Common fail2ban rules

jail.local

/etc/fail2ban/jail.local

[884358]
enabled = true
port = http,https
filter = nginx-cc
action = %(action_mwl)s
maxretry = 100
findtime = 60
bantime = 3600
logpath = /www/wwwlogs/884358.com.log

[884358-404]
enabled = true
port = http,https
filter = nginx-404
action = %(action_mwl)s
maxretry = 10
findtime = 60
bantime = 86400
logpath = /www/wwwlogs/884358.com.log

Match HTTP requests

# /etc/fail2ban/filter.d/nginx-cc.conf
[Definition]
# Matches every request line in the nginx access log; the jail's maxretry/findtime set the rate limit
failregex = <HOST> -.*- .*HTTP/[12].* .* .*$

Match 404 requests

# /etc/fail2ban/filter.d/nginx-404.conf
[Definition]
# Matches only requests answered with status 404
failregex = <HOST> -.*- .*HTTP/[12].* 404 .*$

Match 404 requests that are not for images

failregex = <HOST> -.*- ((?!(\.jpg|\.png|\.gif)).)*HTTP/[12].* 404 .*$

Check jail status

fail2ban-client status 884358
fail2ban-client status 884358-404

Test the match rules

fail2ban-regex /www/wwwlogs/884358.com.log /etc/fail2ban/filter.d/nginx-404.conf
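As an added example (not from the original post), the following Python script runs the three failregex lines above against a few constructed nginx access-log lines, so their behaviour can be checked offline without fail2ban-regex. It assumes a simplified expansion of the <HOST> tag (IPv4 addresses and hostnames only); the log lines, IPs and filter labels are constructed for the demo.

```python
import re

# Approximation of what fail2ban substitutes for the <HOST> tag.
# Assumption: simplified to the classic IPv4/hostname form, no IPv6 handling.
HOST_RE = r"(?P<host>[\w\-.^_]*\w)"

# The three failregex lines from the filters on this page (labels are ours).
FILTERS = {
    "nginx-cc": r"<HOST> -.*- .*HTTP/[12].* .* .*$",
    "nginx-404": r"<HOST> -.*- .*HTTP/[12].* 404 .*$",
    "nginx-404-noimg": r"<HOST> -.*- ((?!(\.jpg|\.png|\.gif)).)*HTTP/[12].* 404 .*$",
}


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the resulting pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def matched_hosts(filter_name, log_lines):
    """Return the host (IP) each matching line would report, in log order."""
    rx = compile_failregex(FILTERS[filter_name])
    hits = []
    for line in log_lines:
        m = rx.search(line)
        if m:
            hits.append(m.group("host"))
    return hits


# Constructed nginx access-log lines (combined format); not taken from a real server.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0800] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Jan/2024:10:00:01 +0800] "GET /wp-login.php HTTP/1.1" 404 153 "-" "curl/8.0"',
    '198.51.100.9 - - [01/Jan/2024:10:00:02 +0800] "GET /img/logo.png HTTP/2.0" 404 153 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Jan/2024:10:00:03 +0800] "POST /xmlrpc.php HTTP/1.1" 404 153 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for name in FILTERS:
        # nginx-cc counts every request; nginx-404 counts all 404s, including the
        # missing image; nginx-404-noimg skips the .png request.
        print(name, matched_hosts(name, SAMPLE_LOG))
```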

firewalld firewall rules

# List all direct rules
firewall-cmd --direct --get-all-rules

# List the ipsets
ipset list

Common commands

# Rotate the log
logrotate -vf /etc/logrotate.d/fail2ban
# Start
systemctl start fail2ban
# Stop
systemctl stop fail2ban
# Start on boot
systemctl enable fail2ban
# Show banned IPs; nginx-cc is the jail name
fail2ban-client status nginx-cc
# Remove a banned IP
fail2ban-client set nginx-cc unbanip 192.168.111.111
# Add an IP to ban
fail2ban-client set nginx-cc banip 192.168.111.111
# View the log
tail /var/log/fail2ban.log
# Check whether the IPs on fail2ban's ban list have actually been added to the firewall
ipset list

Other

Log rotation with logrotate:
https://www.cnblogs.com/clsn/p/8428257.html
