106 lines
4.8 KiB
Plaintext
106 lines
4.8 KiB
Plaintext
# ═══════════════════════════════════════════════════════════
|
||
# fail2ban 配置 · 语言保护罩 L3 自动封禁层
|
||
# ═══════════════════════════════════════════════════════════
|
||
#
|
||
# 编号: ZY-SVR-F2B-006
|
||
# 服务器: ZY-SVR-006 (43.153.203.105 · 新加坡 · 智库节点)
|
||
# 守护: 铸渊 · ICE-GL-ZY001
|
||
# 版权: 国作登字-2026-A-00037559
|
||
#
|
||
# 部署路径:
|
||
# /etc/fail2ban/jail.d/novel-shield.conf (本文件)
|
||
# /etc/fail2ban/filter.d/novel-scan.conf (过滤规则)
|
||
# /etc/fail2ban/filter.d/novel-ratelimit.conf (频率限制)
|
||
#
|
||
# 封禁机制:
|
||
# 1. 端口扫描检测 → ban 1小时
|
||
# 2. 高频请求检测 → ban 6小时
|
||
# 3. 路径扫描检测 (爬 /admin /wp-admin 等) → ban 24小时
|
||
# 4. 封禁IP的连接 → TARPIT (连接挂起耗尽扫描工具资源)
|
||
# 5. 封禁记录写入 /var/log/novel-shield-bans.log (面板可读)
|
||
#
|
||
# 安装方式:
|
||
# sudo apt install fail2ban
|
||
# sudo cp novel-shield.conf /etc/fail2ban/jail.d/
|
||
# sudo cp novel-scan-filter.conf /etc/fail2ban/filter.d/novel-scan.conf
|
||
# sudo systemctl enable fail2ban && sudo systemctl restart fail2ban
|
||
#
|
||
# ═══════════════════════════════════════════════════════════
|
||
|
||
# ─── 全局设置 ───
|
||
[DEFAULT]
|
||
# 永远不封禁本机回环地址
|
||
ignoreip = 127.0.0.1/8 ::1
|
||
# 封禁时长(默认 1 小时)
|
||
bantime = 3600
|
||
# 检测时间窗口(10 分钟内)
|
||
findtime = 600
|
||
# 触发封禁的最大失败次数
|
||
maxretry = 5
|
||
# 封禁动作(iptables DROP + 记录日志)
|
||
banaction = iptables-allports
|
||
# 发送封禁日志到专用文件(面板可读取)
|
||
action = %(action_)s
|
||
novel-ban-log
|
||
|
||
# ─── 封禁日志动作定义 ───
|
||
# /etc/fail2ban/action.d/novel-ban-log.conf
|
||
# [Definition]
|
||
# actionban = echo "$(date -Iseconds) BAN <ip> jail=<name> attempts=<failures>" >> /var/log/novel-shield-bans.log
|
||
# actionunban = echo "$(date -Iseconds) UNBAN <ip> jail=<name>" >> /var/log/novel-shield-bans.log
|
||
|
||
# ═══════════════════════════════════════════════════════════
|
||
# Jail 1: Nginx 高频请求 · L3 核心防护
|
||
# ═══════════════════════════════════════════════════════════
|
||
[novel-nginx-limit-req]
|
||
enabled = true
|
||
port = http,https
|
||
filter = nginx-limit-req
|
||
logpath = /var/log/nginx/shield-access.log
|
||
/var/log/nginx/novel-access.log
|
||
# 5分钟内触发 nginx 429 限速超过 10 次 → ban 6小时
|
||
maxretry = 10
|
||
findtime = 300
|
||
bantime = 21600
|
||
|
||
# ═══════════════════════════════════════════════════════════
|
||
# Jail 2: 路径扫描 (爬常见后台路径)
|
||
# ═══════════════════════════════════════════════════════════
|
||
[novel-path-scan]
|
||
enabled = true
|
||
port = http,https
|
||
filter = novel-scan
|
||
logpath = /var/log/nginx/shield-access.log
|
||
/var/log/nginx/novel-access.log
|
||
# 5分钟内扫描超过 3 次 → ban 24小时
|
||
maxretry = 3
|
||
findtime = 300
|
||
bantime = 86400
|
||
|
||
# ═══════════════════════════════════════════════════════════
|
||
# Jail 3: SSH 暴力破解防护
|
||
# ═══════════════════════════════════════════════════════════
|
||
[novel-sshd]
|
||
enabled = true
|
||
port = ssh
|
||
filter = sshd
|
||
logpath = /var/log/auth.log
|
||
# 10分钟内失败 3 次 → ban 12小时
|
||
maxretry = 3
|
||
findtime = 600
|
||
bantime = 43200
|
||
|
||
# ═══════════════════════════════════════════════════════════
|
||
# Jail 4: 重复 400/403/404 错误 (通用扫描)
|
||
# ═══════════════════════════════════════════════════════════
|
||
[novel-nginx-4xx]
|
||
enabled = true
|
||
port = http,https
|
||
filter = novel-4xx
|
||
logpath = /var/log/nginx/shield-access.log
|
||
/var/log/nginx/novel-access.log
|
||
# 10分钟内 5 次 40x 错误 → ban 1小时
|
||
maxretry = 5
|
||
findtime = 600
|
||
bantime = 3600
|