拒绝服务 - 如何防止这种情况

问题描述 投票:2回答:4

我一次只能从一个IP地址接收垃圾邮件(尽管这个IP地址每天都在变化),试图在我的网络服务器上猜测可执行文件。他们都追溯到同一个地方 - 腾讯云计算在中国。这些垃圾邮件尝试会导致服务器崩溃,导致网站无法访问。我怎么能阻止这个?

我曾尝试联系网络滥用电子邮件并致电我的ISP,看看他们能做些什么,但无济于事。

示例Apache日志如下所示。

[Thu Sep 20 22:47:34.169296 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/help.php' not found or unable to stat
[Thu Sep 20 22:47:34.418703 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/java.php' not found or unable to stat
[Thu Sep 20 22:47:34.682234 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/_query.php' not found or unable to stat
[Thu Sep 20 22:47:34.910484 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/test.php' not found or unable to stat
[Thu Sep 20 22:47:35.138673 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/db_cts.php' not found or unable to stat
[Thu Sep 20 22:47:35.369907 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/db_pma.php' not found or unable to stat
[Thu Sep 20 22:47:36.382860 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/logon.php' not found or unable to stat
[Thu Sep 20 22:47:37.920666 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/help-e.php' not found or unable to stat
[Thu Sep 20 22:47:38.149610 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/license.php' not found or unable to stat
[Thu Sep 20 22:47:38.382743 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/log.php' not found or unable to stat
[Thu Sep 20 22:47:38.616254 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/hell.php' not found or unable to stat
[Thu Sep 20 22:47:38.880654 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/pmd_online.php' not found or unable to stat
[Thu Sep 20 22:47:39.111538 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/x.php' not found or unable to stat
[Thu Sep 20 22:47:39.344646 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/shell.php' not found or unable to stat
[Thu Sep 20 22:47:40.321053 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/desktop.ini.php' not found or unable to stat
[Thu Sep 20 22:47:41.916380 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/z.php' not found or unable to stat
[Thu Sep 20 22:47:42.167929 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/lala.php' not found or unable to stat
[Thu Sep 20 22:47:42.429254 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/lala-dpr.php' not found or unable to stat
[Thu Sep 20 22:47:42.691206 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/wpo.php' not found or unable to stat
[Thu Sep 20 22:47:42.944551 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/text.php' not found or unable to stat
[Thu Sep 20 22:47:43.199610 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/wp-config.php' not found or unable to stat
[Thu Sep 20 22:47:43.455259 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/muhstik.php' not found or unable to stat
[Thu Sep 20 22:47:44.529700 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/muhstik2.php' not found or unable to stat
[Thu Sep 20 22:47:45.925214 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/muhstiks.php' not found or unable to stat
[Thu Sep 20 22:47:46.165955 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/muhstik-dpr.php' not found or unable to stat
[Thu Sep 20 22:47:46.424593 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/lol.php' not found or unable to stat
[Thu Sep 20 22:47:46.683114 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/uploader.php' not found or unable to stat
[Thu Sep 20 22:47:46.941768 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/cmd.php' not found or unable to stat
[Thu Sep 20 22:47:47.199412 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/cmx.php' not found or unable to stat
[Thu Sep 20 22:47:47.436995 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/cmv.php' not found or unable to stat
[Thu Sep 20 22:47:48.608073 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/cmdd.php' not found or unable to stat
[Thu Sep 20 22:47:49.941993 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/knal.php' not found or unable to stat
[Thu Sep 20 22:47:50.202085 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/cmd.php' not found or unable to stat
[Thu Sep 20 22:47:50.465856 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/shell.php' not found or unable to stat
[Thu Sep 20 22:47:50.719343 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/appserv.php' not found or unable to stat
[Thu Sep 20 22:47:53.919666 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/wuwu11.php' not found or unable to stat
[Thu Sep 20 22:47:54.135087 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/xw.php' not found or unable to stat
[Thu Sep 20 22:47:54.365319 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/xw1.php' not found or unable to stat
[Thu Sep 20 22:47:54.600458 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/9678.php' not found or unable to stat
[Thu Sep 20 22:47:54.844971 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/wc.php' not found or unable to stat
[Thu Sep 20 22:47:55.109660 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/xx.php' not found or unable to stat
[Thu Sep 20 22:47:55.364916 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/s.php' not found or unable to stat
[Thu Sep 20 22:47:55.581704 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/w.php' not found or unable to stat

