Ubuntu Nginx/Apache DDoS protection with Fail2Ban

My server was recently hit by a malicious DDoS. For this kind of attack my basic approach is IP-address filtering: the attacker rotates through many different source IPs, so I use Fail2Ban + iptables to detect repeated requests and put the offending addresses on a blacklist. The access log looked like this:

139.208.55.108 - - [19/Jun/2017:16:47:49 +0800] "POST /sys/zh/wininhr/home/index?a=sendSMSy HTTP/1.1" 200 478 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; 360SE)"
139.208.55.108 - - [19/Jun/2017:16:47:49 +0800] "POST /sys/zh/wininhr/home/index?a=sendSMSy HTTP/1.1" 200 478 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Maxthon 2.0)"
139.208.55.108 - - [19/Jun/2017:16:47:49 +0800] "POST /sys/zh/wininhr/home/index?a=sendSMSy HTTP/1.1" 200 478 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; TencentTraveler 4.0)"
139.208.55.108 - - [19/Jun/2017:16:47:49 +0800] "POST /sys/zh/wininhr/home/index?a=sendSMSy HTTP/1.1" 200 478 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Avant Browser)"
139.208.55.108 - - [19/Jun/2017:16:47:49 +0800] "POST /sys/zh/wininhr/home/index?a=sendSMSy HTTP/1.1" 200 478 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; 360SE)"
139.208.55.108 - - [19/Jun/2017:16:47:49 +0800] "POST /sys/zh/wininhr/home/index?a=sendSMSy HTTP/1.1" 200 478 "-" "Opera/9.80 (Windows NT 6.1; U; en) Presto/2.8.131 Version/11.11"
183.157.18.57 - - [19/Jun/2017:16:47:50 +0800] "POST /sys/zh/wininhr/home/index?a=sendSMSy HTTP/1.1" 200 478 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)"
112.51.51.91 - - [19/Jun/2017:16:47:51 +0800] "POST /sys/zh/wininhr/home/index?a=sendSMSy HTTP/1.1" 200 478 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; The World)"
125.84.177.240 - - [19/Jun/2017:16:47:51 +0800] "POST /sys/zh/wininhr/home/index?a=sendSMSy HTTP/1.1" 200 478 "-" "Opera/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; en) Presto/2.8.131 Version/11.11"
218.77.94.240 - - [19/Jun/2017:16:47:52 +0800] "POST /sys/zh/wininhr/home/index?a=sendSMSy HTTP/1.1" 200 478 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; 360SE)"
175.167.236.138 - - [19/Jun/2017:16:47:54 +0800] "POST /sys/zh/wininhr/home/index?a=sendSMSy HTTP/1.1" 200 478 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; SE 2.X MetaSr 1.0; SE 2.X MetaSr 1.0; .NET CLR 2.0.50727; SE 2.X MetaSr 1.0)"

Install fail2ban

apt-get install fail2ban

Configure the basic jail settings: vi /etc/fail2ban/jail.conf

[nginx-get-sms-limit]
enabled=true
filter=nginx-get-sms-limit
action=iptables[name=nppl, port=http, protocol=tcp]
# Nginx: /var/log/nginx/access.log
logpath=/var/log/apache2/other_vhosts_access.log
findtime=60
bantime=7200
maxretry=3

Configure the blocking rule (filter): vi /etc/fail2ban/filter.d/nginx-get-sms-limit.conf

[Definition]
failregex=<HOST>.*GET.*sms\?phone.*

Test the filter against the log and check the jail status

fail2ban-regex /var/log/apache2/other_vhosts_access.log /etc/fail2ban/filter.d/nginx-get-sms-limit.conf
fail2ban-client status nginx-get-sms-limit

查看被禁用IP地址

iptables -nL
REJECT     all  --  175.8.29.85          0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  114.232.99.86        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  59.58.7.225          0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  117.81.205.54        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  27.154.70.171        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  123.82.184.185       0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  182.37.56.89         0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  60.175.17.23         0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  183.9.84.178         0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  111.122.177.36       0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  1.60.213.68          0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  115.218.227.113      0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  182.41.105.209       0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  125.109.17.39        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  140.237.98.68        0.0.0.0/0            reject-with icmp-port-unreachable

PS: 這里注意一下 IPTABLES 里面有3中類型:ACCEPT, REJECT, DROP, 默認(rèn)為REJECT, REJECT與DROP的區(qū)別:打一個比方你收到一個詐騙電話, DROP就是直接掛機(jī)亚茬,REJECT就是你跟他說我不需要酪耳。
這里我們改成DROP,不記錄日志直接拒絕:

  • ACCEPT:允許數(shù)據(jù)包通過才写。
  • DROP:直接丟棄數(shù)據(jù)包葡兑。
  • REJECT:丟棄數(shù)據(jù)包,同時發(fā)送響應(yīng)報文通知發(fā)送方赞草。

