How to automatically deny ip address by parsing nginx log file

I have 4 web servers behind CloudFlare and a load balancer; nginx is the web server and php-fpm manages the PHP pages. I don't know how to block a simple DoS attack ...

I can detect this attack using the http_limit_req module from nginx http://wiki.nginx.org/HttpLimitReqModule

But that doesn't block the attack at all. Yes, it can mitigate it, but the web servers get hit again and again, php-fpm goes up to 80%, and after a minute the site is unavailable.

I am trying to find a way to block this request.

I know how to block a specific IP or a specific user agent with nginx, but I want to do it automatically. I think I can't block the IP using iptables because the request is coming from the load balancer :( but I can still figure out the correct IP using set_real_ip_from and real_ip_header X-Forwarded-For with nginx.

I have a log file (error.log) populated with the correct IP address, as you can see:

2012/03/27 18:34:02 [error] 31234#0: *1283 limiting connections by zone "intermediate", client: XX.XX.XX.XXX, server: www.xxxxxxx.com, request: "HEAD /it HTTP/1.1", host: "www.xxxxxxx.com"

Anyone have an idea and can teach me how to automatically block this ip?

+3




1 answer


Use fail2ban for this. It is a log file analyzer for many different services that can detect failed logins etc. and then block the IP address.

http://www.fail2ban.org



Hello

+5
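As an added illustration (not part of the answer above or of fail2ban itself), this small Python script does what a fail2ban filter and jail do for exactly these nginx `limit_req`/`limit_conn` error lines: match the client IP behind the real_ip setup, count hits per IP inside a sliding window (fail2ban's `maxretry`/`findtime`), and emit an nginx `deny` include for the offenders. The log lines, IPs, zone name and output path are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the limiter messages nginx writes to error.log, e.g.
#   ... 31234#0: *1283 limiting connections by zone "x", client: 1.2.3.4, ...
#   ... 31234#0: *1290 limiting requests, excess: 1.000 by zone "x", client: 1.2.3.4, ...
# Only the timestamp and the client IP are captured (what a fail2ban failregex needs).
LOG_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[error\] \d+#\d+: \*\d+ '
    r'limiting (?:requests|connections)\b.*?client: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}),'
)

# Constructed sample error.log (documentation IPs, not real hosts).
SAMPLE_LOG = """\
2012/03/27 18:34:02 [error] 31234#0: *1283 limiting connections by zone "perip", client: 203.0.113.7, server: www.example.com, request: "HEAD / HTTP/1.1"
2012/03/27 18:34:03 [error] 31234#0: *1290 limiting requests, excess: 1.000 by zone "perip", client: 203.0.113.7, server: www.example.com, request: "GET / HTTP/1.1"
2012/03/27 18:34:03 [error] 31234#0: *1291 limiting requests, excess: 2.000 by zone "perip", client: 203.0.113.7, server: www.example.com, request: "GET / HTTP/1.1"
2012/03/27 18:34:04 [error] 31234#0: *1295 limiting requests, excess: 3.000 by zone "perip", client: 203.0.113.7, server: www.example.com, request: "GET / HTTP/1.1"
2012/03/27 18:34:04 [error] 31234#0: *1297 limiting requests, excess: 4.000 by zone "perip", client: 203.0.113.7, server: www.example.com, request: "GET / HTTP/1.1"
2012/03/27 18:34:05 [error] 31234#0: *1301 limiting requests, excess: 1.000 by zone "perip", client: 198.51.100.9, server: www.example.com, request: "GET / HTTP/1.1"
2012/03/27 18:34:06 [error] 31234#0: *1305 open() "/var/www/nope" failed (2: No such file or directory), client: 203.0.113.9, server: www.example.com
2012/03/27 18:40:00 [error] 31234#0: *1420 limiting requests, excess: 1.000 by zone "perip", client: 198.51.100.9, server: www.example.com, request: "GET / HTTP/1.1"
"""

def offenders(lines, maxretry=5, findtime=timedelta(seconds=60)):
    """IPs that tripped the limiter at least `maxretry` times within any
    `findtime` window (the same sliding-window rule as a fail2ban jail)."""
    hits = defaultdict(list)
    banned = set()
    for line in lines:
        m = LOG_RE.search(line)
        if not m:          # unrelated error.log lines (404s, upstream errors) are ignored
            continue
        ts = datetime.strptime(m.group('ts'), '%Y/%m/%d %H:%M:%S')
        ip = m.group('ip')
        # keep only this IP's hits that fall inside the window ending at this hit
        hits[ip] = [t for t in hits[ip] + [ts] if ts - t <= findtime]
        if len(hits[ip]) >= maxretry:
            banned.add(ip)
    return sorted(banned)

def deny_config(ips):
    """Render an nginx include (e.g. /etc/nginx/blocklist.conf) with one deny per IP."""
    return ''.join(f'deny {ip};\n' for ip in ips)

if __name__ == '__main__':
    print(deny_config(offenders(SAMPLE_LOG.splitlines())), end='')
```

Because the IP comes from the real_ip-rewritten `client:` field, the deny applies to the visitor behind the load balancer rather than the balancer's own address; reload nginx after regenerating the include.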








