Server crashing with OOM every night because of multiple malicious POST requests?

So it seems that every night around midnight, some server in China tries to access my Drupal site. Judging from the logs, it sends the same request every 61 seconds (probably to avoid being flagged by the firewall). The request is a POST to the user registration page, and whatever it is, it appears to tie up an Apache process, so a new Apache process gets spawned every minute until the server runs out of memory and goes comatose. I have of course blocked the IP at the firewall, but I'd like to figure out why the request locks up Apache. What's the best way to debug this?

Here is the Apache status log:

Srv PID Acc M   CPU SS  Req Conn    Child   Slot    Client  VHost   Request
0-0 7331    0/8/65  W   8.84    687 0   0.0 0.08    0.35    192.74.226.108  ---.org POST /user/register HTTP/1.1
1-0 6409    0/33/33 W   13.58   206 0   0.0 8.16    8.16    94.228.34.211   ---.org GET /clinic-design/forum/all/jweddingtonMD HTTP/1.1
2-0 6410    0/3/3   W   6.19    648 0   0.0 0.00    0.00    192.74.226.108  --.org  POST /user/register HTTP/1.1
3-0 6411    0/27/27 W   6.83    254 0   0.0 0.11    0.11    157.55.34.25    --.org  GET /chd/membership/individual-members HTTP/1.1
4-0 6412    0/25/25 W   13.34   201 0   0.0 0.17    0.17    192.74.226.108  --.org  POST /user/register HTTP/1.1
5-0 6417    0/3/3   W   8.10    566 0   0.0 0.03    0.03    192.74.226.108  --.org  POST /user/register HTTP/1.1
6-0 7531    0/0/19  W   6.05    323 0   0.0 0.00    0.06    192.74.226.108  --.org  POST /user/register HTTP/1.1
7-0 6428    0/19/19 W   11.50   223 0   0.0 0.44    0.44    192.74.226.108  --.org  POST /user/register HTTP/1.1
8-0 7447    0/6/13  W   1.98    444 0   0.0 0.04    0.04    192.74.226.108  --.org  POST /user/register HTTP/1.1
9-0 6842    0/38/38 W   13.33   262 0   0.0 0.38    0.38    192.74.226.108  --.org  POST /user/register HTTP/1.1
10-0    7499    0/0/14  W   0.00    405 0   0.0 0.00    0.05    192.74.226.108  --.org  POST /user/register HTTP/1.1
11-0    6845    0/22/22 W   11.11   505 0   0.0 0.23    0.23    192.74.226.108  --.org  POST /user/register HTTP/1.1
12-0    6953    1/64/64 W   14.08   930 0   0.0 0.83    0.83    192.74.226.108  --.org  POST /user/register HTTP/1.1
13-0    6954    0/10/10 W   3.09    282 0   0.0 0.47    0.47    192.74.226.108  --.org  POST /user/register HTTP/1.1
14-0    7502    0/0/74  W   0.00    384 0   0.0 0.00    0.98    192.74.226.108  --.org  POST /user/register HTTP/1.1
15-0    7191    0/52/113    W   26.77   466 0   0.0 0.53    1.06    192.74.226.108  --.org  POST /user/register HTTP/1.1
16-0    7010    0/77/77 W   11.89   869 0   0.0 0.58    0.58    192.74.226.108  --.org  POST /user/register HTTP/1.1
17-0    7023    0/67/67 W   8.52    892 0   0.0 0.80    0.80    192.74.226.108  --.org  POST /user/register HTTP/1.1
18-0    7358    0/0/37  W   7.63    809 0   0.0 0.00    0.56    192.74.226.108  --.org  POST /user/register HTTP/1.1
19-0    7437    0/17/79 W   10.23   161 0   0.0 0.16    4.08    157.55.34.25    --.org  GET /--/membership/individual-members HTTP/1.0
20-0    7100    0/74/74 W   6.51    831 0   0.0 0.79    0.79    192.74.226.108  --.org  POST /user/register HTTP/1.1
21-0    7192    0/44/47 W   5.94    626 0   0.0 1.40    1.40    192.74.226.108  --.org  POST /user/register HTTP/1.1
22-0    7126    0/37/37 W   10.65   770 0   0.0 3.15    3.15    192.74.226.108  --.org  POST /user/register HTTP/1.1
23-0    7183    1/20/20 W   5.27    952 0   0.0 0.03    0.03    192.74.226.108  --.org  POST /user/register HTTP/1.1
24-0    7503    0/4/34  W   3.14    206 0   0.0 0.00    0.20    66.249.73.106   --.org  GET /--/membership/student-members?order=city&sort=desc&last_n
25-0    7193    0/35/35 W   14.07   748 0   0.0 1.04    1.04    192.74.226.108  --.org  POST /user/register HTTP/1.1
26-0    7566    0/0/15  W   1.67    194 0   0.0 0.00    0.02    94.228.34.211   --.org  GET /clinic-design/forum?page=0%2C5 HTTP/1.1
27-0    7400    0/18/19 W   8.04    527 0   0.0 0.08    0.08    192.74.226.108  --.org  POST /user/register HTTP/1.1
28-0    7401    0/0/0   W   0.00    709 0   0.0 0.00    0.00    192.74.226.108  --.org  POST /user/register HTTP/1.1
29-0    7402    0/2/2   W   0.00    588 0   0.0 0.00    0.00    192.74.226.108  --.org  POST /user/register HTTP/1.1
30-0    7569    0/2/6   W   0.00    141 0   0.0 0.00    0.00    192.74.226.108  --.org  POST /user/register HTTP/1.1
31-0    7465    0/5/6   W   3.15    345 0   0.0 0.05    0.05    192.74.226.108  --.org  POST /user/register HTTP/1.1
32-0    7466    0/8/8   W   5.56    163 0   0.0 0.14    0.14    192.74.226.108  --.org  POST /user/register HTTP/1.1
33-0    7574    0/2/2   W   0.02    123 0   0.0 0.00    0.00    46.227.71.215   --.org  GET /aggregator/sources/1?page=1 HTTP/1.1
34-0    7577    0/7/7   W   2.10    41  0   0.0 0.00    0.00    192.74.226.108  --.org  POST /user/register HTTP/1.1
35-0    7581    0/0/0   W   0.00    168 0   0.0 0.00    0.00    113.212.69.10   --.org  GET /?q=user HTTP/1.1
36-0    7586    0/0/0   W   0.00    139 0   0.0 0.00    0.00    67.195.115.123  ---.org GET /--/conferences-events/calendar-events/environmental-stand
37-0    7587    0/0/0   W   0.00    138 0   0.0 0.00    0.00    146.251.88.193  --.org  GET /edac HTTP/1.1
38-0    7616    0/0/0   W   0.00    135 0   0.0 0.00    0.00    67.227.237.76   --.org  POST /sites/all/modules/civicrm/bin/civimail.cronjob.php HTTP/1
39-0    7617    0/1/1   W   0.00    102 0   0.0 0.01    0.01    192.74.226.108  --.org  POST /user/register HTTP/1.1
40-0    7618    0/0/0   W   0.00    134 0   0.0 0.00    0.00    157.55.32.142   --.org  GET /--/programs/awards-recognition/changemaker-award/2003-cha
41-0    7628    0/0/0   W   0.00    106 0   0.0 0.00    0.00    146.251.88.193  --.org  GET /edac HTTP/1.1
42-0    7629    0/0/0   W   0.00    105 0   0.0 0.00    0.00    157.55.32.142   --.org  GET /--/about/meet-team/ellen-taylor-aia-mba-edac HTTP/1.1
43-0    7641    0/5/5   _   1.92    9   0   0.0 0.00    0.00    66.249.73.75    store.--.org    GET /publications.html?SID=259b106f3c06e307ec810593e4b15edf&lim
44-0    7642    0/1/1   W   0.00    75  0   0.0 0.00    0.00    157.55.32.142   --.org  GET /--/resources/webinars?page=1 HTTP/1.1
45-0    7644    0/0/0   W   0.00    80  0   0.0 0.00    0.00    192.74.226.108  --.org  POST /user/register HTTP/1.1
46-0    7647    0/1/1   W   0.01    62  0   0.0 0.00    0.00    146.251.88.193  --.org  GET /edac HTTP/1.1
47-0    7660    0/0/0   W   0.00    73  0   0.0 0.00    0.00    67.195.115.123  --.org  GET /--/conferences-events/calendar-events/environmental-stand
48-0    7661    0/2/2   W   0.00    15  0   0.0 0.00    0.00    157.55.32.142   --.org  GET /--/programs/awards-recognition/changemaker-award/2003-cha
49-0    7662    0/0/0   W   0.00    45  0   0.0 0.00    0.00    157.55.32.142   --.org  GET /node/146/nurture-collegiate-healthcare-design-compet?page=
50-0    7663    0/0/0   W   0.00    53  0   0.0 0.00    0.00    67.195.115.123  --.org  GET /--/conferences-events/calendar-events/environmental-stand
51-0    7667    0/0/0   W   0.00    32  0   0.0 0.00    0.00    67.195.115.123  --.org  GET /--/conferences-events/calendar-events/environmental-stand
52-0    7669    0/0/0   W   0.00    26  0   0.0 0.00    0.00    66.249.73.106   --.org  GET /clinic-design/design-process/pre-design/plan-program-d HTT
53-0    7670    0/0/0   W   0.00    25  0   0.0 0.00    0.00    199.21.99.99    --.org  GET /resources/pubs/ HTTP/1.1
54-0    7671    0/0/0   W   0.00    19  0   0.0 0.00    0.00    192.74.226.108  --.org  POST /user/register HTTP/1.1
55-0    7673    0/1/1   W   0.00    9   0   0.0 0.00    0.00    67.195.115.123  --.org  GET /--/conferences-events/calendar-events/environmental-stand
56-0    7675    0/0/0   W   0.00    0   0   0.0 0.00    0.00    127.0.0.1   host.--.org GET /whm-server-status HTTP/1.1

Answer 1

Modify the registration page to dump $_POST to a log file. Then you'll be able to see what they're sending.

Answer 2

I've seen the same bot too, and I dealt with it by writing my own fail2ban jail for them.

This configuration is tuned to block for one day after six attempts within an hour. After several months in production it has not yet blocked a legitimate registration attempt. It does send a lot of mail, though, so you may want to adjust that...

If there is anything unusual about your log file (for example, it is not in Apache combined format), the regex may need a bit of tweaking.

The relevant section of /etc/fail2ban/jail.conf contains:

[drupal-user-register]
enabled  = true
filter   = drupal-user-register
action   = iptables-multiport[name=DrupalRegBots, port="http,https"]
           sendmail-buffered[name=DrupalRegBots, lines=5, [email protected]]
logpath  = /var/log/nginx/example.com-access.log
           /var/log/nginx/example.com-ssl-access.log
bantime  = 86400
findtime = 3600
maxretry = 6

/etc/fail2ban/filter.d/drupal-user-register.conf contains:

# Fail2Ban configuration file
#
# Author: Michael Hampton
#
# $Revision$
#

[Definition]

# Option:  failregex
# Notes.:  regex to match Drupal user registration page attempts
# Values:  TEXT
#
failregex = ^<HOST> .*(GET|POST) /user/register .*$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
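To make the jail's behaviour concrete, here is an added Python model of what fail2ban does with the filter above (example code, not part of the answer or of fail2ban itself): it applies the failregex to combined-format access log lines, keeps a sliding window of findtime=3600 seconds per host, and bans a host at maxretry=6 hits. The sample log lines and IP addresses are constructed; the `<HOST>` expansion is a simplified stand-in for fail2ban's real host pattern. Note that because the failregex says `(GET|POST)`, ordinary GETs of the register page count too, which is why the legitimate visitor in the sample stays well under the threshold.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The failregex from the jail above, with fail2ban's <HOST> placeholder replaced
# by a named group (simplified; fail2ban's own <HOST> pattern is more elaborate).
FAILREGEX = re.compile(r'^(?P<host>\S+) .*(GET|POST) /user/register .*$')
# Timestamp of an Apache/nginx combined-format line, e.g. [12/Mar/2013:00:01:02 +0000]
TS_RE = re.compile(r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]')
FINDTIME = timedelta(seconds=3600)   # jail.conf: findtime = 3600
MAXRETRY = 6                         # jail.conf: maxretry = 6

def parse_ts(line):
    m = TS_RE.search(line)
    return datetime.strptime(m.group(1), '%d/%b/%Y:%H:%M:%S') if m else None

def bans_for(lines, findtime=FINDTIME, maxretry=MAXRETRY):
    """Return {host: time_of_ban}: a host is banned at the moment it reaches
    maxretry failregex matches whose timestamps lie within findtime of each other."""
    hits = defaultdict(list)
    banned = {}
    for line in lines:
        m = FAILREGEX.match(line)
        if not m:
            continue                      # unrelated request, never counted
        host, ts = m.group('host'), parse_ts(line)
        if host in banned or ts is None:
            continue
        window = [t for t in hits[host] if ts - t <= findtime] + [ts]
        hits[host] = window               # drop hits older than findtime
        if len(window) >= maxretry:
            banned[host] = ts
    return banned

# Constructed sample log: a bot POSTing /user/register every 61 seconds,
# a legitimate visitor loading the page twice, and unrelated traffic.
SAMPLE = []
_base = datetime(2013, 3, 12, 0, 0, 0)
for _i in range(8):
    _t = (_base + timedelta(seconds=61 * _i)).strftime('%d/%b/%Y:%H:%M:%S')
    SAMPLE.append(f'203.0.113.7 - - [{_t} +0000] "POST /user/register HTTP/1.1" 200 5120 "-" "Mozilla/5.0"')
SAMPLE.append('198.51.100.4 - - [12/Mar/2013:00:03:00 +0000] "GET /user/register HTTP/1.1" 200 8000 "-" "Mozilla/5.0"')
SAMPLE.append('198.51.100.4 - - [12/Mar/2013:00:04:00 +0000] "GET /user/register HTTP/1.1" 200 8000 "-" "Mozilla/5.0"')
SAMPLE.append('198.51.100.9 - - [12/Mar/2013:00:05:00 +0000] "GET /edac HTTP/1.1" 200 100 "-" "Mozilla/5.0"')

if __name__ == '__main__':
    print(bans_for(SAMPLE))  # the bot is banned on its 6th hit; nobody else is
```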

Answer 3

The status W is "Sending Reply". An Apache server can easily get stuck in this state forever; the client just has to fail to acknowledge the packets it sends in time and shrink its receive window to something very small.

Consider running a reverse proxy such as Varnish in front, so that something other than Apache handles the tricky business of dealing with real clients.