Block IP addresses that send frequent requests to nginx

Time:2021-9-23

In production, a single IP address will sometimes send frequent, abnormal requests to an nginx website. When that happens, the server needs to be protected with security measures. This article introduces several ways to do so.
Experimental environment:
Version: RedHat 6.5
IP: 172.16.1.100, 172.16.1.10
Software: nginx

Deploy nginx on 172.16.1.10
# ls
nginx-1.11.2.tar.gz
# yum install gcc gcc-c++ make automake autoconf libtool pcre* zlib openssl openssl-devel
# tar xf nginx-1.11.2.tar.gz
# ls
nginx-1.11.2 nginx-1.11.2.tar.gz
# cd nginx-1.11.2
# ls
auto CHANGES CHANGES.ru conf configure contrib html LICENSE man README src
# ./configure
# make
# make install
Test the nginx service
# curl -I 172.16.1.100
HTTP/1.1 200 OK
Server: nginx/1.11.2
Date: Mon, 17 Aug 2020 09:36:29 GMT
Content-Type: text/html
Content-Length: 15
Last-Modified: Mon, 17 Aug 2020 09:36:19 GMT
Connection: keep-alive
ETag: "5f3a4f93-f"
Accept-Ranges: bytes
nginx can be accessed normally.
Next, assume that 172.16.1.100 is an attacker's host that sends frequent requests to the nginx service.

Simulate 10 requests to 172.16.1.10
On 172.16.1.100:

# ab -c 1 -n 10 http://172.16.1.10/
This is ApacheBench, Version 2.3 <$Revision: 1430300 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking 172.16.1.10 (be patient).....done

Server Software: nginx/1.11.2
Server Hostname: 172.16.1.10
Server Port: 80

Document Path: /
Document Length: 612 bytes

Concurrency Level: 1
Time taken for tests: 0.016 seconds
Complete requests: 10
Failed requests: 0
Write errors: 0
Total transferred: 8450 bytes
HTML transferred: 6120 bytes
Requests per second: 617.02 [#/sec] (mean)
Time per request: 1.621 [ms] (mean)
Time per request: 1.621 [ms] (mean, across all concurrent requests)
Transfer rate: 509.16 [Kbytes/sec] received

Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:        0    1   0.3      0       1
Processing:     1    1   0.3      1       2
Waiting:        0    1   0.3      1       1
Total:          1    1   0.5      1       2
ERROR: The median and mean for the initial connection time are more than twice the standard
       deviation apart. These results are NOT reliable.

Percentage of the requests served within a certain time (ms)
50% 1
66% 1
75% 1
80% 2
90% 2
95% 2
98% 2
99% 2
100% 2 (longest request)
View the nginx logs
On 172.16.1.10:

# tail /usr/local/nginx/logs/access.log
172.16.1.100 - - [26/Jul/2020:05:58:24 +0800] "GET / HTTP/1.0" 200 612 "-" "ApacheBench/2.3"
172.16.1.100 - - [26/Jul/2020:05:58:24 +0800] "GET / HTTP/1.0" 200 612 "-" "ApacheBench/2.3"
172.16.1.100 - - [26/Jul/2020:05:58:24 +0800] "GET / HTTP/1.0" 200 612 "-" "ApacheBench/2.3"
172.16.1.100 - - [26/Jul/2020:05:58:24 +0800] "GET / HTTP/1.0" 200 612 "-" "ApacheBench/2.3"
172.16.1.100 - - [26/Jul/2020:05:58:24 +0800] "GET / HTTP/1.0" 200 612 "-" "ApacheBench/2.3"
172.16.1.100 - - [26/Jul/2020:05:58:24 +0800] "GET / HTTP/1.0" 200 612 "-" "ApacheBench/2.3"
172.16.1.100 - - [26/Jul/2020:05:58:24 +0800] "GET / HTTP/1.0" 200 612 "-" "ApacheBench/2.3"
172.16.1.100 - - [26/Jul/2020:05:58:24 +0800] "GET / HTTP/1.0" 200 612 "-" "ApacheBench/2.3"
172.16.1.100 - - [26/Jul/2020:05:58:24 +0800] "GET / HTTP/1.0" 200 612 "-" "ApacheBench/2.3"
172.16.1.100 - - [26/Jul/2020:05:58:24 +0800] "GET / HTTP/1.0" 200 612 "-" "ApacheBench/2.3"
The log shows that 172.16.1.100 accessed nginx 10 times within one second. Next, block this problem IP.

Restrict IP access through iptables
On 172.16.1.10:

# iptables -I INPUT -s 172.16.1.100 -p tcp --dport 80 -j DROP
On 172.16.1.100:

# curl 172.16.1.10
curl: (7) Failed connect to 172.16.1.10:80; connection timed out
At this point, 172.16.1.100 can no longer access nginx.

Restrict access through the nginx configuration file
On 172.16.1.10:
[Image not preserved]
On 172.16.1.100:

# curl -I 172.16.1.10
HTTP/1.1 403 Forbidden
Server: nginx/1.11.2
Date: Sat, 25 Jul 2020 23:12:06 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
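
The log review and the nginx block described above can be scripted. The following is an added example, not part of the original article: it counts requests per client per second in the access log and prints a `deny` directive (nginx's standard access-module directive, which answers with 403 Forbidden) for each address at or above a threshold. The function names, the threshold of 10 and the second client 172.16.1.50 are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example (not from the original article): find clients whose busiest
# single second reaches a request threshold in an nginx access log written in
# the default "combined" format, and print an nginx "deny" line for each.

# frequent_ips THRESHOLD [LOGFILE...]  -> lines of "IP PEAK_REQUESTS_PER_SECOND"
frequent_ips() {
    threshold=$1
    shift
    awk -v limit="$threshold" '
        # $1 = client address, $4 = "[dd/Mon/yyyy:HH:MM:SS". Lines that do not
        # match both shapes are skipped, so nothing unexpected reaches the output.
        $1 ~ /^[0-9A-Fa-f:.]+$/ && $4 ~ /^\[[0-9]+\/[A-Za-z]+\/[0-9]+:[0-9:]+$/ {
            n = ++hits[$1 SUBSEP substr($4, 2)]   # one bucket per IP per second
            if (n > peak[$1]) peak[$1] = n
        }
        END {
            for (ip in peak)
                if (peak[ip] >= limit) print ip, peak[ip]
        }
    ' "$@" | LC_ALL=C sort
}

# deny_rules THRESHOLD [LOGFILE...]  -> nginx access-module directives
deny_rules() {
    frequent_ips "$@" | while read -r ip peak; do
        printf 'deny %s;  # peak %s req/s\n' "$ip" "$peak"
    done
}

# Constructed sample: the ten ApacheBench hits shown in the article, plus an
# invented low-rate client (172.16.1.50) that must not be flagged.
sample_log() {
    i=0
    while [ "$i" -lt 10 ]; do
        echo '172.16.1.100 - - [26/Jul/2020:05:58:24 +0800] "GET / HTTP/1.0" 200 612 "-" "ApacheBench/2.3"'
        i=$((i + 1))
    done
    echo '172.16.1.50 - - [26/Jul/2020:05:58:24 +0800] "GET / HTTP/1.1" 200 612 "-" "curl/7.19.7"'
    echo '172.16.1.50 - - [26/Jul/2020:05:58:25 +0800] "GET / HTTP/1.1" 200 612 "-" "curl/7.19.7"'
}

sample_log | deny_rules 10
```

Behind a reverse proxy or NAT the first log field is the proxy's address, so check what it really identifies before blocking on it.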

Summary
The above are two simple methods of restricting IP access; many other methods use tools to restrict IP access.