我的 HTTPS 服务器这几天都运行缓慢,所以我查看了日志文件(access.log,我用的是 apache2)。我发现我的服务器被大量 400 错误淹没了:
如果我更改 apache 配置以停止监听端口 443,则大量查询将停止(但我的网站将无法访问 x))
我尝试添加一些 iptables 规则。我通过示例尝试了这些规则:
/sbin/iptables -N SYN_FLOOD
/sbin/iptables -A INPUT -p tcp --syn -j SYN_FLOOD
/sbin/iptables -A SYN_FLOOD -m limit --limit 10/s --limit-burst 10 -j RETURN
/sbin/iptables -A SYN_FLOOD -j DROP
(来源)
当我添加最后一条规则(-A SYN_FLOOD -j DROP
)时,洪水停止了(太棒了!)但我的网站再次变得无法访问:/
我对服务器管理和 iptable 命令的了解非常有限...为什么我的网站在实施这些规则后变得无法访问?我应该修改什么?也许使用 iptable 不是解决我问题的好方法?
谢谢您的帮助/解释:)
编辑(在 petitradisgris 回答之后):
我今晚安装并配置了 fail2ban。我添加了这些 jails:
> cat /etc/fail2ban/jail.local
# detect password authentication failures
[apache]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 3
findtime = 600
bantime = 86400
# detect potential search for exploits and php vulnerabilities
[apache-noscript]
enabled = true
port = http,https
filter = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 3
findtime = 600
bantime = 86400
# detect Apache overflow attempts
[apache-overflows]
enabled = true
port = http,https
filter = apache-overflows
logpath = /var/log/apache*/*error.log
maxretry = 2
findtime = 600
bantime = 86400
# detect failures to find a home directory on a server
[apache-nohome]
enabled = true
port = http,https
filter = apache-nohome
logpath = /var/log/apache*/*error.log
maxretry = 2
findtime = 600
bantime = 86400
[apache-fakegooglebot]
enabled = true
port = http,https
logpath = %(apache_access_log)s
maxretry = 1
ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot <ip>
[apache-badbots]
# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.
enabled = true
port = http,https
logpath = %(apache_access_log)s
bantime = 48h
maxretry = 1
##To stop DOS attack from remote host.
[http-get-dos]
enabled = true
port = http,https
filter = http-get-dos
logpath = /var/log/apache*/access.log
maxretry = 400
findtime = 400
bantime = 200
ignoreip = 127.0.0.1
action = iptables[name=HTTP, port=http, protocol=tcp]
[iptables-dropped]
enabled = true
filter = iptables-dropped
banaction = iptables-allports
port = all
logpath = /var/log/messages
bantime = 1800
maxretry = 3
我的监狱的配置似乎没问题:
> sudo fail2ban-client status
Status
|- Number of jail: 9
`- Jail list: apache, apache-badbots, apache-fakegooglebot, apache-nohome, apache-noscript, apache-overflows, http-get-dos, iptables-dropped, sshd
今天早上,fail2ban 禁止了 IP,但仅限于sshd
监狱中的 IP(奇怪……):
> sudo cat /var/log/fail2ban.log* | grep Ban
2022-06-13 07:07:59,185 fail2ban.actions [529]: NOTICE [sshd] Ban 23.94.194.115
2022-06-13 07:08:32,529 fail2ban.actions [529]: NOTICE [sshd] Ban 43.156.122.114
2022-06-13 07:09:10,601 fail2ban.actions [529]: NOTICE [sshd] Ban 182.156.209.222
2022-06-13 07:09:18,831 fail2ban.actions [529]: NOTICE [sshd] Ban 186.10.125.209
2022-06-13 07:09:30,867 fail2ban.actions [529]: NOTICE [sshd] Ban 139.59.21.115
2022-06-13 07:11:15,736 fail2ban.actions [529]: NOTICE [sshd] Ban 213.136.90.174
2022-06-13 07:11:45,799 fail2ban.actions [529]: NOTICE [sshd] Ban 154.194.12.69
2022-06-13 07:14:50,174 fail2ban.actions [529]: NOTICE [sshd] Ban 43.156.124.5
