What is this regular (every 120 seconds) HTTP 1.1 POST?

My Apache 2.4 server is getting this entry in its logs from multiple IP addresses. For the 88.* address I see 178 entries. The interval is between 120 and 123 seconds, usually 122.

88.207.37.105 - - [20/May/2017:18:11:47 +0000] "POST / HTTP/1.1" 200 23110 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"
88.207.37.105 - - [20/May/2017:18:13:49 +0000] "POST / HTTP/1.1" 200 19641 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"
88.207.37.105 - - [20/May/2017:18:15:51 +0000] "POST / HTTP/1.1" 200 19629 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"
88.207.37.105 - - [20/May/2017:18:17:53 +0000] "POST / HTTP/1.1" 200 23136 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"
88.207.37.105 - - [20/May/2017:18:19:55 +0000] "POST / HTTP/1.1" 200 19661 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"
88.207.37.105 - - [20/May/2017:18:21:56 +0000] "POST / HTTP/1.1" 200 19639 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"
88.207.37.105 - - [20/May/2017:18:23:59 +0000] "POST / HTTP/1.1" 200 23136 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"
88.207.37.105 - - [20/May/2017:18:26:01 +0000] "POST / HTTP/1.1" 200 19628 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"

The addresses I have seen are:

45.46.40.146
88.207.37.105
70.127.16.147
104.236.51.98
73.54.23.213
76.194.129.233
182.65.9.117

Is this an attempted Slowloris; if so, why only 178 queries? Is it some kind of probe? How can I detect this with fail2ban?

Do I need more information to diagnose what is going on?

I assume it has no negative impact, but it is filling up my logs (I get very little valid traffic; it is almost entirely malicious probing rather than valid traffic, and I would like to see as little malicious probing as possible).

Update

I have implemented POST logging and made a fail2ban rule:

^<HOST> .*"POST / HTTP/1\.1" 200 \d+ "-".*

When I get a hit like this:

75.166.150.58 - - [26/May/2017:20:19:57 +0000] "POST / HTTP/1.1" 200 22730 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E)"
75.166.150.58 - - [26/May/2017:20:21:58 +0000] "POST / HTTP/1.1" 200 19730 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E)"

I see this in the POST log:

[Fri May 26 20:19:56.910629 2017] [dumpio:trace7] [pid 24686:tid 140320582878976] mod_dumpio.c(140): [client 75.166.150.58:57994] mod_dumpio: dumpio_in [init-blocking] 0 readbytes
[Fri May 26 20:19:56.910713 2017] [dumpio:trace7] [pid 24686:tid 140320582878976] mod_dumpio.c(151): [client 75.166.150.58:57994] mod_dumpio: dumpio_in - 20014
[Fri May 26 20:19:56.910726 2017] [dumpio:trace7] [pid 24686:tid 140320582878976] mod_dumpio.c(140): [client 75.166.150.58:57994] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Fri May 26 20:19:56.910729 2017] [dumpio:trace7] [pid 24686:tid 140320582878976] mod_dumpio.c(151): [client 75.166.150.58:57994] mod_dumpio: dumpio_in - 103
[Fri May 26 20:19:57.373663 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(140): [client 75.166.150.58:57995] mod_dumpio: dumpio_in [init-blocking] 0 readbytes
[Fri May 26 20:19:57.600659 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(140): [client 75.166.150.58:57995] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Fri May 26 20:19:57.830272 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(63): [client 75.166.150.58:57995] mod_dumpio:  dumpio_in (data-TRANSIENT): 17 bytes
[Fri May 26 20:19:57.830323 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(103): [client 75.166.150.58:57995] mod_dumpio:  dumpio_in (data-TRANSIENT): POST / HTTP/1.1\r\n
[Fri May 26 20:19:57.830340 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(140): [client 75.166.150.58:57995] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Fri May 26 20:19:57.830350 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(63): [client 75.166.150.58:57995] mod_dumpio:  dumpio_in (data-TRANSIENT): 49 bytes
[Fri May 26 20:19:57.830356 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(103): [client 75.166.150.58:57995] mod_dumpio:  dumpio_in (data-TRANSIENT): Content-Type: application/x-www-form-urlencoded\r\n
[Fri May 26 20:19:57.830364 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(140): [client 75.166.150.58:57995] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Fri May 26 20:19:57.830384 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(63): [client 75.166.150.58:57995] mod_dumpio:  dumpio_in (data-TRANSIENT): 105 bytes
[Fri May 26 20:19:57.830390 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(103): [client 75.166.150.58:57995] mod_dumpio:  dumpio_in (data-TRANSIENT): User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E)\r\n
[Fri May 26 20:19:57.830398 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(140): [client 75.166.150.58:57995] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Fri May 26 20:19:57.830404 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(63): [client 75.166.150.58:57995] mod_dumpio:  dumpio_in (data-TRANSIENT): 20 bytes
[Fri May 26 20:19:57.830409 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(103): [client 75.166.150.58:57995] mod_dumpio:  dumpio_in (data-TRANSIENT): Host: 13.55.51.221\r\n
[Fri May 26 20:19:57.830426 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(140): [client 75.166.150.58:57995] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Fri May 26 20:19:57.830428 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(63): [client 75.166.150.58:57995] mod_dumpio:  dumpio_in (data-TRANSIENT): 21 bytes
[Fri May 26 20:19:57.830430 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(103): [client 75.166.150.58:57995] mod_dumpio:  dumpio_in (data-TRANSIENT): Content-Length: 544\r\n
[Fri May 26 20:19:57.830432 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(140): [client 75.166.150.58:57995] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Fri May 26 20:19:57.830434 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(63): [client 75.166.150.58:57995] mod_dumpio:  dumpio_in (data-TRANSIENT) : 25 bytes
[Fri May 26 20:19:57.830436 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(103): [client 75.166.150.58:57995] mod_dumpio:  dumpio_in (data-TRANSIENT): Cache-Control: no-cache\r\n
[Fri May 26 20:19:57.830438 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(140): [client 75.166.150.58:57995] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Fri May 26 20:19:57.830440 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(63): [client 75.166.150.58:57995] mod_dumpio:  dumpio_in (data-TRANSIENT): 2 bytes
[Fri May 26 20:19:57.830441 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(103): [client 75.166.150.58:57995] mod_dumpio:  dumpio_in (data-TRANSIENT): \r\n
[Fri May 26 20:19:57.830996 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(140): [client 75.166.150.58:57995] mod_dumpio: dumpio_in [readbytes-blocking] 544 readbytes
[Fri May 26 20:19:57.831005 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(63): [client 75.166.150.58:57995] mod_dumpio:  dumpio_in (data-TRANSIENT): 544 bytes
[Fri May 26 20:19:57.831008 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(103): [client 75.166.150.58:57995] mod_dumpio:  dumpio_in (data-TRANSIENT): 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
[Fri May 26 20:19:57.942403 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(140): [client 75.166.150.58:57995] mod_dumpio: dumpio_in [speculative-nonblocking] 1 readbytes
[Fri May 26 20:19:57.943753 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(151): [client 75.166.150.58:57995] mod_dumpio: dumpio_in - 11
[Fri May 26 20:21:58.710000 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(140): [client 75.166.150.58:58268] mod_dumpio: dumpio_in [init-blocking] 0 readbytes
[Fri May 26 20:21:58.933562 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(140): [client 75.166.150.58:58268] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Fri May 26 20:21:58.943419 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(63): [client 75.166.150.58:58268] mod_dumpio:  dumpio_in (data-TRANSIENT): 17 bytes
[Fri May 26 20:21:58.943436 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(103): [client 75.166.150.58:58268] mod_dumpio:  dumpio_in (data-TRANSIENT): POST / HTTP/1.1\r\n
[Fri May 26 20:21:58.943445 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(140): [client 75.166.150.58:58268] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Fri May 26 20:21:58.943448 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(63): [client 75.166.150.58:58268] mod_dumpio:  dumpio_in (data-TRANSIENT): 49 bytes
[Fri May 26 20:21:58.943451 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(103): [client 75.166.150.58:58268] mod_dumpio:  dumpio_in (data-TRANSIENT): Content-Type: application/x-www-form-urlencoded\r\n
[Fri May 26 20:21:58.943454 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(140): [client 75.166.150.58:58268] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Fri May 26 20:21:58.943456 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(63): [client 75.166.150.58:58268] mod_dumpio:  dumpio_in (data-TRANSIENT) : 105 bytes
[Fri May 26 20:21:58.943459 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(103): [client 75.166.150.58:58268] mod_dumpio:  dumpio_in (data-TRANSIENT): User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E)\r\n
[Fri May 26 20:21:58.943462 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(140): [client 75.166.150.58:58268] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Fri May 26 20:21:58.943464 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(63): [client 75.166.150.58:58268] mod_dumpio:  dumpio_in (data-TRANSIENT): 20 bytes
[Fri May 26 20:21:58.943467 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(103): [client 75.166.150.58:58268] mod_dumpio:  dumpio_in (data-TRANSIENT): Host: 13.55.51.221\r\n
[Fri May 26 20:21:58.943469 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(140): [client 75.166.150.58:58268] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Fri May 26 20:21:58.943471 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(63): [client 75.166.150.58:58268] mod_dumpio:  dumpio_in (data-TRANSIENT): 21 bytes
[Fri May 26 20:21:58.943473 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(103): [client 75.166.150.58:58268] mod_dumpio:  dumpio_in (data-TRANSIENT): Content-Length: 588\r\n
[Fri May 26 20:21:58.943476 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(140): [client 75.166.150.58:58268] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Fri May 26 20:21:58.943478 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(63): [client 75.166.150.58:58268] mod_dumpio:  dumpio_in (data-TRANSIENT): 25 bytes
[Fri May 26 20:21:58.943480 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(103): [client 75.166.150.58:58268] mod_dumpio:  dumpio_in (data-TRANSIENT): Cache-Control: no-cache\r\n
[Fri May 26 20:21:58.943482 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(140): [client 75.166.150.58:58268] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Fri May 26 20:21:58.943484 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(63): [client 75.166.150.58:58268] mod_dumpio:  dumpio_in (data-TRANSIENT): 2 bytes
[Fri May 26 20:21:58.943492 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(103): [client 75.166.150.58:58268] mod_dumpio:  dumpio_in (data-TRANSIENT): \r\n
[Fri May 26 20:21:58.943625 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(140): [client 75.166.150.58:58268] mod_dumpio: dumpio_in [readbytes-blocking] 588 readbytes
[Fri May 26 20:21:58.943632 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(63): [client 75.166.150.58:58268] mod_dumpio:  dumpio_in (data-TRANSIENT): 588 bytes
[Fri May 26 20:21:58.943634 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(103): [client 75.166.150.58:58268] mod_dumpio:  dumpio_in (data-TRANSIENT): 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
[Fri May 26 20:21:59.054773 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(140): [client 75.166.150.58:58268] mod_dumpio: dumpio_in [speculative-nonblocking] 1 readbytes
[Fri May 26 20:21:59.056133 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(151): [client 75.166.150.58:58268] mod_dumpio: dumpio_in - 11

What was 75.166.150.58 trying to do to 13.55.51.221 using my server (rDNS lookup returns nothing)? Did it succeed?

Answer 1

This does look like probing. If your web server and the applications on it are up to date, then you have already done almost everything you can. This is exactly what you absolutely want to log. Just get a logging solution that lets you search the logs and build histograms.

Whether you can use fail2ban depends on your legitimate traffic. If legitimate traffic does not reach 150+ queries in 300 minutes, then fail2ban can be configured without affecting legitimate traffic.
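To check a rule like the one in the question against an access log before loading it into fail2ban, and to see how the maxretry/findtime threshold the answer refers to would behave, here is an added Python example (not code from the question, the answer, or the fail2ban project). It substitutes fail2ban's `<HOST>` tag with a simplified IPv4-only pattern (an assumption; fail2ban's real pattern also covers IPv6 and hostnames), runs the failregex over a few constructed log lines modelled on the ones above, measures the cadence per source address, and applies a sliding-window count that approximates how fail2ban counts hits within findtime. All function and constant names are mine.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Apache combined log format. The 88.207.37.105 lines
# mirror the 122-second cadence shown in the question; 192.0.2.10 is a
# hypothetical legitimate visitor used as a control (TEST-NET-1 address).
SAMPLE_LOG = """\
88.207.37.105 - - [20/May/2017:18:11:47 +0000] "POST / HTTP/1.1" 200 23110 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"
88.207.37.105 - - [20/May/2017:18:13:49 +0000] "POST / HTTP/1.1" 200 19641 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"
88.207.37.105 - - [20/May/2017:18:15:51 +0000] "POST / HTTP/1.1" 200 19629 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"
88.207.37.105 - - [20/May/2017:18:17:53 +0000] "POST / HTTP/1.1" 200 23136 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"
192.0.2.10 - - [20/May/2017:18:12:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.10 - - [20/May/2017:18:12:03 +0000] "POST /contact HTTP/1.1" 200 812 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

# The question's rule, written as a fail2ban failregex. fail2ban requires the
# <HOST> tag so it knows which address to ban; the dot in 1.1 is escaped.
FAILREGEX = r'^<HOST> - - \[[^\]]+\] "POST / HTTP/1\.1" 200 \d+ "-"'

# Simplified stand-in for fail2ban's <HOST> expansion (assumption: IPv4 only).
HOST_PATTERN = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'

APACHE_TS = '%d/%b/%Y:%H:%M:%S %z'


def compile_failregex(failregex=FAILREGEX):
    """Expand <HOST> the way fail2ban does (approximately) and compile."""
    return re.compile(failregex.replace('<HOST>', HOST_PATTERN))


def parse_timestamp(line):
    """Pull the bracketed Apache timestamp out of a combined-format line."""
    m = re.search(r'\[([^\]]+)\]', line)
    return datetime.strptime(m.group(1), APACHE_TS)


def matches_by_host(log_text, failregex=FAILREGEX):
    """Return {host: [timestamps]} for every line the failregex flags."""
    rx = compile_failregex(failregex)
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = rx.match(line)
        if m:
            hits[m.group('host')].append(parse_timestamp(line))
    return {host: sorted(ts) for host, ts in hits.items()}


def intervals(timestamps):
    """Seconds between consecutive hits from one host."""
    return [int((b - a).total_seconds()) for a, b in zip(timestamps, timestamps[1:])]


def is_periodic(timestamps, expected=120, tolerance=5, min_hits=3):
    """True when a host shows the steady beacon-like cadence from the question."""
    if len(timestamps) < min_hits:
        return False
    return all(abs(gap - expected) <= tolerance for gap in intervals(timestamps))


def would_ban(timestamps, maxretry, findtime):
    """Sliding-window approximation of fail2ban: does any window of findtime
    seconds contain at least maxretry hits?"""
    ts = sorted(timestamps)
    start = 0
    for end in range(len(ts)):
        while (ts[end] - ts[start]).total_seconds() > findtime:
            start += 1
        if end - start + 1 >= maxretry:
            return True
    return False


if __name__ == '__main__':
    for host, ts in matches_by_host(SAMPLE_LOG).items():
        print(host, 'hits:', len(ts), 'intervals:', intervals(ts),
              'periodic:', is_periodic(ts),
              'ban(maxretry=3, findtime=600):', would_ban(ts, 3, 600))
```

The regex only flags a bare `POST /`, so the control host's `POST /contact` does not count against it; the cadence check is a separate signal you can use to confirm the hits are automated before tightening maxretry. Once a failregex reads well here, `fail2ban-regex` with the real access log and the filter file is the authoritative test, and the jail's own findtime/maxretry should be set against the legitimate POST rate the answer mentions.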