nginx log 분석 후 iptables 를 사용 하여 ddos 공격 을 방지 합 니 다.
8687 단어 nginxddos 공격 방지
/etc/nginx[root@test-host nginx]# more nginx.conf# For more information on configuration, see:# * Official English Documentation: http://nginx.org/en/docs/# * Official Russian Documentation: http://nginx.org/ru/docs/user nginx;worker_processes 2;#worker_cpu_affinity 2;error_log /var/log/nginx/error.log;#error_log /var/log/nginx/error.log notice;#error_log /var/log/nginx/error.log info;pid /var/run/nginx.pid;events { worker_connections 1024; use epoll;}http { include /etc/nginx/mime.types; #default_type application/octet-stream; default_type text/plain; server_names_hash_bucket_size 64; #log_format main '$remote_addr - $remote_user [$time_local] "$request" ' # '$status $body_bytes_sent "$http_referer" ' # '"$http_user_agent" "$http_x_forwarded_for"'; log_format main '$http_x_forwarded_for $remote_addr $remote_user [$time_local] "$request" ' '$status $upstream_addr $body_bytes_sent "$http_referer" ' '"$http_user_agent" '; access_log /var/log/nginx/access.log main; sendfile on; #tcp_nopush on; #keepalive_timeout 0; keepalive_timeout 65; #gzip on; gzip on; gzip_min_length 1k; gzip_buffers 16 64k; gzip_http_version 1.1; gzip_comp_level 6; gzip_types text/plain application/x-javascript text/css application/xml; gzip_vary on; # Load config files from the /etc/nginx/conf.d directory # The default server is in conf.d/default.conf include /etc/nginx/conf.d/*.conf;}[root@test-host nginx]#[root@test-host nginx]# [root@test-host nginx]# tail /var/log/nginx/access.log- 183.222.154.40 - [20/Jan/2015:11:32:01 +0800] "POST /index.php?m=awmembers&c=ajax&a=ajax_check_account HTTP/1.1" 200 10.80.124.46:8081 2 "http://www.jedy.com/index.php?m=awmembers&c=ajax&a=ajax_check_account" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)" - 116.207.86.146 - [20/Jan/2015:11:32:01 +0800] "GET /UpdateClientVersion.ini HTTP/1.1" 400 10.80.124.46:8081 39 "-" "UpdateClient_Updater" - 113.139.38.21 - [20/Jan/2015:11:32:01 +0800] "POST /index.php?m=awmembers&c=ajax&a=ajax_check_account HTTP/1.0" 200 10.80.124.46:8081 2 "http://www.jedy.com/index.php?m=awmembers&c=ajax&a=ajax_check_account" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)" - 190.75.114.131 - [20/Jan/2015:11:32:02 +0800] "POST /index.php?m=awmembers&c=ajax&a=ajax_check_account HTTP/1.0" 200 10.80.124.46:8081 2 "http://www.jedy.com/index.php?m=awmembers&c=ajax&a=ajax_check_account" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)" - 116.207.86.146 - [20/Jan/2015:11:32:02 +0800] "GET /api.php?op=game&target=popad&clientid=AM1AWBFBJQQBCYAAGElTRN1VdFlBStACCYFXbdAUDYgVQJQVUNVXSdwCDAQVAAQSJYFUTBgVEYQVEkwU HTTP/1.1" 302 10.80.124.46:8082 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)" - 186.94.184.28 - [20/Jan/2015:11:32:02 +0800] "POST /index.php?m=awmembers&c=ajax&a=ajax_check_account HTTP/1.0" 200 10.80.124.46:8081 2 "http://www.jedy.com/index.php?m=awmembers&c=ajax&a=ajax_check_account" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)" - 190.38.80.164 - [20/Jan/2015:11:32:02 +0800] "POST /index.php?m=awmembers&c=ajax&a=ajax_check_account HTTP/1.0" 200 10.80.124.46:8081 2 "http://www.jedy.com/index.php?m=awmembers&c=ajax&a=ajax_check_account" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)" - 27.192.40.74 - [20/Jan/2015:11:32:02 +0800] "POST /index.php?m=awmembers&c=ajax&a=ajax_check_account HTTP/1.0" 200 10.80.124.46:8081 2 "http://www.jedy.com/index.php?m=awmembers&c=ajax&a=ajax_check_account" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)" - 200.84.196.41 - [20/Jan/2015:11:32:02 +0800] "POST /index.php?m=awmembers&c=ajax&a=ajax_check_account HTTP/1.0" 200 10.80.124.46:8081 2 "http://www.jedy.com/index.php?m=awmembers&c=ajax&a=ajax_check_account" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)" 181.225.58.165 200.62.19.43 - [20/Jan/2015:11:32:02 +0800] "POST /index.php?m=awmembers&c=ajax&a=ajax_check_account HTTP/1.1" 200 10.80.124.46:8081 2 "http://www.jedy.com/index.php?m=awmembers&c=ajax&a=ajax_check_account" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)" [root@test-host nginx]# [root@test-host nginx]# [root@test-host nginx]# more ~/ddos.sh
