Linux Nginx VPS Under simple solution cc attack _nginx

One, prepare to work

1, login into the VPS Control Panel, ready to reboot the VPS at any time.

2, shut down the Web server first, too much load will cause the subsequent operation is difficult, or even directly unable to login SSH.

3, just in case, the setting of the Web server system started automatically run away.

(If you can not log in to the system, and restart after the overload caused by the boot has been unable to log on, you can contact the Administrator on the machine tool to seal off the IP or 80-port of the VPS, in the Machine tool with Virtual Console login system, and then carry out 2&3 operation, after the solution

Second, identify the attacker IP

1, create the file ip.php in the root directory of the website, and write the following content.

<?php $real _ip = getenv (' http_x_forwarded_for '); if (Isset ($real _ip)) { Shell_exec ("Echo $real _ip > Real_ip.txt"); Shell_exec ("Echo $_server[' remote_addr ']> proxy.txt"); }else{ Shell_exec ("Echo $_server[' Remote_addr"] > Ips.txt ")" } Echo ' Server is under attack, is collecting the attack source, please visit this station in 5 minutes, visit this station in 5 minutes several times may be treated as the source of the attack to seal off the IP. Thank you for your cooperation! '; ?>

2, set pseudo static, all the visits under the website are rewrite to ip.php.

Nginx Rules: Rewrite (. *)/ip.php; LIGHTTPD Rules: Url.rewrite = ( "^/(. +)/?$" => "/ip.php" )

3, start Web server to start collecting IP

After you have set up 1 and 2, start the Web Server and start recording IP information.

The collection time is recommended for 3-5 minutes, and then the Web Server is closed again.

Real_ip.txt, this file contains more than 80% of the IP stored in the same, this IP is the attacker to implement the platform IP.

Proxy.txt, this file holds the IP of the proxy server invoked by the attacker, and needs to be sealed off.

Ips.txt, this record is not showing the characteristics of the proxy server IP, based on the number of visits to determine whether the source of the attack.

Third, the supplementary to the previous paragraph

If web logs are enabled on a VPS, you can view the growth of the log file to determine which site is being attacked.

If logging is not enabled and the number of sites is small, it is also convenient to temporarily enable logging.

If logging is not enabled and there are too many sites, you can use a temporary Web server configuration file, do not bind a virtual host, and set up a default site. Then add the following line to the ip.php.

Shell_exec ("Echo $_server[' http_host ']>> domain.txt");

Domain.txt will save the visited domain name, the CC attack site will occupy the vast majority.

Four, start plugging IP

Create a file ban.php

? $threshold = 10; $ips = array_count_values (file (' Ips.txt ')); $ban _num = 0; foreach ($ips as $ip => $num) { if ($num > $threshold) { $ip = Trim ($IP); $cmd = "Iptables-i input-p tcp--dport 80-s $ip-j DROP"; Shell_exec ($cmd); echo "$ip baned!"; $ban _num + +; } } $proxy _arr = array_unique (file (' Ips.txt ')) ' foreach ($proxy _arr as $proxy) { $proxy = Trim ($proxy); $cmd = "Iptables-i input-p tcp--dport 80-s $ip-j DROP"; Shell_exec ($cmd); echo "$ip baned!"; $ban _num + +; } echo "Total: $ban _num IPs"; ?>

Execute the script with the following command (make sure the PHP command is in path)

PHP ban.php

This script relies on the results saved in Ips.txt in the second paragraph, where the number of IP accesses recorded is more than 10 times and is blocked as an attack source. If it is a proxy server, then do not judge the number of times directly sealed off.

After the completion of IP, all the Web site settings back to normal, the site can continue to run normally.

Five, some details

In order to keep the description of the operation as concise as possible, did not add too much explanation in the above content, stay in this paragraph of unified narration.

1, about the nature of "proxy Server"

Two values associated with the Tcp&http protocol, REMOTE_ADDR and Http_x_forwarded_for.

(1) Remote_addr always take away from the Web server the closest one host IP, if not using the proxy, this value is the visitor's own IP, if the use of proxy, this value is the proxy server IP, if the connection through multiple proxy servers, This value is the IP of the last proxy server before reaching the Web server.

REMOTE_ADDR is determined by the TCP/IP layer and cannot be modified without forgery.

(2) Http_x_forwarded_for, because this value belongs to the HTTP part, not TCP/IP, so this value, regardless of what it is, does not affect the transmission of data. In fact, under normal circumstances, this value is null if the visitor accesses the Web server directly, and this value is set by the proxy server as the visitor's IP through the transparent proxy, which may be either empty or random for the proxy server's IP when connected through an anonymous proxy.

Http_x_forwarded_for can be arbitrarily modified. Most proxy servers are transparent proxies, which means that the value is set to the IP of the original visitor.

2, about solving the CC attack level problem

Arrange by processing efficiency from high to low.

(as this article is for the VPS server to write, and VPS simply is the server low-end alternatives, memory and CPU resources generally low, of course, the higher the processing efficiency, the better.) ）

(1) Network transport layer. This is the iptables used in this article, the tool itself is working in the system kernel, when establishing network connection directly to the attacker's connection to the. After the attack source is disposed of at this level, the resources consumed are almost negligible.

(2) The Web server layer, most Web servers can set IP that is blocked from being accessed. The meaning of the solution on this level is similar to the above, but the efficiency is worse.

(3) script layer, from the script to develop the appropriate strategy to filter out the source of the attack. There are many popular solutions at this level on the web, but they are not suitable for VPS, and setting the difficulty may be several times or dozens of times times more difficult.

3, why not collect IP from log?

Mainly consider two points, one is that most VPS users because the hard disk space is too small, often clear log is cumbersome, and directly prohibit the log.

Second, if you collect IP from the log, the script complexity is much higher, and may be based on the situation to make some adjustments, considering that the majority of people will read this article may not master more technology, the purpose of this article is step-by-step according to this article to operate, you can solve the problem.