doufuhao0566
2012-03-28 07:32
采纳率: 100%
浏览 57
已采纳

如何通过解析nginx日志文件自动拒绝IP地址

I have 4 webservers behind cloudflare and a loadbalancer, nginx is the webserver, php-fpm manages the php pages. I don't know how to block a simple dos attack ...

I'm able to detect this attack by using the http_limit_req module from nginx http://wiki.nginx.org/HttpLimitReqModule

but this is not blocking the attack at all, yes this can mitigate but webservers are hit and hit again, and php-fpm goes to 80% and in a minute the website is unreachable.

I'm trying to find a way to block this kind of request.

I know how to block certain ip address or certain useragent with nginx but i want to do it automatically. I think that I cannot block the ip with iptables because the request come from the loadbalancer :( but i'm still able to detect the correct ip address with the set_real_ip_from and real_ip_header X-Forwarded-For with nginx.

I have the log file (error.log) filled with the correct ip address as you can see:

2012/03/27 18:34:02 [error] 31234#0: *1283 limiting connections by zone "staging", client: XX.XX.XX.XXX, server: www.xxxxxxx.com, request: "HEAD /it HTTP/1.1", host: "www.xxxxxxx.com"

Someone have an idea and can teach me how to block automatically this ip?

图片转代码服务由CSDN问答提供 功能建议

我在cloudflare后面有4个web服务器和一个loadbalancer,nginx是webserver,php-fpm管理php页面。 我不知道如何阻止简单的dos攻击...

我能够通过使用nginx中的http_limit_req模块来检测这种攻击 http://wiki.nginx.org/HttpLimitReqModule

但这并没有阻止攻击 所有,是的,这可以减轻,但网络服务器被击中并再次被击中,并且php-fpm达到80%,并且在一分钟内网站无法访问。

我正试图找到一种方法 阻止这种请求。

我知道如何使用nginx阻止某些ip地址或某些useragent,但我想自动执行此操作。 我认为我无法使用iptables来阻止ip,因为请求来自loadbalancer :(但我仍然可以使用set_real_ip_from和real_ip_header X-Forwarded-For使用nginx来检测正确的ip地址。

我的日志文件(error.log)中填写了正确的IP地址,如下所示:

2012/03/27 18:34:02 [错误] 31234#0:* 1283通过区域“staging”限制连接,客户端:XX.XX.XX.XXX,服务器:www.xxxxxxx.com,请求:“HEAD / it HTTP / 1.1”,主机:“www.xxxxxxx。 com“

有人有想法,可以教我如何自动阻止这个ip吗?

  • 写回答
  • 关注问题
  • 收藏
  • 邀请回答

1条回答 默认 最新

  • douhuang4166 2012-03-28 07:40
    已采纳

    use fail2ban for this. It's a log-file parser for many different services which can detect failed logins, etc. and then block an IP-address.

    http://www.fail2ban.org

    Regards

    已采纳该答案
    打赏 评论

相关推荐 更多相似问题