How to block these with fail2ban?
45.154.255.147 - - [25/May/2021:08:32:40 -0700] "GET /search.php?q=xgp%2F%2A%2A%2Fbangla%2F%2A%2A%2Fcom%27%20PROCEDURE%20ANALYSE%28EXTRACTVALUE%281915%2CCONCAT%280x5c%2C0x71707a6271%2C%28SELECT%20%28CASE%20WHEN%20%281915%3D1915%29%20THEN%201%20ELSE%200%20END%29%29%2C0x7176767071%29%29%2C1%29%20AND%20%27uOyt%27%3D%27uOyt HTTP/1.1" 200 11884 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:2.0b11pre) Gecko/20110129 Firefox/4.0b11pre"
46.232.249.138 - - [25/May/2021:08:36:28 -0700] "GET /search.php?q=xgp%2F%2A%2A%2Fbangla%2F%2A%2A%2Fcom%27%29%20PROCEDURE%20ANALYSE%28EXTRACTVALUE%281915%2CCONCAT%280x5c%2C0x71707a6271%2C%28SELECT%20%28CASE%20WHEN%20%281915%3D1915%29%20THEN%201%20ELSE%200%20END%29%29%2C0x7176767071%29%29%2C1%29%20AND%20%28%27BInS%27%20LIKE%20%27BInS HTTP/1.1" 200 10092 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:2.0b11pre) Gecko/20110129 Firefox/4.0b11pre"
45.129.56.200 - - [25/May/2021:08:36:37 -0700] "GET /search.php?q=xgp%2F%2A%2A%2Fbangla%2F%2A%2A%2Fcom%27%20PROCEDURE%20ANALYSE%28EXTRACTVALUE%281915%2CCONCAT%280x5c%2C0x71707a6271%2C%28SELECT%20%28CASE%20WHEN%20%281915%3D1915%29%20THEN%201%20ELSE%200%20END%29%29%2C0x7176767071%29%29%2C1%29%20AND%20%27htVh%27%20LIKE%20%27htVh HTTP/1.1" 200 11910 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:2.0b11pre) Gecko/20110129 Firefox/4.0b11pre"
23.129.64.232 - - [25/May/2021:08:36:39 -0700] "GET /search.php?q=xgp%2F%2A%2A%2Fbangla%2F%2A%2A%2Fcom%22%29%20PROCEDURE%20ANALYSE%28EXTRACTVALUE%281915%2CCONCAT%280x5c%2C0x71707a6271%2C%28SELECT%20%28CASE%20WHEN%20%281915%3D1915%29%20THEN%201%20ELSE%200%20END%29%29%2C0x7176767071%29%29%2C1%29%20AND%20%28%22CSNy%22%3D%22CSNy HTTP/1.1" 200 10054 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:2.0b11pre) Gecko/20110129 Firefox/4.0b11pre"
23.129.64.232 - - [25/May/2021:08:36:45 -0700] "GET /search.php?q=xgp%2F%2A%2A%2Fbangla%2F%2A%2A%2Fcom%22%20PROCEDURE%20ANALYSE%28EXTRACTVALUE%281915%2CCONCAT%280x5c%2C0x71707a6271%2C%28SELECT%20%28CASE%20WHEN%20%281915%3D1915%29%20THEN%201%20ELSE%200%20END%29%29%2C0x7176767071%29%29%2C1%29%20AND%20%22NYRo%22%3D%22NYRo HTTP/1.1" 200 10043 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:2.0b11pre) Gecko/20110129 Firefox/4.0b11pre"
Found with:
sudo grep "EXTRACTVALUE" /var/log/httpd/access.log
Answer 1
Well, the regex could be something like:
^<ADDR> \S+ \S+ \[\] "GET /search\.php\?[^"]*EXTRACTVALUE[^"]*"
But this is not recommended:
- the service currently seems to respond with 200, so it looks like a valid request (no parameter validation?);
- it may affect legitimate users (accidentally sending some "evil" words in a query);
- an intruder can easily evade the ban by changing the SQL statement (switching to other functions, splitting EXTRACTVALUE into two words, switching to an HTTP POST method where the q parameter is not logged, etc.);
- proper prevention of SQL injection makes such an "attack" pointless and harmless.
If it is really needed, it is better to prevent such "attacks" on the server side (e.g. in search.php or in the API it uses) and to respond with a 50x code to such URL parameters after validation. Then a fail2ban filter that checks for 50x codes can ban it as well.
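As an added example that is not part of the original answer: the keyword regex from the answer, with `<ADDR>` expanded, run over constructed log lines with Python's re module as a stand-in for fail2ban's matching, next to a 50x-status filter of the kind the answer recommends. The addresses, requests and the `matches` helper are constructed for this illustration.

```python
import re

# fail2ban expands <ADDR> to its host/IP pattern; a plain IPv4 group is used here.
ADDR = r"(?P<addr>\d{1,3}(?:\.\d{1,3}){3})"

# fail2ban strips the matched date before applying failregex, hence the "\[\]" in
# the answer; this stand-in matches the date in place instead.
DATE = r"\[[^\]]*\]"

# The keyword filter from the answer: bans on EXTRACTVALUE in the GET query string.
KEYWORD_RE = re.compile(
    ADDR + r' \S+ \S+ ' + DATE + r' "GET /search\.php\?[^"]*EXTRACTVALUE[^"]*"'
)

# A status-based filter for the recommended setup: server-side validation rejects
# bad parameters with a 50x code, and fail2ban bans on that code regardless of
# the HTTP method or where the payload travelled.
STATUS_RE = re.compile(
    ADDR + r' \S+ \S+ ' + DATE + r' "\S+ /search\.php[^"]*" 50\d '
)

# Constructed sample log lines (not from the original question).
LOG = [
    # the pattern from the question: injection in q, answered with 200
    '203.0.113.10 - - [25/May/2021:08:32:40 -0700] "GET /search.php?q=x%27%20PROCEDURE%20ANALYSE%28EXTRACTVALUE%281%2C1%29%2C1%29 HTTP/1.1" 200 11884 "-" "curl/7.0"',
    # a legitimate user searching for the MySQL function by name
    '198.51.100.7 - - [25/May/2021:08:33:01 -0700] "GET /search.php?q=mysql+EXTRACTVALUE+tutorial HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    # same search via POST: the body is not in the access log, still 200
    '203.0.113.11 - - [25/May/2021:08:33:15 -0700] "POST /search.php HTTP/1.1" 200 11884 "-" "curl/7.0"',
    # after server-side validation: rejected POST and GET both yield 500
    '203.0.113.12 - - [25/May/2021:08:34:02 -0700] "POST /search.php HTTP/1.1" 500 210 "-" "curl/7.0"',
    '203.0.113.13 - - [25/May/2021:08:34:10 -0700] "GET /search.php?q=%27 HTTP/1.1" 500 210 "-" "curl/7.0"',
]


def matches(pattern, lines):
    """Return, in order, the addresses the pattern would report to fail2ban."""
    found = []
    for line in lines:
        m = pattern.match(line)
        if m:
            found.append(m.group("addr"))
    return found


if __name__ == "__main__":
    # The keyword filter bans the legitimate user and misses the POST request;
    # the status filter only fires once validation is in place, on either method.
    print("keyword filter:", matches(KEYWORD_RE, LOG))
    print("status filter: ", matches(STATUS_RE, LOG))
```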