
Adding an IP blacklist to Nginx

Recently, with time on my hands, I took a look at the nginx logs on my cloud server and found a large number of scans coming from overseas attackers:

```
163.53.156.199 - - [24/Apr/2021:03:14:04 +0800] "GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36"
163.53.156.199 - - [24/Apr/2021:03:14:04 +0800] "GET /db/dbweb/index.php?lang=en HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36"
163.53.156.199 - - [24/Apr/2021:03:14:05 +0800] "GET /phpmyadmin2013/index.php?lang=en HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36"
163.53.156.199 - - [24/Apr/2021:03:14:05 +0800] "GET /mysql/web/index.php?lang=en HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36"
163.53.156.199 - - [24/Apr/2021:03:14:05 +0800] "GET /mysqlmanager/index.php?lang=en HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36"
```

From this excerpt of the log you can see that this attacker was scanning my site for PHP vulnerabilities (phpMyAdmin and similar admin panels). Unfortunately for them, this blog is static HTML and does not use PHP at all (laughs).

Of course, this is only one attacker; there are plenty of other IPs scanning my site for vulnerabilities.

Below is how to block such an IP in nginx.

Check the main configuration file

```
[root@doragon ~]# cat /etc/nginx/nginx.conf | grep -v \# | grep -v ^$
user nginx;
worker_processes 1;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    include conf.d/*.conf;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    server {
        listen 80 default;
        rewrite ^(.*) http://app.doragon.xyz$request_uri permanent;
        root html;
        location / {
            index index.html;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
}
```

It contains the directive

```
include conf.d/*.conf
```

so every `.conf` file in `conf.d/` is pulled into the `http` block. To make future management easier, keep the blacklist in its own sub-configuration file.

Create the sub-configuration file

```
touch /etc/nginx/conf.d/blacklist.conf
# write the deny rule into the file (the echo needs the redirect, otherwise it only prints to the terminal)
echo "deny 163.53.156.199;" > /etc/nginx/conf.d/blacklist.conf
# validate the configuration, then reload nginx so the rule takes effect
nginx -t && nginx -s reload
```

Once nginx has reloaded its configuration, 163.53.156.199 can no longer make requests to the nginx server (it receives a 403).

Add IPs to the blacklist file in bulk

Of course, the people attacking me are not using just one IP:

```
[root@doragon ~]# cat /var/log/nginx/nginx_error.log | grep login.php | head -20
2021/01/26 13:01:52 [error] 25814#25814: *474 open() "/var/www/blog/public/wp-login.php" failed (2: No such file or directory), client: 34.73.237.110, server: www.doragon.xyz, request: "GET /wp-login.php HTTP/1.1", host: "www.doragon.xyz:443", referrer: "http://doragon.xyz/wp-login.php"
2021/01/27 14:23:11 [error] 25009#25009: *18 open() "/var/www/blog/public/wp-login.php" failed (2: No such file or directory), client: 34.236.18.197, server: www.doragon.xyz, request: "GET /wp-login.php HTTP/2.0", host: "www.doragon.xyz"
2021/01/30 00:40:08 [error] 26608#26608: *222 open() "/var/www/blog/public/wp-login.php" failed (2: No such file or directory), client: 18.194.196.202, server: www.doragon.xyz, request: "GET /wp-login.php HTTP/2.0", host: "www.doragon.xyz"
2021/01/30 00:40:10 [error] 26608#26608: *223 open() "/var/www/blog/public/wp-login.php" failed (2: No such file or directory), client: 18.194.196.202, server: www.doragon.xyz, request: "GET /wp-login.php HTTP/2.0", host: "www.doragon.xyz"
2021/01/30 07:41:46 [error] 26608#26608: *296 open() "/var/www/blog/public/mmbh/login.php" failed (2: No such file or directory), client: 118.123.1.36, server: www.doragon.xyz, request: "GET /mmbh/login.php HTTP/2.0", host: "112.74.165.206"
2021/01/30 07:41:46 [error] 26608#26608: *296 open() "/var/www/blog/public/gai/ucms/login.php" failed (2: No such file or directory), client: 118.123.1.36, server: www.doragon.xyz, request: "GET /gai/ucms/login.php HTTP/2.0", host: "112.74.165.206"
2021/01/30 12:36:30 [error] 26608#26608: *394 open() "/var/www/blog/public/wp-login.php" failed (2: No such file or directory), client: 54.176.188.51, server: www.doragon.xyz, request: "GET /wp-login.php HTTP/2.0", host: "www.doragon.xyz"
2021/02/02 10:26:24 [error] 26608#26608: *1835 open() "/var/www/blog/public/wp-login.php" failed (2: No such file or directory), client: 37.59.54.36, server: www.doragon.xyz, request: "GET /wp-login.php HTTP/1.1", host: "www.doragon.xyz"
2021/02/03 01:56:17 [error] 26608#26608: *2193 open() "/var/www/blog/public/wp-login.php" failed (2: No such file or directory), client: 18.194.196.202, server: www.doragon.xyz, request: "GET /wp-login.php HTTP/2.0", host: "www.doragon.xyz"
2021/02/03 01:56:20 [error] 26608#26608: *2195 open() "/var/www/blog/public/wp-login.php" failed (2: No such file or directory), client: 18.194.196.202, server: www.doragon.xyz, request: "GET /wp-login.php HTTP/2.0", host: "www.doragon.xyz"
2021/02/03 01:56:21 [error] 26608#26608: *2197 open() "/var/www/blog/public/wordpress/wp-login.php" failed (2: No such file or directory), client: 18.194.196.202, server: www.doragon.xyz, request: "GET /wordpress/wp-login.php HTTP/2.0", host: "www.doragon.xyz"
2021/02/03 01:56:23 [error] 26608#26608: *2199 open() "/var/www/blog/public/blog/wp-login.php" failed (2: No such file or directory), client: 18.194.196.202, server: www.doragon.xyz, request: "GET /blog/wp-login.php HTTP/2.0", host: "www.doragon.xyz"
2021/02/03 01:56:25 [error] 26608#26608: *2201 open() "/var/www/blog/public/wp/wp-login.php" failed (2: No such file or directory), client: 18.194.196.202, server: www.doragon.xyz, request: "GET /wp/wp-login.php HTTP/2.0", host: "www.doragon.xyz"
2021/02/05 07:40:22 [error] 25170#25170: *1216 open() "/var/www/blog/public/mmbh/login.php" failed (2: No such file or directory), client: 118.123.1.38, server: www.doragon.xyz, request: "GET /mmbh/login.php HTTP/2.0", host: "112.74.165.206"
2021/02/05 07:40:23 [error] 25170#25170: *1186 open() "/var/www/blog/public/gai/ucms/login.php" failed (2: No such file or directory), client: 118.123.1.38, server: www.doragon.xyz, request: "GET /gai/ucms/login.php HTTP/2.0", host: "112.74.165.206"
2021/02/07 13:24:41 [error] 6744#6744: *812 open() "/var/www/blog/public/wp-login.php" failed (2: No such file or directory), client: 192.99.14.189, server: www.doragon.xyz, request: "GET /wp-login.php HTTP/1.1", host: "doragon.xyz"
2021/02/09 12:25:50 [error] 6744#6744: *1604 open() "/var/www/blog/public/wp-login.php" failed (2: No such file or directory), client: 52.30.16.188, server: www.doragon.xyz, request: "GET /wp-login.php HTTP/2.0", host: "www.doragon.xyz"
2021/02/09 12:25:58 [error] 6744#6744: *1606 open() "/var/www/blog/public/wp-login.php" failed (2: No such file or directory), client: 52.30.16.188, server: www.doragon.xyz, request: "GET /wp-login.php HTTP/2.0", host: "www.doragon.xyz"
2021/02/09 12:26:04 [error] 6744#6744: *1608 open() "/var/www/blog/public/wordpress/wp-login.php" failed (2: No such file or directory), client: 52.30.16.188, server: www.doragon.xyz, request: "GET /wordpress/wp-login.php HTTP/2.0", host: "www.doragon.xyz"
2021/02/09 12:26:10 [error] 6744#6744: *1610 open() "/var/www/blog/public/blog/wp-login.php" failed (2: No such file or directory), client: 52.30.16.188, server: www.doragon.xyz, request: "GET /blog/wp-login.php HTTP/2.0", host: "www.doragon.xyz"
```

This excerpt of the error log shows that many more IPs are probing for login pages that do not exist on this site.

A few common commands extract all of the attackers' IPs from that log and redirect them into the blacklist configuration file:

```
# field 6 of the error-log line (split on ':') is " <ip>, server", so the second cut keeps only the IP;
# sort -u is needed because uniq alone only merges adjacent duplicates, and the same IP appears on different days
grep login.php /var/log/nginx/nginx_error.log | cut -d ':' -f 6 | cut -d ',' -f 1 | tr -d ' ' | sort -u > /tmp/blacklist
for i in $(</tmp/blacklist)
do
    echo "deny $i;" >> /etc/nginx/conf.d/blacklist.conf
done
# validate and reload so the new deny rules take effect
nginx -t && nginx -s reload
```
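The same workflow as a pair of reusable shell functions, as an added example that is not code from the original post: they take the `client:` field from error-log lines just as the one-liner above does, but deduplicate properly, only deny addresses seen at least N times, and skip an allowlist so an administrator's own address cannot be locked out. The log lines and the addresses in them (documentation ranges) are constructed samples, not real traffic.

```shell
#!/bin/sh
# Added example, not the original post's code. Builds nginx "deny" rules from
# the "client:" field of error-log lines. Sample log below is constructed.

# Read nginx error-log lines on stdin; print each client IPv4 address that
# appears at least $1 times (default 1), one per line, sorted. "sort" before
# "uniq -c" is required: uniq only merges adjacent duplicate lines.
extract_clients() {
    min=${1:-1}
    grep -oE 'client: [0-9]+(\.[0-9]+){3}' | awk '{print $2}' \
        | sort | uniq -c | awk -v min="$min" '$1 >= min {print $2}'
}

# Read addresses on stdin; print "deny <ip>;" for each one that is not in
# the space-separated allowlist passed as $1 (e.g. your own office address).
deny_rules() {
    allow=" $1 "
    while IFS= read -r ip; do
        case "$allow" in
            *" $ip "*) continue ;;
        esac
        printf 'deny %s;\n' "$ip"
    done
}

# Constructed sample error log: 198.51.100.7 probes three times, the other
# two addresses once each; 192.0.2.1 plays the role of the admin's address.
SAMPLE_LOG='2021/01/30 00:40:08 [error] 26608#26608: *222 open() "/var/www/blog/public/wp-login.php" failed (2: No such file or directory), client: 198.51.100.7, server: www.example.test, request: "GET /wp-login.php HTTP/2.0"
2021/01/30 00:40:10 [error] 26608#26608: *223 open() "/var/www/blog/public/blog/wp-login.php" failed (2: No such file or directory), client: 198.51.100.7, server: www.example.test, request: "GET /blog/wp-login.php HTTP/2.0"
2021/02/05 07:40:22 [error] 25170#25170: *1216 open() "/var/www/blog/public/mmbh/login.php" failed (2: No such file or directory), client: 203.0.113.9, server: www.example.test, request: "GET /mmbh/login.php HTTP/2.0"
2021/02/05 07:41:00 [error] 25170#25170: *1220 open() "/var/www/blog/public/wp/wp-login.php" failed (2: No such file or directory), client: 198.51.100.7, server: www.example.test, request: "GET /wp/wp-login.php HTTP/2.0"
2021/02/06 09:00:00 [error] 25170#25170: *1300 open() "/var/www/blog/public/wp-login.php" failed (2: No such file or directory), client: 192.0.2.1, server: www.example.test, request: "GET /wp-login.php HTTP/1.1"'

# Real usage (the log path is the one from the post): deny every address with
# at least 2 hits except the admin's own, then validate and reload nginx.
#   extract_clients 2 < /var/log/nginx/nginx_error.log | deny_rules "192.0.2.1" \
#       >> /etc/nginx/conf.d/blacklist.conf && nginx -t && nginx -s reload
```

Run against the constructed sample, `extract_clients 2` yields only 198.51.100.7, while `extract_clients | deny_rules "192.0.2.1"` yields deny lines for 198.51.100.7 and 203.0.113.9 and skips the allowlisted address.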