A simple PHP script for countering CC attacks: lessons learned

Source: Internet
Author: User

1. Log in to the VPS control panel and be ready to reboot the VPS at any time.
2. Shut down the web server first. Too much load makes the following steps difficult and can even make it impossible to log in over SSH.
3. As a precaution, disable the web server's automatic start at boot.
(If you cannot log in, and after a reboot the overload at boot still prevents login, you can ask the data-center administrator to block the VPS's IP or port 80, log in to the system through the virtual console at the data center, and then carry out steps 2 and 3; after the solution

Second, identify the attacker IP

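1. Create the file ip.php in the root directory of the website with the following content.

<?php
// Record where each request comes from so attack sources can be counted later.
// X-Forwarded-For is sent by the client, so it is validated and written with
// file_put_contents() rather than being passed to a shell.
$remote = $_SERVER['REMOTE_ADDR'];
$xff = getenv('HTTP_X_FORWARDED_FOR');
// Use the left-most X-Forwarded-For entry, and only if it is a well-formed IP.
$real_ip = ($xff === false) ? false : filter_var(trim(explode(',', $xff)[0]), FILTER_VALIDATE_IP);
if ($real_ip !== false) {
    file_put_contents('real_ip.txt', $real_ip . "\n", FILE_APPEND | LOCK_EX);
    file_put_contents('proxy.txt', $remote . "\n", FILE_APPEND | LOCK_EX);
} else {
    file_put_contents('ips.txt', $remote . "\n", FILE_APPEND | LOCK_EX);
}
echo 'The server is under attack and is collecting the sources of the attack. Please visit this site again in 5 minutes; visiting within the next 5 minutes may get your IP blocked as an attack source. Thank you for your cooperation!';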

2. Set up URL rewriting so that every request to the website is rewritten to ip.php.
Nginx rule:

rewrite (.*) /ip.php;

Lighttpd rule:

url.rewrite = (
    "^/(.+)/?$" => "/ip.php"
)

3. Start the web server and begin collecting IPs.
Once steps 1 and 2 are in place, start the web server so that it begins recording IP information.
A collection time of 3-5 minutes is recommended; then shut the web server down again.
real_ip.txt: more than 80% of the IPs stored in this file are the same; that IP is the platform from which the attacker is carrying out the attack.
proxy.txt: this file holds the IPs of the proxy servers used by the attacker, which need to be blocked.
ips.txt: this file records IPs that do not show the characteristics of a proxy server; judge by the number of visits whether each one is an attack source.

Third, a supplement to the previous section
If web logs are enabled on the VPS, you can watch the growth of the log files to determine which site is being attacked.
If logging is not enabled and the number of sites is small, temporarily enabling logging is also convenient.
If logging is not enabled and there are too many sites, you can use a temporary web server configuration file that binds no virtual hosts and defines only a default site. Then add the following line to ip.php.

// The Host header is client-supplied, so append it to the file directly instead of going through a shell.
file_put_contents('domain.txt', ($_SERVER['HTTP_HOST'] ?? '-') . "\n", FILE_APPEND | LOCK_EX);

domain.txt will record the requested domain names; the site under CC attack will account for the vast majority of them.

Four, start blocking IPs
Create the file ban.php

<?php
// IPs seen more than $threshold times in ips.txt are treated as attack sources.
$threshold = 10;
$ips = array_count_values(file('ips.txt'));
$ban_num = 0;
foreach ($ips as $ip => $num) {
    if ($num > $threshold) {
        $ip = trim($ip);
        // escapeshellarg() keeps a malformed line from changing the command.
        $cmd = "iptables -I INPUT -p tcp --dport 80 -s " . escapeshellarg($ip) . " -j DROP";
        shell_exec($cmd);
        echo "$ip banned!\n";
        $ban_num++;
    }
}
// Every proxy recorded in proxy.txt is blocked regardless of its visit count.
$proxy_arr = array_unique(file('proxy.txt'));
foreach ($proxy_arr as $proxy) {
    $proxy = trim($proxy);
    $cmd = "iptables -I INPUT -p tcp --dport 80 -s " . escapeshellarg($proxy) . " -j DROP";
    shell_exec($cmd);
    echo "$proxy banned!\n";
    $ban_num++;
}
echo "Total: $ban_num ips\n";
?>

Run the script with the following command (make sure the php command is in PATH):

php ban.php

This script relies on the results saved in ips.txt in the second section: any IP recorded there with more than 10 visits is blocked as an attack source. Proxy servers are blocked outright, without checking the number of visits.
Once the IPs have been blocked, restore all website settings to normal, and the site can continue to run normally.
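
The blocking step above, as an added example that is not part of the original article: a shell version that builds the ban list from ips.txt and proxy.txt and prints the iptables rules for review instead of running them. It goes beyond ban.php by accepting only well-formed IPv4 addresses and by honouring an allowlist; the function names, the allowlist argument and the sample addresses are assumptions made for this example.

```shell
#!/bin/sh
# Added example: build a reviewable ban list from ip.php's ips.txt and proxy.txt.
# Nothing is executed against the firewall; the rules are only printed.

# ban_list IPS_FILE PROXY_FILE THRESHOLD "ALLOWLIST"   (hypothetical helper)
# Prints, one per line, every valid IPv4 address that appears more than
# THRESHOLD times in IPS_FILE or at all in PROXY_FILE, minus the allowlist.
ban_list() {
    awk -v threshold="$3" -v allow="$4" '
        function valid(ip,    n, o, i) {          # strict dotted quad, octets 0-255
            n = split(ip, o, ".")
            if (n != 4) return 0
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || length(o[i]) > 3 || o[i] + 0 > 255) return 0
            return 1
        }
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        { sub(/\r$/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # tolerate CRLF and padding
        !valid($0) || ($0 in skip) { next }              # drop junk and protected IPs
        FILENAME == ARGV[1] { hits[$0]++; next }         # ips.txt: count visits
        { ban[$0] = 1 }                                  # proxy.txt: ban outright
        END {
            for (ip in hits) if (hits[ip] > threshold) ban[ip] = 1
            for (ip in ban) print ip
        }' "$1" "$2" | LC_ALL=C sort
}

# ban_commands: same arguments as ban_list; prints the iptables rules for review.
ban_commands() {
    ban_list "$@" | while read -r ip; do
        printf 'iptables -I INPUT -p tcp --dport 80 -s %s -j DROP\n' "$ip"
    done
}

# Constructed sample data (documentation-range addresses), not real logs.
demo=$(mktemp -d)
{ i=0; while [ "$i" -lt 12 ]; do echo 203.0.113.7; i=$((i + 1)); done
  echo 198.51.100.20; echo 198.51.100.20; echo '1.2.3.4; reboot'; } > "$demo/ips.txt"
printf '192.0.2.50\r\n192.0.2.50\n192.0.2.99\n' > "$demo/proxy.txt"
# 192.0.2.99 stands in for a trusted reverse proxy that must stay reachable.
ban_commands "$demo/ips.txt" "$demo/proxy.txt" 10 "192.0.2.99"
rm -rf "$demo"
```

Put your own administration address and any reverse proxy or load balancer in front of the site on the allowlist, since their addresses will show up in the collected files like any other client.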
