Blocking scans by censys, fofa, shodan, 鹰图 and similar services

Enable the ssl_reject_handshake directive; this requires Nginx 1.19.4 or later.

```nginx
# Catch-all default server on 443: any TLS handshake whose SNI name does not
# match a configured server_name (for example a scanner connecting by IP) is
# rejected, so no certificate or site content is exposed.
server {
    listen 443 ssl default_server;
    # Add the next line only if the host has an IPv6 address; otherwise omit it
    listen [::]:443 ssl default_server;
    ssl_reject_handshake on;
}

# The regular 443 server block, with the correct domain and certificate.
# Requests carrying the correct Hostname are processed as usual.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com;
    ssl_certificate example.com.crt;
    ssl_certificate_key example.com.key;
}
```


Setting up an IP whitelist

```bash
# Insert (-I, at the top of the chain) an ACCEPT rule for every Cloudflare IPv4 range
for i in `curl https://www.cloudflare.com/ips-v4`;
do iptables -I INPUT -p tcp -m multiport --dports http,https -s $i -j ACCEPT;
done

# Same for the IPv6 ranges
for i in `curl https://www.cloudflare.com/ips-v6`;
do ip6tables -I INPUT -p tcp -m multiport --dports http,https -s $i -j ACCEPT;
done

# Append (-A, at the bottom) a DROP for everything else on 80/443,
# so only traffic arriving through Cloudflare reaches the origin
iptables -A INPUT -p tcp -m multiport --dports http,https -j DROP
ip6tables -A INPUT -p tcp -m multiport --dports http,https -j DROP
```

```nginx
# Add inside the server block of nginx.conf: deny requests whose User-Agent
# does not contain "Mozilla/"
if ($http_user_agent !~* "Mozilla/") {
    return 403;
}
# In the server block, block the censys crawler (444 closes the connection
# without sending a response)
if ($http_user_agent ~* "^(?=.*censys)") {
    return 444;
}
```

Or create a blocking rule in the Cloudflare firewall matching this User-Agent:

```text
Mozilla/5.0 (compatible; CensysInspect/1.1;
```

This is just a repost; see https://hostalk.net/posts/nginx_cdn.html

A one-click script is also available:

```bash
#!/bin/bash

# Cloudflare IP ranges (IPv4 and IPv6)
CF_IPV4_RANGES=$(curl -s https://www.cloudflare.com/ips-v4)
CF_IPV6_RANGES=$(curl -s https://www.cloudflare.com/ips-v6)

# Add IPv4 ranges to UFW
for ip in $CF_IPV4_RANGES; do
    sudo ufw allow from $ip to any port 80,443 proto tcp
done

# Add IPv6 ranges to UFW
for ip in $CF_IPV6_RANGES; do
    sudo ufw allow from $ip to any port 80,443 proto tcp
done

# Allow SSH (port 22)
sudo ufw allow 22

# Enable UFW
sudo ufw enable

# Display UFW status
sudo ufw status
```

Reposted from: https://www.nodeseek.com/post-39970-1
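As an added example (not part of the original post or of the reposted scripts): both scripts above feed the raw curl output straight into iptables or ufw, so a failed download or an HTML error page silently yields no ACCEPT rules, and the trailing DROP then locks every client out of ports 80/443. This small POSIX shell validator checks each downloaded line before a rule is generated and fails if the list is empty or contains anything that is not a CIDR. The sample ranges and the junk line used in the comments are constructed inputs.

```shell
#!/bin/sh
# Added example, not code from the original post. Validates a CIDR list
# before it becomes firewall rules; rules are printed, not executed, so
# they can be reviewed first.

# Exit 0 if $1 is a well-formed IPv4 CIDR: four octets 0-255, prefix 0-32.
valid_ipv4_cidr() {
    printf '%s\n' "$1" | grep -Eq \
      '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])/(3[0-2]|[12]?[0-9])$'
}

# Exit 0 if $1 is a plausible IPv6 CIDR: hex groups and colons, prefix 0-128.
valid_ipv6_cidr() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F:]+/(12[0-8]|1[01][0-9]|[1-9]?[0-9])$'
}

# Read CIDRs from stdin and print one ACCEPT rule per valid line.
# Returns non-zero if any line is malformed (e.g. "<html>" from an error
# page) or no valid range was found, so the caller can stop before
# appending the DROP rules.
emit_allow_rules() {
    _ok=0; _bad=0
    while IFS= read -r _cidr; do
        [ -n "$_cidr" ] || continue
        if valid_ipv4_cidr "$_cidr"; then
            printf 'iptables -I INPUT -p tcp -m multiport --dports http,https -s %s -j ACCEPT\n' "$_cidr"
            _ok=$((_ok + 1))
        elif valid_ipv6_cidr "$_cidr"; then
            printf 'ip6tables -I INPUT -p tcp -m multiport --dports http,https -s %s -j ACCEPT\n' "$_cidr"
            _ok=$((_ok + 1))
        else
            echo "rejected line: $_cidr" >&2
            _bad=$((_bad + 1))
        fi
    done
    [ "$_ok" -gt 0 ] && [ "$_bad" -eq 0 ]
}

# Usage: fetch, validate, review, and only then apply (example invocation):
# curl -sf https://www.cloudflare.com/ips-v4 | emit_allow_rules > rules.sh && sh rules.sh
```

Only run the generated rules file after the validator exits 0; the DROP rules from the post should be appended after that step, never before.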


https://hexo.psorai.eu.org/2023/11/29/防止censys,fofa,shodan,鹰图等扫描/
Author: Sora
Posted on: November 29, 2023