Should I bother blocking these rather lame attempts to hack my server?

I'm running a LAMP stack, with no phpMyAdmin installed (yes). Looking through my Apache server logs, I've noticed things like this:

    66.184.178.58 - - [16/Mar/2010:13:27:59 +0800] "GET / HTTP/1.1" 200 1170 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
    200.78.247.148 - - [16/Mar/2010:15:26:05 +0800] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 506 "-" "-"
    206.47.160.224 - - [16/Mar/2010:17:27:57 +0800] "GET / HTTP/1.1" 200 1170 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
    190.220.14.195 - - [17/Mar/2010:01:28:02 +0800] "GET //phpmyadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 480 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
    190.220.14.195 - - [17/Mar/2010:01:28:03 +0800] "GET //pma/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 476 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
    190.220.14.195 - - [17/Mar/2010:01:28:04 +0800] "GET //admin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 478 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
    190.220.14.195 - - [17/Mar/2010:01:28:05 +0800] "GET //dbadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 479 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
    190.220.14.195 - - [17/Mar/2010:01:28:05 +0800] "GET //mysql/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 479 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
    190.220.14.195 - - [17/Mar/2010:01:28:06 +0800] "GET //php-my-admin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 482 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

What exactly is going on here? Is this a really lame attempt at hacking in? Should I bother blocking these IP addresses, or just leave it?

Edit: They apparently also try SSH as well. Interestingly, they are nowhere near getting my username. :p

I wouldn't spend the effort trying to handle that kind of thing manually, but if you haven't already, try setting up something like fail2ban.

Yes, it's script kiddies running standard "off the shelf" hacking scripts looking for vulnerable servers. If you're patched and firewalled and have locked down all the usual stuff, then I wouldn't worry too much: you will always get hack attempts.

Of course, do worry if you're not patched and firewalled and have exploitable scripts/pages/apps running on your server. Keep an eye out for anything unusual, and make sure you get notified of security updates and install them.

This is just the background noise of the Internet. It's not worth your time or effort to deal with it. If you haven't set up fail2ban, then you should, but nothing beyond that is needed. I see tens of thousands of attempts like this in a day or two of logs.
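The log excerpt in the question and the fail2ban suggestions in the answers, worked through as an added example (this is not code from the question, the answers, or fail2ban itself): parse Apache combined-format lines, tag the two probe signatures visible in the excerpt (the DFind `w00tw00t` request and the phpMyAdmin `config.inc.php?p=phpinfo()` probe), and apply the rule fail2ban uses before it bans a host, a maxretry count inside a sliding findtime window. The probe labels, patterns and threshold values are assumptions chosen for illustration; the log lines are the nine from the question, embedded so the example runs offline.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# The nine access-log lines quoted in the question, embedded so this runs offline.
SAMPLE_LOG = [
    '66.184.178.58 - - [16/Mar/2010:13:27:59 +0800] "GET / HTTP/1.1" 200 1170 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"',
    '200.78.247.148 - - [16/Mar/2010:15:26:05 +0800] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 506 "-" "-"',
    '206.47.160.224 - - [16/Mar/2010:17:27:57 +0800] "GET / HTTP/1.1" 200 1170 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"',
    '190.220.14.195 - - [17/Mar/2010:01:28:02 +0800] "GET //phpmyadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 480 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"',
    '190.220.14.195 - - [17/Mar/2010:01:28:03 +0800] "GET //pma/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 476 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"',
    '190.220.14.195 - - [17/Mar/2010:01:28:04 +0800] "GET //admin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 478 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"',
    '190.220.14.195 - - [17/Mar/2010:01:28:05 +0800] "GET //dbadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 479 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"',
    '190.220.14.195 - - [17/Mar/2010:01:28:05 +0800] "GET //mysql/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 479 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"',
    '190.220.14.195 - - [17/Mar/2010:01:28:06 +0800] "GET //php-my-admin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 482 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"',
]

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Signatures of the probes visible in the excerpt. Assumed labels and patterns chosen
# for this example; a real fail2ban filter expresses the same idea as a failregex.
PROBE_PATTERNS = [
    ("dfind-scanner", re.compile(r"w00tw00t\.at\.ISC\.SANS\.DFind")),
    ("phpmyadmin-setup-probe", re.compile(r"config/config\.inc\.php\?p=phpinfo\(\)", re.I)),
    ("phpmyadmin-path-probe", re.compile(r"^/+(phpmyadmin|pma|php-my-admin|myadmin|dbadmin)(/|$)", re.I)),
]


def parse_line(line):
    """Split one combined-format line into fields; returns None for lines that do not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def classify(rec):
    """First probe label whose pattern matches the request path, or None for ordinary traffic."""
    for label, pattern in PROBE_PATTERNS:
        if pattern.search(rec["path"]):
            return label
    return None


def probe_summary(lines):
    """{client IP: {probe label: count}} over the given log lines."""
    summary = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec)
        if label is not None:
            summary[rec["host"]][label] += 1
    return {host: dict(counts) for host, counts in summary.items()}


def bans_for(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """fail2ban-style decision: a host is banned at the moment it reaches maxretry
    probe hits inside a sliding findtime window. Lines must be in time order.
    Returns {client IP: time of the hit that triggered the ban}."""
    recent = defaultdict(deque)
    bans = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or classify(rec) is None:
            continue
        window = recent[rec["host"]]
        window.append(rec["time"])
        while window and rec["time"] - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry and rec["host"] not in bans:
            bans[rec["host"]] = rec["time"]
    return bans


if __name__ == "__main__":
    print(probe_summary(SAMPLE_LOG))
    for host, when in bans_for(SAMPLE_LOG).items():
        print(f"ban {host} (triggered {when:%Y-%m-%d %H:%M:%S})")
```

On the question's own lines this bans 190.220.14.195 at its third probe (01:28:04) and leaves the single DFind hit alone, which is the trade-off the maxretry/findtime knobs express: one stray request is not evidence, a burst of known probe URLs from one source is. The `probe_summary` view is what tells you whether the noise level is changing, which the fail2ban answers take for granted.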

I always see very similar things in my logs. I'd bet it's just a scanner, probably trawling largely for known exploitable holes.

In other words, don't worry. Just make sure your system is up to date with patches.

This is a script I wrote "earlier" (i.e. a few years ago) to remove the annoying 404s from the Apache error log.

    #!/usr/bin/perl -w
    # ===========================================================================
    # Script kiddies and worms often try URLs behind which one can find
    # specific vulnerabilities. This script writes a file to stdout that can then
    # be included by httpd.conf so that known probed URLS result in 410s.
    #
    # See also: http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html:
    #
    #   10.4.11 410 Gone
    #
    #   The requested resource is no longer available at the server and no
    #   forwarding address is known. This condition is expected to be
    #   considered permanent. Clients with link editing capabilities SHOULD
    #   delete references to the Request-URI after user approval. If the
    #   server does not know, or has no facility to determine, whether or
    #   not the condition is permanent, the status code 404 (Not Found) SHOULD
    #   be used instead. This response is cacheable unless indicated otherwise.
    #
    #   The 410 response is primarily intended to assist the task of web
    #   maintenance by notifying the recipient that the resource is intentionally
    #   unavailable and that the server owners desire that remote links to that
    #   resource be removed. Such an event is common for limited-time, promotional
    #   services and for resources belonging to individuals no longer working at
    #   the server's site. It is not necessary to mark all permanently unavailable
    #   resources as "gone" or to keep the mark for any length of time -- that is
    #   left to the discretion of the server owner.
    #
    # WHY IS THIS INTERESTING
    # -----------------------
    #
    # This setup removes the requests from the Apache httpd error log (the
    # requests no longer generate 'file not found' errors)
    #
    # This is a good thing insofar as that list then becomes smaller (good
    # for maintenance) and someone trying out more 'refined' vulnerabilities
    # becomes visible (good for ringing the warning bell). It also tells
    # script kiddies to go look elsewhere. On the other hand, a notable
    # increase in probing might go unnoticed.
    #
    # If the website is configured to redirect requests for unknown URLs to the
    # homepage, having this script saves on bandwidth for sure.
    #
    # Notes
    # -----
    #
    # Probes for errors in HTTP protocol handling (bad headers etc) will still
    # show up in the log.
    #
    # -> analog webanalysis: The files still appear in the analog "failure
    #    request" log except if you set "STATUSEXCLUDE 410"
    #
    # -> You want to allow some URLs which are being probed as you really
    #    might have the corresponding application installed (patched and
    #    secured beforehand of course). Sometimes, adding further path elements
    #    might be a solution to discriminate legit requests from probes.
    #
    # -> Performance impact? I have no idea.
    #
    # What matches
    # ------------
    #
    # The "gone" URLs are just the start of URLs, so anything with an extension
    # will also match. There generally is no need to put the values into goneMatch.
    # If you list "/forum3" as "gone", then the following will be marked "gone":
    #
    #    /forum3
    #    //forum3     (which reduces to /forum3)
    #    /forum3/x
    #    /forum3//
    #
    # but not
    #
    #    /forum3alpha
    #
    # If the website is configured to redirect requests for unknown URLs to the
    # homepage, having this script saves both on bandwidth and noise in the web
    # statistics.
    # ===========================================================================

    use List::MoreUtils qw(uniq);    # yum install perl-List-MoreUtils

    # Direct matching
    @gone = makeGoneArray();

    # Used for simple printing
    # for my $x (@gone) { print " $x\n" }; exit 1;

    # Special matching ANYWHERE WITHIN AN URL.
    # Lines terminated with a "$" will only match at the URL's end
    # (so "/data.tar" and "/data.tar?x=2" will match, but "/data.tar/foo" will not)
    # Probes may check many versions of "phpMyAdmin" (like "/phpMyAdmin-2.6.0a" etc),
    # so, that URL is in the "goneMatch" list:
    # 2014-07: Found a bot actually scanning for backup files in the root; added!

    @goneMatch = qw(
       xmlrpc\.php
       nsiislog\.dll
       jud\.cgi
       xmlrpc
       xmlsrv
       w00tw00t
       proc\/self\/environ
       etc\/passwd
       /\.ht
       /\.svn/
       /\.svn$
       ^/phpMyAdmin
       /(site|data|pack|archive|zip|arch|all|export|exported|old|new|db|database|tgz|dump|backup|bckp|bak)\.(tar|tar\.gz|tgz|zip|rar|bz7)?$
    );

    # PRINT IT. The result is supposed to be installed by another script which
    # checks whether the script currently in use has different content and
    # runs a graceful restart of Apache httpd. It also replaces %COPYMARK%
    # with a tag indicating the installation operation.

    print "# --------------------------------------------------------------------------\n";
    print "# Use the perl script 'kiddie_be_gone.pl' to generate the contents below,\n";
    print "# which are included by httpd.conf\n";
    print "# Even easier, use ~q/httpd/sbin/install_kiddie_be_gone.sh\n";
    print "# \%COPYMARK%\n";
    print "# --------------------------------------------------------------------------\n";

    #
    # Some URLs in scan attacks are actually used by us! We allow them here.
    #
    # @allowed = ( '/administrator', '/main.php' );

    @allowed = ();
    %allowed = map { $_, 1 } @allowed;

    {
       my $earlier = "";
       foreach my $entry (sort @gone) {
          # Eliminate duplicates, which is easy as the list is sorted
          if ($earlier eq $entry) {
             print STDERR "Duplicate 'gone' entry '$entry'; skipping it\n";
          }
          else {
             $earlier = $entry;
             if ($entry =~ /^(.*)\/$/) {
                print STDERR "Terminating slash in '$entry'; removed slash\n";
                $entry = $1;
             }
             if ($allowed{$entry}) {
                #
                # Some URLS in scan attacks are actually used by us! Filter them out
                #
             }
             else {
                #
                # Return a "410" - redirect gone
                #
                # See "http://httpd.apache.org/docs/2.2/mod/mod_alias.html#redirect" redirect instruction
                # Access to URLs yields error 410 - "Resource gone, no forwarding address"
                #
                # It would be cool to return a custom error code "444" - probe URL for example, but that
                # does not seem to be possible.
                #
                print "Redirect gone $entry\n";
             }
          }
       }
    }

    #
    # Once again, for "RedirectMatch"
    #

    {
       my $earlier = "";
       foreach my $entry (sort @goneMatch) {
          if ($earlier eq $entry) {
             print STDERR "Duplicate 'goneMatch' entry $entry\n";
          }
          else {
             $earlier = $entry;
             print "RedirectMatch gone $entry\n";
          }
       }
    }

    #######################################################################################
    # Function to set up the URLs to which one responds "gone".
    #
    # "/\.ht"   matches URLS which contain "/.ht", eg "/.htaccess"
    # "/\.svn/" matches URLS which contain "/.svn/", ie anything requesting stuff under .svn
    # "/\.svn$  matches URLs which terminate in "/.svn", ie the request for the dir itself
    # (What about requests for "encoded" URLs? like "/.s%76n/"? They seem to be caught, too)
    #
    # This list is at the end of the script for easier editing and subsequent appending
    # using the usual Unix text processing tools.
    #
    # Use "sort --unique" on the array to manually recreate the list.
    #######################################################################################

    sub makeGoneArray {
       @series1 = qw(
          /* /.. /..%5c..%5cwinnt /...
          /000 /111 /222 /2phpmyadmin /333 /3rdparty /444 /555 /666 /777 /888 /999
          /AZ.php /BB /BBS1 /BBS2 /BE_config.php /BFormMail.pl /Blog /CFIDE /Cdma-cat.html
          /Count-cat.html /FastHTTPAuthScanner200test /Forum /Forums /Horde /Joomla /M83A
          /MSADC /MSOffice /MSOffice/cltreq.asp /MyAdmin /MySQLAdmin /MySQLDumper
          /NULL.IDA /NULL.ida /NULL.idq /NULL.printer /PBServer /PHPMYADMIN /PHPmyadmin
          /PMA /PMA2005 /README /Rpc /SQL /SQLite /SQLiteManager /SQLiteManager-1.2.4
          /SQlite /SSLMySQLAdmin /Wordpress /\x85\x04\bsoapCaller.bs
          /_admin /_mem_bin /_phpMyAdmin /_phpmyadmin /_vti_bin /_vti_bin/owssvr.dll
          /_vti_cnf /_vti_inf.html /a.asp /achievo /adm /admin /admin/config/config.inc.php
          /admin/includes/general.js /admin/phpmyadmin2/index.php /admin/scripts/setup.php
          /admin_modules /admindump /administrator /adminsql /admm /admn /adsamples
          /agSearch /agenda.php3 /agenda2.php3 /apc-aa /appConf.htm /apps /appserv/main.php
          /assets /aws /awstats /awstats-cgibin /awstats.pl /awstatstotals /awstatstotals.php
          /azenv.php /b2b/admin/includes/stylesheet.css /backup /backups /backuptool /bak
          /bb /bbs /bck /bin/msgimport /bk /bkup /blogs /board /boards /bug/login_page.php
          /bugtracker/login_page.php /bulletinboard /bulletinboards /butik /c /c99.php /cart
          /catalog/admin/includes/stylesheet.css /cc /cgi /cgi-bin /cgi-bin/..
          /cgi-bin/azenv.pl /cgi-bin/check.bat /cgi-bin/ip1.cgi /cgi-bin/judge.cgi
          /cgi-bin/prxjdg.cgi /cgi-bin2 /cgi-local /chat /chat1 /chat2 /chat3 /chi-bin
          /class /cmd.php /cms /common /community /components /components/com_roundcube/CHANGELOG
          /config /configuration_administrator /content /cpadmin /cpadmindb /cpanelmysql
          /cpanelphpmyadmin /cpanelsql /cpdbadmin /cpphpmyadmin /createemails.inc.php /cube
          /cube/bin/msgimport /cvs /d /data_dump /database /databaseadmin /db
          /db/js/keyhandler.js /db/mysql/main.php /db/pma/main.php /db/scripts/setup.php
          /db/sql/main.php /db9 /dbadmin /dbadmin/config/config.inc.php /dbdumper /dbsich
          /dbtw-wpd /default.ida /discussion /dmp /dmpr /domains /downloads /drupal /dump
          /dumper /ecommerce/admin/includes/stylesheet.css /ehcp /email/README
          /eshop/admin/includes/stylesheet.css /estadisticas /exchange /ezformml.cgi /fastenv
          /feed /fmail.pl /formmail.cgi /foros /forum /forum2 /forum3 /forums /freepbx
          /galaxy_ /gallery /gb /getip.php /global /globals.php3 /him.php /horde
          /horde-3.0.5 /horde-3.0.6 /horde-3.0.7 /horde-3.0.8 /horde-3.0.9 /horde2 /horde3
          /htdocs /httdocs /http /hudson /iisadmpwd /index.cgiupgrade_album.ph /index.phtml
          /intl /ip.cgi /ip.php /ip1.cgi /issue/login_page.php /issuetracker/login_page.php
          /jmx-console /joke /joomla /js /judge.php /judge112233.php /lib /lib_gor /libs
          /mail /mail/bin/msgimport /mail2 /mails/README /mailz/README /main.php /mambo
          /mambots /manager /mantis/login_page.php /mantisbt/login_page.php /map.xml
          /members /mod_cbsms_messages.php /modules /msadc /msd /msd0.1 /msd0.9.2 /msd0.9.3c
          /msd1 /msd1.14_Beta3 /msd1.20 /msd1.21 /msd1.21.1 /msd1.21.2 /msd1.21.3 /msd1.21.4
          /msd1.21.5 /msd1.21.6 /msd1.21.7 /msd1.21.8 /msd1.21.9 /msd1.21b6 /msd1.21stable
          /msd1.22 /msd1.22.1 /msd1.22.2 /msd1.22.3 /msd1.22.4 /msd1.22.5 /msd1.22.6
          /msd1.22.7 /msd1.22.8 /msd1.22.9 /msd1.22stable /msd1.23 /msd1.23.1 /msd1.23.2
          /msd1.23.3 /msd1.23.4 /msd1.23.5 /msd1.23.6 /msd1.23.7 /msd1.23.8 /msd1.23.9
          /msd1.23stable /msd1.24 /msd1.24.1 /msd1.24.2 /msd1.24.3 /msd1.24.4 /msd1.24.5
          /msd1.24.6 /msd1.24.7 /msd1.24.8 /msd1.24.9 /msd1.24RC1.5 /msd1.24RC1.6
          /msd1.24RC1.7 /msd1.24RC1.8 /msd1.24stable /msd1.25 /msd10 /msd2 /msd3 /msd4
          /msd5 /msd6 /msd7 /msd8 /msd9 /msdac /msdadmin /msdump /msdump0 /msgboard /mss
          /mss2 /mss2/bin/msgimport /mt-comments.cgi /muieblackcat /my /my-sql
          /myAdmin/config/config.inc.php /myAdmin/scripts/setup.php /mySqlDumper /myadmin
          /myadmin/config/config.inc.php /myadmin/scripts/setup.php /mysql /mysql-admin
          /mysql/config/config.inc.php /mysql/scripts/setup.php /mysqladmin
          /mysqladmin/scripts/setup.php /mysqladminconfig /mysqld /mysqldadmin /mysqldmp
          /mysqldump /mysqldump0 /mysqldump3r /mysqldumpe /mysqldumper /mysqldumper0
          /mysqldumper01 /mysqldumper02 /mysqldumper03 /mysqldumper04 /mysqldumper05
          /mysqldumper06 /mysqldumper07 /mysqldumper08 /mysqldumper09 /mysqldumper1
          /mysqldumper1.24.1 /mysqldumper1.24.2 /mysqldumper1.24.3 /mysqldumper1.24.4
          /mysqldumper10 /mysqldumper2 /mysqldumper3 /mysqldumper4 /mysqldumper5
          /mysqldumper6 /mysqldumper7 /mysqldumper8 /mysqldumper9 /mysqldumperadmin
          /mysqlmanager /nar /negozio/admin/includes/stylesheet.css /newboard /newboards
          /newmail /ok /openwebmail /p /p/m/a/config/config.inc.php /pHpMy /pHpMyAdMiN /pMA
          /padmin /php /php-my-admin /php-my-admin/config/config.inc.php /php-myadmin
          /phpAlbum /phpBB /phpBB2 /phpLDAPadmin /phpMyA /phpMyAdmi
          /phpMyAdmin/scripts/setup.php /phpMyAds /phpMyChat /phpMyadmin /phpTest
          /phpTest/zologize/axa.php /phpThumb /phpThumb.php /phpadmin
          /phpadmin/js/keyhandler.js /phpadmin/scripts/setup.php /phpalbum /phpbb /phpdb
          /phpgroupware /phpldapadmin /phpm /phpmanager /phpmy /phpmy-admin /phpmyAdmin
          /phpmya /phpmyad /phpmyad-sys /phpmyadmin /phpmyadmin1 /phpmyadmin2 /phppgadmin
          /phppma /pma /pma/scripts/setup.php /pma2005 /pmadmin /pmwiki /pmwiki.php /pmwiki2
          /portal /pp /ppmwiki /pr.php /presse /program /projects/login_page.php /proxy
          /proxy-1.php /proxyheader.php /qql /r /r57.php /rc /recordings /rms /root /round
          /round/bin /roundcube /roundcube-0.1 /roundcube-0.2 /roundcubemail
          /roundcubemail-0.1 /roundcubemail-0.2 /s-cgi /samples /scgi /scgi-bin /scoreboard
          /script /scripts /scripts/.. /send_emails.inc.php /sicherung /siemens /sl2
          /soapCaller.bs /sql /sqladmin /sqldumper /sqlite /sqlitemanager /sqlmanager
          /sqlweb /sqlweb/config/config.inc.php /squirrelmail/CHANGELOG /ssa /stat
          /staticfiles /stats /stoma.php /stuff /sumthin /test /textenv.pl
          /thisdoesnotexistahaha.php /thumb /tmp /track /tracker/login_page.php
          /translators.html /trix/soapCaller.bs /trixbox/soapCaller.bs /typo3 /ugboard
          /ugboards /undergraduate /underground /usage /user/soapCaller.bs
          /user/templates/footer.tpl /vhcs2 /vhcs2/domain_default_page/index.html
          /vhcs2/soapCaller.bs /vhosts /vtigercrm /w /wbb2 /web /webadmin /webdav /webdb
          /webmai /webmail /webmail2 /websql /webstats /wiki /wikipedia /wm /wordpress
          /workflow-activities.php /wp /wp-admin /wp-admin/index.php /wp-content
          /wp-login.php /wp-phpmyadmin /www /wwwroot /xampp /zadmin /~ /~root
          /configuration_administrator /administrator /blog /_phpmyadmin /apache-default
       );
       return uniq sort (@series1);
    }
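How the directives the script prints actually match, as an added example (not part of the answer's script): an emulation of mod_alias's `Redirect` prefix match and `RedirectMatch` regex match over a handful of entries copied from the lists above, checked against the "What matches" cases in the script header and against the probe URLs from the question. The matching rules are as I read mod_alias (a prefix matches on a path-segment boundary with any run of slashes treated as one; a regex runs over the URL-path as received); the entry subset is chosen for illustration.

```python
import re
from urllib.parse import unquote

# A handful of entries copied from the script's @gone and @goneMatch lists above.
GONE = ["/phpmyadmin", "/pma", "/admin", "/dbadmin", "/mysql", "/php-my-admin", "/forum3", "/wp-login.php"]
GONE_MATCH = [r"w00tw00t", r"/\.ht", r"/\.svn/", r"/\.svn$", r"^/phpMyAdmin"]


def url_path(request_target):
    """The %-decoded URL-path mod_alias sees: query string removed, escapes decoded."""
    return unquote(request_target.split("?", 1)[0])


def redirect_gone_hit(request_target, gone=GONE):
    """Emulates `Redirect gone PREFIX`. mod_alias compares the prefix on path-segment
    boundaries and treats any run of slashes as one, which is why //forum3 and
    /forum3/x hit but /forum3alpha does not. Returns the matching prefix or None."""
    path = re.sub(r"/{2,}", "/", url_path(request_target))
    for prefix in gone:
        if path == prefix or path.startswith(prefix + "/"):
            return prefix
    return None


def redirect_match_hit(request_target, patterns=GONE_MATCH):
    """Emulates `RedirectMatch gone REGEX`: the regex runs over the URL-path as received,
    so repeated slashes are NOT collapsed here. Returns the matching pattern or None."""
    path = url_path(request_target)
    for pattern in patterns:
        if re.search(pattern, path):
            return pattern
    return None


def would_be_gone(request_target):
    """True if the generated httpd.conf fragment would answer 410 instead of 404."""
    return redirect_gone_hit(request_target) is not None or redirect_match_hit(request_target) is not None


if __name__ == "__main__":
    for target in ("/forum3", "//forum3", "/forum3/x", "/forum3//", "/forum3alpha",
                   "//phpmyadmin/config/config.inc.php?p=phpinfo();", "/w00tw00t.at.ISC.SANS.DFind:)"):
        print(f"{target:50} -> {'410' if would_be_gone(target) else '404'}")
```

Two things the emulation makes visible. First, the question's `//phpmyadmin/...` probes are caught by the plain `Redirect gone /phpmyadmin` entry because the prefix matcher collapses the doubled slash, while the regex entry `^/phpMyAdmin` would miss `//phpMyAdmin-2.6.0a` on the httpd versions this script was written for; since httpd 2.4.39 the `MergeSlashes` directive (on by default) collapses the slashes before the regex sees them. Second, the DFind request in the question got a 400, not a 404: Apache rejects an HTTP/1.1 request without a `Host` header before any `Redirect` rule runs, which is the "protocol handling" case the script header says will still show up in the log.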

Check out http://www.modsecurity.org/, which can also be configured to mitigate attacks against Apache. You might also consider using different servers for authenticated and unauthenticated users. An attack on your main web application users would then require full authentication.

Abusive users could be denied access, or at least be notified to clean up their nasty machines.

I would rather use a different approach. Accept these requests, but store them in a database and reject them directly through your site's security functions. If a firewall is installed, make sure the firewall also blocks the IP directly for 24 hours. Identification is very simple: whatever is not a normal request is bad. That's what I do, and it works very well. Note that this lets me identify the incoming requests, how many times they were issued, and so on, and react to them very quickly. I know this requires a bit more knowledge of your website software, but in the end it is very effective at catching unwanted traffic and defending actively.
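The approach in this answer (accept the request, record it, then reject the client and block the IP for 24 hours), as an added example that is not the answerer's own code: a small WSGI wrapper with a SQLite table of recorded probes and a ban table with a 24-hour expiry. The route allowlist, the table layout, the 403 response and the `demo_app` are assumptions made for the example; the rule it enforces is the answer's own, "whatever is not a normal request is bad".

```python
import re
import sqlite3
import time

BAN_SECONDS = 24 * 60 * 60

# The site's legitimate URL space. These routes are an assumption for the example;
# in practice the list must cover everything the site really serves (favicon.ico,
# robots.txt, static assets), otherwise legitimate visitors get banned as well.
KNOWN_ROUTES = [re.compile(p) for p in (
    r"^/$",
    r"^/about$",
    r"^/blog(/[\w-]+)?$",
    r"^/static/[\w./-]+$",
)]


class ProbeGuard:
    """Records every abnormal request, bans its source IP for 24 hours and refuses
    banned clients before the application sees them. `clock` is injectable for tests."""

    def __init__(self, db_path=":memory:", clock=time.time):
        self.db = sqlite3.connect(db_path)
        self.clock = clock
        self.db.executescript("""
            CREATE TABLE IF NOT EXISTS probes (ts REAL, ip TEXT, method TEXT, path TEXT, agent TEXT);
            CREATE TABLE IF NOT EXISTS bans (ip TEXT PRIMARY KEY, until REAL);
        """)

    @staticmethod
    def is_normal(path):
        return any(route.match(path) for route in KNOWN_ROUTES)

    def is_banned(self, ip):
        row = self.db.execute("SELECT until FROM bans WHERE ip = ?", (ip,)).fetchone()
        if row is None:
            return False
        if row[0] <= self.clock():          # expired: drop the row and let the client through
            self.db.execute("DELETE FROM bans WHERE ip = ?", (ip,))
            self.db.commit()
            return False
        return True

    def record_and_ban(self, ip, method, path, agent):
        now = self.clock()
        self.db.execute("INSERT INTO probes VALUES (?, ?, ?, ?, ?)", (now, ip, method, path, agent))
        self.db.execute("INSERT OR REPLACE INTO bans VALUES (?, ?)", (ip, now + BAN_SECONDS))
        self.db.commit()
        # This is also the place to push `ip` to the host firewall for the same 24 hours.

    def decide(self, ip, method, path, agent=""):
        """(status, reason): 403/'banned' for an already banned client, 403/'probe' for a
        request outside the known URL space (the client is banned from now on), else 200/'ok'."""
        if self.is_banned(ip):
            return 403, "banned"
        if not self.is_normal(path):
            self.record_and_ban(ip, method, path, agent)
            return 403, "probe"
        return 200, "ok"

    def probe_counts(self):
        """{ip: number of recorded probes}, the 'how many times' view the answer mentions."""
        return dict(self.db.execute("SELECT ip, COUNT(*) FROM probes GROUP BY ip"))

    def wsgi(self, app):
        """Wrap a WSGI application so that banned or probing clients get a bare 403."""
        def wrapped(environ, start_response):
            # REMOTE_ADDR is the TCP peer. Only substitute X-Forwarded-For when a
            # trusted reverse proxy sets it; otherwise that header is attacker-controlled.
            status, reason = self.decide(
                environ.get("REMOTE_ADDR", ""),
                environ.get("REQUEST_METHOD", "GET"),
                environ.get("PATH_INFO", "/"),
                environ.get("HTTP_USER_AGENT", ""),
            )
            if status != 200:
                start_response("403 Forbidden", [("Content-Type", "text/plain")])
                return [reason.encode()]
            return app(environ, start_response)
        return wrapped


def demo_app(environ, start_response):
    """Stand-in application (assumed for the example) that answers every request."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


if __name__ == "__main__":
    guard = ProbeGuard()
    for path in ("/", "//phpmyadmin/config/config.inc.php", "/"):
        print(path, guard.decide("203.0.113.5", "GET", path))
    print(guard.probe_counts())
```

The single-strike rule is what makes this approach cheap to run and what makes it risky: one mistyped link from a real visitor, or a crawler fetching `/robots.txt` that you forgot to allowlist, earns a 24-hour ban. The `probes` table is the audit trail for exactly that, so review it for the first few days before the firewall hook goes live.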