防御僵尸网络-如何分析apache日志?

tag-icon tag-icon apache-2.2 log-files botnet
防御僵尸网络-如何分析apache日志?

大约 24 小时前,我的网站遭受了 DDOS 攻击。Apache 日志如下:

190.56.92.50 - - [10/Nov/2011:19:09:16 +0200] "GET /browse.php HTTP/1.0" 403 1207 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3a) Gecko/20030105 Phoenix/0.5"
79.162.132.75 - - [10/Nov/2011:19:09:16 +0200] "GET /browse.php HTTP/1.0" 403 1207 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.6) Gecko/20060728 SeaMonkey/1.0.4"
178.95.250.125 - - [10/Nov/2011:19:09:16 +0200] "GET /browse.php HTTP/1.0" 403 1207 "-" "Microsoft Internet Explorer/4.0b1 (Windows 95)"
41.224.117.207 - - [10/Nov/2011:19:09:16 +0200] "GET /browse.php HTTP/1.0" 403 1207 "-" "Mozilla/4.1 (compatible; MSIE 5.0; Symbian OS; Nokia 6600;452) Opera 6.20 [ru]"
95.133.12.150 - - [10/Nov/2011:19:09:16 +0200] "GET /browse.php HTTP/1.0" 403 1207 "-" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)"
78.139.156.77 - - [10/Nov/2011:19:09:16 +0200] "GET /browse.php HTTP/1.0" 403 1207 "-" "Opera/9.60 (Windows NT 5.1; U; en) Presto/2.1.1"
91.86.86.111 - - [10/Nov/2011:19:09:16 +0200] "GET /browse.php HTTP/1.0" 403 1207 "-" "Mozilla/4.0 (compatible; MSIE 5.0; SunOS 5.9 sun4u; X11)"
46.73.152.227 - - [10/Nov/2011:19:09:16 +0200] "GET /browse.php HTTP/1.0" 403 1207 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
178.212.247.179 - - [10/Nov/2011:19:09:16 +0200] "GET /browse.php HTTP/1.0" 403 1207 "-" "Mozilla/4.0 (compatible; MSIE 6.0; ; Linux armv5tejl; U) Opera 8.02 [en_US] Maemo browser 0.4.31 N770/SU-18"
189.243.119.252 - - [10/Nov/2011:19:09:16 +0200] "GET /browse.php HTTP/1.0" 403 1207 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Symbian OS; Nokia 6600/5.27.0; 6329) Opera 8.00 [ru]"
187.159.55.110 - - [10/Nov/2011:19:09:16 +0200] "GET /browse.php HTTP/1.0" 403 1207 "-" "Mozilla/2.0 (compatible; MSIE 3.01; Windows 98)"
79.162.132.75 - - [10/Nov/2011:19:09:16 +0200] "GET /browse.php HTTP/1.0" 403 1207 "-" "Opera/9.0 (Windows NT 5.1; U; en)"
46.118.8.181 - - [10/Nov/2011:19:09:16 +0200] "GET /browse.php HTTP/1.0" 403 1207 "-" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)"
213.110.96.153 - - [10/Nov/2011:19:09:16 +0200] "GET /browse.php HTTP/1.0" 403 1207 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Symbian OS; Nokia 6630/4.03.38; 6937) Opera 8.50 [es]"
46.201.147.160 - - [10/Nov/2011:19:09:16 +0200] "GET /browse.php HTTP/1.0" 403 1207 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 8.50"
201.230.239.84 - - [10/Nov/2011:19:09:16 +0200] "GET /browse.php HTTP/1.0" 403 1207 "-" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)"
201.230.239.84 - - [10/Nov/2011:19:09:16 +0200] "GET /browse.php HTTP/1.0" 403 1207 "-" "Opera/9.01 (X11; Linux i686; U; en)"
31.223.223.66 - - [10/Nov/2011:19:09:16 +0200] "GET /browse.php HTTP/1.0" 403 1207 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5"

如您所见,所有请求都发往同一个 url: browse.php,但当然来自不同的 IP 和用户代理。我已拒绝访问browse.php.htaccess因此攻击不会通过使网络服务器过载而影响其他页面/网站。

现在我有过去 24 小时的 apache 访问日志,大小为1.4GB。

我如何根据日志获取按访问次数browse.php和错误次数排序的 IP 列表403 Forbidden

答案1

尝试: cat logfile | grep -P 'browse\.php\S* HTTP\/1\.\d"\s403' | cut -f1 -d" " | sort | uniq -c | sort -n

答案2

尝试安装 fail2ban 并为 apache 配置它。Fail2ban 实际上会阻止机器人的多个并行请求,并且可以轻松配置它以阻止基于特殊正则表达式的请求。

我曾经尝试手动阻止它们,但这非常麻烦,因为它们有数百万个,而且通过自制脚本手动阻止它们会很累。

相关内容