增加配置項到: vi /etc/fail2ban/action.d/iptables-blocktype.local

[Init]
blocktype = DROP

查看屏蔽日志: /var/log/fail2ban.log

2017-06-19 16:51:12,252 fail2ban.actions: WARNING [nginx-get-sms-limit] Ban 60.180.1.255
2017-06-19 16:51:24,273 fail2ban.actions: WARNING [nginx-get-sms-limit] Ban 117.89.101.27
2017-06-19 16:51:24,281 fail2ban.actions: WARNING [nginx-get-sms-limit] Ban 183.253.143.67
2017-06-19 16:51:25,288 fail2ban.actions: WARNING [nginx-get-sms-limit] Ban 36.22.177.154
2017-06-19 16:51:41,315 fail2ban.actions: WARNING [nginx-get-sms-limit] Ban 115.202.100.52
2017-06-19 16:51:46,330 fail2ban.actions: WARNING [nginx-get-sms-limit] Ban 49.73.108.251
2017-06-19 16:51:49,341 fail2ban.actions: WARNING [nginx-get-sms-limit] Ban 116.10.160.6
2017-06-19 16:52:02,364 fail2ban.actions: WARNING [nginx-get-sms-limit] Ban 115.210.142.15
2017-06-19 16:52:06,378 fail2ban.actions: WARNING [nginx-get-sms-limit] Ban 183.30.139.203
2017-06-19 16:52:24,410 fail2ban.actions: WARNING [nginx-get-sms-limit] Ban 223.73.193.42
2017-06-19 16:52:25,421 fail2ban.actions: WARNING [nginx-get-sms-limit] Ban 124.238.145.101
2017-06-19 16:52:28,432 fail2ban.actions: WARNING [nginx-get-sms-limit] Ban 113.222.233.141
2017-06-19 16:52:28,440 fail2ban.actions: INFO   [nginx-get-sms-limit] 113.222.233.141 already banned
2017-06-19 16:52:29,442 fail2ban.actions: INFO   [nginx-get-sms-limit] 113.222.233.141 already banned
2017-06-19 16:52:30,444 fail2ban.actions: WARNING [nginx-get-sms-limit] Ban 113.5.228.58
2017-06-19 16:52:30,452 fail2ban.actions: INFO   [nginx-get-sms-limit] 113.5.228.58 already banned
2017-06-19 16:52:31,454 fail2ban.actions: INFO   [nginx-get-sms-limit] 113.5.228.58 already banned
2017-06-19 16:52:32,456 fail2ban.actions: INFO   [nginx-get-sms-limit] 113.5.228.58 already banned
2017-06-19 16:52:33,457 fail2ban.actions: WARNING [nginx-get-sms-limit] Ban 125.118.140.47
2017-06-19 16:52:37,471 fail2ban.actions: WARNING [nginx-get-sms-limit] Ban 117.179.227.224
2017-06-19 16:52:38,478 fail2ban.actions: WARNING [nginx-get-sms-limit] Ban 27.18.63.44
2017-06-19 16:52:38,486 fail2ban.actions: WARNING [nginx-get-sms-limit] Ban 110.81.60.177
2017-06-19 16:52:39,497 fail2ban.actions: WARNING [nginx-get-sms-limit] Ban 115.229.49.104
2017-06-19 16:52:48,517 fail2ban.actions: WARNING [nginx-get-sms-limit] Ban 117.82.174.234
2017-06-19 16:52:52,529 fail2ban.actions: WARNING [nginx-get-sms-limit] Ban 121.34.167.236
2017-06-19 16:52:53,538 fail2ban.actions: WARNING [nginx-get-sms-limit] Ban 106.226.56.52
2017-06-19 16:52:54,546 fail2ban.actions: WARNING [nginx-get-sms-limit] Ban 60.181.11.55
2017-06-19 16:53:00,561 fail2ban.actions: WARNING [nginx-get-sms-limit] Ban 27.151.192.86
2017-06-19 16:53:01,570 fail2ban.actions: WARNING [nginx-get-sms-limit] Ban 113.88.251.191
2017-06-19 16:53:03,580 fail2ban.actions: WARNING [nginx-get-sms-limit] Ban 211.162.109.118
2017-06-19 16:53:07,593 fail2ban.actions: WARNING [nginx-get-sms-limit] Ban 1.204.205.221
2017-06-19 16:53:12,608 fail2ban.actions: WARNING [nginx-get-sms-limit] Ban 114.218.251.125
2017-06-19 16:53:13,619 fail2ban.actions: WARNING [nginx-get-sms-limit] Ban 101.207.134.2
2017-06-19 16:53:16,633 fail2ban.actions: WARNING [nginx-get-sms-limit] Ban 27.151.202.76
2017-06-19 16:53:20,647 fail2ban.actions: WARNING [nginx-get-sms-limit] Ban 49.222.181.56
...

