我想我在apache日志中发现了许多人(我想),许多未经授权的尝试访问我的Web服务器。在找到的URL模式中,每次都有类似“ / phpmyadmin”的内容。因为这是为了确保无法在服务器上找到某些东西,所以我想做的是:“如果有人尝试将phpMyAdmin
其IP列入黑名单,而不再让我烦恼了”,有人知道如何使用Apache或其他方法做到这一点。软件?提前感谢!
可能会对您有帮助。
1)在/etc/fail2ban/filter.d/myapachejail.conf中创建一个过滤器
[INCLUDES]
before = common.conf
[Definition]
failregex = ^.* <HOST> -.*"(:?GET|POST|HEAD) \/(?:\/|)(?:w00tw00t\.at.*|phpMyAdmin.*|whatever.*|anotherone.*\..*)".*
ignoreregex =
2)更新您的/etc/fail2ban/jail.local(包括该监狱)
banaction = iptables-multiport
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s", sendername="%(sendername)s"]
[apachejail]
enabled = true
port = http,https
filter = myapachejail
logpath = /var/log/apache2/other_vhosts_access.log #<=== THIS MUST BE YOUR LOG FILE
maxretry = 1 # 1: Paranoid mode, 2: Heavy filter, 5: Ban any scanner
action = %(action_mwl)
3)检查您的过滤器正则表达式是否与任何日志条目匹配
sudo fail2ban-regex /var/log/apache2/other_vhosts_access.log /etc/fail2ban/filter.d/myapachejail.conf
Result:
Lines: 6160 lines, 0 ignored, 108 matched, 6052 missed
4)确认找到/etc/fail2ban/action.d/iptables-multiport.conf
5)重新启动fail2ban服务
sudo service fail2ban restart
6)检查您的新监狱正在运行:
sudo fail2ban-client status
Status
|- Number of jail: 5
`- Jail list: myapachejail,xxxxx,xxx,xxxxx,xxxx
7)检查fail2ban日志
sudo vim /var/log/fail2ban.log
2014-07-07 07:32:20,926 fail2ban.actions:警告[myapachejail]禁止198.20.69.74 2014-07-07 08:45:36,153 fail2ban.actions:警告[myapachejail]禁止116.10.191.223
7)检查您的iptables是否被禁止:
sudo iptables -L -n
REJECT all -- 198.20.69.74 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 116.10.191.223 0.0.0.0/0 reject-with icmp-port-unreachable
本文收集自互联网,转载请注明来源。
如有侵权,请联系[email protected] 删除。
我来说两句