linux / Nginx · 21 July 2021

Adding an IP blacklist to Nginx


Lately, with some time on my hands, I went through the nginx logs on my cloud server
and found a large number of scans coming from overseas attackers.

163.53.156.199 - - [24/Apr/2021:03:14:04 +0800] "GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36"
163.53.156.199 - - [24/Apr/2021:03:14:04 +0800] "GET /db/dbweb/index.php?lang=en HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36"
163.53.156.199 - - [24/Apr/2021:03:14:05 +0800] "GET /phpmyadmin2013/index.php?lang=en HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36"
163.53.156.199 - - [24/Apr/2021:03:14:05 +0800] "GET /mysql/web/index.php?lang=en HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36"
163.53.156.199 - - [24/Apr/2021:03:14:05 +0800] "GET /mysqlmanager/index.php?lang=en HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36"

From this excerpt of the access log it is clear that this attacker is scanning my site for PHP vulnerabilities. Unfortunately for them, this blog is static HTML and does not use PHP at all (laughs).

Of course, this is only one of them; plenty of other IPs are scanning my site for vulnerabilities as well.

The rest of this post shows how to deny that IP access in nginx.

Check the main configuration file

[root@doragon ~]# cat /etc/nginx/nginx.conf | grep -v \# | grep -v ^$
user  nginx;
worker_processes  1;
events {
    worker_connections  1024;
}
http {
    include       mime.types;
    include      conf.d/*.conf;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;
    server {
        listen       80 default;
    rewrite ^(.*) http://app.doragon.xyz$request_uri permanent;
    root html;
        location / {
            index  index.html;
        }
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }
}

It contains this directive:

include conf.d/*.conf

To keep things easy to manage later on, the blacklist goes into its own sub-configuration file under conf.d.

Create the sub-configuration file

touch /etc/nginx/conf.d/blacklist.conf
echo "deny 163.53.156.199;" > /etc/nginx/conf.d/blacklist.conf   # write the deny directive into the new file
nginx -t && nginx -s reload                                       # validate the config, then reload so the deny takes effect

After the reload, 163.53.156.199 can no longer make requests to the nginx server.

Adding IPs to the blacklist file in bulk

Of course, the people attacking me are not limited to this one IP.

[root@doragon ~]# cat /var/log/nginx/nginx_error.log | grep login.php | head -20
2021/01/26 13:01:52 [error] 25814#25814: *474 open() "/var/www/blog/public/wp-login.php" failed (2: No such file or directory), client: 34.73.237.110, server: www.doragon.xyz, request: "GET /wp-login.php HTTP/1.1", host: "www.doragon.xyz:443", referrer: "http://doragon.xyz/wp-login.php"
2021/01/27 14:23:11 [error] 25009#25009: *18 open() "/var/www/blog/public/wp-login.php" failed (2: No such file or directory), client: 34.236.18.197, server: www.doragon.xyz, request: "GET /wp-login.php HTTP/2.0", host: "www.doragon.xyz"
2021/01/30 00:40:08 [error] 26608#26608: *222 open() "/var/www/blog/public/wp-login.php" failed (2: No such file or directory), client: 18.194.196.202, server: www.doragon.xyz, request: "GET /wp-login.php HTTP/2.0", host: "www.doragon.xyz"
2021/01/30 00:40:10 [error] 26608#26608: *223 open() "/var/www/blog/public/wp-login.php" failed (2: No such file or directory), client: 18.194.196.202, server: www.doragon.xyz, request: "GET /wp-login.php HTTP/2.0", host: "www.doragon.xyz"
2021/01/30 07:41:46 [error] 26608#26608: *296 open() "/var/www/blog/public/mmbh/login.php" failed (2: No such file or directory), client: 118.123.1.36, server: www.doragon.xyz, request: "GET /mmbh/login.php HTTP/2.0", host: "112.74.165.206"
2021/01/30 07:41:46 [error] 26608#26608: *296 open() "/var/www/blog/public/gai/ucms/login.php" failed (2: No such file or directory), client: 118.123.1.36, server: www.doragon.xyz, request: "GET /gai/ucms/login.php HTTP/2.0", host: "112.74.165.206"
2021/01/30 12:36:30 [error] 26608#26608: *394 open() "/var/www/blog/public/wp-login.php" failed (2: No such file or directory), client: 54.176.188.51, server: www.doragon.xyz, request: "GET /wp-login.php HTTP/2.0", host: "www.doragon.xyz"
2021/02/02 10:26:24 [error] 26608#26608: *1835 open() "/var/www/blog/public/wp-login.php" failed (2: No such file or directory), client: 37.59.54.36, server: www.doragon.xyz, request: "GET /wp-login.php HTTP/1.1", host: "www.doragon.xyz"
2021/02/03 01:56:17 [error] 26608#26608: *2193 open() "/var/www/blog/public/wp-login.php" failed (2: No such file or directory), client: 18.194.196.202, server: www.doragon.xyz, request: "GET /wp-login.php HTTP/2.0", host: "www.doragon.xyz"
2021/02/03 01:56:20 [error] 26608#26608: *2195 open() "/var/www/blog/public/wp-login.php" failed (2: No such file or directory), client: 18.194.196.202, server: www.doragon.xyz, request: "GET /wp-login.php HTTP/2.0", host: "www.doragon.xyz"
2021/02/03 01:56:21 [error] 26608#26608: *2197 open() "/var/www/blog/public/wordpress/wp-login.php" failed (2: No such file or directory), client: 18.194.196.202, server: www.doragon.xyz, request: "GET /wordpress/wp-login.php HTTP/2.0", host: "www.doragon.xyz"
2021/02/03 01:56:23 [error] 26608#26608: *2199 open() "/var/www/blog/public/blog/wp-login.php" failed (2: No such file or directory), client: 18.194.196.202, server: www.doragon.xyz, request: "GET /blog/wp-login.php HTTP/2.0", host: "www.doragon.xyz"
2021/02/03 01:56:25 [error] 26608#26608: *2201 open() "/var/www/blog/public/wp/wp-login.php" failed (2: No such file or directory), client: 18.194.196.202, server: www.doragon.xyz, request: "GET /wp/wp-login.php HTTP/2.0", host: "www.doragon.xyz"
2021/02/05 07:40:22 [error] 25170#25170: *1216 open() "/var/www/blog/public/mmbh/login.php" failed (2: No such file or directory), client: 118.123.1.38, server: www.doragon.xyz, request: "GET /mmbh/login.php HTTP/2.0", host: "112.74.165.206"
2021/02/05 07:40:23 [error] 25170#25170: *1186 open() "/var/www/blog/public/gai/ucms/login.php" failed (2: No such file or directory), client: 118.123.1.38, server: www.doragon.xyz, request: "GET /gai/ucms/login.php HTTP/2.0", host: "112.74.165.206"
2021/02/07 13:24:41 [error] 6744#6744: *812 open() "/var/www/blog/public/wp-login.php" failed (2: No such file or directory), client: 192.99.14.189, server: www.doragon.xyz, request: "GET /wp-login.php HTTP/1.1", host: "doragon.xyz"
2021/02/09 12:25:50 [error] 6744#6744: *1604 open() "/var/www/blog/public/wp-login.php" failed (2: No such file or directory), client: 52.30.16.188, server: www.doragon.xyz, request: "GET /wp-login.php HTTP/2.0", host: "www.doragon.xyz"
2021/02/09 12:25:58 [error] 6744#6744: *1606 open() "/var/www/blog/public/wp-login.php" failed (2: No such file or directory), client: 52.30.16.188, server: www.doragon.xyz, request: "GET /wp-login.php HTTP/2.0", host: "www.doragon.xyz"
2021/02/09 12:26:04 [error] 6744#6744: *1608 open() "/var/www/blog/public/wordpress/wp-login.php" failed (2: No such file or directory), client: 52.30.16.188, server: www.doragon.xyz, request: "GET /wordpress/wp-login.php HTTP/2.0", host: "www.doragon.xyz"
2021/02/09 12:26:10 [error] 6744#6744: *1610 open() "/var/www/blog/public/blog/wp-login.php" failed (2: No such file or directory), client: 52.30.16.188, server: www.doragon.xyz, request: "GET /blog/wp-login.php HTTP/2.0", host: "www.doragon.xyz"

From this excerpt of the error log it is clear that many more IPs are attacking.

Use the usual command-line tools to extract all the attacker IPs and redirect them into the blacklist configuration file:

# pull the client IP out of every error-log line that mentions login.php, one per line, deduplicated
grep login.php /var/log/nginx/nginx_error.log | sed -n 's/.*client: \([0-9.]*\),.*/\1/p' | sort -u > /tmp/blacklist
for i in $(</tmp/blacklist)
do
    # skip addresses already listed so re-running this does not produce duplicate entries
    grep -qF "deny $i;" /etc/nginx/conf.d/blacklist.conf || echo "deny $i;" >> /etc/nginx/conf.d/blacklist.conf
done
nginx -t && nginx -s reload   # validate and reload so the new entries take effect
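As an added example (not code from the original post), the same extraction generalised to both log formats shown above, with IP validation and an idempotent append. The sample log lines, hostnames and TEST-NET addresses in it are constructed, not real traffic.

```shell
#!/bin/sh
# Added example, not from the original post: build a deduplicated, idempotent
# blacklist.conf from nginx error-log and access-log lines. Every sample line
# and address below is constructed (TEST-NET ranges), not real traffic.

# Client IP from error-log lines ("..., client: 1.2.3.4, server: ...").
ips_from_error_log() {
    sed -n 's/.*client: \([0-9.]*\),.*/\1/p'
}

# Client IP (field 1) from combined-format access-log lines whose request
# path (field 7) matches an extended regex such as 'phpmyadmin|wp-login[.]php'.
ips_from_access_log() {
    awk -v pat="$1" '$7 ~ pat { print $1 }'
}

# Read IPs on stdin, keep only well-formed IPv4 (IPv6 clients would need
# their own pattern), drop duplicates, and append "deny IP;" to $1 only for
# addresses not already listed. Prints how many entries were added.
append_blacklist() {
    conf=$1
    added=0
    touch "$conf"
    for ip in $(grep -E '^[0-9]+(\.[0-9]+){3}$' | sort -u); do
        if ! grep -qF "deny $ip;" "$conf"; then
            echo "deny $ip;" >> "$conf"
            added=$((added + 1))
        fi
    done
    echo "$added"
}

# Constructed samples in the two formats shown in the post.
SAMPLE_ERROR='2021/01/30 00:40:08 [error] 26608#26608: *222 open() "/var/www/blog/public/wp-login.php" failed (2: No such file or directory), client: 198.51.100.7, server: www.example.test, request: "GET /wp-login.php HTTP/2.0", host: "www.example.test"
2021/01/30 00:40:10 [error] 26608#26608: *223 open() "/var/www/blog/public/blog/wp-login.php" failed (2: No such file or directory), client: 198.51.100.7, server: www.example.test, request: "GET /blog/wp-login.php HTTP/2.0", host: "www.example.test"'
SAMPLE_ACCESS='192.0.2.10 - - [24/Apr/2021:03:14:04 +0800] "GET /phpmyadmin2013/index.php?lang=en HTTP/1.1" 301 169 "-" "Mozilla/5.0"
192.0.2.11 - - [24/Apr/2021:03:15:00 +0800] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

# Real use: feed the live log files through the extractors into
#   append_blacklist /etc/nginx/conf.d/blacklist.conf && nginx -t && nginx -s reload
# nginx only reads the file at (re)load, so the reload is not optional.
```

Running the samples through the pipeline adds two entries (198.51.100.7 and 192.0.2.10) and skips the benign 192.0.2.11 request; running the error-log sample again adds nothing.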