A simple PHP approach to countering CC attacks: lessons learned

Source: Internet
Author: User
Tags vps
The author summarizes some problems encountered during a CC attack and some ways of countering such attacks; readers who need them can use this as a reference.

1, log in to the VPS control panel and be ready to restart the VPS at any time.
2, shut down the web server first; the high load makes every subsequent operation difficult and can even make it impossible to log in over SSH.
3, just in case, disable the web server's automatic start at boot.
(If you can no longer log in to the system, and after a reboot the load is again too high to log in, ask the administrator of the host machine to block the VPS's IP or port 80 on the host machine, log in to the system through the virtual console, perform steps 2 and 3, and then lift the block.)

Two, identify the attacker's IP

1, create the file ip.php in the root of the website with the following content.

<?php
// Append to the log files from PHP instead of shelling out to echo:
// X-Forwarded-For is client-controlled text and must never reach a shell.
$real_ip = getenv('HTTP_X_FORWARDED_FOR');

// getenv() returns false when the header is absent, so isset() would always be true here.
if ($real_ip !== false) {
    file_put_contents('real_ip.txt', $real_ip . "\n", FILE_APPEND | LOCK_EX);
    file_put_contents('proxy.txt', $_SERVER['REMOTE_ADDR'] . "\n", FILE_APPEND | LOCK_EX);
} else {
    file_put_contents('ips.txt', $_SERVER['REMOTE_ADDR'] . "\n", FILE_APPEND | LOCK_EX);
}

echo 'The server is under attack and is collecting the sources of the attack. Please visit the site again after 5 minutes; repeated visits within the 5 minutes may be treated as an attack source and the IP blocked. Thank you for your cooperation!';
?>

2, set up URL rewriting so that every request to the site is rewritten to ip.php.
Nginx rules:

rewrite (.*) /ip.php;

Lighttpd rules:

url.rewrite = (
    "^/(.+)/?$" => "/ip.php"
)

3, start the web server and begin collecting IPs
After completing steps 1 and 2, start the web server and begin logging IP information.
A collection time of 3-5 minutes is recommended; then shut the web server down again.
real_ip.txt: more than 80% of the IPs stored in this file will be the same one; that IP is the IP of the platform the attacker is running the attack from.
proxy.txt: this file holds the IPs of the proxy servers the attacker is using; these need to be blocked.
ips.txt: this file records the IPs that show no proxy server characteristics; use the number of visits to decide whether each one is an attack source.

Three, a supplement to the previous section
If web logs are enabled on the VPS, you can tell which site is being attacked by how fast its log file is growing.
If logging is not enabled and the number of sites is small, temporarily enabling logging is also convenient.
If logging is not enabled and there are too many sites, you can use a temporary web server configuration file that binds no virtual hosts and defines only a default site. Then add the following line to ip.php.

// The Host header is client-controlled, so write it from PHP rather than through a shell.
file_put_contents('domain.txt', $_SERVER['HTTP_HOST'] . "\n", FILE_APPEND | LOCK_EX);

domain.txt will record the domain names that were requested; the site under CC attack will account for the majority of the entries.

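Four, start blocking IPs
Create a file ban.php

<?php
$threshold = 10;

// Each line of ips.txt is one request; count the requests per IP.
$ips = array_count_values(array_map('trim', file('ips.txt')));
$ban_num = 0;

foreach ($ips as $ip => $num) {
    // Only act on well-formed addresses, and quote them before they reach the shell.
    if ($num > $threshold && filter_var($ip, FILTER_VALIDATE_IP)) {
        $cmd = 'iptables -I INPUT -p tcp --dport 80 -s ' . escapeshellarg($ip) . ' -j DROP';
        shell_exec($cmd);
        echo "$ip banned!\n";
        $ban_num++;
    }
}

// Proxy addresses are blocked regardless of how often they appear.
$proxy_arr = array_unique(array_map('trim', file('proxy.txt')));

foreach ($proxy_arr as $proxy) {
    if (!filter_var($proxy, FILTER_VALIDATE_IP)) {
        continue; // skip blank or malformed lines
    }
    $cmd = 'iptables -I INPUT -p tcp --dport 80 -s ' . escapeshellarg($proxy) . ' -j DROP';
    shell_exec($cmd);
    echo "$proxy banned!\n";
    $ban_num++;
}

echo "Total: $ban_num ips\n";
?>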

Execute the script with the following command (make sure the php command is in PATH)

php ban.php

This script relies on the results saved in ips.txt in section two; when the number of recorded visits from an IP exceeds 10, that IP is blocked as an attack source. Proxy servers are blocked directly, without checking the number of visits.
After the IPs have been blocked, restore all site settings to normal and the site can continue to run normally.
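
A dry-run review of the collected files before any rule is applied, as an added example that is not part of the original article: it validates every entry, reports how dominant the top X-Forwarded-For address is, and returns the iptables commands instead of running them. The function names, the $allow list of addresses that must never be blocked, and the sample addresses are assumptions constructed for illustration.

```php
<?php
// Added example, not the article's code. $allow is an assumed allowlist parameter.

// Count valid IPs in collected lines; X-Forwarded-For may hold "client, proxy1, proxy2".
function count_ips(array $lines): array
{
    $counts = [];
    foreach ($lines as $line) {
        $first = trim(explode(',', $line)[0]);       // leftmost entry = claimed client
        if (filter_var($first, FILTER_VALIDATE_IP) === false) {
            continue;                                 // drop blank or malformed entries
        }
        $counts[$first] = ($counts[$first] ?? 0) + 1;
    }
    arsort($counts);                                  // most frequent first
    return $counts;
}

// Return the iptables commands ban.php would run, without executing them.
function plan_bans(array $ipLines, array $proxyLines, int $threshold, array $allow): array
{
    $targets = array_keys(array_filter(count_ips($ipLines), fn($n) => $n > $threshold));
    $targets = array_merge($targets, array_keys(count_ips($proxyLines)));
    $cmds = [];
    foreach (array_unique($targets) as $ip) {
        if (in_array($ip, $allow, true)) {
            continue;                                 // never lock out your own access
        }
        $cmds[] = 'iptables -I INPUT -p tcp --dport 80 -s ' . escapeshellarg($ip) . ' -j DROP';
    }
    return $cmds;
}

// Constructed sample data (documentation address ranges) standing in for the three files.
$realIp = ["198.51.100.7\n", "198.51.100.7, 203.0.113.9\n", "198.51.100.7\n", "garbage; entry\n"];
$ips    = array_merge(array_fill(0, 12, "203.0.113.20\n"), ["192.0.2.5\n", "192.0.2.5\n"]);
$proxy  = ["203.0.113.9\n", "203.0.113.9\n", "192.0.2.99\n"];

$real = count_ips($realIp);
$top  = array_key_first($real);
printf("dominant X-Forwarded-For: %s (%.0f%% of valid entries)\n",
    $top, 100 * $real[$top] / array_sum($real));
foreach (plan_bans($ips, $proxy, 10, ['192.0.2.99']) as $cmd) {
    echo $cmd, "\n";
}
```

Because X-Forwarded-For is set by the client, real_ip.txt is used here only for the report; the ban targets come from the REMOTE_ADDR values in ips.txt and proxy.txt.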
