Fending off a simple DDoS attack on PHP scripts

nginx stopped responding, and netstat -ptn showed many closing connections to php-fpm. A quick look through the server logs revealed a flood of meaningless requests for .php files:

2.224.32.185 - - [28/Feb/2012:10:40:00 +0200] "GET /yishuejkijfyecdcftanqqxelejjbjzdukdiyfdmavm.php HTTP/1.1" 404 3919 "http://yishuejkijfyecdcftanqqxelejjbjzdukdiyfdmavm.php" "Netscape/4.33b1 (C-MindSpring)" "-"
113.162.244.184 - - [28/Feb/2012:10:40:00 +0200] "GET /iacjjlxiqcjxuitfmlkiyygmy.php HTTP/1.1" 404 8906 "http://iacjjlxiqcjxuitfmlkiyygmy.php" "Opera/10.10 (Windows NT 5.2; US; cz) Presto/2.1.11" "-"           
113.162.244.184 - - [28/Feb/2012:10:40:00 +0200] "GET /iacjjlxiqcjxuitfmlkiyygmy.php HTTP/1.1" 404 8913 "http://iacjjlxiqcjxuitfmlkiyygmy.php" "Opera/10.10 (Windows NT 5.2; US; cz) Presto/2.1.11" "-"           
2.224.32.185 - - [28/Feb/2012:10:40:00 +0200] "GET /yishuejkijfyecdcftanqqxelejjbjzdukdiyfdmavm.php HTTP/1.1" 404 3919 "http://yishuejkijfyecdcftanqqxelejjbjzdukdiyfdmavm.php" "Netscape/4.33b1 (C-MindSpring)" "-"
2.224.32.185 - - [28/Feb/2012:10:40:00 +0200] "GET /yishuejkijfyecdcftanqqxelejjbjzdukdiyfdmavm.php HTTP/1.1" 404 3919 "http://yishuejkijfyecdcftanqqxelejjbjzdukdiyfdmavm.php" "Netscape/4.33b1 (C-MindSpring)" "-"
46.218.210.228 - - [28/Feb/2012:10:40:00 +0200] "GET /luiklsiuitaygvhiqmhcqyctkdlhfmefgduig.php HTTP/1.1" 404 3919 "http://luiklsiuitaygvhiqmhcqyctkdlhfmefgduig.php" "Mozilla/3.3 (Macintosh; N; PPC; en) Gecko/235312" "-"
2.8.8.127 - - [28/Feb/2012:10:40:00 +0200] "GET /as3egimynczuijjijjkqiqqnajcfss3q.php HTTP/1.1" 404 8913 "http://as3egimynczuijjijjkqiqqnajcfss3q.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" "-"
2.8.8.127 - - [28/Feb/2012:10:40:00 +0200] "GET /as3egimynczuijjijjkqiqqnajcfss3q.php HTTP/1.1" 404 8913 "http://as3egimynczuijjijjkqiqqnajcfss3q.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" "-"
2.8.8.127 - - [28/Feb/2012:10:40:00 +0200] "GET /as3egimynczuijjijjkqiqqnajcfss3q.php HTTP/1.1" 404 8913 "http://as3egimynczuijjijjkqiqqnajcfss3q.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" "-"
85.223.179.254 - - [28/Feb/2012:10:40:00 +0200] "GET /miixvkibusns3muuidkjjyaxxixchkqgiis3y.php HTTP/1.1" 404 847 "http://miixvkibusns3muuidkjjyaxxixchkqgiis3y.php" "Mozilla/3.2 (Macintosh; N; PPC; en) Gecko/278672" "-"
178.123.0.195 - - [28/Feb/2012:10:40:00 +0200] "GET /uidmaqcmuiqaxvan.php HTTP/1.1" 404 8906 "http://uidmaqcmuiqaxvan.php" "-" "-"
178.123.0.195 - - [28/Feb/2012:10:40:00 +0200] "GET /uidmaqcmuiqaxvan.php HTTP/1.1" 404 8913 "http://uidmaqcmuiqaxvan.php" "-" "-"
93.88.87.146 - - [28/Feb/2012:10:40:00 +0200] "GET /blchmmygitck.php HTTP/1.1" 404 3919 "http://blchmmygitck.php" "Mozilla/4.2 (compatible; MSIE 8.0; Windows NT 5.1; SV2)" "-"
77.209.90.178 - - [28/Feb/2012:10:40:00 +0200] "GET /ebgbintsdzkqfuis3xuihmvntjjxdmykxdnqdlkjjccs3.php HTTP/1.1" 404 3919 "http://ebgbintsdzkqfuis3xuihmvntjjxdmykxdnqdlkjjccs3.php" "Netscape/5.432b1 (C-MindSpring)" "-"
95.135.79.196 - - [28/Feb/2012:10:40:00 +0200] "GET /btjidzxtjuficdkgmvs3mgm.php HTTP/1.1" 404 8906 "http://btjidzxtjuficdkgmvs3mgm.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" "-"
87.19.247.183 - - [28/Feb/2012:10:40:00 +0200] "GET /cmcnyamsndmihxzuis3qxyihsummfitmfcu.php HTTP/1.1" 404 8906 "-" "Mozilla/4.2 (compatible; MSIE 8.0; Windows NT 5.1; SV2)" "-"
85.223.179.254 - - [28/Feb/2012:10:40:00 +0200] "GET /ktuimnsjlczt.php HTTP/1.1" 404 8906 "http://ktuimnsjlczt.php" "Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.8" "-"
95.135.79.196 - - [28/Feb/2012:10:40:00 +0200] "GET /btjidzxtjuficdkgmvs3mgm.php HTTP/1.1" 404 8906 "http://btjidzxtjuficdkgmvs3mgm.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" "-"
86.50.124.25 - - [28/Feb/2012:10:40:00 +0200] "GET /zgtciljjxdizilntfiys3fjkkgcyynunmuiank.php HTTP/1.1" 404 8913 "http://zgtciljjxdizilntfiys3fjkkgcyynunmuiank.php" "Mozilla/2.1 (Macintosh; N; PPC; en) Gecko/138822" "-"
85.223.179.254 - - [28/Feb/2012:10:40:00 +0200] "GET /ktuimnsjlczt.php HTTP/1.1" 404 8906 "http://ktuimnsjlczt.php" "Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.8" "-"
86.50.124.25 - - [28/Feb/2012:10:40:00 +0200] "GET /zgtciljjxdizilntfiys3fjkkgcyynunmuiank.php HTTP/1.1" 404 8906 "http://zgtciljjxdizilntfiys3fjkkgcyynunmuiank.php" "Mozilla/2.1 (Macintosh; N; PPC; en) Gecko/138822" "-"
178.195.120.37 - - [28/Feb/2012:10:40:00 +0200] "GET /xxnxcuiv.php HTTP/1.1" 404 1499 "http://xxnxcuiv.php" "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT 5.1; SV1)" "-"
95.135.79.196 - - [28/Feb/2012:10:40:00 +0200] "GET /btjidzxtjuficdkgmvs3mgm.php HTTP/1.1" 404 8906 "http://btjidzxtjuficdkgmvs3mgm.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" "-"
85.223.179.254 - - [28/Feb/2012:10:40:00 +0200] "GET /ktuimnsjlczt.php HTTP/1.1" 404 8906 "http://ktuimnsjlczt.php" "Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.8" "-"
86.50.124.25 - - [28/Feb/2012:10:40:00 +0200] "GET /zgtciljjxdizilntfiys3fjkkgcyynunmuiank.php HTTP/1.1" 404 8913 "http://zgtciljjxdizilntfiys3fjkkgcyynunmuiank.php" "Mozilla/2.1 (Macintosh; N; PPC; en) Gecko/138822" "-"
95.135.79.196 - - [28/Feb/2012:10:40:00 +0200] "GET /btjidzxtjuficdkgmvs3mgm.php HTTP/1.1" 404 8906 "http://btjidzxtjuficdkgmvs3mgm.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" "-"
86.50.124.25 - - [28/Feb/2012:10:40:00 +0200] "GET /zgtciljjxdizilntfiys3fjkkgcyynunmuiank.php HTTP/1.1" 404 8906 "http://zgtciljjxdizilntfiys3fjkkgcyynunmuiank.php" "Mozilla/2.1 (Macintosh; N; PPC; en) Gecko/138822" "-"
95.135.79.196 - - [28/Feb/2012:10:40:00 +0200] "GET /btjidzxtjuficdkgmvs3mgm.php HTTP/1.1" 404 8906 "http://btjidzxtjuficdkgmvs3mgm.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" "-"
95.135.79.196 - - [28/Feb/2012:10:40:00 +0200] "GET /btjidzxtjuficdkgmvs3mgm.php HTTP/1.1" 404 8913 "http://btjidzxtjuficdkgmvs3mgm.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" "-"
186.53.18.178 - - [28/Feb/2012:10:40:00 +0200] "GET /tymtcylldtnienjjcfijjs3.php HTTP/1.1" 404 3919 "http://tymtcylldtnienjjcfijjs3.php" "Opera/8.0 (Windows NT 5.1; W; ch) Presto/3.2.15 Version/10.12" "-"
95.135.79.196 - - [28/Feb/2012:10:40:00 +0200] "GET /btjidzxtjuficdkgmvs3mgm.php HTTP/1.1" 404 8913 "http://btjidzxtjuficdkgmvs3mgm.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" "-"
113.165.218.105 - - [28/Feb/2012:10:40:00 +0200] "GET /dybm.php HTTP/1.1" 404 3919 "http://dybm.php" "Mozilla/4.1 (compatible; MSIE 7.1; Windows NT 5.1; SV1)" "-"
84.77.106.119 - - [28/Feb/2012:10:40:00 +0200] "GET /gjjcdis3.php HTTP/1.1" 404 2743 "http://gjjcdis3.php" "Mozilla/3.4 (compatible; MSIE 7.4; Windows NT 5.1; SV1)" "-"
113.165.218.105 - - [28/Feb/2012:10:40:00 +0200] "GET /dybm.php HTTP/1.1" 404 3919 "http://dybm.php" "Mozilla/4.1 (compatible; MSIE 7.1; Windows NT 5.1; SV1)" "-"
113.165.218.105 - - [28/Feb/2012:10:40:00 +0200] "GET /dybm.php HTTP/1.1" 404 3919 "http://dybm.php" "Mozilla/4.1 (compatible; MSIE 7.1; Windows NT 5.1; SV1)" "-"
113.165.218.105 - - [28/Feb/2012:10:40:00 +0200] "GET /dybm.php HTTP/1.1" 404 3919 "http://dybm.php" "Mozilla/4.1 (compatible; MSIE 7.1; Windows NT 5.1; SV1)" "-"
113.165.218.105 - - [28/Feb/2012:10:40:00 +0200] "GET /dybm.php HTTP/1.1" 404 3919 "http://dybm.php" "Mozilla/4.1 (compatible; MSIE 7.1; Windows NT 5.1; SV1)" "-"
113.165.218.105 - - [28/Feb/2012:10:40:00 +0200] "GET /zcfs3mfcnfxsdkjjmqyuijsuikymtggyakidxied.php HTTP/1.1" 404 3919 "http://zcfs3mfcnfxsdkjjmqyuijsuikymtggyakidxied.php" "-" "-"
113.165.218.105 - - [28/Feb/2012:10:40:00 +0200] "GET /zcfs3mfcnfxsdkjjmqyuijsuikymtggyakidxied.php HTTP/1.1" 404 3919 "http://zcfs3mfcnfxsdkjjmqyuijsuikymtggyakidxied.php" "-" "-"
87.19.247.183 - - [28/Feb/2012:10:40:00 +0200] "GET /ktdljkvaxjikcfkqd.php HTTP/1.1" 404 8913 "http://ktdljkvaxjikcfkqd.php" "Opera/9.1 (Windows NT 4.0; U; en) Presto/2.1.15 Version/10.11" "-"
79.25.119.54 - - [28/Feb/2012:10:40:00 +0200] "GET /kluicddvzxuitkljble.php HTTP/1.1" 404 8913 "http://kluicddvzxuitkljble.php" "Opera/9.1 (Windows NT 4.0; U; en) Presto/2.1.15 Version/10.11" "-"
79.25.119.54 - - [28/Feb/2012:10:40:00 +0200] "GET /kluicddvzxuitkljble.php HTTP/1.1" 404 8913 "http://kluicddvzxuitkljble.php" "Opera/9.1 (Windows NT 4.0; U; en) Presto/2.1.15 Version/10.11" "-"

The task came down to parsing the log, selecting the IP addresses with more than N failed requests for .php files, and banning them:

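# The script only prints iptables commands; nothing is applied until its output is run.
echo "iptables -t filter -N in_www_ban"
echo "iptables -t filter -A INPUT -j in_www_ban"
# Keep 404 responses for *.php names, take the client IP (field 1), count requests per IP.
perl -ne 'print if /"GET \/[a-z0-9]+\.php HTTP\/1\.1" 404 /' www.access.log | cut -f 1 -d " " | sort | uniq -c | \
while read -r a b       # a = request count, b = IP address
do
        # Ban every address with more than 10 matching requests.
        if [ "$a" -gt 10 ]
        then
                echo "# Ban $b ($a)"
                echo "iptables -t filter -A in_www_ban -s $b -j DROP"
        fi
done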
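
An added example, not part of the original post: the excerpt shows a second signature besides the 404s, namely a Referer that is the requested file name with a bare http:// prefix. The awk filter below requires both before counting an address, so a visitor following dead .php links is not banned. The names suspects and sample_log are chosen here, and the sample mixes lines from the excerpt with constructed lines for 192.0.2.10.

```shell
#!/bin/sh
# suspects THRESHOLD < access.log
# Prints "IP COUNT" for every IP with more than THRESHOLD matching requests.
suspects() {
    awk -v n="$1" '
    {
        # Splitting on double quotes: q[1] = "IP - - [time] ", q[2] = request line,
        # q[3] = " status bytes ", q[4] = Referer.
        split($0, q, "\"")
        split(q[1], head, " "); ip = head[1]
        split(q[2], req, " ");  path = req[2]
        split(q[3], st, " ");   status = st[1]
        referer = q[4]
        if (req[1] != "GET" || status != "404") next
        if (path !~ /^\/[a-z0-9]+\.php$/) next
        # Bot signature: Referer is the file name with a bare http:// prefix.
        if (referer != ("http://" substr(path, 2))) next
        # Only a well-formed IPv4 address may end up in a firewall command.
        if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
        hits[ip]++
    }
    END { for (ip in hits) if (hits[ip] > n) print ip, hits[ip] }
    ' | sort
}

# Sample input: four lines from the excerpt above, then three constructed
# lines for a visitor (192.0.2.10) who follows a dead link from a real page.
sample_log() {
cat <<'EOF'
113.165.218.105 - - [28/Feb/2012:10:40:00 +0200] "GET /dybm.php HTTP/1.1" 404 3919 "http://dybm.php" "Mozilla/4.1 (compatible; MSIE 7.1; Windows NT 5.1; SV1)" "-"
113.165.218.105 - - [28/Feb/2012:10:40:00 +0200] "GET /dybm.php HTTP/1.1" 404 3919 "http://dybm.php" "Mozilla/4.1 (compatible; MSIE 7.1; Windows NT 5.1; SV1)" "-"
113.165.218.105 - - [28/Feb/2012:10:40:00 +0200] "GET /dybm.php HTTP/1.1" 404 3919 "http://dybm.php" "Mozilla/4.1 (compatible; MSIE 7.1; Windows NT 5.1; SV1)" "-"
2.8.8.127 - - [28/Feb/2012:10:40:00 +0200] "GET /as3egimynczuijjijjkqiqqnajcfss3q.php HTTP/1.1" 404 8913 "http://as3egimynczuijjijjkqiqqnajcfss3q.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" "-"
192.0.2.10 - - [28/Feb/2012:10:40:01 +0200] "GET /old.php HTTP/1.1" 404 3919 "http://example.com/index.html" "Mozilla/5.0" "-"
192.0.2.10 - - [28/Feb/2012:10:40:02 +0200] "GET /old.php HTTP/1.1" 404 3919 "http://example.com/index.html" "Mozilla/5.0" "-"
192.0.2.10 - - [28/Feb/2012:10:40:03 +0200] "GET /old.php HTTP/1.1" 404 3919 "http://example.com/index.html" "Mozilla/5.0" "-"
EOF
}

# Threshold 2: only the address with three signature hits is reported.
sample_log | suspects 2
```

The stricter filter skips attack requests sent with an empty Referer, such as the one from 87.19.247.183 in the excerpt, so the count per address can be lower than with the 404-only match.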