Basic Auth and Banning with Fail2Ban

When you put basic authentication in front of your application, nothing stops people from trying to brute-force their way in. By adding Fail2ban, however, you can give an intruder x retries before the client gets banned.

Create the .htpasswd file

Exec into the container and create the .htpasswd file

Use this command to create the .htpasswd file; if you are not using Docker, just drop the docker part.

docker exec -it letsencrypt htpasswd -c /config/nginx/.htpasswd USER-NAME


New password:
Re-type new password:
Adding password for user yourusername

The result will look like this:

login:password
exampleuser:$apr1$adiBYUBX$61udeQ5OGHJXev1l.Mr5X/

If you chose to put the .htaccess file in the root directory, you can block access to it (and to any other dotfile) with:


location ~ /\. {
    return 404;
}

Use the include syntax and create a basicauth.conf file that you include in each protected location block.

include /config/nginx/basicauth.conf;

Here is an example:


# SABNZBD redirect
location /sabnzbd {
    return 301 /sabnzbd/;
}
# SABNZBD
location /sabnzbd/ {
    include /config/nginx/basicauth.conf;
    include /config/nginx/proxy.conf;
    proxy_pass http://192.168.1.34:8383/sabnzbd/;
}

Note: this will not work if you use Organizr-based server authentication.

Contents of basicauth.conf


auth_basic "Restricted";
auth_basic_user_file /config/nginx/.htpasswd;

Fail2Ban

If you use the linuxserver letsencrypt container, Fail2ban should already be preconfigured to ban failed HTTP auths.

If not, you can add the following jail to your jail.local file:


[nginx-http-auth]

enabled = true
filter = nginx-http-auth
port = http,https
logpath = /config/log/nginx/error.log
ignoreip = 192.168.1.0/24

Note: ignoreip is there so that fail2ban does not ban your local IP range.

To find your netmask, run ipconfig /all on Windows or ifconfig | grep netmask on Linux.

  • logpath is the path to the Nginx error log

You also need to create a file called nginx-http-auth.conf in the filter.d folder of the fail2ban directory.


# fail2ban filter configuration for nginx
[Definition]

failregex = ^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), client: <HOST>, server: \S*, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"(, referrer: "\S+")?\s*$

ignoreregex = 

# DEV NOTES:
# Based on samples in https://github.com/fail2ban/fail2ban/pull/43/files
# Extensive search of all nginx auth failures not done yet.
# 
# Author: Daniel Black

Fail2ban.log output

2017-11-04 15:14:58,867 fail2ban.filter [308]: INFO [nginx-http-auth] Ignore 192.168.1.1 by ip
2017-11-04 15:14:58,868 fail2ban.filter [308]: INFO [nginx-http-auth] Ignore 192.168.1.1 by ip
2017-11-04 15:52:04,055 fail2ban.filter [308]: INFO [nginx-http-auth] Found 77.16.40.104 - 2017-11-04 15:52:04
2017-11-04 15:52:06,530 fail2ban.filter [308]: INFO [nginx-http-auth] Found 77.16.40.104 - 2017-11-04 15:52:06
2017-11-04 15:52:16,989 fail2ban.filter [308]: INFO [nginx-http-auth] Found 77.16.40.104 - 2017-11-04 15:52:16
2017-11-04 15:52:18,817 fail2ban.filter [308]: INFO [nginx-http-auth] Found 77.16.40.104 - 2017-11-04 15:52:18
2017-11-04 15:52:29,309 fail2ban.filter [308]: INFO [nginx-http-auth] Found 77.16.40.104 - 2017-11-04 15:52:29
2017-11-04 15:52:29,340 fail2ban.actions [308]: NOTICE [nginx-http-auth] Ban 77.16.40.104
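
As an added example that is not part of the original post: a small Python script that applies the failregex above to constructed nginx error-log lines the way fail2ban does (timestamp stripped first, <HOST> captured), honours the jail's ignoreip range, and reports which client would be banned. It assumes an IPv4-only expansion of <HOST> and fail2ban's default maxretry=5 / findtime=10m, since the jail.local above sets neither.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# nginx error-log timestamp; fail2ban strips it before applying failregex, which is
# why the filter's pattern starts with "^ \[error\]" (a leading space remains).
DATE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})")
# failregex from nginx-http-auth.conf, with <HOST> expanded to an IPv4 capture group
# (assumption: fail2ban's own <HOST> substitution also covers IPv6 and hostnames).
FAIL_RE = re.compile(
    r'^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), '
    r'client: (?P<host>(?:\d{1,3}\.){3}\d{1,3}), server: \S*, '
    r'request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"(, referrer: "\S+")?\s*$'
)
IGNORE_NET = ipaddress.ip_network("192.168.1.0/24")  # the jail's ignoreip

SAMPLE_LOG = [  # constructed sample of /config/log/nginx/error.log, not real traffic
    '2017/11/04 15:14:58 [error] 308#308: *3 user "admin": password mismatch, client: 192.168.1.1, server: _, request: "GET /sabnzbd/ HTTP/1.1", host: "example.com"',
    '2017/11/04 15:51:00 [error] 308#308: *7 open() "/config/www/favicon.ico" failed (2: No such file or directory), client: 77.16.40.104, server: _, request: "GET /favicon.ico HTTP/1.1", host: "example.com"',
    '2017/11/04 15:52:04 [error] 308#308: *8 user "admin": password mismatch, client: 77.16.40.104, server: _, request: "GET /sabnzbd/ HTTP/1.1", host: "example.com"',
    '2017/11/04 15:52:06 [error] 308#308: *9 user "root" was not found in "/config/nginx/.htpasswd", client: 77.16.40.104, server: _, request: "GET /sabnzbd/ HTTP/1.1", host: "example.com"',
    '2017/11/04 15:52:16 [error] 308#308: *10 user "admin": password mismatch, client: 77.16.40.104, server: _, request: "GET /sabnzbd/ HTTP/1.1", host: "example.com", referrer: "https://example.com/"',
    '2017/11/04 15:52:18 [error] 308#308: *11 user "admin": password mismatch, client: 77.16.40.104, server: _, request: "GET /sabnzbd/ HTTP/1.1", host: "example.com"',
    '2017/11/04 15:52:29 [error] 308#308: *12 user "admin": password mismatch, client: 77.16.40.104, server: _, request: "GET /sabnzbd/ HTTP/1.1", host: "example.com"',
]

def match_failure(line):
    """Return (timestamp, client_ip) for a basic-auth failure line, else None."""
    d = DATE_RE.match(line)
    m = FAIL_RE.match(line[d.end():]) if d else None
    if not m:
        return None
    return datetime.strptime(d.group(1), "%Y/%m/%d %H:%M:%S"), m.group("host")

def find_failures(lines):
    return [r for r in map(match_failure, lines) if r]  # log order, before ignoreip

def ban_candidates(lines, maxretry=5, findtime=timedelta(minutes=10)):
    """IPs outside ignoreip with maxretry failures inside one findtime window."""
    hits = defaultdict(list)
    for ts, ip in find_failures(lines):
        if ipaddress.ip_address(ip) not in IGNORE_NET:
            hits[ip].append(ts)
    banned = set()
    for ip, t in hits.items():
        t.sort()
        if any(t[i + maxretry - 1] - t[i] <= findtime for i in range(len(t) - maxretry + 1)):
            banned.add(ip)
    return banned
```

Running it against the sample reproduces the log above: the 192.168.1.1 hit is ignored, the favicon error is not a match, and 77.16.40.104 reaches five failures within the window and is the only ban candidate.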

Unbanning

Exec into the container with:

docker exec -it letsencrypt bash

Check the status of the jail:

fail2ban-client status nginx-http-auth

Output


Status for the jail: nginx-http-auth
|- Filter
| |- Currently failed: 0
| |- Total failed: 5
| `- File list: /config/log/nginx/error.log
`- Actions
|- Currently banned: 1
|- Total banned: 1
`- Banned IP list: 77.16.40.104

Unban the IP:

fail2ban-client unban 77.16.40.104

If you already know the IP you want to unban, you can enter:

docker exec -it letsencrypt fail2ban-client set nginx-http-auth unbanip 77.16.40.104
or
docker exec -it letsencrypt fail2ban-client unban 77.16.40.104
