Example of nginx ip blacklist dynamic ban

When a website is maliciously requested, blacklisting IP addresses is an important measure. If you have to configure nginx every time you blacklist a request, it is too low. We need to control the nginx IP blacklist more conveniently.

1. Solution

The blacklist is persisted to mysql (the common solution is redis, but it is not conducive to control, such as: different IP settings with different validity periods, IP CRUD, statistics, etc.);

Through lua-nginx-module, a memory block (lua_shared_dict) is opened in nginx, and lua regularly refreshes the blacklist from mysql to lua_shared_dict;

All requests must be checked against the IP in lua_shared_dict.

2. Installation

2.1 Install luajit

cd LuaJIT-2.0.5
make
make install PREFIX=/usr/local/luajit

2.2. When installing nginx, compile the lua module into it

export LUAJIT_LIB=/usr/local/luajit/lib
export LUAJIT_INC=/usr/local/luajit/include/luajit-2.1
 
./configure --prefix=/nginx \
--with-ld-opt="-Wl,-rpath,/usr/local/luajit/lib" \
--add-module=/opt/ngx_devel_kit-0.3.1rc1 \
--add-module=/opt/lua-nginx-module-0.10.14rc3
 
make -j2
make install
ln -s /nginx/sbin/nginx /usr/sbin/nginx

3. Configuration

3.1 nginx configuration

http {
  server_tokens off;
  lua_package_path "/usr/local/lib/lua/?.lua;;";
  lua_shared_dict ip_blacklist 4m;
}
 
server {
  set $real_ip $remote_addr;
  if ( $http_x_forwarded_for ~ "^(\d+\.\d+\.\d+\.\d+)" ) {
    set $real_ip $1;
  }
 
  # Management information, visit this URL to view the IP blacklist information in nginx location /get-ipblacklist-info {
    access_by_lua_file conf/lua/get_ipblacklist_info.lua;
  }
 
  # Synchronize URL, call the URL through the scheduled task, and implement the scheduled refresh of IP blacklist from mysql to nginx location /sync-ipblacklist {
   access_by_lua_file conf/lua/sync_ipblacklist.lua;
  }
 
  # Production domain name configuration, all locations that need IP blacklist control must contain the following statement location / {
   access_by_lua_file conf/lua/check_realip.lua;
  }
 
}

The nginx server configures the following crrontab

* * * * * /usr/bin/curl -o /dev/null -s http://127.0.0.1/sync-ipblacklist > /dev/null 2>&1

3.2 Lua script

sync_ipblacklist.lua

local mysql_host = "ip of mysql server"
local mysql_port = 3306
local database = "dbname"
local username = "user"
local password = "password"
 
--update ip_blacklist from mysql once every cache_ttl seconds
local cache_ttl = 1
local mysql_connection_timeout = 1000
 
local client_ip = ngx.var.real_ip
local ip_blacklist = ngx.shared.ip_blacklist
local last_update_time = ip_blacklist:get("last_update_time");
 
if last_update_time == nil or last_update_time < ( ngx.now() - cache_ttl ) then
 
 local mysql = require "resty.mysql";
 local red = mysql:new();
 
 red:set_timeout(mysql_connect_timeout);
 
 local ok, err, errcode, sqlstate = red:connect{
     host = mysql_host,
     port = mysql_port,
     database = database,
     user = username,
     password = password,
     charset = "utf8",
     max_packet_size = 1024 * 1024,
    }
 if not ok then
 ngx.log(ngx.ERR, "mysql connection error while retrieving ip_blacklist: " .. err);
 else
 new_ip_blacklist, err, errcode, sqlstate = red:query("select ip_addr from ip_blacklist where status = 0 order by create_time desc limit 10000", 100)
 if not new_ip_blacklist then
  ngx.log(ngx.ERR, "bad result. errcode: " .. errcode .. " sqlstate: " .. sqlstate .. " err: " .. err);
  return
 end
 
 ip_blacklist:flush_all();
 for k1, v1 in pairs(new_ip_blacklist) do
  for k2, v2 in pairs(v1) do
  ip_blacklist:set(v2,true);
  end
 end
 
 ip_blacklist:set("last_update_time", ngx.now());
 end
end
 
ngx.say("sync successful");

