Defense is a systems-engineering problem: the attacker has endless variations, while defense is expensive, full of bottlenecks, and inherently reactive. DDoS attacks are distributed by nature and target either bandwidth or the service itself, that is, layer-4 volumetric floods and layer-7 application floods. At layer 4 the bottleneck is bandwidth; at layer 7 it is mostly the throughput of the application architecture. Layer-7 application attacks are the ones we can still do something about with configuration. With Nginx in front, the main tools are the ngx_http_limit_conn_module and ngx_http_limit_req_module: limit_conn caps the number of concurrent connections from a single IP, limit_req caps the number of requests per second from a single IP, and the two together are reasonably effective against a single-source flood. Two caveats: the key is $binary_remote_addr, so Nginx must see the real client address (behind a CDN or load balancer every request carries the proxy's address and you would throttle the proxy itself), and a botnet whose members each stay under the rate is not stopped by a per-IP limit. The configuration follows.
I. Install the fail2ban package
#wget
#rpm -ivh rpmforge-release-0.3.6-1.el5.rf.i386.rpm
#yum install fail2ban
#/etc/init.d/iptables start
The rpmforge release package shown is the one for CentOS/RHEL 5 (el5). iptables has to be running before fail2ban starts, because the iptables-multiport action used below creates its own chain and hooks it into INPUT.
II. Configure Nginx's ngx_http_limit_req_module
[root@localhost vhosts]# more phpsite.conf
limit_req_zone $binary_remote_addr zone=php_com:10m rate=10r/s;
server {
    listen 80;
    server_name
    #charset utf8;
    access_log /usr/local/tengie/logs/ ;
    location / {
        root /www/php;
        index index.php index.html index.htm;
        limit_req zone=php_com burst=5;
    }
    #error_page 404 /404.html;
    # redirect server error pages to the static page /50x.html
    #
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/local/tengine/html;
    }
    location ~ /purge(/.*) {    # used to purge cache entries
        allow 127.0.0.1;
        allow 108.88.3.0/24;    # only the listed IP or IP range may purge URL cache entries
        deny all;
        fastcgi_cache_purge TEST $host$1$is_args$args;
    }
    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    location ~ \.php$ {
        root /www/php;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        # fastcgi_cache settings
        fastcgi_cache TEST;
        fastcgi_cache_valid 200 302 1h;
        fastcgi_cache_min_uses 1;
        fastcgi_cache_use_stale error timeout invalid_header http_500;
        fastcgi_cache_key $host$request_uri;
    }
}
Parameter notes: $binary_remote_addr is the client address in binary form (4 bytes for IPv4), which keeps the per-client state small. zone=php_com:10m names the zone php_com and reserves 10 MB of shared memory for client states; the nginx documentation puts that at roughly 16,000 states per megabyte. rate=10r/s is the permitted rate, and nginx enforces it continuously as one request per 100 ms, not as a count per wall-clock second. burst=5 is the size of the queue for requests above that rate: a request that arrives while the client is over the rate is held back until its 100 ms slot comes up, and once 5 are already waiting the next one is rejected with 503 and logged as "limiting requests, excess: ...". With this configuration, 15 requests arriving at once from one address produce 1 immediate response, 5 delayed responses spread over the next 500 ms and 9 errors; a client that stays at or below 10 r/s is never delayed. Quiet seconds do not bank extra credit: if the client has been idle the bucket is simply empty and the full burst is available again. nodelay changes only the delay part: the queued requests are served immediately instead of being spaced out, requests beyond the burst are still rejected, and the burst slots free up at the configured rate. The rejection status can be changed with limit_req_status (nginx 1.3.15 and later), for example to 429.

Two things to check in the listing above. limit_req is set only in location /, so a request for /something.php goes straight to the location ~ \.php$ block and is not limited at all; put the limit_req directive at server level (or repeat it in the PHP location) if the PHP backend is what needs protecting. The TEST cache zone used by fastcgi_cache and fastcgi_cache_purge must be declared with fastcgi_cache_path in the http block of nginx.conf, which the listing does not show, and fastcgi_cache_purge needs the ngx_cache_purge module, which this Tengine build has compiled in (the warning at the top of the error log below says so).
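To make the burst arithmetic concrete, here is an added example (mine, not code from the original post and not nginx's source) that reproduces the accounting ngx_http_limit_req_module keeps per client: one request is 1000 units, the bucket drains at rate*1000 units per second, a request is rejected when the excess would go above burst*1000, and otherwise it is delayed by excess/rate (or not, with nodelay). The traffic is constructed; the client address and the zone name php_com are the ones used on this page.

```python
"""Model of the ngx_http_limit_req_module leaky bucket (added illustration, not nginx code)."""
from collections import Counter


class LimitReqZone:
    """Per-key state as nginx keeps it: excess in 1/1000-request units and last arrival (ms)."""

    def __init__(self, rate, burst, nodelay=False):
        self.rate_milli = int(rate * 1000)   # rate=10r/s -> 10000 units per second
        self.burst_milli = burst * 1000      # burst=5 -> 5000 units
        self.nodelay = nodelay
        self.state = {}                      # key -> (excess, last_ms)

    def request(self, key, now_ms):
        """Return ('pass', 0), ('delay', excess) or ('reject', excess) for one arrival."""
        prev = self.state.get(key)
        if prev is None:
            excess = 0                       # first request ever from this key: empty bucket
        else:
            prev_excess, last_ms = prev
            leaked = self.rate_milli * (now_ms - last_ms) // 1000   # drained since last request
            excess = max(0, prev_excess - leaked + 1000)            # plus this request
        if excess > self.burst_milli:
            return "reject", excess          # 503; the stored state is left untouched, as in nginx
        self.state[key] = (excess, now_ms)
        if excess == 0 or self.nodelay:
            return "pass", excess
        return "delay", excess               # held back, see delay_ms()


def delay_ms(zone, excess):
    """How long a 'delay' verdict holds the request back: excess / rate."""
    return excess * 1000 // zone.rate_milli


def fmt_excess(excess):
    """Format excess the way nginx logs it: 'limiting requests, excess: 5.410'."""
    return f"{excess // 1000}.{excess % 1000:03d}"


def verdict_counts(rate, burst, nodelay, arrivals):
    """Replay (key, ms) arrivals in time order and count pass/delay/reject verdicts."""
    zone = LimitReqZone(rate, burst, nodelay)
    return Counter(zone.request(key, ms)[0]
                   for key, ms in sorted(arrivals, key=lambda a: a[1]))


# Constructed traffic, not captured data.
FLOOD = [("108.88.3.22", 0)] * 15                     # 15 requests in the same millisecond
STEADY = [("10.0.0.1", i * 111) for i in range(50)]   # about 9 r/s, under rate=10r/s

if __name__ == "__main__":
    print("15 at once, burst=5        :", dict(verdict_counts(10, 5, False, FLOOD)))
    print("15 at once, burst=5 nodelay:", dict(verdict_counts(10, 5, True, FLOOD)))
    print("50 requests at 9 r/s       :", dict(verdict_counts(10, 5, False, STEADY)))
    zone = LimitReqZone(10, 5)
    for n in range(1, 16):
        verdict, excess = zone.request("108.88.3.22", 0)
        extra = f" (served after {delay_ms(zone, excess)} ms)" if verdict == "delay" else ""
        print(f"request {n:2d}: {verdict}{extra}")
    # The value seen in this page's error.log: the bucket sits at 5.000 after the flood,
    # a request 59 ms later leaks 0.590 and adds 1.000 -> 5.410 > burst -> rejected.
    verdict, excess = zone.request("108.88.3.22", 59)
    print(f'{verdict}: limiting requests, excess: {fmt_excess(excess)} by zone "php_com"')
```

Running it prints 1 pass, 5 delays and 9 rejects for the flood (6 passes and 9 rejects with nodelay), no delays at all for the 9 r/s client, and a final rejection logged with the same excess value of 5.410 that appears in the error log further down.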
III. Viewing Nginx's limiting log
[root@localhost vhosts]# more /usr/local/tengie/logs/error.log
2016/05/03 03:42:46 [warn] 26383#0: module ngx_http_cache_purge_module is already statically loaded, skipping in /usr/local/tengie/conf/nginx.conf:12
2016/05/03 03:44:55 [error] 26385#0: *97 limiting requests, excess: 5.410 by zone "ttlsa_com", client: 108.88.3.22, server: e.com, request: "GET /index.html HTTP/1.1", host: "e.com"
2016/05/03 03:44:55 [error] 26385#0: *97 open() "/usr/local/tengine/html/50x.html" failed (2: No such file or directory), client: 108.88.3.22, server: e.com, request: "GET /index.html HTTP/1.1", host: "e.com"
The second line is the one fail2ban will key on: "excess: 5.410" means the client was 5.41 requests over what the rate allows, which is more than burst=5, so request *97 got a 503. The third line shows that the error_page target /50x.html does not exist under /usr/local/tengine/html, so the client did not receive the intended error page; create the file or point error_page at one that exists. The zone name in this log ("ttlsa_com") does not match the php_com zone in the listing above, so the log evidently comes from a vhost with a different zone name; the line format is identical, and that is all the fail2ban filter depends on. The warning on the first line means the cache-purge module is compiled into this Tengine binary, so the module-loading directive at line 12 of nginx.conf is redundant.
IV. Configure Nginx + fail2ban + iptables
1. Configure the fail2ban filter
[root@localhost ~]# more /etc/fail2ban/filter.d/nginx-req-limit.conf
# Fail2Ban configuration file
#
# supports: ngx_http_limit_req_module module
[Definition]
failregex = limiting requests, excess:.* by zone.*client: <HOST>
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
[root@localhost ~]#
The failregex must end with the <HOST> tag, which fail2ban expands into a capture group for the client address (the comma after the address in the nginx log line terminates the match). Without <HOST> fail2ban has no IP to ban and refuses to load the filter. Check the filter against the live error log with the fail2ban-regex tool before enabling the jail.
2. Add an Nginx jail to the fail2ban configuration file jail.conf
# more /etc/fail2ban/jail.conf
[nginx-req-limit]
enabled = true
filter = nginx-req-limit
action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
logpath = /usr/local/tengie/logs/*error.log
findtime = 600
bantime = 7200
maxretry = 10
With maxretry = 10 and findtime = 600, an address that produces 10 "limiting requests" lines within 10 minutes is dropped on ports 80 and 443 for 2 hours (bantime = 7200). A flood produces dozens of such lines per second, so a real attacker trips this almost immediately; a legitimate user behind a shared NAT will be banned just as quickly, so keep bantime modest and list your own monitoring hosts in ignoreip. Put the jail in jail.local rather than jail.conf, which package upgrades overwrite.
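The added example below (mine, not fail2ban's code) dry-runs the filter from step 1 and the jail from step 2 against constructed error.log lines in this page's format, so the effect of <HOST>, findtime and maxretry can be checked offline. It expands <HOST> the way fail2ban 0.8's filter code does, refuses a failregex without a host group just as fail2ban does, and lists the addresses that reach maxretry hits inside one findtime window. The timestamp format and the zone name php_com come from the page; the traffic is hypothetical.

```python
"""Dry run of the nginx-req-limit filter and jail (added example; not fail2ban's code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban 0.8's expansion of the <HOST> tag: optional IPv4-mapped-IPv6 prefix, then host chars.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
# Timestamp prefix of an nginx/Tengine error.log line.
NGINX_TS = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ")


def compile_failregex(failregex):
    """Translate a failregex to a Python pattern; like fail2ban, refuse one without a host group."""
    pattern = re.compile(failregex.replace("<HOST>", HOST_TAG))
    if "host" not in pattern.groupindex:
        raise ValueError(f"No 'host' group in {failregex!r}")
    return pattern


def failures(lines, failregex):
    """(timestamp, host) for every line the filter matches, as fail2ban-regex would list them."""
    pattern = compile_failregex(failregex)
    out = []
    for line in lines:
        ts, hit = NGINX_TS.match(line), pattern.search(line)
        if ts and hit:
            out.append((datetime.strptime(ts.group(1), "%Y/%m/%d %H:%M:%S"), hit.group("host")))
    return out


def ban_list(lines, failregex, findtime, maxretry):
    """Hosts the jail would ban: maxretry matches inside some findtime-second window."""
    stamps = defaultdict(list)
    for ts, host in failures(lines, failregex):
        stamps[host].append(ts)
    window = timedelta(seconds=findtime)
    banned = []
    for host, times in stamps.items():
        times.sort()
        if any(times[i + maxretry - 1] - times[i] <= window
               for i in range(len(times) - maxretry + 1)):
            banned.append(host)
    return sorted(banned)


FAILREGEX = r"limiting requests, excess:.* by zone.*client: <HOST>"
BROKEN_FAILREGEX = r"limiting requests, excess:.* by zone.*client:"   # no <HOST>: nothing to ban

# Constructed log lines in the format of this page's error.log (hypothetical traffic).
LIMIT_LINE = ('2016/05/03 03:44:{sec:02d} [error] 26385#0: *{conn} limiting requests, excess: {exc} '
              'by zone "php_com", client: {ip}, server: e.com, '
              'request: "GET /index.html HTTP/1.1", host: "e.com"')
SAMPLE_LOG = (
    [LIMIT_LINE.format(sec=55 + i // 2, conn=97 + i, exc="5.410", ip="108.88.3.22")
     for i in range(10)]                                                  # 10 hits in 5 seconds
    + [LIMIT_LINE.format(sec=57, conn=120, exc="5.120", ip="10.0.0.9")]   # a single hit
    + ['2016/05/03 03:44:55 [error] 26385#0: *97 open() "/usr/local/tengine/html/50x.html" failed '
       '(2: No such file or directory), client: 108.88.3.22, server: e.com, '
       'request: "GET /index.html HTTP/1.1", host: "e.com"']              # must not count
)

if __name__ == "__main__":
    print("matching lines:", len(failures(SAMPLE_LOG, FAILREGEX)))
    print("banned with findtime=600 maxretry=10:", ban_list(SAMPLE_LOG, FAILREGEX, 600, 10))
    try:
        compile_failregex(BROKEN_FAILREGEX)
    except ValueError as err:
        print("filter without <HOST> rejected:", err)
```

The open() line mentions the same client but is not a "limiting requests" line, so it is not counted; 108.88.3.22 reaches 10 hits inside the window and is the only address banned, while 10.0.0.9 with a single hit is not.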
3. Start fail2ban
# /etc/init.d/fail2ban start
4. Check the iptables firewall
[root@localhost ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-ReqLimit tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
fail2ban-SSH tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ACCEPT tcp -- 108.88.3.0/24 0.0.0.0/0 tcp dpt:22
ACCEPT tcp -- 108.88.3.0/24 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 108.88.3.0/24 0.0.0.0/0 tcp dpt:50000
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain fail2ban-ReqLimit (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-SSH (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
[root@localhost ~]#
5. IPs dropped by iptables after a ban
[root@localhost ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-ReqLimit tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
fail2ban-SSH tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ACCEPT tcp -- 108.88.3.0/24 0.0.0.0/0 tcp dpt:22
ACCEPT tcp -- 108.88.3.0/24 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 108.88.3.0/24 0.0.0.0/0 tcp dpt:50000
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain fail2ban-ReqLimit (1 references)
target prot opt source destination
DROP all -- 108.88.3.22 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-SSH (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
[root@localhost ~]#
6. Unbanning an IP by hand:
# iptables -D fail2ban-ReqLimit 1
This deletes rule 1 of the fail2ban-ReqLimit chain, i.e. the first DROP line; run iptables -L fail2ban-ReqLimit -n --line-numbers first to confirm which rule that is. Removing the rule by hand leaves fail2ban believing the address is still banned until bantime runs out; on fail2ban 0.8.8 and later prefer fail2ban-client set nginx-req-limit unbanip 108.88.3.22, which removes the rule and updates fail2ban's own state.