Ubuntu Nginx/Apache DDoS Defence with Fail2Ban

My server was recently hit by a malicious DDoS. The basic approach here is to filter by IP address: the attacker rotates through many different source IPs, so I use Fail2Ban together with iptables to count repeated requests per address and put each offending address on a blacklist. In this case the flood was a stream of POST requests to an SMS-sending endpoint (an application-layer flood rather than a bandwidth attack), and the access log looked like this:

139.208.55.108 - - [19/Jun/2017:16:47:49 +0800] "POST /sys/zh/wininhr/home/index?a=sendSMSy HTTP/1.1" 200 478 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; 360SE)"
139.208.55.108 - - [19/Jun/2017:16:47:49 +0800] "POST /sys/zh/wininhr/home/index?a=sendSMSy HTTP/1.1" 200 478 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Maxthon 2.0)"
139.208.55.108 - - [19/Jun/2017:16:47:49 +0800] "POST /sys/zh/wininhr/home/index?a=sendSMSy HTTP/1.1" 200 478 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; TencentTraveler 4.0)"
139.208.55.108 - - [19/Jun/2017:16:47:49 +0800] "POST /sys/zh/wininhr/home/index?a=sendSMSy HTTP/1.1" 200 478 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Avant Browser)"
139.208.55.108 - - [19/Jun/2017:16:47:49 +0800] "POST /sys/zh/wininhr/home/index?a=sendSMSy HTTP/1.1" 200 478 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; 360SE)"
139.208.55.108 - - [19/Jun/2017:16:47:49 +0800] "POST /sys/zh/wininhr/home/index?a=sendSMSy HTTP/1.1" 200 478 "-" "Opera/9.80 (Windows NT 6.1; U; en) Presto/2.8.131 Version/11.11"
183.157.18.57 - - [19/Jun/2017:16:47:50 +0800] "POST /sys/zh/wininhr/home/index?a=sendSMSy HTTP/1.1" 200 478 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)"
112.51.51.91 - - [19/Jun/2017:16:47:51 +0800] "POST /sys/zh/wininhr/home/index?a=sendSMSy HTTP/1.1" 200 478 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; The World)"
125.84.177.240 - - [19/Jun/2017:16:47:51 +0800] "POST /sys/zh/wininhr/home/index?a=sendSMSy HTTP/1.1" 200 478 "-" "Opera/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; en) Presto/2.8.131 Version/11.11"
218.77.94.240 - - [19/Jun/2017:16:47:52 +0800] "POST /sys/zh/wininhr/home/index?a=sendSMSy HTTP/1.1" 200 478 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; 360SE)"
175.167.236.138 - - [19/Jun/2017:16:47:54 +0800] "POST /sys/zh/wininhr/home/index?a=sendSMSy HTTP/1.1" 200 478 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; SE 2.X MetaSr 1.0; SE 2.X MetaSr 1.0; .NET CLR 2.0.50727; SE 2.X MetaSr 1.0)"

Install fail2ban

apt-get install fail2ban

Configure the jail: vi /etc/fail2ban/jail.local (not jail.conf, which the package overwrites on upgrade; jail.local uses the same syntax and overrides jail.conf)

[nginx-get-sms-limit]
enabled=true
filter=nginx-get-sms-limit
action=iptables[name=nppl, port=http, protocol=tcp]
logpath=/var/log/apache2/other_vhosts_access.log
findtime=60
bantime=7200
maxretry=3

For Nginx use logpath=/var/log/nginx/access.log. The three numbers mean: a host that matches the filter 3 times (maxretry) within 60 seconds (findtime) is banned for 7200 seconds (bantime). The plain iptables action blocks a single port; if the site also serves HTTPS, use the iptables-multiport action with port="http,https" so the ban covers both.

Configure the filter: vi /etc/fail2ban/filter.d/nginx-get-sms-limit.conf

[Definition]
failregex = <HOST>.*GET.*sms\?phone.*

fail2ban replaces <HOST> with its own address pattern and bans whatever that group captures. Note that this regex only matches GET requests whose path contains sms?phone; the sample log at the top of the page shows POST requests to /sys/zh/wininhr/home/index?a=sendSMSy, which this pattern would not match, so adapt the method and path to the endpoint actually being hammered and verify the match with fail2ban-regex before enabling the jail.

Test the filter against the real log, restart fail2ban (service fail2ban restart) so the new jail is loaded, then check the jail status, which lists the addresses currently banned:

fail2ban-regex /var/log/apache2/other_vhosts_access.log /etc/fail2ban/filter.d/nginx-get-sms-limit.conf
fail2ban-client status nginx-get-sms-limit
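The jail parameters and the filter regex can be checked offline before touching the live server. The script below is an added example for this page, not code from the original post or from fail2ban: it replays constructed access-log lines (modelled on the excerpt at the top of the page) through a simplified jail with the same findtime/maxretry semantics, first with the page's own GET regex and then with a hypothetical regex for the POST shape actually present in that excerpt. The IPv4-only stand-in for <HOST>, the POST regex and the sample lines are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed access-log lines in the Apache/Nginx "combined" format, modelled
# on the excerpt at the top of the page: one client hammering the POST
# endpoint, two clients probing a hypothetical GET /sms?phone=... endpoint at
# different rates, and one harmless request.
SAMPLE_LOG = """\
139.208.55.108 - - [19/Jun/2017:16:47:49 +0800] "POST /sys/zh/wininhr/home/index?a=sendSMSy HTTP/1.1" 200 478 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; 360SE)"
139.208.55.108 - - [19/Jun/2017:16:47:49 +0800] "POST /sys/zh/wininhr/home/index?a=sendSMSy HTTP/1.1" 200 478 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Maxthon 2.0)"
139.208.55.108 - - [19/Jun/2017:16:47:49 +0800] "POST /sys/zh/wininhr/home/index?a=sendSMSy HTTP/1.1" 200 478 "-" "Opera/9.80 (Windows NT 6.1; U; en) Presto/2.8.131 Version/11.11"
183.157.18.57 - - [19/Jun/2017:16:47:50 +0800] "POST /sys/zh/wininhr/home/index?a=sendSMSy HTTP/1.1" 200 478 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)"
112.51.51.91 - - [19/Jun/2017:16:47:51 +0800] "GET /sms?phone=13800000000 HTTP/1.1" 200 12 "-" "curl/7.47.0"
112.51.51.91 - - [19/Jun/2017:16:48:40 +0800] "GET /sms?phone=13800000000 HTTP/1.1" 200 12 "-" "curl/7.47.0"
112.51.51.91 - - [19/Jun/2017:16:49:30 +0800] "GET /sms?phone=13800000000 HTTP/1.1" 200 12 "-" "curl/7.47.0"
112.51.51.91 - - [19/Jun/2017:16:49:35 +0800] "GET /sms?phone=13800000000 HTTP/1.1" 200 12 "-" "curl/7.47.0"
125.84.177.240 - - [19/Jun/2017:16:47:51 +0800] "GET /sms?phone=13900000000 HTTP/1.1" 200 12 "-" "curl/7.47.0"
125.84.177.240 - - [19/Jun/2017:16:50:00 +0800] "GET /sms?phone=13900000000 HTTP/1.1" 200 12 "-" "curl/7.47.0"
10.0.0.5 - - [19/Jun/2017:16:47:52 +0800] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Simplified stand-in for fail2ban's <HOST> token (IPv4 only; the real token
# also accepts IPv6 addresses and host names).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
TIMESTAMP = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")


def compile_failregex(pattern):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(pattern.replace("<HOST>", HOST))


# The filter exactly as written on the page.
PAGE_FAILREGEX = compile_failregex(r"<HOST>.*GET.*sms\?phone.*")
# Hypothetical filter for the POST shape present in the page's log excerpt
# (an assumption for this example, not the author's rule).
POST_FAILREGEX = compile_failregex(
    r'^<HOST> .*"POST /sys/zh/wininhr/home/index\?a=sendSMSy')


def parse_time(line):
    """Extract the request timestamp (offset ignored; all lines share one)."""
    m = TIMESTAMP.search(line)
    if m is None:
        raise ValueError("no timestamp in line: %r" % line)
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S")


def simulate_jail(log_text, failregex, findtime=60, maxretry=3):
    """Replay log lines through a jail with the page's semantics: a host is
    banned once it has maxretry matches inside a sliding findtime window.
    Returns {ip: ban_timestamp}; a ban lasts for the rest of the replay."""
    recent = defaultdict(deque)   # ip -> timestamps of matches still in window
    banned = {}
    for line in log_text.splitlines():
        m = failregex.search(line)
        if m is None:
            continue
        ip = m.group("host")
        if ip in banned:
            continue              # fail2ban logs "<ip> already banned" here
        ts = parse_time(line)
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()      # hits older than findtime no longer count
        if len(window) >= maxretry:
            banned[ip] = ts
            window.clear()
    return banned


if __name__ == "__main__":
    print("page regex:", simulate_jail(SAMPLE_LOG, PAGE_FAILREGEX))
    print("POST regex:", simulate_jail(SAMPLE_LOG, POST_FAILREGEX))
```

With the page's regex only the GET client 112.51.51.91 is banned, and only at its fourth request: the first one has aged out of the 60-second window, so the count reaches 3 just at 16:49:35. The POST flood from 139.208.55.108 is never matched by that regex; it is banned immediately by the POST variant.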

View the banned IP addresses. fail2ban keeps its rules in a dedicated chain named after the action's name parameter (fail2ban-nppl on older releases, f2b-nppl on newer ones), which iptables -nL lists together with the rest:

iptables -nL
REJECT     all  --  175.8.29.85          0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  114.232.99.86        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  59.58.7.225          0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  117.81.205.54        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  27.154.70.171        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  123.82.184.185       0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  182.37.56.89         0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  60.175.17.23         0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  183.9.84.178         0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  111.122.177.36       0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  1.60.213.68          0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  115.218.227.113      0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  182.41.105.209       0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  125.109.17.39        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  140.237.98.68        0.0.0.0/0            reject-with icmp-port-unreachable

PS: note that iptables has three targets of interest here: ACCEPT, REJECT and DROP. fail2ban's iptables actions default to REJECT. The difference between REJECT and DROP: think of a scam phone call. DROP is hanging up without a word; REJECT is telling the caller "not interested" before hanging up. Here we switch to DROP, which discards the packet silently without sending anything back:

  • ACCEPT: let the packet through.
  • DROP: discard the packet silently.
  • REJECT: discard the packet and send a response (by default an ICMP port-unreachable, as shown in the iptables output above) to notify the sender.

Add the setting to: vi /etc/fail2ban/action.d/iptables-blocktype.local

[Init]
blocktype = DROP

Restart fail2ban afterwards for the change to take effect. Newer fail2ban releases read this [Init] section from iptables-common.local and still include iptables-blocktype.local for compatibility.

Check the ban log: /var/log/fail2ban.log. An "already banned" line right after a Ban is normal: it comes from requests that were logged before the iptables rule took effect. If a host keeps producing "already banned" minutes after its ban, its traffic is still reaching the web server; the usual cause is a reverse proxy or CDN in front, so the address in the access log is not the address iptables sees.

2017-06-19 16:51:12,252 fail2ban.actions: WARNING [nginx-get-sms-limit] Ban 60.180.1.255
2017-06-19 16:51:24,273 fail2ban.actions: WARNING [nginx-get-sms-limit] Ban 117.89.101.27
2017-06-19 16:51:24,281 fail2ban.actions: WARNING [nginx-get-sms-limit] Ban 183.253.143.67
2017-06-19 16:51:25,288 fail2ban.actions: WARNING [nginx-get-sms-limit] Ban 36.22.177.154
2017-06-19 16:51:41,315 fail2ban.actions: WARNING [nginx-get-sms-limit] Ban 115.202.100.52
2017-06-19 16:51:46,330 fail2ban.actions: WARNING [nginx-get-sms-limit] Ban 49.73.108.251
2017-06-19 16:51:49,341 fail2ban.actions: WARNING [nginx-get-sms-limit] Ban 116.10.160.6
2017-06-19 16:52:02,364 fail2ban.actions: WARNING [nginx-get-sms-limit] Ban 115.210.142.15
2017-06-19 16:52:06,378 fail2ban.actions: WARNING [nginx-get-sms-limit] Ban 183.30.139.203
2017-06-19 16:52:24,410 fail2ban.actions: WARNING [nginx-get-sms-limit] Ban 223.73.193.42
2017-06-19 16:52:25,421 fail2ban.actions: WARNING [nginx-get-sms-limit] Ban 124.238.145.101
2017-06-19 16:52:28,432 fail2ban.actions: WARNING [nginx-get-sms-limit] Ban 113.222.233.141
2017-06-19 16:52:28,440 fail2ban.actions: INFO   [nginx-get-sms-limit] 113.222.233.141 already banned
2017-06-19 16:52:29,442 fail2ban.actions: INFO   [nginx-get-sms-limit] 113.222.233.141 already banned
2017-06-19 16:52:30,444 fail2ban.actions: WARNING [nginx-get-sms-limit] Ban 113.5.228.58
2017-06-19 16:52:30,452 fail2ban.actions: INFO   [nginx-get-sms-limit] 113.5.228.58 already banned
2017-06-19 16:52:31,454 fail2ban.actions: INFO   [nginx-get-sms-limit] 113.5.228.58 already banned
2017-06-19 16:52:32,456 fail2ban.actions: INFO   [nginx-get-sms-limit] 113.5.228.58 already banned
2017-06-19 16:52:33,457 fail2ban.actions: WARNING [nginx-get-sms-limit] Ban 125.118.140.47
2017-06-19 16:52:37,471 fail2ban.actions: WARNING [nginx-get-sms-limit] Ban 117.179.227.224
2017-06-19 16:52:38,478 fail2ban.actions: WARNING [nginx-get-sms-limit] Ban 27.18.63.44
2017-06-19 16:52:38,486 fail2ban.actions: WARNING [nginx-get-sms-limit] Ban 110.81.60.177
2017-06-19 16:52:39,497 fail2ban.actions: WARNING [nginx-get-sms-limit] Ban 115.229.49.104
2017-06-19 16:52:48,517 fail2ban.actions: WARNING [nginx-get-sms-limit] Ban 117.82.174.234
2017-06-19 16:52:52,529 fail2ban.actions: WARNING [nginx-get-sms-limit] Ban 121.34.167.236
2017-06-19 16:52:53,538 fail2ban.actions: WARNING [nginx-get-sms-limit] Ban 106.226.56.52
2017-06-19 16:52:54,546 fail2ban.actions: WARNING [nginx-get-sms-limit] Ban 60.181.11.55
2017-06-19 16:53:00,561 fail2ban.actions: WARNING [nginx-get-sms-limit] Ban 27.151.192.86
2017-06-19 16:53:01,570 fail2ban.actions: WARNING [nginx-get-sms-limit] Ban 113.88.251.191
2017-06-19 16:53:03,580 fail2ban.actions: WARNING [nginx-get-sms-limit] Ban 211.162.109.118
2017-06-19 16:53:07,593 fail2ban.actions: WARNING [nginx-get-sms-limit] Ban 1.204.205.221
2017-06-19 16:53:12,608 fail2ban.actions: WARNING [nginx-get-sms-limit] Ban 114.218.251.125
2017-06-19 16:53:13,619 fail2ban.actions: WARNING [nginx-get-sms-limit] Ban 101.207.134.2
2017-06-19 16:53:16,633 fail2ban.actions: WARNING [nginx-get-sms-limit] Ban 27.151.202.76
2017-06-19 16:53:20,647 fail2ban.actions: WARNING [nginx-get-sms-limit] Ban 49.222.181.56
...
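The ban log is also the quickest way to confirm that bans actually bite. The script below is an added example for this page, not part of the original post or of fail2ban: it parses constructed fail2ban.log lines in the same format as the excerpt above and flags hosts that still produce "already banned" events well after their ban, which means their requests are still reaching the web server. The sample lines, the 10-second grace period and the regex are assumptions made for the example.

```python
import re
from datetime import datetime

# Constructed fail2ban.log lines in the same format as the page's excerpt.
# 113.222.233.141 shows the normal case: "already banned" within a second or
# two of the ban, from requests logged before the iptables rule landed.
# 113.5.228.58 keeps producing "already banned" minutes later, i.e. its
# packets are still getting through.
SAMPLE_F2B_LOG = """\
2017-06-19 16:52:28,432 fail2ban.actions: WARNING [nginx-get-sms-limit] Ban 113.222.233.141
2017-06-19 16:52:28,440 fail2ban.actions: INFO   [nginx-get-sms-limit] 113.222.233.141 already banned
2017-06-19 16:52:29,442 fail2ban.actions: INFO   [nginx-get-sms-limit] 113.222.233.141 already banned
2017-06-19 16:52:30,444 fail2ban.actions: WARNING [nginx-get-sms-limit] Ban 113.5.228.58
2017-06-19 16:52:30,452 fail2ban.actions: INFO   [nginx-get-sms-limit] 113.5.228.58 already banned
2017-06-19 16:52:33,457 fail2ban.actions: WARNING [nginx-get-sms-limit] Ban 125.118.140.47
2017-06-19 16:53:40,001 fail2ban.actions: INFO   [nginx-get-sms-limit] 113.5.228.58 already banned
2017-06-19 16:54:10,002 fail2ban.actions: INFO   [nginx-get-sms-limit] 113.5.228.58 already banned
2017-06-19 16:55:02,003 fail2ban.actions: INFO   [nginx-get-sms-limit] 113.5.228.58 already banned
"""

# One "Ban <ip>" or "<ip> already banned" line from fail2ban.actions.
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) fail2ban\.actions:\s+"
    r"(?P<level>\w+)\s+\[(?P<jail>[^\]]+)\] "
    r"(?:Ban (?P<ban_ip>\S+)|(?P<seen_ip>\S+) already banned)$"
)


def parse_events(log_text):
    """Yield (timestamp, jail, kind, ip) for Ban and already-banned lines;
    other log lines (INFO startup messages, Unban, ...) are skipped."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m is None:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S,%f")
        if m.group("ban_ip"):
            yield ts, m.group("jail"), "ban", m.group("ban_ip")
        else:
            yield ts, m.group("jail"), "already", m.group("seen_ip")


def audit_bans(log_text, grace=10):
    """Return (bans, leaks). bans maps ip -> time of its Ban; leaks maps
    ip -> number of 'already banned' events seen more than `grace` seconds
    after the ban, i.e. requests from a host the firewall should be blocking."""
    bans, leaks = {}, {}
    for ts, _jail, kind, ip in parse_events(log_text):
        if kind == "ban":
            bans[ip] = ts
        elif ip in bans and (ts - bans[ip]).total_seconds() > grace:
            leaks[ip] = leaks.get(ip, 0) + 1
    return bans, leaks


if __name__ == "__main__":
    bans, leaks = audit_bans(SAMPLE_F2B_LOG)
    print("banned:", sorted(bans))
    for ip, n in leaks.items():
        print("%s still logged %d request(s) after its ban" % (ip, n))
```

Any address reported as leaking deserves a look at where its traffic enters: if a proxy sits in front of the web server, iptables on the web server sees the proxy's address, and the ban has to be applied at the proxy instead.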

See also:

@see http://www.361way.com/fail2ban-nginx/1825.html