#!/bin/sh
date1=`date +%d/%b/%Y:%H:%M -d "1 minute ago"`
access=`more /var/log/nginx/access.log | grep $date1 |awk '{print $1,$2}' | sort -nr`
add1=`echo "$access" | awk '{print $1}'|grep -v - | sort -nr |uniq -c|sort -nr|head -1`
add2=`echo "$access" | awk '{print $2}'|grep -v - | sort -nr |uniq -c|sort -nr|head -1`
echo "$add1"
echo "$add2"
if [ -n "$add1" ]
then
NUM1=`echo "$add1" |awk '{print $1}'`
IP1=`echo "$add1" |awk '{print $2}'`
if [ $NUM1 -gt 1000 ]
then
echo "`date` IP:$IP1 is over $NUM1, BAN IT!" >>/root/ddos.log
/sbin/iptables -I DROP_WEB 1 -s $IP1 -j DROP
fi
fi
NUM2=`echo "$add2" |awk '{print $1}'`
IP2=`echo "$add2" |awk '{print $2}'`
#result2=`echo "$NUM2 > 1000" | bc`
#if [ $result2 = 1 ]
if [ $NUM2 -gt 1000 ]
then
echo "`date` IP:$IP2 is over $NUM2, BAN IT!" >>/root/ddos.log
/sbin/iptables -I DROP_WEB 1 -s $IP2 -j DROP
fi[root@test-host nginx]#[root@test-host nginx]# [root@test-host nginx]# crontab -l*/1 * * * * /root/ddos.sh#0 * * * * /root/nginx-log.sh[root@test-host nginx]# [root@test-host nginx]# [root@test-host ~]# iptables -nvLChain INPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 306M 283G DROP_WEB all -- * * 0.0.0.0/0 0.0.0.0/0 269 173K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 33255 13M ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 10 0 0 ACCEPT tcp -- * * 192.168.0.0/16 0.0.0.0/0 \##\###\\###\\##\##\\##\\###\\##\\###\\\####\\####\\###\###\###\##\###\####\\####\\####\\####\#####\#####\###\###\####\####\####\\##\####\\#####\\\######\\\\#####\\\########\\\\\#############\\\\\\\\###\#\##\##\##\\##\##\##\\###\\##\\###\##\###\\###\##\###\####\###\##\##\##\###\\###\###\####\#####\\#####\####\####\###\###\###\###\##\####\\\#####\\\#####\\\\\####\\#####\#####\\\\\#############\\\\\\##\#\#\#\#\#\#\#\#\#\# 76 3916 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 #conn/32 > 100 reject-with icmp-port-unreachable 338M 306G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 15124 814K LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 recent: CHECK seconds: 6 hit_count: 20 name: webpool side: source LOG flags 4 level 5 prefix `DDOS:' 191K 11M DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 recent: CHECK seconds: 6 hit_count: 20 name: webpool side: source 10M 547M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 recent: SET name: webpool side: source 43799 3012K REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibitedChain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibitedChain OUTPUT (policy ACCEPT 62M packets, 39G bytes) pkts bytes target prot opt in out source destination Chain DROP_WEB (1 references) pkts bytes target prot opt in out source destination [root@test-host ~]#
이 내용에 흥미가 있습니까?
현재 기사가 여러분의 문제를 해결하지 못하는 경우 AI 엔진은 머신러닝 분석(스마트 모델이 방금 만들어져 부정확한 경우가 있을 수 있음)을 통해 가장 유사한 기사를 추천합니다:
간단! Certbot을 사용하여 웹 사이트를 SSL(HTTPS)화하는 방법초보자가 인프라 주위를 정돈하는 것은 매우 어렵습니다. 이번은 사이트를 간단하게 SSL화(HTTP에서 HTTPS통신)로 변경하는 방법을 소개합니다! 이번에는 소프트웨어 시스템 Nginx CentOS7 의 환경에서 S...
텍스트를 자유롭게 공유하거나 복사할 수 있습니다.하지만 이 문서의 URL은 참조 URL로 남겨 두십시오.
CC BY-SA 2.5, CC BY-SA 3.0 및 CC BY-SA 4.0에 따라 라이센스가 부여됩니다.
좋은 웹페이지 즐겨찾기
