guanghulab/server/novel-db/security/fail2ban-novel.conf
Guanghu Domestic Migration d1e47f4565
Some checks are pending
自动更新代码和重启 / update-and-restart (push) Waiting to run
CI检查 + 自动部署 / check (push) Waiting to run
CI检查 + 自动部署 / deploy (push) Blocked by required conditions
重启聊天服务 / restart (push) Waiting to run
chore: import sanitized domestic snapshot for REPO-002
Source snapshot: ca48d3ddf926d79aa138306164169baf764bb829
2026-07-17 15:54:41 +08:00

106 lines
4.8 KiB
Plaintext
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# ═══════════════════════════════════════════════════════════
# fail2ban 配置 · 语言保护罩 L3 自动封禁层
# ═══════════════════════════════════════════════════════════
#
# 编号: ZY-SVR-F2B-006
# 服务器: ZY-SVR-006 (43.153.203.105 · 新加坡 · 智库节点)
# 守护: 铸渊 · ICE-GL-ZY001
# 版权: 国作登字-2026-A-00037559
#
# 部署路径:
# /etc/fail2ban/jail.d/novel-shield.conf (本文件)
# /etc/fail2ban/filter.d/novel-scan.conf (过滤规则)
# /etc/fail2ban/filter.d/novel-ratelimit.conf (频率限制)
#
# 封禁机制:
# 1. 端口扫描检测 → ban 1小时
# 2. 高频请求检测 → ban 6小时
# 3. 路径扫描检测 (爬 /admin /wp-admin 等) → ban 24小时
# 4. 封禁IP的连接 → TARPIT (连接挂起耗尽扫描工具资源)
# 5. 封禁记录写入 /var/log/novel-shield-bans.log (面板可读)
#
# 安装方式:
# sudo apt install fail2ban
# sudo cp novel-shield.conf /etc/fail2ban/jail.d/
# sudo cp novel-scan-filter.conf /etc/fail2ban/filter.d/novel-scan.conf
# sudo systemctl enable fail2ban && sudo systemctl restart fail2ban
#
# ═══════════════════════════════════════════════════════════
# ─── 全局设置 ───
[DEFAULT]
# 永远不封禁本机回环地址
ignoreip = 127.0.0.1/8 ::1
# 封禁时长(默认 1 小时)
bantime = 3600
# 检测时间窗口10 分钟内)
findtime = 600
# 触发封禁的最大失败次数
maxretry = 5
# 封禁动作iptables DROP + 记录日志)
banaction = iptables-allports
# 发送封禁日志到专用文件(面板可读取)
action = %(action_)s
novel-ban-log
# ─── 封禁日志动作定义 ───
# /etc/fail2ban/action.d/novel-ban-log.conf
# [Definition]
# actionban = echo "$(date -Iseconds) BAN <ip> jail=<name> attempts=<failures>" >> /var/log/novel-shield-bans.log
# actionunban = echo "$(date -Iseconds) UNBAN <ip> jail=<name>" >> /var/log/novel-shield-bans.log
# ═══════════════════════════════════════════════════════════
# Jail 1: Nginx 高频请求 · L3 核心防护
# ═══════════════════════════════════════════════════════════
[novel-nginx-limit-req]
enabled = true
port = http,https
filter = nginx-limit-req
logpath = /var/log/nginx/shield-access.log
/var/log/nginx/novel-access.log
# 5分钟内触发 nginx 429 限速超过 10 次 → ban 6小时
maxretry = 10
findtime = 300
bantime = 21600
# ═══════════════════════════════════════════════════════════
# Jail 2: 路径扫描 (爬常见后台路径)
# ═══════════════════════════════════════════════════════════
[novel-path-scan]
enabled = true
port = http,https
filter = novel-scan
logpath = /var/log/nginx/shield-access.log
/var/log/nginx/novel-access.log
# 5分钟内扫描超过 3 次 → ban 24小时
maxretry = 3
findtime = 300
bantime = 86400
# ═══════════════════════════════════════════════════════════
# Jail 3: SSH 暴力破解防护
# ═══════════════════════════════════════════════════════════
[novel-sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
# 10分钟内失败 3 次 → ban 12小时
maxretry = 3
findtime = 600
bantime = 43200
# ═══════════════════════════════════════════════════════════
# Jail 4: 重复 400/403/404 错误 (通用扫描)
# ═══════════════════════════════════════════════════════════
[novel-nginx-4xx]
enabled = true
port = http,https
filter = novel-4xx
logpath = /var/log/nginx/shield-access.log
/var/log/nginx/novel-access.log
# 10分钟内 5 次 40x 错误 → ban 1小时
maxretry = 5
findtime = 600
bantime = 3600