I haven't written anything for a long time, mainly because things have been so busy lately: some idiot has been using webbench to attack the company's server every day.
As the saying goes, a long illness makes you your own doctor, so today this quack doctor will share his chapter on automatic attack protection.
First, the general deployment of the attacked website. The site runs on nginx + MySQL + PHP, deployed on two servers, one for the web front end and one for the database. The web server only opens port 80 and runs CentOS; the database server sits on the intranet. The attacker's method is actually very simple: use the webbench stress-testing tool to send a large number of requests to the server. Each request triggers a database query before the page content is read and returned, so the flood causes a large amount of data exchange between the database and the web server and can even push MySQL to its connection limit, at which point requests are rejected. On top of that, the attacker has plenty of time and keeps changing the source IP address, so blocking IP addresses by hand in the firewall is pointless.
At the beginning, my approach was to use PHP to read the attacker's User-Agent header and check whether the visitor was webbench; if so, die() right away. This worked as far as it went: the database was no longer queried, so it no longer hit its connection limit. But the other side kept sending requests at a high rate, which still consumed a serious amount of network bandwidth. It seemed I had to think of something else, and I finally came up with a solution that proved workable in practice, so I am sharing it here. My approach is actually very simple: use PHP to read the User-Agent header and check whether the source is webbench. If it is, write a shell file on the server whose content is the rule that blocks that IP address. Then use chmod to make the file executable. Then have the cron service pick up the file and execute it, which blocks the IP address. The whole process is fully automated with no human intervention. In addition, when an address is blocked, an email is sent to notify me of the kill.
The specific implementation code is as follows:
<?php
// Send a UTF-8 notification mail; throws if the recipient address is not valid.
function sMail($to, $tit, $msg) {
    if (filter_var($to, FILTER_VALIDATE_EMAIL) === false) {
        throw new Exception('email address verification failed!');
    }
    $tit = '=?UTF-8?B?' . base64_encode($tit) . '?=';
    // On Windows, a period at the beginning of a line is deleted by mail();
    // to avoid this problem, replace such a period with two periods.
    $msg = str_replace("\n.", "\n..", $msg);
    return mail($to, $tit, $msg, 'From: No-reply@adm.bossadm.com.tw' . "\n" . 'Content-Type: text/html; charset=UTF-8');
}

if (isset($_SERVER['HTTP_USER_AGENT']) && trim($_SERVER['HTTP_USER_AGENT']) != '') {
    $_SERVER['HTTP_USER_AGENT'] = strtolower($_SERVER['HTTP_USER_AGENT']);
    if (stristr($_SERVER['HTTP_USER_AGENT'], 'webbench') !== false) {
        $p = '/home/www/webbench.sh';
        $_SERVER['REMOTE_ADDR'] = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
        // Write the blocking rule as an executable script; cron picks it up and runs it.
        file_put_contents($p, "#!/bin/bash\niptables -I INPUT -s {$_SERVER['REMOTE_ADDR']} -j DROP;\n", LOCK_EX);
        chmod($p, 0755);
        chown($p, 'www');
        sMail('see7di@gmail.com', '[WebBench started again by http://www.7di.net]!', date('Y-m-d H:i:s', time()) . " {$_SERVER['REMOTE_ADDR']}");
        header('Location: http://127.0.0.1');
        die();
    }
}
Later I made a further optimization: I moved the email notification into the shell file and no longer send it from PHP, because the PHP version fills up your mailbox. The previous snippet, modified accordingly:
<?php
if (isset($_SERVER['HTTP_USER_AGENT']) && trim($_SERVER['HTTP_USER_AGENT']) != '') {
    $_SERVER['HTTP_USER_AGENT'] = strtolower($_SERVER['HTTP_USER_AGENT']);
    if (stristr($_SERVER['HTTP_USER_AGENT'], 'webbench') !== false) {
        $p = '/home/www/webbench.sh';
        $_SERVER['REMOTE_ADDR'] = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
        // The script now both blocks the address and sends the notification when cron runs it.
        file_put_contents(
            $p,
            "#!/bin/bash\n"
            . "iptables -I INPUT -s {$_SERVER['REMOTE_ADDR']} -j DROP;\n"
            . "echo \"{$_SERVER['REMOTE_ADDR']} - `date`\" | mail -s \"WebBench-www.7di.net\" see7di@gmail.com\n",
            LOCK_EX
        );
        chmod($p, 0755);
        chown($p, 'www');
        header('Location: http://127.0.0.1');
        die();
    }
}
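The post never shows the cron side, and its scheme has three rough edges a practitioner would want handled: the PHP side overwrites the script with LOCK_EX, so if two addresses arrive between cron ticks only the last one is blocked; re-running the same script every minute inserts the same DROP rule again and again; and whatever the web user wrote into that file is executed by root without any check. The following is an added example, not the post's own code, of the cron-side consumer rewritten so that it does not execute the web-written file at all. It assumes a different contract from the post: the PHP detector appends one client address per line to a queue file (assumed path /home/www/webbench.queue) and root's crontab runs this script every minute (an assumed entry such as `* * * * * /home/www/block_queue.sh`). It also assumes `iptables -C` is available to test for an existing rule. Everything in the queue is treated as untrusted: only well-formed IPv4 addresses reach iptables, each address is blocked once, and the subject line and mail command mirror the post's own notification.

```shell
#!/bin/sh
# Cron-side consumer for the block queue (added example; not the post's own code).
# Assumed layout: the PHP detector appends one client address per line to $QUEUE
# instead of overwriting an executable script, and root's crontab runs this file
# every minute, e.g.:   * * * * * /home/www/block_queue.sh
QUEUE="${QUEUE:-/home/www/webbench.queue}"   # assumed path
IPTABLES="${IPTABLES:-iptables}"             # overridable so the logic can be tested without a firewall
MAILTO="${MAILTO:-}"                         # empty means no notification mail

# is_ipv4 ADDR: succeed only for a plain dotted quad with octets 0-255.
# The queue is written by the web user, so this is the gate that keeps anything
# that is not an address out of the root-run iptables command.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_old_ifs
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        [ "$_octet" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# already_blocked ADDR: succeed if INPUT already holds a DROP rule for ADDR.
already_blocked() {
    "$IPTABLES" -C INPUT -s "$1" -j DROP 2>/dev/null
}

# process_queue: block each new, valid address exactly once, consume the queue,
# and print the number of rules inserted.
process_queue() {
    if [ ! -s "$QUEUE" ]; then
        echo 0
        return 0
    fi
    # Work on a snapshot so lines appended while we run are picked up next time.
    _snap="$QUEUE.$$"
    mv "$QUEUE" "$_snap"
    _blocked=0
    for _ip in $(sort -u "$_snap"); do
        if ! is_ipv4 "$_ip"; then
            echo "skipping invalid queue entry: $_ip" >&2
            continue
        fi
        if already_blocked "$_ip"; then
            continue
        fi
        "$IPTABLES" -I INPUT -s "$_ip" -j DROP
        _blocked=$((_blocked + 1))
        if [ -n "$MAILTO" ]; then
            echo "$_ip - $(date)" | mail -s "WebBench-www.7di.net" "$MAILTO"
        fi
    done
    rm -f "$_snap"
    echo "$_blocked"
}

# Only act when invoked as the cron script itself, not when sourced.
case "$0" in
    *block_queue.sh) process_queue ;;
esac
```

On the PHP side this pairs with `file_put_contents($queue, $_SERVER['REMOTE_ADDR'] . "\n", FILE_APPEND | LOCK_EX)` in place of the script-writing call. Two caveats apply whichever variant is used: REMOTE_ADDR is the TCP peer as seen by nginx, so if a proxy or load balancer sits in front, every block would land on the proxy's address rather than the client's; and the 'unknown' fallback the post writes when REMOTE_ADDR is unset is exactly the kind of entry the validation above discards instead of handing to iptables.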