Shell Anti-Automatic forum posting Machine

Source: Internet
Author: User

I helped my friend maintain the server of his website. Recently, the traffic surge and the server pressure surge. Let's look at the nginx log. There are a large number of POST requests for several specific php requests. One IP address will POST four or five requests in one second. Basically, reg. php, login. php, and article_add.php. Apparently, a group of bots or individuals installed with Automatic posting machines are launching attacks.

It's nice to say, that is, to post advertisements. If it's hard to say something, it's hard to say something about Trojans. Although php on the Forum and backend of this website does not have any vulnerabilities that can be exploited by the registration and posting machine, it is completely a white brush, but it also consumes a considerable amount of system resources and bandwidth. Every request will go to the backend to call mysql or something. Normal access is very slow, and traffic is limited.

I installed FreeBSD on the server, which is very stable. It is easier to compile and load ipfw on the kernel. At the beginning, however, I was too small to look at these grandchildren. I tried to manually block them. After filtering out the IP addresses, I ran the ipfw ip address manually. The result was over an hour, simply write two scripts to do this and put them in the crontab to run automatically.

Script 1: filter the automatically published IP Address -- tail. sh

#!/bin/shtail -F /var/log/nginx-access.log | grep -E "/member/article_add.php|/member/login.php|/include/vdimgck.php" | awk '{print $1}' | grep -v your_admin_ip >> /usr/local/etc/nginx/ipfw.rules.tmp &

For details, tail-F is a continuously rolling log.-F indicates that the file name is rolled regardless of whether the log is rotate or not. It is different from-f. Then, grep regular matches multiple filtering conditions, prints ip addresses with awk, removes your remote management ip address, and appends the ip address to a temporary file named ipfw. rules. tmp.

The script can be executed once without repeated execution.


Script 2: remove the IP address of the registration machine and put it in the ipfw script-ipfw. sh

#!/bin/shcat /usr/local/etc/nginx/ipfw.rules.tmp | sort -u > /usr/local/etc/nginx/ipfw.rulesipfw -f flushipfw add 00100 allow ip fromanytoany via lo0ipfw add 00200 deny ip fromanyto 127.0.0.0/8ipfw add 00300 deny ip from 127.0.0.0/8 toanyipfw add 00400 deny ip fromanyto ::1ipfw add 00500 deny ip from ::1 toanyipfw add 00600 allow ipv6-icmp from :: to ff02::/16ipfw add 00700 allow ipv6-icmp from fe80::/10 to fe80::/10ipfw add 00800 allow ipv6-icmp from fe80::/10 to ff02::/16ipfw add 00900 allow ipv6-icmp fromanytoany ip6 icmp6types 1ipfw add 01000 allow ipv6-icmp fromanytoany ip6 icmp6types 2,135,136ipfw add 10010 deny udp fromanytoany 80seq=10100for i in $(cat /usr/local/etc/nginx/ipfw.rules); do        ipfw add $seq deny allfrom $i toany 80        seq=$(($seq+1))done

Explain it one by one

02. Sort the temporary files generated by the script for a lifetime and re-import them to the new file (Replace the second line with the following line to block the IP address segments of the C class)

cat /usr/local/etc/nginx/ipfw.rules.tmp | awk -F'.''{print $1"."$2"."$3".0/24"}' | sort -u > /usr/local/etc/nginx/ipfw.rules

04. Force Delete All ipfw rules

06-15. Original default ipfw rules. Row 04 is deleted and needs to be supplemented.

17. Rejecting port 80 udp connections is the so-called Aladdin DDoS attack.

19. Rule serial number, starting from 10100

20. List of IP addresses after deduplication

21. Add ipfw to rule $ seq sequence number, deny all connections from $ I to any port 80

22. Serial number accumulation.

Ipfw can add multiple ip addresses in a rule sequence number. The reason why the serial number is accumulated is that ipfw deletes a rule according to the rule sequence number rather than the ip address. All are put in one, and all are deleted as soon as they are deleted. If a specific ip address needs to access the website, you only need to delete the corresponding serial number.

The script is put into the crontab and runs once every 12 hours. In fact, I run it several times manually. After more than two hours, nearly 300 ip addresses have been blocked, with the largest number of ip addresses in Putian, Fujian, followed by the IP addresses in Xiamen, Quanzhou, and Fuzhou. There are also some other provinces, but few.


Google checked that Putian, Xiamen, and Quanzhou in Fujian are the largest distribution centers in China for spam and spam posts. If you see the IP addresses in these three locations, you can directly block the IP segments, such as 27.159.0.0/16.


Familiar with iptables, and changed the script to iptables, which can be used in linux.

These forums are so annoying to automatically register and post machines.

Note: The tail content can be directly printed on the screen, but there is a buffer for writing to the disk, that is, the buffer for system input and output, this buffer will be written to the disk and flushed off until it reaches 16 kb. Therefore, if the attack ip address is small, the temporary file created at the beginning will not receive the content immediately. It will take a while.


Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.