更多查看:

@see http://www.361way.com/fail2ban-nginx/1825.html

最后編輯于
?著作權(quán)歸作者所有,轉(zhuǎn)載或內(nèi)容合作請聯(lián)系作者
  • 序言:七十年代末讹堤,一起剝皮案震驚了整個濱河市,隨后出現(xiàn)的幾起案子厨疙,更是在濱河造成了極大的恐慌洲守,老刑警劉巖,帶你破解...
    沈念sama閱讀 206,311評論 6 481
  • 序言:濱河連續(xù)發(fā)生了三起死亡事件沾凄,死亡現(xiàn)場離奇詭異梗醇,居然都是意外死亡,警方通過查閱死者的電腦和手機(jī)撒蟀,發(fā)現(xiàn)死者居然都...
    沈念sama閱讀 88,339評論 2 382
  • 文/潘曉璐 我一進(jìn)店門叙谨,熙熙樓的掌柜王于貴愁眉苦臉地迎上來,“玉大人保屯,你說我怎么就攤上這事手负。” “怎么了姑尺?”我有些...
    開封第一講書人閱讀 152,671評論 0 342
  • 文/不壞的土叔 我叫張陵竟终,是天一觀的道長。 經(jīng)常有香客問我切蟋,道長统捶,這世上最難降的妖魔是什么? 我笑而不...
    開封第一講書人閱讀 55,252評論 1 279
  • 正文 為了忘掉前任,我火速辦了婚禮喘鸟,結(jié)果婚禮上匆绣,老公的妹妹穿的比我還像新娘。我一直安慰自己迷守,他們只是感情好犬绒,可當(dāng)我...
    茶點故事閱讀 64,253評論 5 371
  • 文/花漫 我一把揭開白布旺入。 她就那樣靜靜地躺著,像睡著了一般。 火紅的嫁衣襯著肌膚如雪瓤逼。 梳的紋絲不亂的頭發(fā)上勺馆,一...
    開封第一講書人閱讀 49,031評論 1 285
  • 那天,我揣著相機(jī)與錄音拗秘,去河邊找鬼圣絮。 笑死,一個胖子當(dāng)著我的面吹牛雕旨,可吹牛的內(nèi)容都是我干的扮匠。 我是一名探鬼主播,決...
    沈念sama閱讀 38,340評論 3 399
  • 文/蒼蘭香墨 我猛地睜開眼凡涩,長吁一口氣:“原來是場噩夢啊……” “哼棒搜!你這毒婦竟也來了?” 一聲冷哼從身側(cè)響起活箕,我...
    開封第一講書人閱讀 36,973評論 0 259
  • 序言:老撾萬榮一對情侶失蹤力麸,失蹤者是張志新(化名)和其女友劉穎,沒想到半個月后育韩,有當(dāng)?shù)厝嗽跇淞掷锇l(fā)現(xiàn)了一具尸體克蚂,經(jīng)...
    沈念sama閱讀 43,466評論 1 300
  • 正文 獨居荒郊野嶺守林人離奇死亡,尸身上長有42處帶血的膿包…… 初始之章·張勛 以下內(nèi)容為張勛視角 年9月15日...
    茶點故事閱讀 35,937評論 2 323
  • 正文 我和宋清朗相戀三年筋讨,在試婚紗的時候發(fā)現(xiàn)自己被綠了埃叭。 大學(xué)時的朋友給我發(fā)了我未婚夫和他白月光在一起吃飯的照片。...
    茶點故事閱讀 38,039評論 1 333
  • 序言:一個原本活蹦亂跳的男人離奇死亡悉罕,死狀恐怖赤屋,靈堂內(nèi)的尸體忽然破棺而出,到底是詐尸還是另有隱情蛮粮,我是刑警寧澤益缎,帶...
    沈念sama閱讀 33,701評論 4 323
  • 正文 年R本政府宣布,位于F島的核電站然想,受9級特大地震影響莺奔,放射性物質(zhì)發(fā)生泄漏。R本人自食惡果不足惜,卻給世界環(huán)境...
    茶點故事閱讀 39,254評論 3 307
  • 文/蒙蒙 一令哟、第九天 我趴在偏房一處隱蔽的房頂上張望恼琼。 院中可真熱鬧,春花似錦屏富、人聲如沸晴竞。這莊子的主人今日做“春日...
    開封第一講書人閱讀 30,259評論 0 19
  • 文/蒼蘭香墨 我抬頭看了看天上的太陽噩死。三九已至,卻和暖如春神年,著一層夾襖步出監(jiān)牢的瞬間已维,已是汗流浹背。 一陣腳步聲響...
    開封第一講書人閱讀 31,485評論 1 262
  • 我被黑心中介騙來泰國打工已日, 沒想到剛下飛機(jī)就差點兒被人妖公主榨干…… 1. 我叫王不留垛耳,地道東北人。 一個月前我還...
    沈念sama閱讀 45,497評論 2 354
  • 正文 我出身青樓飘千,卻偏偏與公主長得像堂鲜,于是被迫代替她去往敵國和親。 傳聞我的和親對象是個殘疾皇子护奈,可洞房花燭夜當(dāng)晚...
    茶點故事閱讀 42,786評論 2 345

推薦閱讀更多精彩內(nèi)容