get_ipblacklist_info.lua

-- Call URL to view blacklist information -- 10,000 IPs consume less than 1.5M ngx.shared memory -- Getting all KEYs will block other normal requests from accessing ngx.shared memory, so only a few keys can be displayed require "resty.core.shdict"
ngx.say("total space: " .. ngx.shared.ip_blacklist:capacity() .. "<br/>");
ngx.say("free space: " .. ngx.shared.ip_blacklist:free_space() .. "<br/>");
ngx.say("last update time: " .. os.date("%Y%m%d_%H:%M:%S",ngx.shared.ip_blacklist:get("last_update_time")) .. "<br/>");
ngx.say("first 100 keys: <br/>");
ngx.say("--------------------------<br/>");
ip_blacklist = ngx.shared.ip_blacklist:get_keys(100);
for key, value in pairs(ip_blacklist) do
 ngx.say(key .. ": " .. value .. "<br/>");
end

check_realip.lua

if ngx.shared.ip_blacklist:get(ngx.var.real_ip) then
 return ngx.exit(ngx.HTTP_FORBIDDEN);
end

3.3 Database Design

CREATE TABLE `ip_blacklist` (
 `id` int(11) NOT NULL AUTO_INCREMENT,
 `ip_addr` varchar(15) COLLATE utf8mb4_bin DEFAULT NULL,
 `status` int(11) DEFAULT '0' COMMENT '0: valid, 1: invalid',
 `effective_hour` decimal(11,2) DEFAULT '24' COMMENT 'Effective period, unit: hours',
 `ip_source` varchar(255) COLLATE utf8mb4_bin DEFAULT NULL COMMENT 'Blacklist source',
 `create_time` datetime DEFAULT CURRENT_TIMESTAMP,
 `modify_time` datetime DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
 `remark` varchar(255) COLLATE utf8mb4_bin DEFAULT NULL COMMENT 'Remarks',
 PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_bin;
 
 
CREATE PROCEDURE proc_ip_blacklist_status_update()
-- Change the expired IP status to invalid begin 
 update ip_blacklist
 set status=1
 where date_add(create_time,INTERVAL effective_hour hour) < now();
 commit;
end;
 
 
CREATE EVENT job_ip_blacklist_status_update
ON SCHEDULE EVERY 1 MINUTE
ON COMPLETION PRESERVE
ENABLE
DO
call proc_ip_blacklist_status_update();

4 CRUD

Blacklists can be generated manually, automatically, or both.

The automatic way is to analyze the elk log through python and automatically write the malicious IP into mysql. This is a big topic and will not be covered here.

The manual method is to manually check the elk request log, find the malicious IP, and manually fill in mysql. Here is an open source CRUD tool with a nice user experience (much better than directly navicat). Of course, you can also write it yourself...

Project address: https://github.com/jonseg/crud-admin-generator

The power of the project lies in the fact that all tables help you generate menus, and then the CRUD of these tables can be used directly.

For specific operations, please refer to the official instructions and I will not go into details.

The above example of nginx ip blacklist dynamic ban is all the content that the editor shares with you. I hope it can give you a reference. I also hope that you will support 123WORDPRESS.COM.

You may also be interested in:

How to recompile Nginx and add modules
Nginx dynamically forwards to upstream according to the path in the URL
Nginx uses Lua+Redis to dynamically block IP
Detailed explanation of several ways to write Nginx dynamic DNS reverse proxy
How to dynamically add modules to Nginx

<<: How to implement parallel downloading of large files in JavaScript

>>: mysql 5.7.23 winx64 decompression version installation tutorial

Writing methods that should be prohibited in native JS

Example of nginx ip blacklist dynamic ban

Writing methods that should be prohibited in native JS

React's component collaborative use implementation

How to change $ to # in Linux

Advanced and summary of commonly used sql statements in MySQL database

How to check the version of Kali Linux system

MySQL 8.0.17 decompression version installation and configuration method graphic tutorial

Vue implementation counter case

A look into tool-based websites: the definition of tool-based websites and typical case analysis (pictures and text)

A thorough understanding of js native syntax prototype, proto and constructor

Detailed explanation of the use of MySQL mysqldump

Recommend

Problem record of using vue+echarts chart

mysql data insert, update and delete details

An example of how Vue implements four-level navigation and verification code

Steps for customizing node installation to change the default installation path of npm global modules

How to use watch listeners in Vue2 and Vue3

How to build a standardized vmware image for kubernetes under rancher

Graphical instructions for uploading and downloading files to a remote Linux host based on SecureCRT

JavaScript Design Pattern Command Pattern

Analysis of the reasons why MySQL's index system uses B+ tree

Problems encountered in the execution order of AND and OR in SQL statements

Summary of coalesce() usage tips in MySQL

Limiting the number of short-term accesses to a certain IP based on Nginx

How to use mixins in Vue

Vue implements custom "modal pop-up window" component example code

Create a movable stack widget function using flutter