Nginx website continuously attacked for a month: the final anti-attack strategy

Source: Internet
Author: User
Tags: http, 200, lua


Last month, after migrating the whole architecture to the cloud, things were generally more stable and business volume picked up. Then the "cute" bad guys arrived and launched malicious attacks on my site 7x24 hours. The first alarm I received said the site's inbound traffic had exceeded 1000000bps 3 or more times within 1 minute, which works out to about 1 Mb/s; we normally never see traffic that large. I happened to be at a friend's place, so I hurriedly opened the laptop, connected to the VPN and checked: all the access was requests to the same page, and every request was a normal HTTP 200. That had to be a malicious attack.

Discovering the problem:
The first response was to find out what was being hit, so I hurriedly sent the request address to the developers and asked what exactly it was.
It turned out to be the SMS verification code interface. According to later statistics, one hour of sustained attack cost us more than 16000 text messages.
(screenshot 01.png: request log, not reproduced)

Solving the problem:

Of course, the problem had to be solved immediately.

The first-phase fix was the shell script below, executed every minute; the firewall is automatically restarted at 0 o'clock at night, which releases the blocked IPs. This basically stopped the attack and was used for about half a month.

#!/bin/bash
#write: lijing qq 858080796
#date: 20160528 v2.0
#description: Intercept Illegal IP

# define variables
RETVAL=0
DATE=$(date '+%Y-%m-%d')
TIME=$(date '+%Y:%H:%M' -d '-1 minute')
# zero-padded day and abbreviated month, matching the [28/May/2016:14:22:51 +0800] log timestamp
MON=$(date '+%b')
TODAY=$(date '+%d')
LOG="/data/logs/nginx/access.log"
LINE="70000"
# keyword
KEY01="sendPhoneCode"
STATUS=/tmp/status_deny_ip
/sbin/service iptables status > $STATUS

# define functions
# Forbidden time: the ten one-second timestamps that make up the last 10 seconds
function secure_deny_time() {
    TIME01=$(date "+%H:%M:%S" -d "-10 second")
    TIME02=$(date "+%H:%M:%S" -d "-9 second")
    TIME03=$(date "+%H:%M:%S" -d "-8 second")
    TIME04=$(date "+%H:%M:%S" -d "-7 second")
    TIME05=$(date "+%H:%M:%S" -d "-6 second")
    TIME06=$(date "+%H:%M:%S" -d "-5 second")
    TIME07=$(date "+%H:%M:%S" -d "-4 second")
    TIME08=$(date "+%H:%M:%S" -d "-3 second")
    TIME09=$(date "+%H:%M:%S" -d "-2 second")
    TIME10=$(date "+%H:%M:%S" -d "-1 second")
    echo "$TIME01 $TIME02 $TIME03 $TIME04 $TIME05 $TIME06 $TIME07 $TIME08 $TIME09 $TIME10"
}
# Forbidden keyword: collect the client IPs of today's log lines at $TIME that contain the keywords
# (keywords are quoted so that an unused, empty keyword becomes grep "" and matches every line)
function secure_key() {
    tail -n $LINE $LOG | grep "$TODAY/$MON" | grep -v '^$' | grep "$TIME" | grep "$1" | grep "$2" | grep "$3" | grep "$4" | awk -F " " '{print $1}' | sort >> $DENY
    echo "grep $TODAY/$MON $LOG | grep -v ^$ | grep $TIME | grep $1 | grep $2 | grep $3 | grep $4 | awk '{print \$1}' | sort"
}
# firewall blocking function: DROP every IP whose count reached $DOT and that is not already in the iptables status
secure_deny_ip() {
    cat $DENY
    echo ......................
    cat $DENY02
    for i in $IP; do
        NUM=$(cat $DENY02 | grep -w "$i" | awk -F " " '{print $1}')
        if [ -z "$NUM" ]; then
            echo " "
        else
            if [ "$NUM" -ge "$DOT" ]; then
                for y in $i; do
                    grep -w "$y" $STATUS > /dev/null 2>&1
                    RETVAL=$?
                    [ $RETVAL != 0 ] && echo "/sbin/iptables -I INPUT -s $y -j DROP"
                    [ $RETVAL != 0 ] && /sbin/iptables -I INPUT -s $y -j DROP
                    [ $RETVAL != 0 ] && echo "$(date "+%H:%M:%S") $y" >> /tmp/$DATE
                    #[ $RETVAL != 0 ] && /sbin/iptables -I INPUT -s $y -p tcp -j REJECT
                done
            fi
        fi
    done
}

# six rounds of 10 seconds each, so one run from cron covers the whole minute
NUMBER="1 2 3 4 5 6"
for number in $NUMBER; do
    sleep 10s
    # Define the number of clicks (threshold within 10 seconds)
    DOT=5
    DENY=/tmp/secure_deny_tmp_$number
    DENY02=/tmp/secure_deny_$number
    # round $number: check the 10 seconds before the current time, for example 0-10 sec
    echo "$number, check the current time before $number 10s. Greater than $DOT attack blocking"
    echo > $DENY
    for LOG in $LOG; do
        secure_deny_time
        for TIME in $TIME01 $TIME02 $TIME03 $TIME04 $TIME05 $TIME06 $TIME07 $TIME08 $TIME09 $TIME10; do
            secure_key $KEY01
        done
        cat $DENY | sort | uniq -c > $DENY02
        IP=$(cat $DENY02 | awk -F " " '{print $2}')
        secure_deny_ip
    done
done
exit


Second-phase anti-attack strategy:

The shell script ran for half a month and did stop the attack, but customer service kept reporting false positives. The worst case was during a company time-limited event: sending 5 SMS requests within 10 seconds is perfectly normal there, yet some users were blocked, and an IP dropped by the firewall cannot reach any of our services. So I had to find a method at the Nginx application layer and could not keep using the old approach of banning IPs. I searched the internet for a few days and found almost no comparable case, so I had to work something out myself.

Hard work pays off: I finally had two ideas:
One was Nginx combined with Lua to block the attack (what I found online left me foggy, and since I don't know Lua I abandoned this scheme).
The second was to use ngx_http_referer_module (I spent 2 days on the official English documentation at http://nginx.org/en/docs/http/ngx_http_referer_module.html; this page led me to the method, especially the Nginx if statement).

Comparing the attack log with the normal log, I found that their $http_referer values differ, for example:
Normal access:
(screenshot 02.png: normal access log entry, not reproduced)
Attack access:
(screenshot 03.png: attack access log entry, not reproduced)

Final solution: 1. Removed the original IP interception policy; no IP blocking at all. 2. Enabled an Nginx location match for /account that filters on $http_referer: when the $http_referer is not the normal one, Nginx answers the request directly instead of passing it on.
nginx is configured as follows:

location ~ /account(/.*) {
    if ($http_referer ~ "https://www.touchouwang.net/account/sendPhoneCode") {
        # if the referer matches the attack pattern, return 200 directly to the
        # attacker and do not pass the request to the backend web servers
        return 200;
    }
    # otherwise pass it to the backend web servers (a location given by a regular
    # expression cannot carry a URI part in proxy_pass, so the request URI
    # /account/... is forwarded unchanged)
    proxy_pass http://web_group;
}
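The two checks the post layers, as an added example that is not from the original post: the script's per-IP request count over a 10-second window, and the referer comparison, both run over constructed nginx log lines. The attacker's referer (the sendPhoneCode URL itself) is what the post's config matches; the legitimate calling page https://www.touchouwang.net/account/register and the client IPs are assumptions, and the referer check is written as an allow-list of expected pages rather than a match on the attacker's referer.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed nginx "combined" log lines (not from the post): 203.0.113.7 hammers the
# SMS endpoint with the endpoint URL itself as Referer, as the post's attack log shows;
# 198.51.100.2 is a user submitting the form twice from the (assumed) registration page.
PAGE = "https://www.touchouwang.net/account/register"
API = "https://www.touchouwang.net/account/sendPhoneCode"
SAMPLE_LOG = (
    [f'198.51.100.2 - - [28/May/2016:14:22:50 +0800] "POST /account/sendPhoneCode HTTP/1.1" 200 45 "{PAGE}" "Mozilla/5.0"']
    + [f'203.0.113.7 - - [28/May/2016:14:22:5{s} +0800] "POST /account/sendPhoneCode HTTP/1.1" 200 45 "{API}" "Mozilla/5.0"' for s in range(1, 8)]
    + [f'198.51.100.2 - - [28/May/2016:14:22:58 +0800] "POST /account/sendPhoneCode HTTP/1.1" 200 45 "{PAGE}" "Mozilla/5.0"',
       '198.51.100.2 - - [28/May/2016:14:22:59 +0800] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"']
)

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" '
                     r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$')

def parse(line):
    """One combined-format line -> dict with a datetime timestamp, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def ips_over_threshold(lines, key="/account/sendPhoneCode", window=10, dot=5):
    """IPs that hit `key` at least `dot` times within any `window` seconds (lines in log order).
    A per-IP sliding window rather than the script's fixed 10 s buckets, so a burst straddling
    a bucket boundary is still counted; `>=` mirrors the script's `-ge $DOT` test."""
    recent, flagged = defaultdict(deque), set()
    for rec in filter(None, map(parse, lines)):
        if rec["path"].split("?")[0] != key:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (q[-1] - q[0]).total_seconds() > window:  # drop hits older than the window
            q.popleft()
        if len(q) >= dot:
            flagged.add(rec["ip"])
    return flagged

def unexpected_referer_requests(lines, key="/account/sendPhoneCode", allowed=(PAGE,)):
    """(ip, referer) for requests to `key` whose Referer is not a page that legitimately
    calls it: the allow-list form of the post's referer check (what valid_referers does)."""
    return [(r["ip"], r["referer"]) for r in filter(None, map(parse, lines))
            if r["path"].split("?")[0] == key and not r["referer"].startswith(allowed)]
```

With the post's threshold of 5, the legitimate user who sends 2 requests in 10 seconds is never flagged, while the attacker is caught by both the rate check and the referer check.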


The whole anti-attack setup has run without any problems since, and the effect is excellent. Later I will add a third phase, mainly relying on our capable developers to solve it at the program level, for example by adding various kinds of verification.

This article was written by Clever Unfeeling word by word and figure by figure, with reference to a lot of material; thanks to those who shared it. In the spirit of open-source sharing, please indicate the source when reproducing.

Resources:

http://drops.wooyun.org/tips/734

http://nginx.org/en/docs/http/ngx_http_referer_module.html

http://www.ttlsa.com/nginx/nginx-referer


This article is from the "Clever Unfeeling - Li Jing" blog; please make sure to keep this source: http://qiaomiao.blog.51cto.com/484197/1839337