2022-06-13 07:18:09,188 fail2ban.actions [529]: NOTICE [sshd] Ban 118.27.106.123
2022-06-13 07:18:55,509 fail2ban.actions [529]: NOTICE [sshd] Ban 104.248.89.194
2022-06-13 07:19:05,742 fail2ban.actions [529]: NOTICE [sshd] Ban 23.94.194.115
2022-06-13 07:19:11,811 fail2ban.actions [529]: NOTICE [sshd] Ban 43.154.104.24
2022-06-13 07:19:45,166 fail2ban.actions [529]: NOTICE [sshd] Ban 178.35.169.154
2022-06-13 07:20:36,453 fail2ban.actions [529]: NOTICE [sshd] Ban 139.59.21.115
2022-06-13 07:20:55,694 fail2ban.actions [529]: NOTICE [sshd] Ban 43.156.122.114
2022-06-13 07:21:33,806 fail2ban.actions [529]: NOTICE [sshd] Ban 186.10.125.209
2022-06-13 07:22:10,109 fail2ban.actions [529]: NOTICE [sshd] Ban 27.74.254.115
2022-06-13 07:22:56,385 fail2ban.actions [529]: NOTICE [sshd] Ban 213.136.90.174
2022-06-13 07:24:10,698 fail2ban.actions [529]: NOTICE [sshd] Ban 154.194.12.69
2022-06-13 07:25:34,062 fail2ban.actions [529]: NOTICE [sshd] Ban 104.248.62.102
2022-06-13 07:26:21,350 fail2ban.actions [529]: NOTICE [sshd] Ban 43.154.171.84
2022-06-13 07:29:57,842 fail2ban.actions [529]: NOTICE [sshd] Ban 118.27.106.123
2022-06-13 07:31:46,106 fail2ban.actions [529]: NOTICE [sshd] Ban 139.59.21.115
2022-06-13 07:33:49,576 fail2ban.actions [529]: NOTICE [sshd] Ban 27.74.254.115
2022-06-13 07:33:50,797 fail2ban.actions [529]: NOTICE [sshd] Ban 186.10.125.209
2022-06-13 07:34:22,899 fail2ban.actions [529]: NOTICE [sshd] Ban 213.136.90.174
2022-06-13 07:37:13,410 fail2ban.actions [529]: NOTICE [sshd] Ban 104.248.62.102
2022-06-13 07:38:07,498 fail2ban.actions [529]: NOTICE [sshd] Ban 43.154.171.84
2022-06-13 07:38:16,138 fail2ban.actions [529]: NOTICE [sshd] Ban 177.229.215.234
2022-06-13 07:40:44,582 fail2ban.actions [529]: NOTICE [sshd] Ban 104.248.89.194
2022-06-13 07:45:30,321 fail2ban.actions [529]: NOTICE [sshd] Ban 27.74.254.115
2022-06-13 07:46:31,019 fail2ban.actions [529]: NOTICE [sshd] Ban 186.10.125.209
2022-06-13 07:48:59,939 fail2ban.actions [529]: NOTICE [sshd] Ban 104.248.62.102
2022-06-13 07:49:51,227 fail2ban.actions [529]: NOTICE [sshd] Ban 43.154.171.84
2022-06-13 07:50:01,263 fail2ban.actions [529]: NOTICE [sshd] Ban 177.229.215.234
2022-06-13 07:50:59,390 fail2ban.actions [529]: NOTICE [sshd] Ban 46.19.137.50
2022-06-13 07:57:09,964 fail2ban.actions [529]: NOTICE [sshd] Ban 27.74.254.115
2022-06-13 08:01:50,508 fail2ban.actions [529]: NOTICE [sshd] Ban 43.154.171.84
2022-06-13 08:02:04,542 fail2ban.actions [529]: NOTICE [sshd] Ban 177.229.215.234
2022-06-13 08:02:39,206 fail2ban.actions [529]: NOTICE [sshd] Ban 104.248.89.194
2022-06-13 08:14:18,245 fail2ban.actions [529]: NOTICE [sshd] Ban 43.129.209.91
2022-06-13 08:16:07,008 fail2ban.actions [529]: NOTICE [sshd] Ban 167.99.158.168
2022-06-13 08:16:50,289 fail2ban.actions [529]: NOTICE [sshd] Ban 43.128.101.73
2022-06-13 08:24:37,536 fail2ban.actions [529]: NOTICE [sshd] Ban 104.248.89.194
2022-06-13 08:25:21,615 fail2ban.actions [529]: NOTICE [sshd] Ban 43.129.209.91
洪水总是在这里……
sudo tail -f /var/log/apache2/site1_access.log /var/log/apache2/site2_access.log /var/log/apache2/site2_access.log
...
