A record of fighting forum auto-posting bots

Source: Internet
Author: User

I help a friend maintain the server for his website. Recently traffic shot up, and so did the load on the server. Looking at the nginx log, there were large numbers of POST requests to a few specific PHP scripts; a single IP address would send four or five POSTs in one second, almost all to reg.php, login.php and article_add.php. Clearly a group of bots, or people running automatic posting machines, were hammering the site.

In the best case they only post advertisements; in the worst case they post trojans. The forum and backend PHP on this site have no vulnerability that the registration and posting bots can exploit, so this is pure brute-force spamming, but it still eats a considerable amount of system resources and bandwidth: every request goes through to the backend and hits MySQL, normal visitors find the site very slow, and the bandwidth is saturated.

The server runs FreeBSD, which is very stable, and ipfw is easy to compile into the kernel and load. At first, though, I underestimated these guys and tried to block them by hand: pick the IP addresses out of the log, then run ipfw add for each one. After more than an hour of that I gave up, wrote two scripts to do the job, and put them in crontab to run automatically.

Script 1: collect the IP addresses of the auto-posters -- tail.sh

  #!/bin/sh
  # Follow the log (-F survives rotation), keep hits on the bot-targeted scripts, print the
  # client IP, drop the admin IP; --line-buffered/fflush() avoid stdio block buffering.
  tail -F /var/log/nginx-access.log | grep --line-buffered -E "/member/article_add.php|/member/login.php|/include/vdimgck.php" \
    | awk '{print $1; fflush()}' | grep --line-buffered -vFx your_admin_ip >> /usr/local/etc/nginx/ipfw.rules.tmp &

In detail: tail -F follows the log continuously, and -F (unlike -f) follows the file by name, so it keeps working after the log has been rotated. grep -E matches any of the targeted scripts, awk prints the client IP address (the first field of the nginx log line), grep -v drops your own remote-management IP address, and the result is appended to a temporary file, ipfw.rules.tmp. If grep is run with --line-buffered and awk calls fflush(), every match reaches the file immediately instead of waiting for the stdio output buffer to fill. Note that a single request to login.php is enough to put an address on the list, so ordinary users who log in get blocked along with the bots; only the admin IP address is spared. A per-address rate threshold is the safer criterion.

The script only needs to be started once; it keeps running in the background (note the trailing &). Do not start it repeatedly, or every copy appends to the same file.
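A stricter way to pick out the bots than script 1's one-hit-and-you-are-listed rule is to count POSTs per client per minute and list only the addresses that cross a threshold; that matches the four-or-five-requests-a-second pattern seen in the log and spares an ordinary user who logs in once. The following is an added example, not code from the original post: an sh/awk filter run over constructed nginx combined-format log lines (the addresses, timestamps and the 203.0.113.9 admin address are made up). It reads the log on stdin, so the same filter can be fed from a file or from tail.

```shell
#!/bin/sh
# Added example (not from the original post): flag clients that POST to the
# bot-targeted scripts at least THRESHOLD times within one minute.
# Usage: flag_posting_bots THRESHOLD ADMIN_IP < nginx-access.log
flag_posting_bots() {
    awk -v thr="$1" -v admin="$2" \
        -v pat='/member/article_add.php|/member/login.php|/include/vdimgck.php' '
        $1 == admin { next }              # never list the remote-management address
        $6 == "\"POST" && $7 ~ pat {      # $6 is the quoted method, $7 the request path
            # $4 looks like [12/Mar/2013:10:15:01 -> bucket key 12/Mar/2013:10:15
            minute = substr($4, 2, 17)
            hits[$1 SUBSEP minute]++
        }
        END {
            for (k in hits)
                if (hits[k] >= thr) { split(k, part, SUBSEP); flagged[part[1]] = 1 }
            for (ip in flagged) print ip
        }' | LC_ALL=C sort -u
}

# Constructed sample log (nginx combined format). 27.159.1.10 and 27.159.2.20 play
# the bots, 198.51.100.5 is an ordinary user, 203.0.113.9 is the admin.
SAMPLE_LOG='27.159.1.10 - - [12/Mar/2013:10:15:01 +0800] "POST /member/login.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
27.159.1.10 - - [12/Mar/2013:10:15:01 +0800] "POST /member/article_add.php HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
27.159.1.10 - - [12/Mar/2013:10:15:02 +0800] "POST /member/article_add.php HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
27.159.1.10 - - [12/Mar/2013:10:15:02 +0800] "POST /member/login.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
27.159.1.10 - - [12/Mar/2013:10:15:02 +0800] "POST /member/article_add.php HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
27.159.2.20 - - [12/Mar/2013:10:15:30 +0800] "POST /member/article_add.php HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
27.159.2.20 - - [12/Mar/2013:10:15:31 +0800] "POST /member/article_add.php HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
27.159.2.20 - - [12/Mar/2013:10:15:31 +0800] "POST /member/article_add.php HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
27.159.2.20 - - [12/Mar/2013:10:15:59 +0800] "POST /member/article_add.php HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
27.159.2.20 - - [12/Mar/2013:10:16:05 +0800] "POST /member/article_add.php HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
198.51.100.5 - - [12/Mar/2013:10:15:10 +0800] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.5 - - [12/Mar/2013:10:15:40 +0800] "POST /member/login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.5 - - [12/Mar/2013:10:20:02 +0800] "POST /member/article_add.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2013:10:15:05 +0800] "POST /member/login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2013:10:15:05 +0800] "POST /member/login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2013:10:15:06 +0800] "POST /member/login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2013:10:15:06 +0800] "POST /member/login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

# Threshold 4 per minute: lists 27.159.1.10 and 27.159.2.20, nobody else.
printf '%s\n' "$SAMPLE_LOG" | flag_posting_bots 4 203.0.113.9
```

Because the counting happens in awk's END block, the filter only reports once its input ends, so it does not belong behind tail -F the way script 1 does; run it from cron over the recent part of the log instead (for example tail -n 20000 of the access log piped into it, appending the result to ipfw.rules.tmp), which fits the every-few-hours rhythm of script 2 anyway.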

 

Script 2: turn the collected addresses into ipfw rules -- ipfw.sh

  1. #!/bin/sh
  2. cat /usr/local/etc/nginx/ipfw.rules.tmp | sort -u > /usr/local/etc/nginx/ipfw.rules
  3.
  4. ipfw -f flush
  5.
  6. ipfw add 00100 allow ip from any to any via lo0
  7. ipfw add 00200 deny ip from any to 127.0.0.0/8
  8. ipfw add 00300 deny ip from 127.0.0.0/8 to any
  9. ipfw add 00400 deny ip from any to ::1
  10. ipfw add 00500 deny ip from ::1 to any
  11. ipfw add 00600 allow ipv6-icmp from :: to ff02::/16
  12. ipfw add 00700 allow ipv6-icmp from fe80::/10 to fe80::/10
  13. ipfw add 00800 allow ipv6-icmp from fe80::/10 to ff02::/16
  14. ipfw add 00900 allow ipv6-icmp from any to any ip6 icmp6types 1
  15. ipfw add 01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
  16.
  17. ipfw add 10010 deny udp from any to any 80
  18.
  19. seq=10100
  20. for i in $(cat /usr/local/etc/nginx/ipfw.rules); do
  21.         ipfw add $seq deny all from $i to any 80
  22.         seq=$(($seq+1))
  23. done

Line by line:

02. Deduplicate (sort -u) the temporary file that script 1 keeps appending to and write the result to a fresh file. To block whole class C ranges (/24) instead of individual hosts, replace line 02 with:

  cat /usr/local/etc/nginx/ipfw.rules.tmp | awk -F'.' '{print $1"."$2"."$3".0/24"}' | sort -u > /usr/local/etc/nginx/ipfw.rules

04. Flush all existing ipfw rules (-f suppresses the confirmation prompt). Note that the rule set this script rebuilds has no final allow rule, so it relies on the firewall's default policy being accept (IPFIREWALL_DEFAULT_TO_ACCEPT in the kernel, or net.inet.ip.fw.default_to_accept=1 when ipfw is loaded as a module); with the default deny policy this line would cut the server off, your own SSH session included.

06-15. FreeBSD's stock ipfw rules (loopback handling and the mandatory IPv6 ICMP rules). Line 04 wiped them along with everything else, so they have to be put back here.

17. Drop UDP to port 80. A web server never needs it, and this is what blocks the so-called Aladdin DDoS attack, a UDP flood aimed at port 80. The packets are discarded in the kernel before nginx ever sees them, although they still consume inbound bandwidth on the way in.

19. Rule numbers start at 10100.

20. Loop over the deduplicated address list.

21. Add rule $seq: deny all traffic from $i to any host on port 80.

22. Increment the rule number.

ipfw allows several rules, even several addresses, under one rule number. The number is incremented per address because ipfw deletes by rule number, not by address: if every address shared one number, a single ipfw delete would drop them all at once. With one rule per address, letting a specific IP address back in is just deleting its rule number. Two things to watch as the list grows: line 04 leaves the host with no rules at all until the script finishes, and every packet is checked against the deny rules one after another, so several hundred of them add up on a busy server. ipfw lookup tables (ipfw table) avoid both problems: one rule matches the whole table, and entries are added and removed individually with ipfw table N add and ipfw table N delete.
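The table-based variant, as an added example that is not part of the original post: the block list from script 2 (single hosts or the /24 form, one per line) is loaded into an ipfw lookup table, a single deny rule references the table, and individual addresses can be removed again without touching anything else. Table number 1 and rule number 10100 are arbitrary choices, and the rest of the rule set is never flushed. Setting IPFW=echo prints the ipfw commands instead of running them, which is how the example is exercised on a machine without ipfw.

```shell
#!/bin/sh
# Added example (not from the original post): keep the blocked addresses in an
# ipfw lookup table so one rule covers them all and entries can be added or
# removed individually. Table 1 and rule 10100 are arbitrary; the rest of the
# rule set is left alone, no flush.
IPFW=${IPFW:-ipfw}      # set IPFW=echo to print the commands instead of running them

# Install the single deny rule once. Deleting first keeps this idempotent,
# because ipfw will happily add a second rule under the same number.
install_block_rule() {
    $IPFW delete 10100 2>/dev/null || true
    $IPFW add 10100 deny ip from 'table(1)' to any dst-port 80
}

# Rebuild table 1 from stdin: one IPv4 address or CIDR per line, e.g. the
# ipfw.rules file written by line 02 of script 2 (either form works).
# The table is empty only for the moment between flush and the last add;
# every other rule stays in force throughout.
refresh_blocklist() {
    $IPFW table 1 flush 2>/dev/null || true     # table may not exist yet
    LC_ALL=C sort -u | while read -r addr; do
        case "$addr" in
            "")  continue ;;                    # skip blank lines
            */*) $IPFW table 1 add "$addr" ;;   # already a CIDR range
            *)   $IPFW table 1 add "$addr/32" ;;
        esac
    done
}

# Let one address (or range) back in; nothing else changes.
unblock() {
    $IPFW table 1 delete "$1"
}

# Dry run, printing the commands rather than applying them:
#   IPFW=echo; install_block_rule
#   IPFW=echo; refresh_blocklist < /usr/local/etc/nginx/ipfw.rules
```

For the cron job, install_block_rule runs once at boot (or from rc.firewall) and refresh_blocklist runs every few hours with ipfw.rules on stdin; ipfw table 1 list shows what is currently blocked.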

I put the script in crontab to run once every 12 hours; in practice I also ran it manually several times. After a little more than two hours nearly 300 IP addresses had been blocked. The largest number were from Putian, Fujian, followed by Xiamen, Quanzhou and Fuzhou; there were some from other provinces too, but few.

 

A Google search shows that Putian, Xiamen and Quanzhou in Fujian are China's biggest distribution centres for spam and spam posts. If you see IP addresses from those three places you can block the whole range outright, for example 27.159.0.0/16. Bear in mind that a /16 is 65,536 addresses and also locks out every legitimate visitor on that ISP, so keep a record of the ranges you add.

 

If you are more familiar with iptables, the same script converts easily to iptables for use on Linux.

These auto-registering, auto-posting bots are a real nuisance for forums.

Note: when tail's output goes straight to the screen it appears immediately, but when it is written through a pipe to a file it passes through the stdio output buffer, which is only flushed to disk when it fills (at 16 KB). So if only a few attacker addresses are arriving, the temporary file stays empty for a while after the script starts. Running grep with --line-buffered and calling fflush() in awk flushes each match as soon as it is produced.

 

This article is from the "practice test truth" blog. For more information, contact the author!
