1. Block IPs that access nginx too frequently
In production, we often see frequent, abnormal requests to an nginx site from a particular IP address. When that happens, we need security measures to protect the server.
Deploy nginx
[root@localhost tools]# yum install gcc gcc-c++ make automake autoconf libtool pcre* zlib openssl openssl-devel
[root@localhost tools]# tar xf nginx-1.11.2.tar.gz
[root@localhost tools]# ls
nginx-1.11.2 nginx-1.11.2.tar.gz
[root@localhost tools]# cd nginx-1.11.2
[root@localhost nginx-1.11.2]# ls
auto CHANGES CHANGES.ru conf configure contrib html LICENSE man README src
[root@localhost nginx-1.11.2]# ./configure
[root@localhost nginx-1.11.2]# make
[root@localhost nginx-1.11.2]# make install
Test the nginx service
[root@localhost ~]# curl -I 172.16.1.100
HTTP/1.1 200 OK
Server: nginx/1.11.2
Date: Mon, 17 Aug 2020 09:36:29 GMT
Content-Type: text/html
Content-Length: 15
Last-Modified: Mon, 17 Aug 2020 09:36:19 GMT
Connection: keep-alive
ETag: "5f3a4f93-f"
Accept-Ranges: bytes
nginx can be accessed normally.
Next, assume that 172.16.1.100 is a hacker's host that frequently accesses the nginx service.
Simulate 172.16.1.100 making 10 requests to 172.16.1.10
172.16.1.100
[root@localhost ~]# ab -c 1 -n 10 http://172.16.1.10/
This is ApacheBench, Version 2.3 <$Revision: 1430300 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/
Benchmarking 172.16.1.10 (be patient).....done
Server Software: nginx/1.11.2
Server Hostname: 172.16.1.10
Server Port: 80
Document Path: /
Document Length: 612 bytes
Concurrency Level: 1
Time taken for tests: 0.016 seconds
Complete requests: 10
Failed requests: 0
Write errors: 0
Total transferred: 8450 bytes
HTML transferred: 6120 bytes
Requests per second: 617.02 [#/sec] (mean)
Time per request: 1.621 [ms] (mean)
Time per request: 1.621 [ms] (mean, across all concurrent requests)
Transfer rate: 509.16 [Kbytes/sec] received
Connection Times (ms)
min mean[+/-sd] median max
Connect: 0 1 0.3 0 1
Processing: 1 1 0.3 1 2
Waiting: 0 1 0.3 1 1
Total: 1 1 0.5 1 2
ERROR: The median and mean for the initial connection time are more than twice the standard
deviation apart. These results are NOT reliable.
Percentage of the requests served within a certain time (ms)
50% 1
66% 1
75% 1
80% 2
90% 2
95% 2
98% 2
99% 2
100% 2 (longest request)
View the nginx logs
172.16.1.10
[root@localhost ~]# tail /usr/local/nginx/logs/access.log
172.16.1.100 - - [26/Jul/2020:05:58:24 +0800] "GET / HTTP/1.0" 200 612 "-" "ApacheBench/2.3"
172.16.1.100 - - [26/Jul/2020:05:58:24 +0800] "GET / HTTP/1.0" 200 612 "-" "ApacheBench/2.3"
172.16.1.100 - - [26/Jul/2020:05:58:24 +0800] "GET / HTTP/1.0" 200 612 "-" "ApacheBench/2.3"
172.16.1.100 - - [26/Jul/2020:05:58:24 +0800] "GET / HTTP/1.0" 200 612 "-" "ApacheBench/2.3"
172.16.1.100 - - [26/Jul/2020:05:58:24 +0800] "GET / HTTP/1.0" 200 612 "-" "ApacheBench/2.3"
172.16.1.100 - - [26/Jul/2020:05:58:24 +0800] "GET / HTTP/1.0" 200 612 "-" "ApacheBench/2.3"
172.16.1.100 - - [26/Jul/2020:05:58:24 +0800] "GET / HTTP/1.0" 200 612 "-" "ApacheBench/2.3"
172.16.1.100 - - [26/Jul/2020:05:58:24 +0800] "GET / HTTP/1.0" 200 612 "-" "ApacheBench/2.3"
172.16.1.100 - - [26/Jul/2020:05:58:24 +0800] "GET / HTTP/1.0" 200 612 "-" "ApacheBench/2.3"
172.16.1.100 - - [26/Jul/2020:05:58:24 +0800] "GET / HTTP/1.0" 200 612 "-" "ApacheBench/2.3"
You can see that 172.16.1.100 accessed nginx 10 times within one second, so next we block this problem IP.
Restrict IP access with iptables
172.16.1.10
[root@localhost ~]# iptables -I INPUT -s 172.16.1.100 -p tcp --dport 80 -j DROP
172.16.1.100
[root@localhost ~]# curl 172.16.1.10
curl: (7) Failed connect to 172.16.1.10:80; 连接超时
At this point 172.16.1.100 can no longer access nginx.
Restriction through the Nginx configuration file
172.16.1.10
172.16.1.100
[root@localhost ~]# curl -I 172.16.1.10
HTTP/1.1 403 Forbidden
Server: nginx/1.11.2
Date: Sat, 25 Jul 2020 23:12:06 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
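The log check and the two blocking methods above, combined as an added example (not from the original page): it flags any client whose busiest second reaches a threshold and prints, without applying, the matching rule. The nginx `deny` directive is an assumption, since the page's nginx configuration is not shown; the sample log and the 172.16.1.50 client are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): flag IPs by peak requests per second.

# flag_frequent_ips LOGFILE THRESHOLD
# Prints "IP PEAK" for every client whose busiest second has >= THRESHOLD requests.
flag_frequent_ips() {
    awk -v limit="$2" '
        # Only trust field 1 if it looks like an IPv4/IPv6 address, since the
        # value is later pasted into firewall and nginx rules.
        $1 ~ /^[0-9A-Fa-f:.]+$/ && $4 ~ /^\[/ {
            n = ++hits[$1 SUBSEP substr($4, 2)]   # key: IP + timestamp (1 s resolution)
            if (n > peak[$1]) peak[$1] = n
        }
        END { for (ip in peak) if (peak[ip] >= limit) print ip, peak[ip] }
    ' "$1" | sort
}

# emit_rules FORMAT LOGFILE THRESHOLD   (FORMAT: nginx | iptables)
# Prints rules for review; it does not apply them.
emit_rules() {
    flag_frequent_ips "$2" "$3" | while read -r ip peak; do
        case "$1" in
            nginx)    printf 'deny %s;\n' "$ip" ;;   # assumed directive, see lead-in
            iptables) printf 'iptables -I INPUT -s %s -p tcp --dport 80 -j DROP\n' "$ip" ;;
        esac
    done
}

# Constructed sample log: the burst from the page, a slow client, a malformed line.
write_sample_log() {
    i=0
    while [ "$i" -lt 10 ]; do
        echo '172.16.1.100 - - [26/Jul/2020:05:58:24 +0800] "GET / HTTP/1.0" 200 612 "-" "ApacheBench/2.3"'
        i=$((i + 1))
    done > "$1"
    cat >> "$1" <<'EOF'
172.16.1.50 - - [26/Jul/2020:05:58:24 +0800] "GET / HTTP/1.1" 200 612 "-" "curl/7.29.0"
172.16.1.50 - - [26/Jul/2020:05:58:31 +0800] "GET / HTTP/1.1" 200 612 "-" "curl/7.29.0"
not-an-address - - [26/Jul/2020:05:58:24 +0800] "GET / HTTP/1.1" 200 612 "-" "-"
EOF
}

sample=$(mktemp)
write_sample_log "$sample"
emit_rules nginx "$sample" 10
emit_rules iptables "$sample" 10
rm -f "$sample"
```

The printed `deny` lines can be saved to a file that the `server` block pulls in with `include`, followed by a reload of nginx.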
Summary
The above are two simple ways to restrict access by IP, and there are many other ways to restrict IP access using tools.
Reference link:
Block frequently accessing IPs from reaching nginx: https://www.jianshu.com/p/48a8bbeaf76a