我在同一台服务器上托管三个不同的网站。以下是今天早上 Apache 日志的摘录:
### SITE 1 ###
[Fri Dec 13 09:15:49 2013] [error] [client 85.17.87.36] script not found or unable to stat: /var/www/vhosts/site1.com/cgi-bin/php.cgi
[Fri Dec 13 09:15:49 2013] [error] [client 85.17.87.36] script not found or unable to stat: /var/www/vhosts/site1.com/cgi-bin/php4
[Fri Dec 13 09:23:21 2013] [error] [client 113.53.238.155] script not found or unable to stat: /var/www/vhosts/site1.com/cgi-bin/php
[Fri Dec 13 09:23:22 2013] [error] [client 113.53.238.155] script not found or unable to stat: /var/www/vhosts/site1.com/cgi-bin/php5
[Fri Dec 13 09:23:22 2013] [error] [client 113.53.238.155] script not found or unable to stat: /var/www/vhosts/site1.com/cgi-bin/php-cgi
[Fri Dec 13 09:23:23 2013] [error] [client 113.53.238.155] script not found or unable to stat: /var/www/vhosts/site1.com/cgi-bin/php.cgi
[Fri Dec 13 09:23:24 2013] [error] [client 113.53.238.155] script not found or unable to stat: /var/www/vhosts/site1.com/cgi-bin/php4
[Fri Dec 13 09:47:03 2013] [error] [client 172.246.127.26] File does not exist: /var/www/vhosts/site1.com/httpdocs/install
[Fri Dec 13 09:47:08 2013] [error] [client 172.246.127.26] File does not exist: /var/www/vhosts/site1.com/httpdocs/phpbb3
### SITE 2 ###
[Fri Dec 13 09:24:39 2013] [error] [client 107.20.169.255] script not found or unable to stat: /var/www/vhosts/site2.com/cgi-bin/php
[Fri Dec 13 09:24:39 2013] [error] [client 107.20.169.255] script not found or unable to stat: /var/www/vhosts/site2.com/cgi-bin/php5
[Fri Dec 13 09:24:39 2013] [error] [client 107.20.169.255] script not found or unable to stat: /var/www/vhosts/site2.com/cgi-bin/php-cgi
[Fri Dec 13 09:24:39 2013] [error] [client 107.20.169.255] script not found or unable to stat: /var/www/vhosts/site2.com/cgi-bin/php.cgi
[Fri Dec 13 09:24:40 2013] [error] [client 107.20.169.255] script not found or unable to stat: /var/www/vhosts/site2.com/cgi-bin/php4
### SITE 3 ###
[Fri Dec 13 09:24:40 2013] [error] [client 107.20.169.255] script not found or unable to stat: /var/www/vhosts/site3.com/cgi-bin/php
[Fri Dec 13 09:24:40 2013] [error] [client 107.20.169.255] script not found or unable to stat: /var/www/vhosts/site3.com/cgi-bin/php5
[Fri Dec 13 09:24:40 2013] [error] [client 107.20.169.255] script not found or unable to stat: /var/www/vhosts/site3.com/cgi-bin/php-cgi
[Fri Dec 13 09:24:40 2013] [error] [client 107.20.169.255] script not found or unable to stat: /var/www/vhosts/site3.com/cgi-bin/php.cgi
[Fri Dec 13 09:24:40 2013] [error] [client 107.20.169.255] script not found or unable to stat: /var/www/vhosts/site3.com/cgi-bin/php4
如您所见,一些攻击者正在探测服务器上可能安装的软件是否存在,也许是为了寻找漏洞。我经常看到这样的事情。一个问题是,这些日志没有显示他们何时成功。在一个案例中,同一个 IP 地址甚至同时探测两个不同的站点。这一次请求似乎来自云端,但情况并非总是如此。
当 IP 地址来自中国或俄罗斯等地时,我会手动拒绝整个范围并重新启动 Apache。但是当 IP 地址位于美国时,我无法拒绝整个范围,因为理论上合法客户可能会使用它们。
我不知道这是否可行,但我愿意动态地当请求某些 URL 路径时阻止 IP 地址。
例如,如果某个 IP 地址请求 /cgi-bin/php-cgi,则会自动被拒绝
拒绝可能是暂时的。Apache 会自动处理此问题,无需重新启动。
这样的事可能吗?
答案1
一个相当简单的解决方案是失败2ban监控您的日志并将 IP 添加到您的防火墙。