# ═══════════════════════════════════════════════════════════ # fail2ban 配置 · 语言保护罩 L3 自动封禁层 # ═══════════════════════════════════════════════════════════ # # 编号: ZY-SVR-F2B-006 # 服务器: ZY-SVR-006 (43.153.203.105 · 新加坡 · 智库节点) # 守护: 铸渊 · ICE-GL-ZY001 # 版权: 国作登字-2026-A-00037559 # # 部署路径: # /etc/fail2ban/jail.d/novel-shield.conf (本文件) # /etc/fail2ban/filter.d/novel-scan.conf (过滤规则) # /etc/fail2ban/filter.d/novel-ratelimit.conf (频率限制) # # 封禁机制: # 1. 端口扫描检测 → ban 1小时 # 2. 高频请求检测 → ban 6小时 # 3. 路径扫描检测 (爬 /admin /wp-admin 等) → ban 24小时 # 4. 封禁IP的连接 → TARPIT (连接挂起耗尽扫描工具资源) # 5. 封禁记录写入 /var/log/novel-shield-bans.log (面板可读) # # 安装方式: # sudo apt install fail2ban # sudo cp novel-shield.conf /etc/fail2ban/jail.d/ # sudo cp novel-scan-filter.conf /etc/fail2ban/filter.d/novel-scan.conf # sudo systemctl enable fail2ban && sudo systemctl restart fail2ban # # ═══════════════════════════════════════════════════════════ # ─── 全局设置 ─── [DEFAULT] # 永远不封禁本机回环地址 ignoreip = 127.0.0.1/8 ::1 # 封禁时长(默认 1 小时) bantime = 3600 # 检测时间窗口(10 分钟内) findtime = 600 # 触发封禁的最大失败次数 maxretry = 5 # 封禁动作(iptables DROP + 记录日志) banaction = iptables-allports # 发送封禁日志到专用文件(面板可读取) action = %(action_)s novel-ban-log # ─── 封禁日志动作定义 ─── # /etc/fail2ban/action.d/novel-ban-log.conf # [Definition] # actionban = echo "$(date -Iseconds) BAN jail= attempts=" >> /var/log/novel-shield-bans.log # actionunban = echo "$(date -Iseconds) UNBAN jail=" >> /var/log/novel-shield-bans.log # ═══════════════════════════════════════════════════════════ # Jail 1: Nginx 高频请求 · L3 核心防护 # ═══════════════════════════════════════════════════════════ [novel-nginx-limit-req] enabled = true port = http,https filter = nginx-limit-req logpath = /var/log/nginx/shield-access.log /var/log/nginx/novel-access.log # 5分钟内触发 nginx 429 限速超过 10 次 → ban 6小时 maxretry = 10 findtime = 300 bantime = 21600 # ═══════════════════════════════════════════════════════════ # Jail 2: 路径扫描 (爬常见后台路径) # ═══════════════════════════════════════════════════════════ [novel-path-scan] enabled = true port = http,https filter = novel-scan logpath = /var/log/nginx/shield-access.log /var/log/nginx/novel-access.log # 5分钟内扫描超过 3 次 → ban 24小时 maxretry = 3 findtime = 300 bantime = 86400 # ═══════════════════════════════════════════════════════════ # Jail 3: SSH 暴力破解防护 # ═══════════════════════════════════════════════════════════ [novel-sshd] enabled = true port = ssh filter = sshd logpath = /var/log/auth.log # 10分钟内失败 3 次 → ban 12小时 maxretry = 3 findtime = 600 bantime = 43200 # ═══════════════════════════════════════════════════════════ # Jail 4: 重复 400/403/404 错误 (通用扫描) # ═══════════════════════════════════════════════════════════ [novel-nginx-4xx] enabled = true port = http,https filter = novel-4xx logpath = /var/log/nginx/shield-access.log /var/log/nginx/novel-access.log # 10分钟内 5 次 40x 错误 → ban 1小时 maxretry = 5 findtime = 600 bantime = 3600