Nginx site attacked continuously for 1 month: the final anti-attack strategy
Last month, after the whole architecture had been migrated to the cloud, things were generally more stable and business volume picked up, and then the lovely bad guys arrived: 7x24 malicious attacks on my site. The first alarm I received said that inbound traffic to the site had exceeded 1000000 bps more than 3 times within 1 minute, roughly 1M/s; we normally never see that much traffic. I was at a friend's place at the time, so I hurriedly opened the laptop, connected to the VPN and checked: every request was hitting the same page, and every one was a normal HTTP 200, which looked like a malicious attack.
Discovering the problem:
I located the first response to the problem and hurriedly sent the request address to the developers, asking what exactly it was.
It turned out to be the SMS verification code interface. According to later statistics, during the sustained attack more than 16000 SMS messages were lost in one hour.
[screenshot: 01.png]
Solving the problem:
Of course, the problem had to be solved immediately. The first fix was a shell script run from cron every minute: it counts requests to the SMS interface per client IP over the last 10 seconds and drops offenders with iptables, and the firewall is restarted at 0 o'clock every night to release the IPs. This basically stopped the attack and was used for about half a month.
#!/bin/bash
#write: lijing qq 858080796
#date: 20160528 v2.0
#description: Intercept Illegal IP
# Variables
RETVAL=0
Date=$(date '+%Y-%m-%d')
MON=$(date | awk -F " " '{print $2}')      # month name as written in the nginx log, e.g. May
TODAY=$(date | awk -F " " '{print $3}')    # day of month, e.g. 28
LOGS="/data/logs/nginx/access.log"
LINE="70000"                               # number of trailing log lines to inspect
# Keyword
Key01="sendPhoneCode"
Status=/tmp/status_deny_ip
/sbin/service iptables status > $Status    # current rules, so an IP is not added twice
# Functions
# The ten one-second timestamps before now
secure_deny_time() {
    Time01=$(date "+%H:%M:%S" -d "-10 second")
    Time02=$(date "+%H:%M:%S" -d "-9 second")
    Time03=$(date "+%H:%M:%S" -d "-8 second")
    Time04=$(date "+%H:%M:%S" -d "-7 second")
    Time05=$(date "+%H:%M:%S" -d "-6 second")
    Time06=$(date "+%H:%M:%S" -d "-5 second")
    Time07=$(date "+%H:%M:%S" -d "-4 second")
    Time08=$(date "+%H:%M:%S" -d "-3 second")
    Time09=$(date "+%H:%M:%S" -d "-2 second")
    Time10=$(date "+%H:%M:%S" -d "-1 second")
    echo "$Time01 $Time02 $Time03 $Time04 $Time05 $Time06 $Time07 $Time08 $Time09 $Time10"
}
# Collect the client IPs that hit keyword $1 during the second $TIME of today
secure_key() {
    tail -n $LINE $LOG | grep "$TODAY/$MON" | grep -v '^$' | grep "$TIME" | grep "$1" | awk -F " " '{print $1}' | sort >> $Deny
}
# Firewall interception: DROP every IP that appears $Dot times or more
secure_deny_ip() {
    cat $Deny
    echo ......................
    cat $Deny02
    for i in $IP; do
        NUM=$(cat $Deny02 | grep "$i" | awk -F " " '{print $1}')
        if [ -n "$NUM" ] && [ "$NUM" -ge "$Dot" ]; then
            grep "$i" $Status > /dev/null 2>&1      # RETVAL != 0 means the IP is not blocked yet
            RETVAL=$?
            [ $RETVAL != 0 ] && echo "/sbin/iptables -I INPUT -s $i -j DROP"
            [ $RETVAL != 0 ] && /sbin/iptables -I INPUT -s $i -j DROP
            [ $RETVAL != 0 ] && echo "$(date "+%H:%M:%S") $i" >> /tmp/$Date
            #[ $RETVAL != 0 ] && /sbin/iptables -I INPUT -s $i -p tcp -j REJECT
        fi
    done
}
# Main loop: six rounds of ten seconds, so one cron run covers one minute
NUMBER="1 2 3 4 5 6"
for number in $NUMBER; do
    sleep 10s
    # Number of hits within 10 seconds that counts as an attack
    Dot=5
    Deny=/tmp/secure_deny_tmp_$number
    Deny02=/tmp/secure_deny_$number
    echo "$number, checking the 10s before now; $Dot or more hits is treated as an attack and blocked"
    echo > $Deny
    for LOG in $LOGS; do
        secure_deny_time
        for TIME in $Time01 $Time02 $Time03 $Time04 $Time05 $Time06 $Time07 $Time08 $Time09 $Time10; do
            secure_key $Key01
        done
        cat $Deny | sort | uniq -c > $Deny02
        IP=$(cat $Deny02 | awk -F " " '{print $2}')
        secure_deny_ip
    done
done
exit
Phase two anti-attack strategy:
The shell script ran for half a month and did stop the attack, but customer service reported false positives. The worst case was a company event, where 5 SMS requests in 10 seconds was perfectly normal: some real users were killed, and an IP blocked by the firewall could not reach any service at all. So we had to find a method at the Nginx application layer instead of the old approach of banning IPs. I searched the Internet for several days and found almost no comparable case, so I had to build my own.
Heaven rewards the diligent; in the end I had two ideas:
One is Nginx combined with Lua to prevent attacks (what I read online left me in a fog, and since I do not know Lua I abandoned this scheme).
The second is to use ngx_http_referer_module (at the time I spent 2 days on the official English documentation, http://nginx.org/en/docs/http/ngx_http_referer_module.html; this page let me find the method, especially the Nginx if statement).
Comparing the attack log with the normal log, I found that their $http_referer values differ, for example:
Normal access:
[screenshot: 02.png]
Attack access:
[screenshot: 03.png]
Final solution:
1. Removed the original IP-interception policy; IPs are no longer blocked.
2. Enabled an Nginx location match on /account that filters on $http_referer: when the $http_referer is not the normal one, Nginx answers the request itself instead of passing it to the backend.
Nginx is configured as follows:
location ~ /account(/.*) {
    if ($http_referer ~ "https://www.touchouwang.net/account/sendPhoneCode") {
        # if the referer matches, return 200 directly: be kind to the attacker and do not pass the request to the backend web
        return 200;
    }
    # otherwise pass it to the backend web
    # (a proxy_pass with a URI part is not allowed inside a regex location, so the request URI /account/... is passed through unchanged)
    proxy_pass http://web_group;
}
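Both phases of the post, the per-IP counting done by the blocking script and the Referer comparison behind the final Nginx rule, can be tried on a log file offline. The bash script below is an added example and is not the author's script or configuration; the hostname www.example.test, the client IPs and all log lines in it are constructed, and the iptables commands are only printed, never executed. It replaces the script's ten one-second greps with a sliding window over parsed timestamps, and its simulate_rule function applies the same Referer test as the final nginx if block to the same log lines, so the two approaches can be compared on one data set. Because the Referer header is supplied by the client, the rule only holds while the attacker keeps sending that exact value, which is why the post's planned third phase moves verification into the application.

```shell
#!/usr/bin/env bash
# Added example, not the author's script or config. It reproduces on an nginx
# access log the two decisions made in the post: (1) per-IP request counting
# inside a sliding window, as the blocking script did, and (2) grouping the
# same requests by Referer to see what the final nginx rule would do with them.
# The hostname www.example.test, the IPs and every log line are constructed.
set -eu

# Constructed access log in nginx "combined" format: one abusive client
# (203.0.113.5) that sets the SMS endpoint itself as Referer, one real user
# (198.51.100.7) arriving from the registration page, one unrelated request.
make_sample_log() {
  local f
  f=$(mktemp)
  cat > "$f" <<'EOF'
203.0.113.5 - - [28/May/2016:10:20:01 +0800] "GET /account/sendPhoneCode?phone=1 HTTP/1.1" 200 17 "https://www.example.test/account/sendPhoneCode" "curl/7.47.0"
203.0.113.5 - - [28/May/2016:10:20:02 +0800] "GET /account/sendPhoneCode?phone=2 HTTP/1.1" 200 17 "https://www.example.test/account/sendPhoneCode" "curl/7.47.0"
203.0.113.5 - - [28/May/2016:10:20:03 +0800] "GET /account/sendPhoneCode?phone=3 HTTP/1.1" 200 17 "https://www.example.test/account/sendPhoneCode" "curl/7.47.0"
203.0.113.5 - - [28/May/2016:10:20:04 +0800] "GET /account/sendPhoneCode?phone=4 HTTP/1.1" 200 17 "https://www.example.test/account/sendPhoneCode" "curl/7.47.0"
203.0.113.5 - - [28/May/2016:10:20:05 +0800] "GET /account/sendPhoneCode?phone=5 HTTP/1.1" 200 17 "https://www.example.test/account/sendPhoneCode" "curl/7.47.0"
198.51.100.7 - - [28/May/2016:10:20:03 +0800] "GET /account/sendPhoneCode?phone=6 HTTP/1.1" 200 17 "https://www.example.test/account/register" "Mozilla/5.0"
198.51.100.7 - - [28/May/2016:10:20:30 +0800] "GET /account/sendPhoneCode?phone=6 HTTP/1.1" 200 17 "https://www.example.test/account/register" "Mozilla/5.0"
192.0.2.9 - - [28/May/2016:10:20:04 +0800] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
EOF
  echo "$f"
}

# Print every client IP that sent >= threshold requests matching keyword
# within any window of `window` seconds (same day assumed, as in the post).
flag_abusive_ips() {
  local log=$1 keyword=$2 window=$3 threshold=$4
  # pass 1: "ip seconds-since-midnight" for each request whose URI matches
  awk -v kw="$keyword" '
    $7 ~ kw {
      split($4, p, ":")                     # $4 = "[28/May/2016:10:20:01"
      print $1, p[2] * 3600 + p[3] * 60 + p[4]
    }' "$log" \
  | sort -k1,1 -k2,2n \
  | awk -v win="$window" -v thr="$threshold" '
    {
      if ($1 != ip) { ip = $1; n = 0; start = 1; flagged = 0 }
      t[++n] = $2
      # slide the window start forward until it is within win seconds of the newest hit
      while (t[n] - t[start] > win) start++
      if (!flagged && n - start + 1 >= thr) { flagged = 1; print ip }
    }'
}

# Dry run of the firewall step: print the command for each flagged IP, and
# skip IPs already present in an iptables rule dump (the post greps
# "service iptables status" output for the same purpose).
plan_block() {
  local log=$1 keyword=$2 window=$3 threshold=$4 rules=$5
  flag_abusive_ips "$log" "$keyword" "$window" "$threshold" | while read -r ip; do
    if grep -qF -- "$ip" "$rules"; then
      echo "skip $ip (already blocked)"
    else
      echo "/sbin/iptables -I INPUT -s $ip -j DROP"
    fi
  done
}

# "count ip referer" for every request whose URI matches keyword, highest first:
# this is the comparison that showed the attack traffic's Referer differs.
referer_breakdown() {
  local log=$1 keyword=$2
  awk -v kw="$keyword" '$7 ~ kw { print $1, $11 }' "$log" | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Apply the final nginx rule's decision: a Referer matching the attack pattern
# is answered by nginx itself (return 200), anything else is proxied upstream.
simulate_rule() {
  local log=$1 keyword=$2 pattern=$3
  awk -v kw="$keyword" -v pat="$pattern" '
    $7 ~ kw { if ($11 ~ pat) { direct++ } else { proxied++ } }
    END { printf "answered_locally %d proxied %d\n", direct + 0, proxied + 0 }' "$log"
}

main() {
  local log rules
  log=$(make_sample_log)
  rules=$(mktemp)
  echo "DROP       all  --  192.0.2.9            0.0.0.0/0" > "$rules"   # constructed rule dump
  echo "== IPs with >= 5 hits on sendPhoneCode within 10 s =="
  flag_abusive_ips "$log" sendPhoneCode 10 5
  echo "== firewall actions (dry run) =="
  plan_block "$log" sendPhoneCode 10 5 "$rules"
  echo "== requests to sendPhoneCode by IP and Referer =="
  referer_breakdown "$log" sendPhoneCode
  echo "== what the nginx rule would do =="
  simulate_rule "$log" sendPhoneCode 'https://www.example.test/account/sendPhoneCode'
  rm -f "$log" "$rules"
}
main
```

To use it on a real server, call flag_abusive_ips with the real access log path, the URI keyword, a window in seconds and a threshold; the event-day false positives described in the post correspond to raising the threshold or widening the window rather than to blocking the IP.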
The whole anti-attack setup has run without any problems up to now, and the effect is excellent. Later there will be a third phase, mainly from our developers, solving it at the program level, for example by adding various kinds of verification.
This article was written by Clever Unfeeling word by word and figure by figure, with reference to a lot of material; thanks to those who shared it. In the spirit of open source sharing, please indicate the source when reproducing it.
Resources:
http://drops.wooyun.org/tips/734
http://nginx.org/en/docs/http/ngx_http_referer_module.html
http://www.ttlsa.com/nginx/nginx-referer
This article is from the "Clever Unfeeling - Li Jing" blog; please keep this source when reproducing it: http://qiaomiao.blog.51cto.com/484197/1839337