I have just set up a new server, and so far I have done the following:
- Secured it (no root or password login, UFW, etc.)
- Installed a LEMP stack.
After looking at the nginx error log, I found constant errors that look like attempts to break SSL from Iranian and Russian IPs. For example:
2019/09/23 17:42:38 [crit] 6611#6611: *5000095 SSL_do_handshake() failed (SSL: error:1408F0C6:SSL routines:ssl3_get_record:packet length too long) while SSL handshaking, client: 5.234.166.113, server: 0.0.0.0:443
2019/09/23 17:42:40 [crit] 6611#6611: *5000225 SSL_do_handshake() failed (SSL: error:1408F0C6:SSL routines:ssl3_get_record:packet length too long) while SSL handshaking, client: 31.2.143.221, server: 0.0.0.0:443
2019/09/23 17:42:48 [crit] 6611#6611: *5001090 SSL_do_handshake() failed (SSL: error:1408F0C6:SSL routines:ssl3_get_record:packet length too long) while SSL handshaking, client: 89.36.99.104, server: 0.0.0.0:443
2019/09/23 17:42:49 [crit] 6611#6611: *5001232 SSL_do_handshake() failed (SSL: error:1408F0C6:SSL routines:ssl3_get_record:packet length too long) while SSL handshaking, client: 86.57.113.197, server: 0.0.0.0:443
2019/09/23 17:42:50 [crit] 6611#6611: *5001276 SSL_do_handshake() failed (SSL: error:1408F0C6:SSL routines:ssl3_get_record:packet length too long) while SSL handshaking, client: 5.121.174.179, server: 0.0.0.0:443
2019/09/23 17:43:00 [crit] 6611#6611: *5002221 SSL_do_handshake() failed (SSL: error:1408F0C6:SSL routines:ssl3_get_record:packet length too long) while SSL handshaking, client: 5.74.187.51, server: 0.0.0.0:443
2019/09/23 17:43:00 [crit] 6611#6611: *5002250 SSL_do_handshake() failed (SSL: error:1408F0C6:SSL routines:ssl3_get_record:packet length too long) while SSL handshaking, client: 178.236.102.93, server: 0.0.0.0:443
2019/09/23 17:43:01 [crit] 6611#6611: *5002327 SSL_do_handshake() failed (SSL: error:1408F0C6:SSL routines:ssl3_get_record:packet length too long) while SSL handshaking, client: 5.106.78.245, server: 0.0.0.0:443
2019/09/23 17:43:05 [crit] 6611#6611: *5002733 SSL_do_handshake() failed (SSL: error:1408F0C6:SSL routines:ssl3_get_record:packet length too long) while SSL handshaking, client: 178.236.102.93, server: 0.0.0.0:443
2019/09/23 17:43:12 [crit] 6611#6611: *5003431 SSL_do_handshake() failed (SSL: error:1408F0C6:SSL routines:ssl3_get_record:packet length too long) while SSL handshaking, client: 5.212.171.209, server: 0.0.0.0:443
2019/09/23 17:43:19 [crit] 6611#6611: *5004092 SSL_do_handshake() failed (SSL: error:1408F0C6:SSL routines:ssl3_get_record:packet length too long) while SSL handshaking, client: 5.115.250.119, server: 0.0.0.0:443
2019/09/23 17:43:29 [crit] 6611#6611: *5005018 SSL_do_handshake() failed (SSL: error:1408F0C6:SSL routines:ssl3_get_record:packet length too long) while SSL handshaking, client: 158.58.64.8, server: 0.0.0.0:443
2019/09/23 17:43:34 [crit] 6611#6611: *5005514 SSL_do_handshake() failed (SSL: error:1408F0C6:SSL routines:ssl3_get_record:packet length too long) while SSL handshaking, client: 31.59.166.195, server: 0.0.0.0:443
2019/09/23 17:43:37 [crit] 6611#6611: *5005762 SSL_do_handshake() failed (SSL: error:1408F0C6:SSL routines:ssl3_get_record:packet length too long) while SSL handshaking, client: 31.2.170.98, server: 0.0.0.0:443
2019/09/23 17:43:37 [crit] 6611#6611: *5005792 SSL_do_handshake() failed (SSL: error:1408F0C6:SSL routines:ssl3_get_record:packet length too long) while SSL handshaking, client: 31.59.166.195, server: 0.0.0.0:443
Is this because my hosting company assigned me a dirty IP that was the target of previous attacks, or is there a more innocent reason?
Either way, unless I can fix this, the log will fill up quickly.
Answer 1
This does not look like a security problem. Take a look at this answer: https://stackoverflow.com/a/28010608/9361998
As a workaround (if you want to stop these requests), you can ban the IP addresses with the following script.
Note: be sure to run it as root
The theory is very simple:
- Read the nginx log and filter the SSL handshake errors
- Create a Python script that can generate the "iptables ban" commands based on a (hard-coded) threshold
If you have Python installed, you can run this simple script
import sys
import re

# Save the input data into a string
raw = sys.stdin.read().strip()
BAN_COUNT = 3
# Split the lines of the log
data = raw.split("\n")
to_ban = {}
# Iterate the lines
for item in data:
    # Extract the client IP. The line also contains "server: 0.0.0.0:443",
    # so match the address that follows "client: " rather than any dotted quad
    ip = re.findall(r"client: ([0-9]+(?:\.[0-9]+){3})", item)
    # Due to the filter, we can have only 1 client IP
    if len(ip) == 1:
        # print("Found IP to BAN -> {}".format(ip[0]))
        # If IP already found increase counter
        if ip[0] in to_ban:
            to_ban[ip[0]] += 1
        # First time that we encounter the IP, create new entry in dict
        else:
            to_ban[ip[0]] = 1
# Create iptables mask for ban
for keys in to_ban.keys():
    if to_ban[keys] >= BAN_COUNT:
        # BAN MASK
        # Use this for ban
        # ban_mask = 'iptables -A INPUT -s {} -j DROP'.format(keys)
        # Use this for test purposes
        ban_mask = 'echo "iptables -A INPUT -s {} -j DROP"'.format(keys)
        print(ban_mask)
Now that we have a Python script that takes input lines, extracts the IPs, counts how many times each one appears in the text and prints an iptables command to ban that IP, we can parse the nginx log.
Save the script as ban.py
cat /var/log/nginx/error.log | egrep "1408F0C6" | python ban.py | sh
With this method, you will ban every IP that shows handshake errors.
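The log-driven banning described in this answer, worked through as an added example; this is my own code, not the answerer's script and not part of the original post. The `1408F0C6` / "packet length too long" error from `ssl3_get_record` means the first bytes the client sent to port 443 did not parse as a TLS record, which is what scanners and misconfigured clients produce; the nuisance is log volume, not a compromise. The example assumes the nginx error_log format shown in the question, a constructed sample log using documentation addresses, a threshold of 3 failures inside a 10-minute window, and a hypothetical `NEVER_BAN` list of internal ranges. It counts per client inside a sliding window rather than over the whole file, skips other OpenSSL error codes, and inserts the firewall rule at the top of the chain, because with UFW active a rule appended with `iptables -A INPUT` lands after ufw's own jump rules and an `allow 443` rule would accept the packet before the DROP is reached.

```python
import re
import sys
import ipaddress
from collections import defaultdict, deque
from datetime import datetime

# nginx error_log line layout, as shown in the question:
#   2019/09/23 17:42:38 [crit] 6611#6611: *5000095 SSL_do_handshake() failed
#   (SSL: error:1408F0C6:SSL routines:ssl3_get_record:packet length too long)
#   while SSL handshaking, client: 5.234.166.113, server: 0.0.0.0:443
# The client address is taken from the "client: " field only; a bare dotted-quad
# regex would also match the "server: 0.0.0.0:443" field on the same line.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[\w+\] .*?"
    r"SSL_do_handshake\(\) failed \(SSL: error:(?P<code>[0-9A-Fa-f]{8}):.*?\) "
    r"while SSL handshaking, client: (?P<client>[0-9A-Fa-f.:]+), server: "
)

# Ranges that must never be banned (loopback and RFC 1918 here). This list is an
# assumption for the example; extend it with your own management networks.
NEVER_BAN = [ipaddress.ip_network(n) for n in
             ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::1/128")]


def parse_error_line(line):
    """Return (timestamp, client_ip, openssl_error_code) for a handshake-failure
    line, or None for any other line (other errors, info lines, garbage)."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
    try:
        client = ipaddress.ip_address(m.group("client"))
    except ValueError:
        return None
    return ts, str(client), m.group("code").upper()


def offenders(lines, threshold=3, window_seconds=600, error_code="1408F0C6"):
    """Clients with >= threshold failures of error_code inside any span of
    window_seconds. Lines are expected in log (chronological) order."""
    recent = defaultdict(deque)   # client -> timestamps still inside the window
    banned = set()
    for line in lines:
        parsed = parse_error_line(line)
        if parsed is None:
            continue
        ts, client, code = parsed
        if code != error_code:
            continue
        addr = ipaddress.ip_address(client)
        if any(addr in net for net in NEVER_BAN):
            continue
        q = recent[client]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()          # drop failures that fell out of the window
        if len(q) >= threshold:
            banned.add(client)
    return sorted(banned)


def ban_commands(clients, backend="iptables"):
    """Render one firewall command per client. The rule is inserted first
    (-I INPUT 1 / ufw insert 1) so it is evaluated before ufw's allow rules;
    an appended rule (-A INPUT) would sit behind them and never fire."""
    if backend == "iptables":
        return ["{} -I INPUT 1 -s {} -j DROP".format(
            "ip6tables" if ":" in c else "iptables", c) for c in clients]
    if backend == "ufw":
        return ["ufw insert 1 deny from {} to any port 443".format(c) for c in clients]
    raise ValueError("unknown backend: {}".format(backend))


# Constructed sample log (documentation addresses, not real traffic):
# 203.0.113.10 fails three times in a few seconds; 198.51.100.7 fails once,
# then twice 47 minutes later (never 3 inside one window); 198.51.100.9 hits a
# different error code; 10.0.0.5 is internal; the last line is not a failure.
SAMPLE_LOG = """\
2019/09/23 17:42:38 [crit] 6611#6611: *1 SSL_do_handshake() failed (SSL: error:1408F0C6:SSL routines:ssl3_get_record:packet length too long) while SSL handshaking, client: 203.0.113.10, server: 0.0.0.0:443
2019/09/23 17:42:40 [crit] 6611#6611: *2 SSL_do_handshake() failed (SSL: error:1408F0C6:SSL routines:ssl3_get_record:packet length too long) while SSL handshaking, client: 203.0.113.10, server: 0.0.0.0:443
2019/09/23 17:42:41 [crit] 6611#6611: *3 SSL_do_handshake() failed (SSL: error:1408F0C6:SSL routines:ssl3_get_record:packet length too long) while SSL handshaking, client: 203.0.113.10, server: 0.0.0.0:443
2019/09/23 17:42:45 [crit] 6611#6611: *4 SSL_do_handshake() failed (SSL: error:1408F0C6:SSL routines:ssl3_get_record:packet length too long) while SSL handshaking, client: 198.51.100.7, server: 0.0.0.0:443
2019/09/23 18:30:00 [crit] 6611#6611: *5 SSL_do_handshake() failed (SSL: error:1408F0C6:SSL routines:ssl3_get_record:packet length too long) while SSL handshaking, client: 198.51.100.7, server: 0.0.0.0:443
2019/09/23 18:30:01 [crit] 6611#6611: *6 SSL_do_handshake() failed (SSL: error:1408F0C6:SSL routines:ssl3_get_record:packet length too long) while SSL handshaking, client: 198.51.100.7, server: 0.0.0.0:443
2019/09/23 18:30:02 [crit] 6611#6611: *7 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking, client: 198.51.100.9, server: 0.0.0.0:443
2019/09/23 18:30:03 [crit] 6611#6611: *8 SSL_do_handshake() failed (SSL: error:1408F0C6:SSL routines:ssl3_get_record:packet length too long) while SSL handshaking, client: 10.0.0.5, server: 0.0.0.0:443
2019/09/23 18:30:04 [info] 6611#6611: *9 client closed connection while SSL handshaking, client: 203.0.113.99, server: 0.0.0.0:443
"""

if __name__ == "__main__":
    # Read the real log from stdin when piped; otherwise run on the sample.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    for cmd in ban_commands(offenders(source)):
        print(cmd)
```

Run it as `python3 ban_handshakes.py < /var/log/nginx/error.log` and read the output before piping it into `sh`; on the sample it emits a single `iptables -I INPUT 1 -s 203.0.113.10 -j DROP`. Rules added this way do not survive a reboot and never expire, which is why the maintained tool for this pattern is fail2ban with a custom nginx filter rather than a cron job appending DROP rules.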