Denial of Service - how to prevent this

I keep getting spam attempts from a single IP address (although the IP address changes every day) trying to get lucky by guessing executable files on my web server. They all trace back to the same place: Tencent Cloud Computing in China. These spam attempts keep crashing the server, making the website inaccessible. How can I stop it?

I have already tried contacting the network abuse email and calling my ISP to see if they can do anything, but to no avail.

A sample of the Apache log looks like this.

[Thu Sep 20 22:47:34.169296 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/help.php' not found or unable to stat
[Thu Sep 20 22:47:34.418703 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/java.php' not found or unable to stat
[Thu Sep 20 22:47:34.682234 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/_query.php' not found or unable to stat
[Thu Sep 20 22:47:34.910484 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/test.php' not found or unable to stat
[Thu Sep 20 22:47:35.138673 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/db_cts.php' not found or unable to stat
[Thu Sep 20 22:47:35.369907 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/db_pma.php' not found or unable to stat
[Thu Sep 20 22:47:36.382860 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/logon.php' not found or unable to stat
[Thu Sep 20 22:47:37.920666 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/help-e.php' not found or unable to stat
[Thu Sep 20 22:47:38.149610 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/license.php' not found or unable to stat
[Thu Sep 20 22:47:38.382743 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/log.php' not found or unable to stat
[Thu Sep 20 22:47:38.616254 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/hell.php' not found or unable to stat
[Thu Sep 20 22:47:38.880654 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/pmd_online.php' not found or unable to stat
[Thu Sep 20 22:47:39.111538 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/x.php' not found or unable to stat
[Thu Sep 20 22:47:39.344646 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/shell.php' not found or unable to stat
[Thu Sep 20 22:47:40.321053 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/desktop.ini.php' not found or unable to stat
[Thu Sep 20 22:47:41.916380 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/z.php' not found or unable to stat
[Thu Sep 20 22:47:42.167929 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/lala.php' not found or unable to stat
[Thu Sep 20 22:47:42.429254 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/lala-dpr.php' not found or unable to stat
[Thu Sep 20 22:47:42.691206 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/wpo.php' not found or unable to stat
[Thu Sep 20 22:47:42.944551 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/text.php' not found or unable to stat
[Thu Sep 20 22:47:43.199610 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/wp-config.php' not found or unable to stat
[Thu Sep 20 22:47:43.455259 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/muhstik.php' not found or unable to stat
[Thu Sep 20 22:47:44.529700 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/muhstik2.php' not found or unable to stat
[Thu Sep 20 22:47:45.925214 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/muhstiks.php' not found or unable to stat
[Thu Sep 20 22:47:46.165955 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/muhstik-dpr.php' not found or unable to stat
[Thu Sep 20 22:47:46.424593 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/lol.php' not found or unable to stat
[Thu Sep 20 22:47:46.683114 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/uploader.php' not found or unable to stat
[Thu Sep 20 22:47:46.941768 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/cmd.php' not found or unable to stat
[Thu Sep 20 22:47:47.199412 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/cmx.php' not found or unable to stat
[Thu Sep 20 22:47:47.436995 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/cmv.php' not found or unable to stat
[Thu Sep 20 22:47:48.608073 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/cmdd.php' not found or unable to stat
[Thu Sep 20 22:47:49.941993 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/knal.php' not found or unable to stat
[Thu Sep 20 22:47:50.202085 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/cmd.php' not found or unable to stat
[Thu Sep 20 22:47:50.465856 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/shell.php' not found or unable to stat
[Thu Sep 20 22:47:50.719343 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/appserv.php' not found or unable to stat
[Thu Sep 20 22:47:53.919666 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/wuwu11.php' not found or unable to stat
[Thu Sep 20 22:47:54.135087 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/xw.php' not found or unable to stat
[Thu Sep 20 22:47:54.365319 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/xw1.php' not found or unable to stat
[Thu Sep 20 22:47:54.600458 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/9678.php' not found or unable to stat
[Thu Sep 20 22:47:54.844971 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/wc.php' not found or unable to stat
[Thu Sep 20 22:47:55.109660 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/xx.php' not found or unable to stat
[Thu Sep 20 22:47:55.364916 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/s.php' not found or unable to stat
[Thu Sep 20 22:47:55.581704 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/w.php' not found or unable to stat

Update: additional logs

[Tue Sep 25 07:59:21.537385 2018] [core:notice] [pid 28393] AH00094: Command line: '/usr/sbin/apache2' 
[Tue Sep 25 08:32:08.233864 2018] [autoindex:error] [pid 29290] [client 192.141.161.31:41020] AH01276: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html,index.cgi,index.pl,index.php,index.xhtml,index.htm) found, and server-generated directory index forbidden by Options directive  
[Tue Sep 25 08:51:23.208687 2018] [autoindex:error] [pid 29759] [client 81.199.17.114:33476] AH01276: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html,index.cgi,index.pl,index.php,index.xhtml,index.htm) found, and server-generated directory index forbidden by Options directive   
[Tue Sep 25 09:07:45.829806 2018] [autoindex:error] [pid 30004] [client 157.119.212.30:38609] AH01276: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html,index.cgi,index.pl,index.php,index.xhtml,index.htm) found, and server-generated directory index forbidden by Options directive  
[Tue Sep 25 09:33:49.984459 2018] [autoindex:error] [pid 30699] [client 187.10.199.101:35686] AH01276: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html,index.cgi,index.pl,index.php,index.xhtml,index.htm) found, and server-generated directory index forbidden by Options directive  
[Tue Sep 25 11:24:46.399677 2018] [autoindex:error] [pid 794] [client 31.7.122.119:57011] AH01276: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html,index.cgi,index.pl,index.php,index.xhtml,index.htm) found, and server-generated directory index forbidden by Options directive      
[Tue Sep 25 11:53:06.380975 2018] [autoindex:error] [pid 1362] [client 84.22.54.93:37588] AH01276: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html,index.cgi,index.pl,index.php,index.xhtml,index.htm) found, and server-generated directory index forbidden by Options directive      
[Tue Sep 25 12:22:27.732958 2018] [mpm_prefork:notice] [pid 28393] AH00169: caught SIGTERM, shutting down                                                                                                     
[Tue Sep 25 12:22:51.582214 2018] [:notice] [pid 2041] FastCGI: process manager initialized (pid 2041) 
[Tue Sep 25 12:22:51.892511 2018] [mpm_prefork:notice] [pid 2040] AH00163: Apache/2.4.10 (Raspbian) mod_fastcgi/mod_fastcgi-SNAP-0910052141 mpm-itk/2.4.7-02 PHP/5.6.36-0+deb8u1 OpenSSL/1.0.1t configured -- resuming normal operations                                                                             
[Tue Sep 25 12:22:51.892924 2018] [core:notice] [pid 2040] AH00094: Command line: '/usr/sbin/apache2'  
[Tue Sep 25 12:23:01.247551 2018] [core:error] [pid 2040] AH00046: child process 2046 still did not exit, sending a SIGKILL                                                                                   
[Tue Sep 25 12:23:01.247755 2018] [core:error] [pid 2040] AH00046: child process 2047 still did not exit, sending a SIGKILL                                                                                   
[Tue Sep 25 12:23:02.249062 2018] [mpm_prefork:notice] [pid 2040] AH00169: caught SIGTERM, shutting down  

You can't stop it.

You can add firewall rules to block traffic from that IP; however, it is useless, because it will just show up from another IP, and eventually you will have thousands of drop rules, which will affect performance.

Rate limiting requests from a single IP will reduce the server load but won't stop the scanning. If you really do want to go the "blocking" route, fail2ban works well.

For the most part, your code just needs to be able to deal with this.

If your web application is internal or has a limited audience, you can drop all traffic except from authorized addresses.

This isn't a "denial of service", it is a very common scan for possible exploitable vulnerabilities. That the IP is in China doesn't matter, although, since you don't have to serve that region, you could refuse to serve them.

You can use the .htaccess file (or the vhost configuration); this will at least make the server not respond:

deny from 192.144.156.249

You can deny requests from the whole subnet... that might help get rid of them completely:

deny from 192.144.

Adding a similar firewall rule would not even let these requests reach the server.

Distinguishing IP traffic is hardly the job of application code.

I have a Node-based HTTP server running on a Raspberry Pi 3B+ -- I know this prober well. Every IP prober uses only the IP address, so if you look at the HTTP 'Host' header, it will be the IP address of your domain or, worse, literally localhost.

This particular probe that I caught tonight started with an attack vector against WebDAV, trying to overflow a buffer. WebDAV uses a unique HTTP header -- PROPFIND. The whole capture doesn't fit in one image, but the next part uses localhost and probes WebDAV further.

Then the prober started checking for PHP scripts, which is what you show in the Apache log.

Legitimate traffic doesn't do that -- it uses the domain's hostname, and legitimate bots have their names in the user-agent header, so a little HTTP header analysis goes a long way. ;-)

Also -- the crash you experienced happened at the very last part of the scan, which isn't a GET -- it's a POST. (CGI = Common Gateway Interface -- POST.) Note the burst of GETs at 24-second intervals... interesting -- this scanner is probably probing thousands of IPs at the same time -- and given where the probe comes from, complaining about abuse probably won't do you any good. The best advice is to ignore it completely. In Node I can destroy the connection or even blacklist the IP, but -- I run a lot of my own analysis code to support that, so I don't know what Apache offers in this area.
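
The Host-header heuristic described in this answer, as an added example (not the answerer's Node code): scanners that walk raw IP ranges send the server's IP or "localhost" as the Host, real clients send a name you serve. The served names, client IPs and header values below are constructed sample data.

```python
import ipaddress

def classify_host(host_header, served_names):
    """Classify an HTTP Host header the way the answer suggests: a scanner walking
    raw IP ranges never resolved a name, so it sends your server's IP (or 'localhost');
    real clients send one of the names you actually serve.
    Returns 'ok', 'missing', 'localhost', 'ip-literal' or 'unknown-name'."""
    if not host_header:
        return "missing"
    host = host_header.strip()
    # Drop a port suffix: '[::1]:8080' -> '[::1]', 'example.org:443' -> 'example.org'.
    if host.startswith("[") and "]" in host:
        host = host[: host.index("]") + 1]
    elif host.count(":") == 1:
        host = host.split(":", 1)[0]
    bare = host.strip("[]").lower().rstrip(".")
    if bare in ("localhost", "localhost.localdomain"):
        return "localhost"
    try:
        ipaddress.ip_address(bare)
        return "ip-literal"
    except ValueError:
        pass
    return "ok" if bare in {n.lower() for n in served_names} else "unknown-name"

def suspicious_requests(requests, served_names):
    """requests: iterable of (client_ip, headers dict). Returns (client_ip, reason)
    for every request whose Host header does not name a site you serve."""
    flagged = []
    for client_ip, headers in requests:
        verdict = classify_host(headers.get("Host"), served_names)
        if verdict != "ok":
            flagged.append((client_ip, verdict))
    return flagged

# Constructed sample traffic: a real visitor, the question's scanner hitting the
# server by raw IP and then by 'localhost', and a visitor naming the site with a port.
SERVED = {"www.example.org", "example.org"}
SAMPLE_REQUESTS = [
    ("203.0.113.7", {"Host": "www.example.org", "User-Agent": "Mozilla/5.0"}),
    ("192.144.156.249", {"Host": "198.51.100.10", "User-Agent": "Mozilla/5.0"}),
    ("192.144.156.249", {"Host": "localhost"}),
    ("198.51.100.77", {"Host": "EXAMPLE.ORG:443"}),
]
```

On Apache the same idea is usually enforced by making the default (first) virtual host a catch-all that serves nothing, so requests that arrive with an IP or localhost Host never reach the real site.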

I created a script that runs every 1 minute and detects the various failures in error.log and access.log. It also checks the asterisk messages file for "Failed to". When it finds an IP with more than 20 failed attempts, it adds it to ufw. So far, it works like a charm.

Here is the script:

#!/bin/bash
clear
#ban IPs:
bip() {
echo "" > tmpIPs
# IPs that already have a DENY rule (the outbound rules list the IP in the first column)
ufw status | grep DENY | awk '$1 != "Anywhere" {print $1}' | sort > tmpinc
exst=$(ufw status | grep "Anywhere                   DENY" | awk '{print $3}' | sort | uniq)
cat $cTarget | while read line
do
 # exact, fixed-string match so the dots in the IP are not treated as wildcards
 add=$(grep -Fx -- "$line" tmpinc)
 if [ "$add" != "$line" ]
  then
   ip=$(echo $line | cut -d '.' -f 1,2,3)
   if [ "$ip" != "$ignorIP" ]
    then
    echo $line >> tmpIPs
   fi
  fi
done

lAdd=$(cat tmpIPs)
cat tmpIPs | while read line
do
 if [ "$line" != "" ]
  then
  /usr/sbin/ufw insert 1 deny from $line to any  >> $cBanIpLog
  /usr/sbin/ufw insert 1 deny to $line from any >> $cBanIpLog
  echo "       Banned $line" >> $cBanIpLog
  echo "$line" >> $cBanLog   # cumulative list of banned IPs, deduplicated below
  fi
done
rm tmpIPs
}

nMax=5 # Maximum failures
cTarget="/tmp/_ban.ip" # Temporary storage file
cLogFile="/var/log/apache2/access.log" # apache2 access log file
cLogFile1="/var/log/apache2/error.log" # apache2 error.log
cLogFile2="/var/log/asterisk/messages" # asterisk log file
cBanLog="/var/log/banips.log"          #This script log file
cBanIpLog="/var/log/banIP.log"
ignorIP="192.168.1" #IP to ignore, usually home network
dt=$(date +%Y-%m-%d)
touch "$cBanLog" # so the first run can read and rotate it

echo "Banning IP run at $(date)
Maximum offends: $nMax
Checking logs
        $cLogFile
        $cLogFile1
        $cLogFile2
        " > $cBanIpLog

#Get the bastards out of apache2 and asterisk:
#apache2 access.log: more than nMax 404s from one IP within one minute (field 1 = IP, field 4 = [date:hh:mm:ss)
grep 404 $cLogFile | cut -d ' ' -f 1,4 | cut -d ':' -f 1,2,3 | tr -d '[' | sort | uniq -c | sort -rn | awk '$1 > '"$nMax"' {print $2}' | uniq -c | awk '{print $2}' > $cTarget.tmp
#apache2 error.log: field 10 is "IP:port" from "[client IP:port]"
grep "not found or unable to stat" $cLogFile1 | awk '{print $10}' | cut -d ':' -f 1 | sort | uniq -c | awk '$1 > '"$nMax"' {print $2}' >> $cTarget.tmp
#asterisk messages: "... failed for 'IP:port' - ..."
grep "failed for" $cLogFile2 | awk -F'failed for' '{print $2}' | awk -F' ' '{print $1}' | awk -F':' '{print $1}'  | tr -d "'" | sort | uniq -c | sort -nr | awk '$1 > '"$nMax"' {print $2}' >> $cTarget.tmp
#asterisk messages: "Call from '' (IP:port) to extension ... rejected because extension not found ..."
grep "rejected because extension not found" $cLogFile2 | awk -F'(' '{print $2}' | awk -F':' '{print $1}' | sort | uniq -c | awk '$1 > '"$nMax"' {print $2}' >> $cTarget.tmp
#Check myAnt logons (disabled; the column holding the IP in that log is assumed to be the first)
#grep LogonERR /var/www/html/_Public/sys_logs/_qryLogIn.log | awk '{print $1}' | sort | uniq -c | sort -nr | awk '$1 > '"$nMax"' {print $2}' >> $cTarget.tmp

#Leave uniq ips
cat $cTarget.tmp | sort | uniq > $cTarget
rm $cTarget.tmp

#Banning
bip
if [ "$lAdd" != "" ]
then
 #Conclude:
 /bin/systemctl restart ufw
 /bin/systemctl status ufw >> $cBanIpLog
 /usr/sbin/ufw status >> $cBanIpLog
 cat $cBanLog | sort | uniq | sort >> /var/log/banips.tmp
 rm $cBanLog
 mv /var/log/banips.tmp $cBanLog
 cat $cBanLog | nl >> $cBanIpLog
 echo "Log file at $cBanIpLog
 nano $cBanLog
 Finished banning $(date)
 " >> $cBanIpLog
 #echo nano /var/log/banips.log
 clear
 cat $cBanIpLog
fi
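
The detection step of the script above, as an added Python example that is not part of the answer: parse the two Apache log formats shown on this page, count misses per client IP per minute, apply the threshold and the home-network exclusion, and render (not run) the ufw rules. The sample log lines, the threshold of 5 and the 192.168.1.0/24 exclusion are constructed to mirror the script's nMax and ignorIP; the function and variable names are my own.

```python
import ipaddress
import re
from collections import Counter

# error.log line for a missing script, as in the question; minute and client IP are captured.
ERROR_RE = re.compile(
    r"^\[\w{3} (?P<mon>\w{3}) (?P<dom>\d+) (?P<hm>\d\d:\d\d):\d\d\.\d+ (?P<year>\d{4})\] "
    r"\[\S*:error\] \[pid \d+\] \[client (?P<ip>[\d.]+):\d+\] script '[^']*' not found or unable to stat"
)
# access.log line in Apache's common/combined format; only 404 responses are counted.
ACCESS_RE = re.compile(
    r'^(?P<ip>[\d.]+) \S+ \S+ \[(?P<dom>\d+)/(?P<mon>\w{3})/(?P<year>\d{4}):(?P<hm>\d\d:\d\d):\d\d [^\]]*\]'
    r' "[^"]*" (?P<status>\d{3})\b'
)

def offenders(error_lines, access_lines, n_max=5, ignore_net="192.168.1.0/24"):
    """IPs with more than n_max misses inside any single minute, excluding the
    home network (n_max and ignore_net mirror the script's nMax and ignorIP)."""
    ignore = ipaddress.ip_network(ignore_net)
    per_minute = Counter()
    for line in error_lines:
        m = ERROR_RE.match(line)
        if m:
            per_minute[(m["ip"], f"{m['year']}-{m['mon']}-{m['dom']} {m['hm']}")] += 1
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if m and m["status"] == "404":
            per_minute[(m["ip"], f"{m['year']}-{m['mon']}-{m['dom']} {m['hm']}")] += 1
    hits = {ip for (ip, _), n in per_minute.items()
            if n > n_max and ipaddress.ip_address(ip) not in ignore}
    return sorted(hits)

def ufw_commands(ips):
    """The inbound rule the script inserts for each offender; rendered, not executed."""
    return [f"ufw insert 1 deny from {ip} to any" for ip in ips]

def _err(ip, sec, path):
    """Build a constructed error.log line in the question's format (sample data only)."""
    return (f"[Thu Sep 20 22:47:{sec:02d}.000000 2018] [:error] [pid 27541] "
            f"[client {ip}:29474] script '/var/www/html/{path}' not found or unable to stat")

# Constructed samples: the question's IP with 6 misses in one minute, a home-network
# host with 7 (excluded), and a third client with only two 404s (below the threshold).
SAMPLE_ERROR = [_err("192.144.156.249", s, f"x{s}.php") for s in range(34, 40)]
SAMPLE_ERROR += [_err("192.168.1.20", s, "a.php") for s in range(7)]
SAMPLE_ACCESS = [f'10.0.0.5 - - [20/Sep/2018:22:47:{s:02d} +0000] "GET /cmd.php HTTP/1.1" 404 209'
                 for s in range(2)]
SAMPLE_ACCESS += ['10.0.0.5 - - [20/Sep/2018:22:47:10 +0000] "GET /index.php HTTP/1.1" 200 512']
```

Running `ufw_commands(offenders(SAMPLE_ERROR, SAMPLE_ACCESS))` yields a single rule for 192.144.156.249; as the first answer notes, the rule list grows with every new source IP, so a cap or an expiry on the rules belongs in any real deployment.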