更新:其他日志

[Tue Sep 25 07:59:21.537385 2018] [core:notice] [pid 28393] AH00094: Command line: '/usr/sbin/apache2' 
[Tue Sep 25 08:32:08.233864 2018] [autoindex:error] [pid 29290] [client 192.141.161.31:41020] AH01276: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html,index.cgi,index.pl,index.php,index.xhtml,index.htm) found, and server-generated directory index forbidden by Options directive  
[Tue Sep 25 08:51:23.208687 2018] [autoindex:error] [pid 29759] [client 81.199.17.114:33476] AH01276: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html,index.cgi,index.pl,index.php,index.xhtml,index.htm) found, and server-generated directory index forbidden by Options directive   
[Tue Sep 25 09:07:45.829806 2018] [autoindex:error] [pid 30004] [client 157.119.212.30:38609] AH01276: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html,index.cgi,index.pl,index.php,index.xhtml,index.htm) found, and server-generated directory index forbidden by Options directive  
[Tue Sep 25 09:33:49.984459 2018] [autoindex:error] [pid 30699] [client 187.10.199.101:35686] AH01276: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html,index.cgi,index.pl,index.php,index.xhtml,index.htm) found, and server-generated directory index forbidden by Options directive  
[Tue Sep 25 11:24:46.399677 2018] [autoindex:error] [pid 794] [client 31.7.122.119:57011] AH01276: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html,index.cgi,index.pl,index.php,index.xhtml,index.htm) found, and server-generated directory index forbidden by Options directive      
[Tue Sep 25 11:53:06.380975 2018] [autoindex:error] [pid 1362] [client 84.22.54.93:37588] AH01276: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html,index.cgi,index.pl,index.php,index.xhtml,index.htm) found, and server-generated directory index forbidden by Options directive      
[Tue Sep 25 12:22:27.732958 2018] [mpm_prefork:notice] [pid 28393] AH00169: caught SIGTERM, shutting down                                                                                                     
[Tue Sep 25 12:22:51.582214 2018] [:notice] [pid 2041] FastCGI: process manager initialized (pid 2041) 
[Tue Sep 25 12:22:51.892511 2018] [mpm_prefork:notice] [pid 2040] AH00163: Apache/2.4.10 (Raspbian) mod_fastcgi/mod_fastcgi-SNAP-0910052141 mpm-itk/2.4.7-02 PHP/5.6.36-0+deb8u1 OpenSSL/1.0.1t configured -- resuming normal operations                                                                             
[Tue Sep 25 12:22:51.892924 2018] [core:notice] [pid 2040] AH00094: Command line: '/usr/sbin/apache2'  
[Tue Sep 25 12:23:01.247551 2018] [core:error] [pid 2040] AH00046: child process 2046 still did not exit, sending a SIGKILL                                                                                   
[Tue Sep 25 12:23:01.247755 2018] [core:error] [pid 2040] AH00046: child process 2047 still did not exit, sending a SIGKILL                                                                                   
[Tue Sep 25 12:23:02.249062 2018] [mpm_prefork:notice] [pid 2040] AH00169: caught SIGTERM, shutting down
apache denial-of-service
4个回答
2
投票

我有一个基于Node的HTTP服务器在Raspberry Pi3B +上运行 - 我很清楚这个探测器。每个IP探测器仅使用IP地址,因此如果您查看HTTP标头“主机” - 它将是您的域的IP地址,或者更糟糕的是字面上的localhost。

我今晚捕获的这个特殊探测器是通过尝试溢出缓冲区而在WebDAV上以攻击向量开始的。 WebDAV使用唯一的HTTP标头 - PROPFIND。整个捕获不适合一个图像,但下一部分使用localhost并进一步探测WebDAV。

Probe begins by trying WebDAV exploit.然后探针开始检查PHP脚本,这是您在Apache日志中显示的内容。

合法的流量不会这样做 - 它使用域的主机名,合法的机器人在用户代理头中有自己的名字,所以一点点的HTTP头分析有很长的路要走。 ;-)

normal bingbot request headers

此外 - 您遇到的崩溃发生在扫描的最后一位,这不是GET - 它是一个POST。 (CGI =通用网关接口 - POST)。请注意,GET的一连串间隔是24秒......有趣的是 - 这个扫描仪可能会同时探测数千个IP - 考虑到探测源,你可能不会抱怨滥用。最好的建议是完全忽略它。在Node中,我可以破坏连接,甚至将IP列入黑名单,但是 - 我运行了很多自己的分析代码来支持它,所以我不知道Apache在这方面提供了什么。

This is the tail end of the attack you have described as captured by my server tonight.

