I am under attack; my website keeps receiving thousands of requests like this one:
GET /?HMPCL=INQUVOBHZ HTTP/1.1
I installed mod-security, the Comodo WAF and csf. Even though mod-security blocks these and adds the IPs to csf.deny, they still manage to reach the web server, and I don't know how they are being blocked. What should I do to prevent this? I think it is some kind of flood.
I tried restarting the server, flushing csf, and restarting csf, lfd and iptables, without success.
I'm desperate; my web server keeps crashing.
[root@luka ~]# iptables -S | grep 62.116.184.40
-A DENYIN -s 62.116.184.40/32 ! -i lo -j DROP
-A DENYOUT -d 62.116.184.40/32 ! -o lo -j LOGDROPOUT
[root@luka ~]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- ns3-coloc.hetzner.de anywhere tcp dpt:domain
ACCEPT udp -- ns3-coloc.hetzner.de anywhere udp dpt:domain
ACCEPT tcp -- ns3-coloc.hetzner.de anywhere tcp spt:domain
ACCEPT udp -- ns3-coloc.hetzner.de anywhere udp spt:domain
ACCEPT tcp -- ns2-coloc.hetzner.de anywhere tcp dpt:domain
ACCEPT udp -- ns2-coloc.hetzner.de anywhere udp dpt:domain
ACCEPT tcp -- ns2-coloc.hetzner.de anywhere tcp spt:domain
ACCEPT udp -- ns2-coloc.hetzner.de anywhere udp spt:domain
LOCALINPUT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
INVALID tcp -- anywhere anywhere
tcp -- anywhere anywhere tcp dpt:http state NEW recent: SET name: 80 side: source
PORTFLOOD tcp -- anywhere anywhere tcp dpt:http state NEW recent: UPDATE seconds: 5 hit_count: 20 name: 80 side: source
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp-data
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:6216
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:domain
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:imap
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:urd
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:submission
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:imaps
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:pop3s
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:tsrmagt
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:tpcsrvr
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:idware-router
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:autodesk-nlm
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:infowave
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:radsec
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:gnunet
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:eli
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:nbx-ser
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:nbx-dir
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:24565
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:24566
ACCEPT tcp -- anywhere anywhere state NEW tcp dpts:60000:65000
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:irdmi
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:vcom-tunnel
ACCEPT udp -- anywhere anywhere state NEW udp dpt:ftp-data
ACCEPT udp -- anywhere anywhere state NEW udp dpt:ftp
ACCEPT udp -- anywhere anywhere state NEW udp dpt:domain
ACCEPT icmp -- anywhere anywhere icmp echo-request limit: avg 1/sec burst 5
ACCEPT icmp -- anywhere anywhere icmp echo-reply limit: avg 1/sec burst 5
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
LOGDROPIN all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere ns3-coloc.hetzner.de tcp dpt:domain
ACCEPT udp -- anywhere ns3-coloc.hetzner.de udp dpt:domain
ACCEPT tcp -- anywhere ns3-coloc.hetzner.de tcp spt:domain
ACCEPT udp -- anywhere ns3-coloc.hetzner.de udp spt:domain
ACCEPT tcp -- anywhere ns2-coloc.hetzner.de tcp dpt:domain
ACCEPT udp -- anywhere ns2-coloc.hetzner.de udp dpt:domain
ACCEPT tcp -- anywhere ns2-coloc.hetzner.de tcp spt:domain
ACCEPT udp -- anywhere ns2-coloc.hetzner.de udp spt:domain
LOCALOUTPUT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp spt:domain
ACCEPT udp -- anywhere anywhere udp spt:domain
ACCEPT all -- anywhere anywhere
INVALID tcp -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp-data
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:6216
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:time
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:nicname
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:domain
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:auth
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:submission
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:rsync
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:imaps
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:pop3s
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:gnunet
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:eli
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:sep
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:sms-chat
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:24565
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:24566
ACCEPT tcp -- anywhere anywhere state NEW tcp dpts:60000:65000
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:irdmi
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:vcom-tunnel
ACCEPT udp -- anywhere anywhere state NEW udp dpt:ftp-data
ACCEPT udp -- anywhere anywhere state NEW udp dpt:ftp
ACCEPT udp -- anywhere anywhere state NEW udp dpt:domain
ACCEPT udp -- anywhere anywhere state NEW udp dpt:auth
ACCEPT udp -- anywhere anywhere state NEW udp dpt:ntp
ACCEPT udp -- anywhere anywhere state NEW udp dpt:rsync
ACCEPT udp -- anywhere anywhere state NEW udp dpt:6277
ACCEPT udp -- anywhere anywhere state NEW udp dpt:24441
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
LOGDROPOUT all -- anywhere anywhere
Chain ALLOWDYNIN (1 references)
target prot opt source destination
ACCEPT all -- 212.178.246.86 anywhere
ACCEPT all -- 173.249.178.212.adsl.dyn.beotel.net anywhere
Chain ALLOWDYNOUT (1 references)
target prot opt source destination
ACCEPT all -- anywhere 212.178.246.86
ACCEPT all -- anywhere 173.249.178.212.adsl.dyn.beotel.net
Chain ALLOWIN (1 references)
target prot opt source destination
ACCEPT tcp -- secure.comodo.net anywhere tcp dpt:https
ACCEPT tcp -- secure.comodo.net anywhere tcp dpt:http
ACCEPT tcp -- secure.comodo.net anywhere tcp dpt:https
ACCEPT tcp -- secure.comodo.net anywhere tcp dpt:http
ACCEPT tcp -- no-dns-yet.ccanet.co.uk anywhere tcp dpt:https
ACCEPT tcp -- no-dns-yet.ccanet.co.uk anywhere tcp dpt:http
ACCEPT tcp -- no-dns-yet.ccanet.co.uk anywhere tcp dpt:https
ACCEPT tcp -- no-dns-yet.ccanet.co.uk anywhere tcp dpt:http
ACCEPT all -- 212.178.244.42 anywhere
Chain ALLOWOUT (1 references)
target prot opt source destination
ACCEPT all -- anywhere 212.178.244.42
Chain DENYIN (1 references)
target prot opt source destination
DROP all -- mail.lp-advogados.com anywhere
DROP all -- oxid5.topconcepts.de anywhere
DROP all -- 93.188.164.24 anywhere
DROP all -- opus15.register.it anywhere
DROP all -- lysander.instanthosting.com.au anywhere
Chain DENYOUT (1 references)
target prot opt source destination
LOGDROPOUT all -- anywhere mail.lp-advogados.com
LOGDROPOUT all -- anywhere oxid5.topconcepts.de
LOGDROPOUT all -- anywhere 93.188.164.24
LOGDROPOUT all -- anywhere opus15.register.it
LOGDROPOUT all -- anywhere lysander.instanthosting.com.au
Chain INVALID (2 references)
target prot opt source destination
INVDROP all -- anywhere anywhere state INVALID
INVDROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
INVDROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
INVDROP tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
INVDROP tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
INVDROP tcp -- anywhere anywhere tcp flags:FIN,RST/FIN,RST
INVDROP tcp -- anywhere anywhere tcp flags:FIN,ACK/FIN
INVDROP tcp -- anywhere anywhere tcp flags:PSH,ACK/PSH
INVDROP tcp -- anywhere anywhere tcp flags:ACK,URG/URG
INVDROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
Chain INVDROP (10 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain LOCALINPUT (1 references)
target prot opt source destination
ALLOWDYNIN all -- anywhere anywhere
ALLOWIN all -- anywhere anywhere
DENYIN all -- anywhere anywhere
Chain LOCALOUTPUT (1 references)
target prot opt source destination
ALLOWDYNOUT all -- anywhere anywhere
ALLOWOUT all -- anywhere anywhere
DENYOUT all -- anywhere anywhere
Chain LOGDROPIN (1 references)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp dpt:telnet
DROP udp -- anywhere anywhere udp dpt:telnet
DROP tcp -- anywhere anywhere tcp dpt:bootps
DROP udp -- anywhere anywhere udp dpt:bootps
DROP tcp -- anywhere anywhere tcp dpt:bootpc
DROP udp -- anywhere anywhere udp dpt:bootpc
DROP tcp -- anywhere anywhere tcp dpt:sunrpc
DROP udp -- anywhere anywhere udp dpt:sunrpc
DROP tcp -- anywhere anywhere tcp dpt:auth
DROP udp -- anywhere anywhere udp dpt:auth
DROP tcp -- anywhere anywhere tcp dpts:epmap:netbios-ssn
DROP udp -- anywhere anywhere udp dpts:epmap:netbios-ssn
DROP tcp -- anywhere anywhere tcp dpt:microsoft-ds
DROP udp -- anywhere anywhere udp dpt:microsoft-ds
DROP tcp -- anywhere anywhere tcp dpt:isakmp
DROP udp -- anywhere anywhere udp dpt:isakmp
DROP tcp -- anywhere anywhere tcp dpt:login
DROP udp -- anywhere anywhere udp dpt:login
DROP tcp -- anywhere anywhere tcp dpt:efs
DROP udp -- anywhere anywhere udp dpt:efs
LOG tcp -- anywhere anywhere limit: avg 30/min burst 5 LOG level warning prefix "Firewall: *TCP_IN Blocked* "
LOG udp -- anywhere anywhere limit: avg 30/min burst 5 LOG level warning prefix "Firewall: *UDP_IN Blocked* "
LOG icmp -- anywhere anywhere limit: avg 30/min burst 5 LOG level warning prefix "Firewall: *ICMP_IN Blocked* "
DROP all -- anywhere anywhere
Chain LOGDROPOUT (6 references)
target prot opt source destination
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 30/min burst 5 LOG level warning uid prefix "Firewall: *TCP_OUT Blocked* "
LOG udp -- anywhere anywhere limit: avg 30/min burst 5 LOG level warning uid prefix "Firewall: *UDP_OUT Blocked* "
LOG icmp -- anywhere anywhere limit: avg 30/min burst 5 LOG level warning uid prefix "Firewall: *ICMP_OUT Blocked* "
DROP all -- anywhere anywhere
Chain PORTFLOOD (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 30/min burst 5 LOG level warning prefix "Firewall: *Port Flood* "
DROP all -- anywhere anywhere
When I check with csf -g:
csf -g 62.116.184.40
Chain num pkts bytes target prot opt in out source destination
DENYIN 2 0 0 DROP all -- !lo * 62.116.184.40 0.0.0.0/0
DENYOUT 2 0 0 LOGDROPOUT all -- * !lo 0.0.0.0/0 62.116.184.40
ip6tables:
Chain num pkts bytes target prot opt in out source destination
No matches found for 62.116.184.40 in ip6tables
csf.deny: 62.116.184.40 # lfd: (mod_security) mod_security (id:970901) triggered by 62.116.184.40 (DE/Germany/oxid5.topconcepts.de): 5 in the last 3600 secs - Thu Feb 9 04:26:53 2017
The IP is "blocked", but in apache:
2-0 - 0/0/1 . 0.01 103 28139 0.0 0.00 0.00 62.116.184.40 http/1.1 mysite.rs:80 GET /?XZFSTJMSOK=SPZZNDNPS HTTP/1.1
Here is the information from mod_security:
Request: GET /?TZSVUEJUU=JWJYEUW
Action Description: Access denied with redirection to http://www.example.com/ using status 302 (phase 4).
Justification: Pattern match "^5\\d{2}$" at RESPONSE_STATUS.
How can I block requests containing ^5\\d{2}$ in Apache?
New information:
Somehow I managed to run this kind of attack myself, but the method I used only sends GET requests with no query string. mod_security detected and blocked me. So iptables is definitely working, but maybe it cannot handle that many IPs, because Apache crashes and so it cannot count all the IPs. How do I stop Apache from crashing?
Answer 1
A quick and dirty attempt at rate limiting with iptables:
iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set   # record each new connection to port 80 in the "recent" list
iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 100 -j DROP   # drop once a source has been seen 100 times in 60 s
Obviously you will need to tune this. It says "allow TCP connections on port 80, but if 99 connections have already occurred from the same source within 60 seconds, drop subsequent connections".
Answer 2
I managed to protect myself by setting csf to the following options:
CONNLIMIT = 80;5
CT_LIMIT = 20
CT_INTERVAL = 10
PORTFLOOD = 80;tcp;10;3,443;tcp;10;3
In addition, I tuned apache (lowered the settings) so that it does not crash from excessive memory usage. I also switched the MPM from prefork to EVENT. Another useful option in CSF is PT_USERKILL = On
This kills overloaded processes, those using more than 300MB, so this worked for me without affecting normal operation.
Now my website is a bit slow, but within 5 minutes csf had blocked all of it. Conquered!
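The mod_security output quoted in the question shows rule 970901 matching `^5\d{2}$` at RESPONSE_STATUS in phase 4: it fires on the 5xx status Apache has already produced, so by the time the WAF "blocks" the request a worker has already been consumed, which is why the csf.deny entries in the question arrive after the damage is done and why the connection-level thresholds in Answer 2 (a hit count within an interval per source) are what actually helped. The script below is an added example written for this page; it is not code from the thread, from csf or from mod_security. It reads Apache combined-format access log lines (constructed sample data; 62.116.184.40 is the address quoted in the question, 198.51.100.7 and 203.0.113.9 are RFC 5737 documentation addresses, and the 503 status codes are assumed), matches the `GET /?RANDOM=RANDOM` shape of the flood requests, applies a per-source sliding window with the same hits-per-interval meaning as csf's `PORTFLOOD = 80;tcp;10;3` but counted on requests rather than TCP connections, and reports which sources crossed the threshold and how many 5xx responses they triggered. The log format, the thresholds and the random-query regular expression are assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in Apache "combined" log format (not taken from the thread).
# 62.116.184.40 is the address quoted in the question; 198.51.100.7 and 203.0.113.9
# are RFC 5737 documentation addresses. The flood lines mimic the GET /?RANDOM=RANDOM
# shape seen in the question; the 503 status codes are assumed for the example.
SAMPLE_LOG = """\
198.51.100.7 - - [09/Feb/2017:04:26:50 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
62.116.184.40 - - [09/Feb/2017:04:26:51 +0100] "GET /?HMPCL=INQUVOBHZ HTTP/1.1" 503 312 "-" "-"
62.116.184.40 - - [09/Feb/2017:04:26:51 +0100] "GET /?XZFSTJMSOK=SPZZNDNPS HTTP/1.1" 503 312 "-" "-"
62.116.184.40 - - [09/Feb/2017:04:26:51 +0100] "GET /?TZSVUEJUU=JWJYEUW HTTP/1.1" 503 312 "-" "-"
62.116.184.40 - - [09/Feb/2017:04:26:52 +0100] "GET /?QWERTZ=ASDFGH HTTP/1.1" 503 312 "-" "-"
203.0.113.9 - - [09/Feb/2017:04:26:52 +0100] "GET /?ABCDE=FGHIJ HTTP/1.1" 200 312 "-" "-"
62.116.184.40 - - [09/Feb/2017:04:26:52 +0100] "GET /?LKJHGF=POIUYT HTTP/1.1" 503 312 "-" "-"
62.116.184.40 - - [09/Feb/2017:04:26:52 +0100] "GET /?MNBVCX=ZXCVBN HTTP/1.1" 503 312 "-" "-"
62.116.184.40 - - [09/Feb/2017:04:26:52 +0100] "GET /?YTREWQ=HGFDSA HTTP/1.1" 503 312 "-" "-"
62.116.184.40 - - [09/Feb/2017:04:26:53 +0100] "GET /?UIOPAS=DFGHJK HTTP/1.1" 503 312 "-" "-"
62.116.184.40 - - [09/Feb/2017:04:26:53 +0100] "GET /?BNMQWE=RTYUIO HTTP/1.1" 503 312 "-" "-"
62.116.184.40 - - [09/Feb/2017:04:26:53 +0100] "GET /?PLMOKN=IJBUHV HTTP/1.1" 503 312 "-" "-"
203.0.113.9 - - [09/Feb/2017:04:26:58 +0100] "GET /?KLMNO=PQRST HTTP/1.1" 200 312 "-" "-"
198.51.100.7 - - [09/Feb/2017:04:26:59 +0100] "GET /style.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

# Apache combined log format: client, ident, user, [timestamp], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)

# Assumed shape of the flood: "/?" followed by one KEY=VALUE pair made only of
# upper-case letters, nothing else. Tune the lengths to what your logs show.
FLOOD_TARGET_RE = re.compile(r'^/\?[A-Z]{3,16}=[A-Z]{3,16}$')


def parse_line(line):
    """Return {"ip", "ts", "target", "status"} for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "target": m.group("target"),
            "status": int(m.group("status"))}


def is_flood_request(target):
    """True when the request target has the random-query shape of the flood."""
    return FLOOD_TARGET_RE.match(target) is not None


def find_flooders(log_text, hits=10, seconds=3):
    """Sources that sent at least `hits` flood-shaped requests inside any window of
    `seconds` seconds. Defaults mirror csf's PORTFLOOD = 80;tcp;10;3 (assumed mapping).
    Lines are expected in chronological order per source, as an access log is."""
    windows = defaultdict(deque)   # ip -> timestamps of recent flood-shaped requests
    flagged = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_flood_request(rec["target"]):
            continue
        window = windows[rec["ip"]]
        window.append(rec["ts"])
        # slide the window: forget hits older than `seconds` relative to this one
        while (rec["ts"] - window[0]).total_seconds() > seconds:
            window.popleft()
        if len(window) >= hits:
            flagged.add(rec["ip"])
    return flagged


def flood_counts(log_text):
    """Total number of flood-shaped requests per source, for reporting."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and is_flood_request(rec["target"]):
            counts[rec["ip"]] += 1
    return dict(counts)


def responses_5xx(log_text):
    """Number of 5xx responses per source. This is the condition the thread's
    rule 970901 matched on: the server had already answered with a 5xx."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and 500 <= rec["status"] < 600:
            counts[rec["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    flagged = find_flooders(SAMPLE_LOG)
    totals = flood_counts(SAMPLE_LOG)
    errors = responses_5xx(SAMPLE_LOG)
    for ip in sorted(totals):
        print(f"{ip:16} flood-shaped={totals[ip]:3} 5xx={errors.get(ip, 0):3} "
              f"{'OVER THRESHOLD' if ip in flagged else 'ok'}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; the sources it flags are the ones worth feeding to csf.deny or to a `-m recent` rule, while the 5xx column shows how much work Apache already did before the WAF's phase-4 rule had anything to match.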