Introduction
With the spread of the internet, more and more people use Linux as a server operating system. The default firewall policy of a Linux system is often not enough to cope with high-volume access, particularly when it comes from a single IP. To stop a malicious user from sending a large number of requests from one IP address and degrading server performance, this article explains how to configure Linux to defend against high-volume access from a single IP.
Principle
The core idea is to limit the number of requests a single IP address may make within a given period. When an IP address sends a large number of requests in a short time, the server can temporarily reject that IP's requests and so protect its resources.
Methods
1. Using the iptables firewall
iptables is the most common firewall tool on Linux and can be used to configure all kinds of network rules. To guard against high-volume access from a single IP, the following commands can be used:
# Create a new chain
iptables -N single_ip_limit
# In the new chain, add a rule that rejects a source IP once it has more than 100 connections open to port 80
# (connlimit counts concurrent connections per source address; it has no time-window option)
iptables -A single_ip_limit -p tcp --dport 80 -m connlimit --connlimit-above 100 -j REJECT --reject-with tcp-reset
# Send all incoming packets through the new chain for processing
iptables -A INPUT -j single_ip_limit
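The connlimit rule above limits concurrent connections per source. For the per-IP request-rate policy the article describes (more than N new connections within T seconds), iptables provides the hashlimit match instead; the script below is an added example, not from the original article, that builds the single_ip_limit chain with hashlimit. Assumed values: port 80, 100 new connections per minute per source IP, a helper chain named single_ip_drop and the log prefix HTTP_RATE_LIMIT.

```shell
#!/bin/sh
# Added example (not from the original article): per-source-IP rate limit on
# new HTTP connections with the iptables hashlimit match, which keeps a token
# bucket per source address. This is the "N requests within T seconds" policy
# the article describes, whereas connlimit only caps concurrent connections.
# Assumed: chains single_ip_limit / single_ip_drop, port 80,
# 100 new connections per minute with an equal burst.
set -eu

# Print the rules for port $1, rate $2 (e.g. 100/minute) and burst $3.
# Printing rather than executing lets the rule set be reviewed or tested
# before it touches a live firewall.
rate_limit_rules() {
  port="$1"; rate="$2"; burst="$3"
  cat <<EOF
iptables -N single_ip_limit
iptables -N single_ip_drop
# offenders: log (rate-limited so the log itself cannot be flooded), then reset
iptables -A single_ip_drop -m limit --limit 5/minute -j LOG --log-prefix "HTTP_RATE_LIMIT: "
iptables -A single_ip_drop -j REJECT --reject-with tcp-reset
# only new connections (SYN) count; --hashlimit-above matches once a source
# has used up its burst and still exceeds the steady rate
iptables -A single_ip_limit -p tcp --dport $port --syn -m hashlimit --hashlimit-name http_per_ip --hashlimit-mode srcip --hashlimit-above $rate --hashlimit-burst $burst --hashlimit-htable-expire 60000 -j single_ip_drop
iptables -A INPUT -j single_ip_limit
EOF
}

# Dry run by default; "apply" executes the rules (needs root; the chains must
# not already exist). Inspect counters afterwards: iptables -L single_ip_limit -n -v
if [ "${1-}" = "apply" ]; then
  rate_limit_rules 80 100/minute 100 | sh -e
else
  rate_limit_rules 80 100/minute 100
fi
```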
2. Using the fail2ban tool
fail2ban is a tool for preventing brute-force attacks; through its configuration files it can ban specific IP addresses. To guard against high-volume access from a single IP, first install fail2ban:
# Install fail2ban
sudo apt-get install fail2ban
Edit fail2ban's configuration file (usually /etc/fail2ban/jail.conf) and add the following in the [DEFAULT] section. In practice, put such overrides in /etc/fail2ban/jail.local, which fail2ban reads after jail.conf and which is not replaced on package upgrades:
[DEFAULT]
# maximum number of matching log entries from one IP within findtime
maxretry = 300
# window, in seconds, over which matches are counted
findtime = 600
# ban duration for a single IP address, in seconds
bantime = 1800
# read logs through the systemd journal
backend = systemd
# resolve hostnames found in logs via DNS, but log a warning when that happens
usedns = warn
# (other conditions omitted)
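The [DEFAULT] values above only set thresholds; fail2ban still needs a filter that matches web requests and a jail that applies those thresholds to the web server's log. The script below is an added example, not from the original article, that installs such a filter and jail and checks the regex offline against constructed log lines. Assumed: an nginx or Apache combined-format access log at /var/log/nginx/access.log, the jail name http-flood, and fail2ban's stock iptables-multiport ban action.

```shell
#!/bin/sh
# Added example (not from the original article): a fail2ban filter and jail
# that count every HTTP request from one source, so the DEFAULT thresholds
# (300 hits in 600 s -> 1800 s ban) apply to web traffic. Assumed: combined-
# format log at /var/log/nginx/access.log, jail name http-flood.
set -eu
# Python-syntax regex as fail2ban applies it (fail2ban substitutes <HOST>);
# every matching line counts as one "retry" for that host.
FAILREGEX='^<HOST> -[^"]*"(?:GET|POST|HEAD|PUT|DELETE) [^"]*HTTP/[0-9.]+" \d{3} '

# Write filter.d/http-flood.conf and jail.d/http-flood.local under $1
# (default /etc/fail2ban); afterwards run: fail2ban-client reload
install_http_flood_jail() {
  base="${1:-/etc/fail2ban}"
  mkdir -p "$base/filter.d" "$base/jail.d"
  cat >"$base/filter.d/http-flood.conf" <<EOF
[Definition]
failregex = $FAILREGEX
ignoreregex =
EOF
  cat >"$base/jail.d/http-flood.local" <<'EOF'
[http-flood]
enabled   = true
port      = http,https
filter    = http-flood
logpath   = /var/log/nginx/access.log
# file-based log: override a DEFAULT backend = systemd, which ignores logpath
backend   = auto
maxretry  = 300
findtime  = 600
bantime   = 1800
banaction = iptables-multiport
EOF
}
# Offline check of the regex: translate the Python-only tokens for grep -E
# and count matching lines on stdin (fail2ban-regex does the real test).
count_matches() {
  re=$(printf '%s' "$FAILREGEX" | sed -e 's/<HOST>/[0-9a-fA-F.:]+/' \
                                      -e 's/(?:/(/g' -e 's/\\d/[0-9]/g')
  grep -Ec "$re" || true
}

# Constructed sample lines (not real traffic): three requests from one
# source and one unrelated syslog line that must not count.
SAMPLE_LOG='203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "POST /login HTTP/1.1" 401 93 "-" "curl/8.0"
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /api HTTP/2.0" 200 10 "-" "curl/8.0"
Jan  1 10:00:03 web sshd[123]: Accepted publickey for deploy from 198.51.100.4'
printf '%s\n' "$SAMPLE_LOG" | count_matches   # 3
```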
3. Configure the fail2ban daemon to start automatically and check log files regularly
Edit /etc/systemd/system/fail2ban.service and add the following content (the fail2ban package already ships a unit under /lib/systemd/system or /usr/lib/systemd/system; a unit at this path takes precedence over it):
[Unit]
Description=Fail2Ban: bans IP addresses that make too many requests in a short period
Documentation=https://www.fail2ban.org
After=network.target firewalld.service

[Service]
Type=simple
# binary paths as installed by the Debian/Ubuntu package
ExecStartPre=/bin/mkdir -p /run/fail2ban
ExecStart=/usr/bin/fail2ban-server -xf start
ExecStop=/usr/bin/fail2ban-client stop
ExecReload=/usr/bin/fail2ban-client reload
Restart=on-failure

[Install]
WantedBy=multi-user.target
Then reload systemd and enable the service so it starts at boot and keeps watching the configured logs:
sudo systemctl daemon-reload
sudo systemctl enable --now fail2ban
Original article by K-seo. If you repost it, please cite the source: https://www.kdun.cn/ask/272342.html