4
投票

在中国。

你不能阻止它。

您可以添加防火墙规则以丢弃来自该IP的流量;但它没用,因为它只会从另一个IP出现,最终你会有数千个丢弃规则,这将影响性能。

限制来自单个IP的请求将减少服务器负载,但不会停止扫描。如果你确实想要沿着“封锁”道路走下去,那么fail2ban运行良好。

大多数情况下,您的代码只需要能够处理这个问题。

如果您的网络应用是内置的或受众有限,则可以删除除授权地址之外的所有流量。

1
投票

我创建了一个每1分钟运行一次的脚本,并在error.log和access.log中检测所有类型的failes它还检查星号消息le为“Failed to”当找到一个超过20次尝试的IP时,它将它添加到UFW。到目前为止 - 它的作用就像一个魅力。

这是脚本:

#!/bin/bash
clear
#ban IPs:
bip() {
echo "" > tmpIPs
ufw status | grep DENY | awk '$1 !="Anywhere" {print $1}' | sort > tmpinc
exst=$(ufw status | grep "Anywhere                   DENY" | awk '{print $3}' | sort | uniq)
cat $cTarget | while read line
do
 add=$(cat tmpinc | grep $line)
 if [ "$add" != "$line" ]
  then
   ip=$(echo $line | cut -d '.' -f 1,2,3)
   if [ $ip != $ignorIP ]
    then
    echo $line >> tmpIPs
   fi
  fi
done

lAdd=$(cat tmpIPs)
cat tmpIPs | while read line
do
 if [ "$line" != "" ]
  then
  /usr/sbin/ufw insert 1 deny from $line to any  >> $cBanIpLog
  /usr/sbin/ufw insert 1 deny to $line from any >> $cBanIpLog
  echo "       Banned $line" >> $cBanIpLog
  fi
done
rm tmpIPs
}

nMax=5 # Maximum failes
cTarget="/tmp/_ban.ip" # Temporary storage file
cLogFile="/var/log/apache2/access.log" # apache2 access log file
cLogFile1="/var/log/apache2/error.log" # apache2 error.log
cLogFile2="/var/log/asterisk/messages" # asterisk log file
cBanLog="/var/log/banips.log"          #This script log file
cBanIpLog="/var/log/banIP.log"
ignorIP="192.168.1" #IP to ignor, usually home network
dt=$(date +%Y-%m-%d)

echo "Banning IP run at $(date)
Maximum offends: $nMax
Checking logs
        $cLogFile
        $cLogFile1
        $cLogFile11
        $cLogFile12
        " > $cBanIpLog

#Get the bastards out of apache2 and asterisk:
#apache2 access.log
grep 404 $cLogFile | cut -d ' ' -f 1,4 | cut -d ':' -f 1,2,3 | tr -d '[' | sort | uniq -c | sort -rn | awk ' $1 > '"$nMax"' {print $2}' | uniq -c | awk '{print $2}' > $cTarget.tmp
#apache2 error.log
grep "not found or unable to stat" $cLogFile1 | awk '{print $1,$2,$3,$5,$10}' | cut -d ':' -f 1 | sort | uniq -c | awk ' $1 > '"$nMax"' {print $6}' >> $cTarget.tmp
#asterisk messages
grep "failed for" $cLogFile2 | awk -F'failed for' '{print $2}' | awk -F' ' '{print $1}' | awk -F':' '{print $1}'  | tr -d "'" | sort | uniq -c | sort -nr | awk ' $1 > '"$nMax"' {print $2}' >> $cTarget.tmp
#asterisk messages
grep "rejected because extension not found" /var/log/asterisk/messages | awk -F'(' '{print $2}' | awk -F':' '{print $1}' | sort | uniq -c | awk ' $1 > '"$nMax"' {print $2}' >> $cTarget.tmp
#Check myAnt logons
#grep LogonERR /var/www/html/_Public/sys_logs/_qryLogIn.log | awk '{print $3}' | sort | uniq -c | sort -nr | awk '$1 > $nMax {print $2}' >> $cTarget.tmp

#Leave uniq ips
cat $cTarget.tmp | sort | uniq > $cTarget
rm $cTarget.tmp

#Banning
bip
if [ "$lAdd" != "" ]
then
 #Conclude:
 /bin/systemctl restart ufw
 /bin/systemctl status ufw >> $cBanIpLog
 /usr/sbin/ufw status >> $cBanIpLog
 cat $cBanLog | sort | uniq | sort >> /var/log/banips.tmp
 rm $cBanLog
 mv /var/log/banips.tmp $cBanLog
 cat $cBanLog | nl >> $cBanIpLog
 echo "Log file at $cBanIpLog
 nano $cBanLog
 Finished banning $(date)
 " >> $cBanIpLog
 #echo nano /var/log/banips.log
 clear
 cat $cBanIpLog
fi
0
投票

这不是“拒绝服务”,而是对可能的漏洞进行相当普遍的扫描。知识产权在中国,至少无关紧要 - 虽然不必服务于该领土,但人们可以拒绝为他们服务。

你可以使用.htaccess文件(或vhost配置);这至少会使服务器无法响应:

deny from 192.144.156.249

一个人可以拒绝来自整个子网的请求......这可能有助于完全摆脱它们:

deny from 192.144.

添加类似的防火墙规则,甚至不会让这些请求到达服务器。

告诉IP流量分开几乎不在应用程序代码的责任范围内。

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.