/log/nginx/access.log | grep -E "Scrapy|HttpClient|Go-http-client"

References
====================
https://github.com/fail2ban/fail2ban/wiki/Developing-Regex-in-Fail2ban
https://wangdoc.com/ssh/fail2ban
