Solve CC attacks, Linux VPs, log on to SSH, and log on to the VPs Control Panel

In order to keep the description of the operation process as concise as possible, there is no excessive explanation added in the above content, and you will stay here for a unified description.

1. The nature of "Proxy Server"

Two values related to TCP & HTTP, remote_addr and http_x_forwarded_for.

(1) remote_addr always obtains the IP address of a host closest to the Web server. If no proxy is used, this value is the visitor's IP address. If a proxy is used, this value is the IP address of the proxy server. If multiple proxy servers are connected, this value is the IP address of the last proxy server before the web server.

Remote_addr is determined by the TCP/IP layer and cannot be modified or forged.

(2) http_x_forwarded_for, because the value belongs to the HTTP part rather than the TCP/IP, no matter what the value is, it does not affect data transmission. In fact, in general, if a visitor directly accesses the web server, this value is blank; When a transparent proxy is used, this value is set by the proxy server as the visitor's IP address; when using an anonymous proxy connection, this value may be the IP address of the proxy server, which may be empty or random.

Http_x_forwarded_for can be arbitrarily modified. Most proxy servers are transparent proxies. That is to say, this value is set to the IP address of the original visitor.

2. CC attacks

Sort by processing efficiency from high to low.

(Because this article is for VPs servers, VPs is simply a low-end alternative to servers, and the memory and CPU resources are generally low, of course, the higher the processing efficiency, the better .)

(1) network transmission layer. That is, the iptables used in this article. This tool is used by the system kernel to directly disable the attacker connection when establishing a network connection. After the attack source is processed at this layer, the consumed resources are almost negligible.

(2) At the Web server layer, most Web servers can set IP addresses that prohibit access. At this layer, the solution is similar to the above, but the efficiency is lower.

(3) The Script layer filters out attack sources by formulating policies suitable for the script program. There are a lot of solutions circulating on the network at this layer, but they are not suitable for VPs, And the setting difficulty may be increased several times or dozens of times.

3. Why not I collect IP addresses from logs?

There are two main considerations: first, most VPs users disable the log because the disk space is too small and it is difficult to clear logs frequently.

Second, if the IP address is collected from logs, the script is much more complicated and may need to be adjusted based on the situation. Considering that most of the people who will read this article may not master more technologies, the purpose of this article is to follow this step to solve the problem.

Find the attacker IP Address

1. Create the file IP address. php In the root directory of the website and write the following content.

 

$ Real_ip = getenv ('HTTP _ x_forwarded_for '); If (isset ($ real_ip )){ Shell_exec ("Echo $ real_ip> real_ip.txt "); Shell_exec ("Echo $ _ server ['remote _ ADDR ']> proxy.txt "); } Else { Shell_exec ("Echo $ _ server ['remote _ ADDR ']> ips.txt ")" } Echo: the server is under attack and is collecting attack sources. Please visit this site five minutes later. Multiple accesses to this site within five minutes may be blocked as an attack source. Thank you for your cooperation! '; ?>

2. Set the pseudo-static state and rewrite all accesses to IP. php.

 

Nginx rules: Rewrite (. *)/IP. php; Lighttpd rules: URL. Rewrite = ( "^/(. + )/? $ "=>"/IP. php" )

3. Start the Web server to collect IP addresses.

After setting 1 and 2, start the Web server and record IP information.

It is recommended that the collection time be 3 to 5 minutes, and then the Web server is disabled again.

Real_ip.txt: the IP addresses stored in this file are more than 80% identical. This IP address is the IP address of the platform where attackers are launching attacks.

Proxy.txt, which stores the IP address of the proxy server called by the attacker and needs to be blocked.

Ips.txt, which records the IP addresses that do not show the characteristics of the proxy server, and determines whether the IP addresses are attack sources based on the number of visits.

Start IP address Blocking

Create File ban. php

 

$ Threshold = 10; $ IPS = array_count_values(file('ips.txt ')); $ Ban_num = 0; Foreach ($ IPs as $ IP => $ num ){ If ($ num> $ threshold ){ $ IP = trim ($ IP ); $ Cmd = "iptables-I input-P TCP -- dport 80-S $ IP-J Drop "; Shell_exec ($ cmd ); Echo "$ IP Baned! "; $ Ban_num ++; } } $ Proxy_arr = array_unique(file('ips.txt '))' Foreach ($ proxy_arr as $ proxy ){ $ Proxy = trim ($ proxy ); $ Cmd = "iptables-I input-P TCP -- dport 80-S $ IP-J Drop "; Shell_exec ($ cmd ); Echo "$ IP Baned! "; $ Ban_num ++; } Echo "Total: $ ban_num IPS "; ?>

Run the script with the following command (make sure that the php Command is in path)

PHP ban. php

This script depends on the results saved in ips.txt in Section 2. When the number of IP access records exceeds 10, it is blocked as an attack source. If it is a proxy server, it is directly blocked without judging the number of times.

After the IP address is closed, all the website settings are restored to normal, and the website can continue to run normally.

Preparations

1. log on to the VPs control panel and be ready to restart the VPs at any time.

2. Shut down the web server first. Excessive load will make subsequent operations very difficult, and even cannot directly log on to ssh.

3. Remove the configured web server automatically after it is started.

(If you are unable to log on to the system, and the load is too high after the restart, the system will no longer be able to log on after the startup. You can contact the Administrator to block the IP address or port 80 of the VPs on the master machine, log on to the system using the virtual console on the parent machine, perform 2 & 3 operations, and then unseal them)

Supplement to the previous paragraph

If Web logs are enabled on VPs, you can view the log file growth rate to determine which site is under attack.

If logs are not enabled and the number of sites is small, it is convenient to enable logs temporarily.

If logs are not enabled and the number of sites is too large, you can use the temporary Web server configuration file to set a default site without binding a virtual host. Add the following line to IP. php.

 

Shell_exec ("Echo $ _ server ['HTTP _ host']> domain.txt ");

In domain.txt, the accessed domain names will be saved, and CC-attacked sites will account for the vast majority.