Linux server uses php and cron to automatically block attacker ip addresses

Source: Internet
Author: User

I haven't written anything for a long time, mainly because I have been so busy recently: some idiot uses webbench to attack the company's server every day. As the saying goes, a long illness turns the patient into a doctor, so today this amateur doctor will share his automatic attack-protection setup.

First, the general deployment of the attacked website. The site runs on nginx + mysql + php, with the web server and the database on two separate machines. The web server exposes only port 80 and runs CentOS, while the database server sits on the intranet.

The attacker's method is actually very simple: use webbench, a website stress-testing tool, to send a large number of requests to the server. Every request makes the web server query the database and render what it read, so the attack causes heavy traffic between the database and the web server and can even push mysql to its connection limit, after which requests are rejected. In addition, the attacker has plenty of time and keeps changing IP addresses, so blocking an IP address by hand in the firewall is meaningless.

At the beginning, my approach was to use php to read the User-Agent header and determine whether the visitor was webbench. If it was, the script called die() and never queried the database. That is indeed effective, and the database no longer exceeds its limit. However, when the other side sends requests frequently, network bandwidth is still seriously consumed, so another method was needed. Finally I thought of a solution, and actual testing showed it to be feasible, so I am sharing it here.

In fact, my practice is very simple: use php to get the User-Agent header and determine whether the request comes from webbench. If it does, write a shell file on the server whose content is the rule for blocking that IP address, use the chmod function to make the file executable, and let the cron service read the file and block the IP address. The whole process is automated, with no human intervention. In addition, it sends me an email to notify me of the block. That's all. The specific implementation code is as follows:

    <?php
    if (isset($_SERVER['HTTP_USER_AGENT']) && trim($_SERVER['HTTP_USER_AGENT']) != '') {
        $_SERVER['HTTP_USER_AGENT'] = strtolower($_SERVER['HTTP_USER_AGENT']);
        if (stristr($_SERVER['HTTP_USER_AGENT'], 'webbench') !== false) {
            $p = '/home/www/webshells.sh';
            $_SERVER['REMOTE_ADDR'] = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknow';

            // Write the blocking rule that cron will execute
            file_put_contents($p, "#!/bin/bash\niptables -I INPUT -s {$_SERVER['REMOTE_ADDR']} -j DROP;\n", LOCK_EX);
            chmod($p, 0755);
            chown($p, 'www');

            function sMail($to, $tit, $msg) {
                if (filter_var($to, FILTER_VALIDATE_EMAIL) == '') {
                    throw new Exception('!');
                }
                $tit = '=?UTF-8?B?' . base64_encode($tit) . '?=';
                // On Windows a period at the start of a line is deleted;
                // replace it with two periods to avoid this problem
                $msg = str_replace("\n.", "\n..", $msg);
                return mail($to, $tit, $msg, 'From: No-reply@adm.bossadm.com.tw' . "\n" . 'Content-Type: text/html; charset=UTF-8');
            }
            sMail('see7di@gmail.com', '[WebBench started again - http://www.7di.net]!', date('Y-m-d H:i:s', time()) . " {$_SERVER['REMOTE_ADDR']}");

            header('Location: http://127.0.0.1');
            die();
        }
    }

Then I made another improvement and moved the email into the shell file. I no longer use php to send emails, because that will blow up your mailbox. The code above changes to:

    <?php
    if (isset($_SERVER['HTTP_USER_AGENT']) && trim($_SERVER['HTTP_USER_AGENT']) != '') {
        $_SERVER['HTTP_USER_AGENT'] = strtolower($_SERVER['HTTP_USER_AGENT']);
        if (stristr($_SERVER['HTTP_USER_AGENT'], 'webbench') !== false) {
            $p = '/home/www/webshells.sh';
            $_SERVER['REMOTE_ADDR'] = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknow';

            // The shell file now blocks the address and sends the notification itself
            file_put_contents($p, "#!/bin/bash\niptables -I INPUT -s {$_SERVER['REMOTE_ADDR']} -j DROP;\necho \"{$_SERVER['REMOTE_ADDR']} - `date`\" | mail -s \"WebBench-www.7di.net\" see7di@gmail.com\n", LOCK_EX);
            chmod($p, 0755);
            chown($p, 'www');

            header('Location: http://127.0.0.1');
            die();
        }
    }
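
The cron side of this scheme, as an added example that is not the author's code: the job that runs iptables needs root, so executing a script the www account can rewrite lets anything that can write as www run commands as root, and each request overwrites the previously written address. This version assumes the PHP page instead appends REMOTE_ADDR as one line to a data file (QUEUE, a hypothetical path, as are the function names), and the root job validates every line before it reaches iptables.

```shell
#!/bin/sh
# Added example, not the author's code. Assumption: the PHP page appends one
# client address per line to QUEUE (plain data) instead of writing a script.
# QUEUE, IPTABLES and the function names are hypothetical.
QUEUE="${QUEUE:-/home/www/webbench.queue}"
IPTABLES="${IPTABLES:-iptables}"

# Succeeds only for a dotted-quad IPv4 address: four octets, each 0-255,
# no leading zeros, and no character other than digits and dots.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; safe because only digits/dots remain
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Reads candidate lines on stdin and prints each valid address once.
filter_queue() {
    while IFS= read -r line || [ -n "$line" ]; do
        if valid_ipv4 "$line"; then printf '%s\n' "$line"; fi
    done | sort -u
}

# Moves the queue aside, then inserts one DROP rule per new address.
block_queued() {
    [ -s "$QUEUE" ] || return 0
    batch="$QUEUE.$$"
    mv -- "$QUEUE" "$batch" || return 1
    filter_queue < "$batch" | while IFS= read -r ip; do
        # -C checks for an existing rule, so repeated runs add no duplicates.
        "$IPTABLES" -C INPUT -s "$ip" -j DROP 2>/dev/null ||
            "$IPTABLES" -I INPUT -s "$ip" -j DROP
    done
    rm -f -- "$batch"
}

# Root's crontab calls this script with the argument "run".
if [ "${1:-}" = run ]; then block_queued; fi
```

The script itself should be owned by root and not writable by www; only the queue file is shared with the web server.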
