Nginx rejects the configuration of a specified IP address to access the website

Nginx rejects access from a specified IP address is actually very simple. Let's look at the simple configuration.

In the following example, all connections are rejected:
Location /{
# The Error 403 will always be output here.
Deny all;
# These commands will not be enabled, because the connection to be reached has been rejected at the first entry.
Deny 192.168.1.1;
Allow 192.168.1.0/24;
Allow 10.1.1.0/1
}

Of course, we can access some valid IP addresses.

The control rules are checked in the declared order. The first access rule that matches the IP address is enabled.

Location /{
Deny 192.168.1.1;
Allow 192.168.1.0/24;
Allow 10.1.1.0/16;
Deny all;
}
In the preceding example, only the location field can be accessed in the network segments 192.168.1.0/24 and 10.1.1.0/16, but 192.168.1.1 is an exception.

Example

The following are my ideas and steps:
Use Nginx error logs (why not use access logs) to obtain the attacker's IP address. No regular cutting of Nginx error logs was performed before. In order to conveniently count the IP addresses of attackers, write scripts and add scheduled tasks so that error logs can be cut every hour, the blacklist files are cleared every hour.
Script for cutting and clearing the blacklist of error logs:

# Cat rotate-nginx-error-logs.sh [root @ z-dig scripts] #
#! /Bin/bash
# Rotate nginx error logs and clean block ip's configure file
# Nginx pid file:/application/nginx/logs/nginx. pid
# Nginx error logs directory:/data/logs/nginx
# Block Ip's configure file:/application/nginx/conf/website/blockip. conf
# Default log name: error. log
# Author: Mr. Zhou
# E-mail: zhou@111cn.net

NGX_PID =/application/nginx/logs/nginx. pid
NGINX_CMD =/application/nginx/sbin/nginx
LOGS_DIR =/data/logs/nginx
LOG_NAME = error. log
BLOCK_IP_FILE =/application/nginx/conf/website/blockip. conf

Cd $ LOGS_DIR &&
/Usr/bin/rename $ LOG_NAME $ (/bin/date + % F-% H-d "last hour"). $ LOG_NAME &&
/Bin/kill-USR1 $ (cat $ NGX_PID)
> $ BLOCK_IP_FILE &&
$ ($ NGINX_CMD-s reload)
[Root @ z-dig scripts] #

Attackers can obtain the IP address script:
The script calculates more than 20 IP addresses that attempt to guess the path or upload files from the Nginx error log and adds these IP addresses to the Nginx configuration file. If a new IP address is added, reload Nginx to make the configuration file take effect. If no new IP address is added, reload is not performed.

# Cat block-ip.sh [root @ z-dig scripts] #
#! /Bin/bash
# Author: Mr. Zhou
# Email: zhou@111cn.net
# Website: http://www.111cn.net
# Block ip

ERR_LOG =/data/logs/nginx/error. log
BLOCK_IP_FILE =/application/nginx/conf/website/blockip. conf
BLOCKED_IP =/dev/shm/blocked-ip.txt
BLOCK_IP =/dev/shm/block-ip.txt
NGINX_CMD =/application/nginx/sbin/nginx

/Bin/cp $ BLOCK_IP_FILE $ BLOCKED_IP &&
/Bin/sed-nr's #. * [^ 0-9] ([0-9] + \.) {3} [0-9] + ). * # \ 1 # P' $ ERR_LOG |/bin/awk '{IP [$1] ++} END {for (I in IP) print IP [I], i} '|/bin/awk' {if ($1> 20) print "deny" $2 ";"} '> $ BLOCK_IP &&
/Bin/grep-v-f $ BLOCK_IP_FILE $ BLOCK_IP> $ BLOCK_IP_FILE &&
$ ($ NGINX_CMD-s reload)
[Root @ z-dig scripts] #

The configuration file (blacklist) that denies access from the specified IP address is stored separately and included in the nginx main configuration file.

[Root @ z-dig conf] # grep blockip. conf nginx. conf
Include website/blockip. conf;
[Root @ z-dig conf] #

The format of the blockip. conf file is as follows:

[Root @ z-dig website] # cat blockip. conf
Deny 195.154.211.220;
Deny 195.154.188.28;
Deny 195.154.188.186;
Deny 180.97.106.161;
Deny 180.97.106.162;
Deny 180.97.106.36;
Deny 195.154.180.69;
Deny 195.154.211.26;
Deny 221.229.166.247;
Deny 180.97.106.37;
Deny 195.154.216.164;
Deny 195.154.216.165;
[Root @ z-dig website] #

Put the script into a scheduled task for execution:
The Nginx error log is cut hourly and the configuration file that is denied access to the IP address is cleared once. If it is not cleared, the IP address cannot be accessed for life, if it attacks again, it will go to the blacklist again,> _ <. The clear command is placed at the end of the cut script.
You can determine the statistics frequency and execute scripts based on the specified frequency to obtain the attacker's IP address. If the IP address is already in the blacklist, it will be ignored (because the error log is cut once an hour, so there will be repeated IP addresses within one hour ). Then, append the IP addresses of the remaining new attackers to the blacklist. And reload Nginx. If no new attacker IP address is added, nothing will be done.

[Root @ z-dig ~] # Crontab-l
# Rotate nginx log everyday
00 00 ***/bin/bash/application/scripts/rotate-nginx-logs.sh &>/dev/null
# Rotate nginx error log every hour and clean the block ip file
00 */1 ***/bin/bash/application/scripts/rotate-nginx-error-logs.sh &>/dev/null
# Check hacker's ip every ten minutes
*/10 *****/bin/bash/application/scripts/block-ip.sh &>/dev/null
[Root @ z-dig ~] #

The following are the IP addresses of attackers who run the script for a period of time:

[Root @ z-dig ~] # Cat/application/nginx/conf/website/blockip. conf
Deny 195.154.211.220;
Deny 195.154.188.28;
Deny 195.154.188.186;
Deny 180.97.106.161;
Deny 180.97.106.162;
Deny 180.97.106.36;
Deny 195.154.180.69;
Deny 195.154.211.26;
Deny 221.229.166.247;
Deny 180.97.106.37;
Deny 195.154.216.164;
Deny 195.154.216.165;
[Root @ z-dig ~] #

After a period of time, list another blacklist IP address to see if it has changed.

[Root @ z-dig ~] # Cat/application/nginx/conf/website/blockip. conf
Deny 195.154.188..pdf;
[Root @ z-dig ~] # Curl ipinfo. io/195.154.188.224; echo''
{
"Ip": "195.154.188.20 ",
"Hostname": "195-154-188-224.rev.poneytelecom.eu ",
"City ":"",
"Region ":"",
"Country": "FR ",
"Loc": "48.8600, 2.3500 ",
"Org": "AS12876 online s. A. S ."
}
[Root @ z-dig ~] # Grep '1970. 154.188.20.'/data/logs/nginx/error. log | wc-l
102
[Root @ z-dig ~] # Grep '1970. 154.188.20.'/data/logs/nginx/error. log | grep-v 'Access forbidden '| wc-l
24
[Root @ z-dig ~] #
[Root @ z-dig ~] # Tail-n 1/data/logs/nginx/error. log
10:47:53 [error] 30754 #0: * 37828 access forbidden by rule, client: 195.154.188.133, server: www.111cn.net, request: "GET/HTTP/1.1", host: "www.111cn.net ", referrer: "http://www.111cn.net"
[Root @ z-dig ~] #

It seems that it is still a management point. A total of access forbidden by rule is 102-24 = 78 times.
Modify the script appropriately, save the historical data of the blacklist, and regularly add IP addresses greater than 1000 to iptables!