在 AWS EC2 上部署服务器后,我经常收到一些奇怪的可疑请求,这些请求看起来很恶意。有人在寻找 wordpress、phpmyadmin、AWS 元数据和其他我从未拥有的东西。我设法用 阻止了大部分这些请求return 444
,但其中一些请求仍然通过,导致 NGINX 对其回答 400 或 404。但我不想回答,我只想拒绝它们。我应该在配置中做什么?
以下是我的配置和部分access.log
意外请求
#first site - accept only Host === first-domain.com
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name first-domain.com;
location / {
proxy_pass "backend.first-domain.com";
}
resolver 8.8.8.8;
}
#redirect all http to https if Host one of [first-domain.com, second-domain.com]
server {
listen 80;
listen [::]:80;
server_name first-domain.com second-domain.com;
return 301 https://$host$request_uri;
}
#second site - accept only Host === second-domain.com
#and location is /resource or matches to some_regexp
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name second-domain.com;
location = /resource {
if ($arg_somearg = '') {
return 400;
}
proxy_pass "backend.second-domain.com";
}
location ~ ^some_regexp$ {
proxy_pass "backend.second-domain.com";
}
location / {
return 444;
}
resolver 8.8.8.8;
}
#reject all other connection attempts
server {
listen 80 default_server;
listen [::]:80 default_server;
listen 443 default_server;
listen [::]:443 default_server;
server_name "";
return 444;
}
来自 access.log:
44.224.22.196 - - [18/Feb/2020:01:15:33 +0000] "CONNECT 3.122.236.218:80 HTTP/1.0" 400 182 "-" "-"
44.224.22.196 - - [18/Feb/2020:01:15:34 +0000] "CONNECT 3.122.236.218:80 HTTP/1.0" 400 182 "-" "-"
44.224.22.196 - - [18/Feb/2020:01:15:34 +0000] "CONNECT 3.122.236.218:80 HTTP/1.0" 400 182 "-" "-"
44.224.22.196 - - [18/Feb/2020:01:15:34 +0000] "CONNECT 3.122.236.218:80 HTTP/1.0" 400 182 "-" "-"
44.224.22.196 - - [18/Feb/2020:01:15:34 +0000] "CONNECT 3.122.236.218:80 HTTP/1.0" 400 182 "-" "-"
44.224.22.196 - - [18/Feb/2020:01:15:35 +0000] "\x16\x03\x01\x00\xD2\x01\x00\x00\xCE\x03\x03%\xAE\xD1\xED\xB8\xEC\x9Dn\xF6\x90H:F\xFE\xA65\xF3\xBB\x1E\xBEb\x94\xD3b`\x88|;\x89\x8Ed]\x00\x00b\xC00\xC0,\xC0/\xC0+\x00\x9F\x00\x9E\xC02\xC0.\xC01\xC0-\x00\xA5\x00\xA1\x00\xA4\x00\xA0\xC0(\xC0$\xC0\x14\xC0" 400 182 "-" "-"
44.224.22.196 - - [18/Feb/2020:01:15:35 +0000] "\x16\x03\x01\x00\xD2\x01\x00\x00\xCE\x03\x03\x99\x87$\xB0]M \xE4\x00\xF3e\xDB\x03\x1F\xBA\xC5\x16\xD5\x15\xAF\xF1\xBD\xD6\xD0\xA4\xB8b\xF8\xA3y\xBEB\x00\x00b\xC00\xC0,\xC0/\xC0+\x00\x9F\x00\x9E\xC02\xC0.\xC01\xC0-\x00\xA5\x00\xA1\x00\xA4\x00\xA0\xC0(\xC0$\xC0\x14\xC0" 400 182 "-" "-"
44.224.22.196 - - [18/Feb/2020:01:15:35 +0000] "\x16\x03\x01\x00\xD2\x01\x00\x00\xCE\x03\x030\xEBp\x09\xE5\x17\xCB\xA36AV\xBE\x02\xF5(M2\xC13d1\xD6L\x90~\xF9*\xE8\xFE\xC3\x094\x00\x00b\xC00\xC0,\xC0/\xC0+\x00\x9F\x00\x9E\xC02\xC0.\xC01\xC0-\x00\xA5\x00\xA1\x00\xA4\x00\xA0\xC0(\xC0$\xC0\x14\xC0" 400 182 "-" "-"
44.224.22.196 - - [18/Feb/2020:01:15:36 +0000] "\x16\x03\x01\x00\xD2\x01\x00\x00\xCE\x03\x03L\xF86\x8F\xEE\xB2u\x99\xD2\xC68b\xD8\xD7\x8C\xE5=\x0Bt\x95\x8D\x0C\xDD\x00\xFFn\xEC\x88(\xBE\x061\x00\x00b\xC00\xC0,\xC0/\xC0+\x00\x9F\x00\x9E\xC02\xC0.\xC01\xC0-\x00\xA5\x00\xA1\x00\xA4\x00\xA0\xC0(\xC0$\xC0\x14\xC0" 400 182 "-" "-"
44.224.22.196 - - [18/Feb/2020:01:15:36 +0000] "\x16\x03\x01\x00\xD2\x01\x00\x00\xCE\x03\x03" 400 182 "-" "-"
41.216.186.89 - - [18/Feb/2020:01:28:23 +0000] "\x03\x00\x00/*\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr" 400 182 "-" "-"
61.219.11.153 - - [18/Feb/2020:02:44:56 +0000] "GET / HTTP/1.1" 400 182 "-" "-"
157.55.39.6 - - [18/Feb/2020:03:52:53 +0000] "GET /robots.txt HTTP/1.1" 404 5 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
207.46.13.48 - - [18/Feb/2020:03:52:57 +0000] "GET / HTTP/1.1" 404 5 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
41.216.186.89 - - [18/Feb/2020:05:05:47 +0000] "\x03\x00\x00/*\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr" 400 182 "-" "-"
157.55.39.6 - - [18/Feb/2020:05:19:13 +0000] "GET /robots.txt HTTP/1.1" 301 194 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
157.55.39.6 - - [18/Feb/2020:05:19:14 +0000] "GET /robots.txt HTTP/1.1" 404 5 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
207.46.13.48 - - [18/Feb/2020:05:19:18 +0000] "GET / HTTP/1.1" 301 194 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
答案1
您看到这些的原因显然是因为您location /
默认将所有内容传递到了后端。
您没有说明如何阻止不良请求,因此我假设您在 Nginx 配置中创建了一个手动阻止 URL 的黑名单。默认情况下,您会接受所有请求,然后阻止所有可能 URL 的特定(非常小)子集。这可能不是一个可管理的长期解决方案。
如果可行,使用 Web 服务器配置作为 URL 白名单既简单又有效。仅接受对已知良好 URL 的请求,并拒绝其余请求。例如,如果您正在为 API 端点提供服务,则只能接受对端点 /api/v1/
或任何端点的请求。创建一个位置块,将这些请求传递到后端,然后阻止所有其他请求
location / {
return 404;
}
对于标准网站,随着网站的发展或变化,您可能无法想出一个合理的方法来维护 Nginx 配置中的白名单。在这种情况下,有出色的 WAF 解决方案可用,例如 ModSecurity 和 fail2ban。ModSecurity 和 fail2ban 具有非常不同的优势,因此它们可以很好地互补。Fail2ban 的配置要简单得多。您可能满足于让 fail2ban 阻止具有过多 4xx 响应的 IP。
https://www.nginx.com/blog/compiling-and-installing-modsecurity-for-open-source-nginx/