Using nginx to ban (block) the IP address of an attacking server

nginx is installed on the server with IP x.x.x.x

Getting started

The first step is to install nginx.

The second step is nginx configuration.

The third step is to start nginx and access the site.

The fourth step is to shut down and restart the nginx service.

The fifth step is to create an nginx startup script, so that nginx can be controlled without changing into the nginx root directory, and to set nginx to start automatically when the server is restarted.

The first method of banning IP address access with nginx

The first step is to create a new file, blocksip.conf, in the /etc/nginx folder.

Command: cd /etc/nginx

vim blocksip.conf

Add the following code to the blocksip.conf file:

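# Rules are checked in order and the first match wins,
# so the deny for a specific IP comes before allow all.
# Ban 127.0.0.1
deny 127.0.0.1;
allow all;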

The second step is to edit the /etc/nginx/nginx.conf file.

In the /etc/nginx/nginx.conf file, just add the following line inside http{}:

include blocksip.conf;

The third step is to reload the nginx service.

Command: service nginx reload

The second method of banning IP address access with nginx

The first step is to edit the /etc/nginx/nginx.conf file.

In the /etc/nginx/nginx.conf file, you only need to add the allow and deny rules for the IP addresses inside server{}:

server {
        listen 8080;
        server_name localhost;
        #charset koi8-r;
        #access_log logs/host.access.log main;
        location / {
            # Ban 196.0.0.1
            deny 196.0.0.1;
            allow all;
            root html;
            index index.html index.htm;
        }
}

Note: nginx checks allow and deny rules in order and stops at the first match, so the deny for a specific IP must come before allow all.

The second step is to reload the nginx service.

Command: service nginx reload

Automatically block IP addresses

The first step is to use awk to list the IP addresses that accessed the site more than 60 times per minute, based on the access.log file.

Command: awk '{print $1}' /var/log/nginx/access.log | sort | uniq -cd | awk '{if($1>60)print $0}'

Notes:

awk '{print $1}' /var/log/nginx/access.log: extracts the first column of access.log, which is the client IP;

sort | uniq -cd: sorts the addresses and, for each address that occurs more than once, prints the number of occurrences followed by the address;

awk '{if($1>60)print $0}': checks whether the count exceeds 60 and, if it does, prints the line.

The second step is to write a shell script that implements the whole function.

Create a new ip_test.sh script in the /usr/local/nginx folder, and add the following code to the script file:

#!/bin/sh
# This must be the file that nginx.conf includes
conf=/etc/nginx/blocksip.conf
# unblock IP
echo "" > "$conf"
# Build one "deny <ip>;" line for every IP that appears more than 60 times
ip_list=$(awk '{print $1}' /var/log/nginx/access.log | sort | uniq -cd | awk '$1>60 {print "deny " $2 ";"}')
# Check if the variable is empty
if test -z "$ip_list"
then
        # If the variable is empty, write to 11.log and reload nginx
        echo "empty" >> /var/log/nginx/11.log
        /usr/sbin/nginx -s reload
else
        # If the variable is not empty, write the deny rules into the include file
        # (quoted, so that every rule stays on its own line)
        echo "$ip_list" > "$conf"
        # reload nginx
        /usr/sbin/nginx -s reload
        # Clear the previous log so that the next run only counts the latest requests
        echo "" > /var/log/nginx/access.log
fi

The third step is to use crontab to run the script on a schedule, so that IP addresses with more than 60 visits per minute are blocked.

# Add execute permission

Command: chmod +x /usr/local/nginx/ip_test.sh

# Add a scheduled task (run every minute)

Command: crontab -e

Add the following code:

* * * * * sh /usr/local/nginx/ip_test.sh

# Check if it is written

Command: crontab -l

# Restart the timing configuration

Command: systemctl restart crond.service
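
An added example, not part of the original page: a shell function that buckets requests by the minute in each log line's timestamp, so an address is denied only when it exceeds the limit within one minute, and every such address gets its own deny line. It assumes nginx's default combined log format; gen_denylist, write_denylist and sample_log are names made up for this example, and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not the page's script. Assumes nginx's default "combined"
# log format: client address in field 1, "[10/Oct/2021:13:55:36" in field 4.

# gen_denylist LOGFILE LIMIT [ALLOWED_IP...]
# Prints "deny <ip>;" for each address with more than LIMIT requests
# inside any single minute of the log.
gen_denylist() {
    log=$1; limit=$2; shift 2
    awk -v limit="$limit" -v allow="$*" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        # Accept only fields shaped like an IPv4 or IPv6 address, so a
        # malformed log line cannot put arbitrary text into the config.
        $1 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ &&
        $1 !~ /^[0-9A-Fa-f]*:[0-9A-Fa-f:]+$/ { next }
        ($1 in skip) { next }
        {
            minute = substr($4, 2, 17)      # e.g. 10/Oct/2021:13:55
            if (++hits[$1, minute] > limit) banned[$1] = 1
        }
        END { for (ip in banned) print "deny " ip ";" }
    ' "$log" | sort
}

# write_denylist LOGFILE LIMIT CONF [ALLOWED_IP...]
# Writes to a temp file and renames it over CONF, so nginx never reads a
# half-written include file.
write_denylist() {
    log=$1; limit=$2; conf=$3; shift 3
    tmp=$(mktemp "$conf.XXXXXX") || return 1
    gen_denylist "$log" "$limit" "$@" > "$tmp" && chmod 644 "$tmp" && mv "$tmp" "$conf"
}

# Constructed sample log (documentation addresses), not real traffic.
sample_log() {
    for s in 01 02 03 04; do
        echo "203.0.113.5 - - [10/Oct/2021:13:55:$s +0000] \"GET / HTTP/1.1\" 200 612"
        echo "192.0.2.10 - - [10/Oct/2021:13:55:$s +0000] \"GET / HTTP/1.1\" 200 612"
    done
    for m in 55 56; do for s in 10 20; do
        echo "198.51.100.7 - - [10/Oct/2021:13:$m:$s +0000] \"GET / HTTP/1.1\" 200 612"
    done; done
}

# Cron usage (paths as on this page; validate the config before reloading):
# write_denylist /var/log/nginx/access.log 60 /etc/nginx/blocksip.conf && nginx -t && nginx -s reload
```

With a limit of 3 on the sample log, 198.51.100.7 makes four requests in total but only two in any one minute, so it is not denied.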

About the use of allow and deny

The first step: nginx prohibits a single IP.

The following commands can be added to nginx:

deny 127.0.0.1;

The second step: nginx prohibits multiple IPs.

The following commands can be added to nginx:

deny 127.0.0.1;
deny 196.0.0.1;

Note: each deny directive takes a single address, so to prohibit multiple IP addresses, add one deny line per address.

The third step: nginx prohibits the IP segment from 127.0.0.1 to 127.255.255.254.

The following commands can be added to nginx:

deny 127.0.0.0/8;

The fourth step: nginx bans the IP segment from 127.255.0.1 to 127.255.255.254.

The following commands can be added to nginx:

deny 127.255.0.0/16;

The fifth step: nginx bans the IP segment from 127.255.255.1 to 127.255.255.254.

The following commands can be added to nginx:

deny 127.255.255.0/24;

Step 6: nginx prohibits all IP addresses.

The following commands can be added to nginx:

deny all;

Step 7: The allow and deny directives are configured in the same way; if you need to open a certain IP segment, just change the above deny to allow.

syntaxbug.com © 2021 All Rights Reserved.