Nginx, ModSecurity, iptables to block WordPress DoS/DDoS attacks

For the past 14 days my site has been under attack from millions of WordPress installations around the world. .htaccess can deal with it, but I am trying to find some way to block them before they ever reach htaccess. (RewriteCond %{HTTP_USER_AGENT} ^WordPress [NC,OR]

I tried putting some code in my nginx config to block the WordPress user agent, which caused Apache to fail to start, so I reverted the code.

Here is the config:

user nobody;
# no need for more workers in the proxy mode
worker_processes  2;
error_log  /var/log/nginx/error.log info;
worker_rlimit_nofile 20480;

events {
   worker_connections 5120; # increase for busier servers
   use epoll;               # you should use epoll here for Linux kernels 2.6.x
}

http {
    server_name_in_redirect off;
    server_names_hash_max_size 10240;
    server_names_hash_bucket_size 1024;
    include   mime.types;
    default_type application/octet-stream;
    server_tokens off;
    # remove/comment out "disable_symlinks if_not_owner;" if you get a Permission denied error
    #disable_symlinks if_not_owner;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout  5;

    gzip on;
    gzip_vary on;
    gzip_disable "MSIE [1-6]\.";
    gzip_proxied any;
    gzip_http_version 1.0;
    gzip_min_length  1000;
    gzip_comp_level  6;
    gzip_buffers  16 8k;

    fastcgi_buffers 8 16k;
    fastcgi_buffer_size 32k;
    fastcgi_connect_timeout 300;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;

    # You can remove image/png image/x-icon image/gif image/jpeg if you have a slow CPU
    gzip_types   text/plain text/xml text/css application/x-javascript application/xml application/javascript application/xml+rss text/javascript application/atom+xml;
    ignore_invalid_headers on;

    client_header_timeout  3m;
    client_body_timeout 3m;
    send_timeout     3m;
    reset_timedout_connection on;
    connection_pool_size  256;
    client_header_buffer_size 256k;
    large_client_header_buffers 4 256k;
    client_max_body_size 200M;
    client_body_buffer_size 128k;
    request_pool_size  32k;
    output_buffers   4 32k;
    postpone_output  1460;
    proxy_temp_path  /tmp/nginx_proxy/;
    proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=microcache:5m max_size=1000m;
    client_body_in_file_only on;
    log_format bytes_log "$msec $bytes_sent .";
    log_format custom_microcache '$remote_addr - $remote_user [$time_local] '
            '"$request" $status $body_bytes_sent '
            '"$http_referer" "$http_user_agent" nocache:$no_cache';
    include "/etc/nginx/vhosts/*";
}

We have ModSecurity; here is its config.

http://pastebin.com/raw.php?i=Z5Lx3WkH (too long to paste inline)

If you know how to block the WordPress user agent, could you please let me know? It would help me a great deal. ModSecurity is currently blocking some IPs, but not enough: there are 251+ IPs per second, and they keep changing.

CentOS 6.5 converted to CloudLinux 6.5 x86_64

Answer 1

You can have iptables match a string contained in the packet. That string can be the User-Agent header.

The problem is that an HTTP request may span multiple packets. If that happens, two things follow: it will still reach your server, and it will have established a TCP connection, which can hamper your efforts to block the next request.

There are a few ways around this. One is to require the user agent be present when the connection is initially opened.

Consider the following:

# create the user-defined chain first; the INPUT jump below fails if it does not exist yet
iptables -N WORDPRESS

# allow already established connections
iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT

# send brand new connections to the WORDPRESS chain
iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j WORDPRESS

# drop everything else (ie INVALID or RELATED)
iptables -A INPUT -p tcp --dport 80 -j DROP


#### WORDPRESS chain. Only handles brand new connections to TCP 80

# drop anything with the offending user-agent
# optionally duplicate this line to bludgeon additional UAs
iptables -A WORDPRESS -m string --string "User-Agent: WordPress" --algo bm --to 65535 -j DROP

# allow that which has a user-agent. (that wasn't the offending ua)
iptables -A WORDPRESS -m string --string "User-Agent:" --algo bm --to 65535 -j ACCEPT

# drop that which has no user-agent, such as a 2nd packet within an HTTP request
# not a problem for legit traffic, since the first packet would have had a UA and
# thereby established the connection and avoided the whole WORDPRESS chain..
iptables -A WORDPRESS -j DROP

There are other ways, of course.

For example: you could match the UA string, log it, and then drop. Then you could feed the log into fail2ban. And so on.
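The "log it, then feed the log into something" route from this answer, worked through as an added example (not code from the question or from either answer): it parses access log lines in the question's own custom_microcache format, counts requests per source IP whose User-Agent begins with WordPress/ (the form the question's RewriteCond ^WordPress targets), and prints ipset/iptables commands for the IPs over a threshold. ipset is used here instead of fail2ban because one --match-set rule covers any number of addresses, which matters at 251+ changing IPs per second. The log lines are constructed for the example; the set name wp_block, the 3600-second entry timeout and the threshold are assumptions.

```shell
#!/bin/sh
# Added example: detect WordPress-UA flood sources in an nginx access log
# written with the question's custom_microcache log_format and emit an
# ipset blocklist. Not part of the original question or answers.

# Constructed sample log (custom_microcache format from the question):
#   $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent
#   "$http_referer" "$http_user_agent" nocache:$no_cache
SAMPLE_LOG='203.0.113.10 - - [10/Mar/2014:12:00:01 +0000] "GET / HTTP/1.0" 200 5120 "-" "WordPress/3.8.1; http://blog1.example" nocache:1
203.0.113.10 - - [10/Mar/2014:12:00:01 +0000] "GET / HTTP/1.0" 200 5120 "-" "WordPress/3.8.1; http://blog1.example" nocache:1
203.0.113.10 - - [10/Mar/2014:12:00:01 +0000] "GET /?p=1 HTTP/1.0" 200 5120 "-" "WordPress/3.8.1; http://blog1.example" nocache:1
203.0.113.10 - - [10/Mar/2014:12:00:02 +0000] "GET / HTTP/1.0" 200 5120 "-" "WordPress/3.8.1; http://blog1.example" nocache:1
198.51.100.7 - - [10/Mar/2014:12:00:02 +0000] "GET / HTTP/1.0" 200 5120 "-" "WordPress/3.7; http://blog2.example" nocache:1
198.51.100.7 - - [10/Mar/2014:12:00:02 +0000] "GET / HTTP/1.0" 200 5120 "-" "wordpress/3.7; http://blog2.example" nocache:1
198.51.100.7 - - [10/Mar/2014:12:00:03 +0000] "GET /feed/ HTTP/1.1" 200 3100 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/27.0" nocache:0
192.0.2.44 - - [10/Mar/2014:12:00:03 +0000] "GET /wp-login.php HTTP/1.1" 200 3100 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/27.0" nocache:0
192.0.2.44 - - [10/Mar/2014:12:00:03 +0000] "GET /?s=x HTTP/1.1" 200 3100 "http://wordpress.org/plugins/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/27.0" nocache:0'

# wp_offenders THRESHOLD: read log lines on stdin, print (sorted) every source
# IP that sent at least THRESHOLD requests with a User-Agent starting with
# "WordPress/", case-insensitively (the same effect as nginx's ~* operator).
wp_offenders() {
    awk -v min="$1" '
        {
            # Split on double quotes rather than spaces: the request line
            # contains spaces, so positional fields would shift. nginx escapes
            # embedded quotes in log variables as \x22, so the split is safe.
            # The UA is the second-to-last quoted chunk because the line ends
            # with the unquoted nocache:$no_cache field.
            n = split($0, q, "\"")
            ua = q[n - 1]
            if (tolower(ua) ~ /^wordpress\//) count[$1]++
        }
        END {
            for (ip in count) if (count[ip] >= min) print ip
        }
    ' | sort
}

# emit_ipset_rules SETNAME: read IPs on stdin and print the ipset/iptables
# commands that would block them. Printed, not executed, so the list can be
# reviewed first (pipe into sh to apply). Set entries expire after 3600 s
# (assumption), which suits a botnet whose membership keeps changing; the
# single iptables rule only needs to be added once.
emit_ipset_rules() {
    set_name="$1"
    echo "ipset -exist create $set_name hash:ip timeout 3600"
    while IFS= read -r ip; do
        echo "ipset -exist add $set_name $ip"
    done
    echo "iptables -I INPUT -p tcp --dport 80 -m set --match-set $set_name src -j DROP"
}

# Usage on the constructed sample: only 203.0.113.10 (4 WordPress requests)
# clears a threshold of 3; 198.51.100.7 has 2 and 192.0.2.44 has none.
printf '%s\n' "$SAMPLE_LOG" | wp_offenders 3 | emit_ipset_rules wp_block
```

Against a live server, replace the sample with `tail -n 20000 /var/log/nginx/access.log | wp_offenders 50` (or whatever rate fits the legitimate traffic) from cron, and review the printed commands before piping them into sh. The awk filter keys on the User-Agent field only, so a referer mentioning wordpress.org, as in the last sample line, does not count against that client.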

Answer 2

Create a file in your nginx directory containing all the UserAgents you don't like.

/etc/nginx/conf/blockuseragent.conf:

if ($http_user_agent ~* "(WordPress|w0RdPress|multipleitemsexample)") {
    return 403; # Return anything you want.
}

In your virtual host file, add the following right after the opening "server {" of the block:

include /etc/nginx/conf/blockuseragent.conf;

And reload.

(I prefer the iptables approach Joe used, but this blocks the UserAgents in nginx, and nginx can be deployed on multiple front-end nginx servers.)