180.190.87.231 - - [13/Jun/2022:08:30:15 +0200] "GET / HTTP/1.0" 400 0 "-" "-"
111.71.212.176 - - [13/Jun/2022:08:30:15 +0200] "GET / HTTP/1.0" 400 0 "-" "-"
39.112.83.149 - - [13/Jun/2022:08:30:15 +0200] "GET / HTTP/1.0" 400 0 "-" "-"
115.186.169.59 - - [13/Jun/2022:08:30:15 +0200] "GET / HTTP/1.0" 400 0 "-" "-"
61.15.198.157 - - [13/Jun/2022:08:30:15 +0200] "GET / HTTP/1.0" 400 0 "-" "-"
183.222.197.241 - - [13/Jun/2022:08:30:15 +0200] "GET / HTTP/1.0" 400 0 "-" "-"
114.45.171.90 - - [13/Jun/2022:08:30:15 +0200] "GET / HTTP/1.0" 400 0 "-" "-"
61.62.148.146 - - [13/Jun/2022:08:30:15 +0200] "GET / HTTP/1.0" 400 0 "-" "-"
1.173.221.202 - - [13/Jun/2022:08:30:15 +0200] "GET / HTTP/1.0" 400 0 "-" "-"
27.82.146.136 - - [13/Jun/2022:08:30:15 +0200] "GET / HTTP/1.0" 400 0 "-" "-"
27.109.247.56 - - [13/Jun/2022:08:30:15 +0200] "GET / HTTP/1.0" 400 0 "-" "-"
180.177.24.124 - - [13/Jun/2022:08:30:15 +0200] "GET / HTTP/1.0" 400 0 "-" "-"
116.49.174.155 - - [13/Jun/2022:08:30:15 +0200] "GET / HTTP/1.0" 400 0 "-" "-"
61.231.235.55 - - [13/Jun/2022:08:30:15 +0200] "GET / HTTP/1.0" 400 0 "-" "-"
14.192.212.91 - - [13/Jun/2022:08:30:15 +0200] "GET / HTTP/1.0" 400 0 "-" "-"
219.91.104.20 - - [13/Jun/2022:08:30:15 +0200] "GET / HTTP/1.0" 400 0 "-" "-"
60.49.40.31 - - [13/Jun/2022:08:30:15 +0200] "GET / HTTP/1.0" 400 0 "-" "-"
60.49.40.31 - - [13/Jun/2022:08:30:15 +0200] "GET / HTTP/1.0" 400 0 "-" "-"
171.97.223.126 - - [13/Jun/2022:08:30:15 +0200] "GET / HTTP/1.0" 400 0 "-" "-"
61.38.43.211 - - [13/Jun/2022:08:30:16 +0200] "GET / HTTP/1.0" 400 0 "-" "-"
120.231.123.126 - - [13/Jun/2022:08:30:16 +0200] "GET / HTTP/1.0" 400 0 "-" "-"
221.184.60.12 - - [13/Jun/2022:08:30:16 +0200] "GET / HTTP/1.0" 400 0 "-" "-"
113.43.210.22 - - [13/Jun/2022:08:30:16 +0200] "GET / HTTP/1.0" 400 0 "-" "-"
180.190.87.231 - - [13/Jun/2022:08:30:16 +0200] "GET / HTTP/1.0" 400 0 "-" "-"
115.43.157.151 - - [13/Jun/2022:08:30:16 +0200] "GET / HTTP/1.0" 400 0 "-" "-"
122.100.135.240 - - [13/Jun/2022:08:30:16 +0200] "GET / HTTP/1.0" 400 0 "-" "-"
117.183.115.211 - - [13/Jun/2022:08:30:16 +0200] "GET / HTTP/1.0" 400 0 "-" "-"
223.86.195.24 - - [13/Jun/2022:08:30:16 +0200] "GET / HTTP/1.0" 400 0 "-" "-"
122.100.145.152 - - [13/Jun/2022:08:30:16 +0200] "GET / HTTP/1.0" 400 0 "-" "-"
112.120.167.195 - - [13/Jun/2022:08:30:16 +0200] "GET / HTTP/1.0" 400 0 "-" "-"
36.229.143.45 - - [13/Jun/2022:08:30:16 +0200] "GET / HTTP/1.0" 400 0 "-" "-"
110.26.97.247 - - [13/Jun/2022:08:30:16 +0200] "GET / HTTP/1.0" 400 0 "-" "-"
121.171.109.192 - - [13/Jun/2022:08:30:16 +0200] "GET / HTTP/1.0" 400 0 "-" "-"
113.254.111.51 - - [13/Jun/2022:08:30:16 +0200] "GET / HTTP/1.0" 400 0 "-" "-"
112.104.89.188 - - [13/Jun/2022:08:30:16 +0200] "GET / HTTP/1.0" 400 0 "-" "-"
14.192.212.91 - - [13/Jun/2022:08:30:16 +0200] "GET / HTTP/1.0" 400 0 "-" "-"
36.238.159.112 - - [13/Jun/2022:08:30:16 +0200] "GET / HTTP/1.0" 400 0 "-" "-"
219.91.104.20 - - [13/Jun/2022:08:30:16 +0200] "GET / HTTP/1.0" 400 0 "-" "-"
198.16.63.120 - - [13/Jun/2022:08:30:16 +0200] "GET / HTTP/1.0" 400 0 "-" "-"
115.87.13.52 - - [13/Jun/2022:08:30:16 +0200] "GET / HTTP/1.0" 400 0 "-" "-"
61.231.235.55 - - [13/Jun/2022:08:30:16 +0200] "GET / HTTP/1.0" 400 0 "-" "-"
121.6.78.165 - - [13/Jun/2022:08:30:16 +0200] "GET / HTTP/1.0" 400 0 "-" "-"
121.109.135.202 - - [13/Jun/2022:08:30:16 +0200] "GET / HTTP/1.0" 400 0 "-" "-"
183.227.201.149 - - [13/Jun/2022:08:30:16 +0200] "GET / HTTP/1.0" 400 0 "-" "-"
61.38.43.211 - - [13/Jun/2022:08:30:16 +0200] "GET / HTTP/1.0" 400 0 "-" "-"
112.120.167.195 - - [13/Jun/2022:08:30:16 +0200] "GET / HTTP/1.0" 400 0 "-" "-"
180.94.189.179 - - [13/Jun/2022:08:30:16 +0200] "GET / HTTP/1.0" 400 0 "-" "-"
59.149.254.6 - - [13/Jun/2022:08:30:16 +0200] "GET / HTTP/1.0" 400 0 "-" "-"
...
我发现了“fail2ban”,也许是 jails 的 ma 配置中缺失或有错误?
答案1
尝试在你的 Linux 系统中安装“fail2ban”软件:此链接中的教程
默认配置应该有帮助。
如果没有,您可以轻松编写一些特定规则来智能地阻止这些流量(禁止 IP 执行太多类似的特定请求)。
编辑:这里有一个可能适合您的问题的监狱的例子:
[ban-400]
logpath = /var/log/f2b-400.log
filter =
port = 80,443
failregex = ^<ADDR> \S+ \S+(?: \[\])? "[^"]*" 400\s
enabled = true
然而:
- 出现 400 错误的实际请求对我来说似乎是有效的,所以根据我的理解,它们应该返回 200。
- 这些 IP 可能来自网络抓取工具(网络浏览器)和其他类似的东西...所以您不想禁止旨在通过网络浏览器引用您的 IP...对吗?
因此,您应该考虑解决此错误 400 问题,其中您的 apache2 应该报告 200 状态代码。您是否在配置中禁用了 http1.0?
编辑:关于您的 iptable SYN_FLOOD。
问题在于,SYN 请求是合法通信的一部分。
此外,由于您使用的是 TCP,因此 SYN 请求(可能还有 SYN/ACK)会被多次发送到服务器,直到得到响应。
因此,服务器将计算每个主机(每秒)的 SYN 请求数,并且 iptables 规则将阻止它们......