服务器 Gind.cn
  1. 服务器 Gind.cn
  3. 对于web服务器IPTABLE速率限制,应该限制什么
Intereting Posts
shell脚本自动化SFTP上传? php_mod和脚本执行时间 阻止访问其他用户的文件 使用nginx + apache或nginx +龙卷风为django站点服务更好吗? 亚马逊机器图像 限制对ACL的访问(CentOS) 所以我从共享主机转移到VPS。 我需要什么? 带有$ scheme的nginx proxy_cache_key 什么是可移植的nignx HTTP访问日志格式与nginx一起使用? UnrealIRCD – 启动问题 是否有任何远程桌面软件可以通过浏览器访问Linux? 在两台远程机器之间复制大文件 – 高效 子网计算器 任何不是基于netfilter / iptables的debian防火墙解决scheme? 请说明Xen,VirtualBox,Sun VM和Oracle VM之间的关系

对于web服务器IPTABLE速率限制,应该限制什么

我在我的web服务器上看到如下一些日志 

203.252.157.98 - :25:02 "GET //phpmyadmin/ HTTP/1.1" 404 393 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro" 203.252.157.98 - :25:03 "GET //phpMyAdmin/ HTTP/1.1" 404 394 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro" 203.252.157.98 - :25:03 "GET //pma/ HTTP/1.1" 404 388 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro" 203.252.157.98 - :25:04 "GET //dbadmin/ HTTP/1.1" 404 391 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro" 203.252.157.98 - :25:05 "GET //myadmin/ HTTP/1.1" 404 391 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro" 203.252.157.98 - :25:06 "GET //phppgadmin/ HTTP/1.1" 404 394 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro" 203.252.157.98 - :25:06 "GET //PMA/ HTTP/1.1" 404 389 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro" 203.252.157.98 - :25:07 "GET //admin/ HTTP/1.1" 404 389 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro" 203.252.157.98 - :25:08 "GET //MyAdmin/ HTTP/1.1" 404 392 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro" 203.252.157.98 - :27:36 "GET //phpmyadmin/ HTTP/1.1" 404 393 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro" 203.252.157.98 - :27:42 "GET //phpMyAdmin/ HTTP/1.1" 404 394 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro" 203.252.157.98 - :27:42 "GET //pma/ HTTP/1.1" 404 388 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro" 203.252.157.98 - :27:43 "GET //dbadmin/ HTTP/1.1" 404 391 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro" 203.252.157.98 - - "GET //myadmin/ HTTP/1.1" 404 391 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"

还有一些如下 

 118.219.234.254 - - [19/Oct/2010:22:57:41 "GET /pma/scripts/setup.php HTTP/1.1" 404 399 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" 118.219.234.254 - - [19/Oct/2010:22:57:41 "GET /scripts/setup.php HTTP/1.1" 404 397 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" 118.219.234.254 - - [19/Oct/2010:22:57:42 "GET /sqlweb/scripts/setup.php HTTP/1.1" 404 401 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" 118.219.234.254 - - [19/Oct/2010:22:57:42 "GET /web/phpMyAdmin/scripts/setup.php HTTP/1.1" 404 408 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" 118.219.234.254 - - [19/Oct/2010:22:57:43 "GET /web/phpmyadmin/scripts/setup.php HTTP/1.1" 404 408 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" 118.219.234.254 - - [19/Oct/2010:22:57:44 "GET /web/scripts/setup.php HTTP/1.1" 404 400 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" 118.219.234.254 - - [19/Oct/2010:22:57:44 "GET /webadmin/scripts/setup.php HTTP/1.1" 404 403 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" 118.219.234.254 - - [19/Oct/2010:22:57:45 "GET /webdb/scripts/setup.php HTTP/1.1" 404 401 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" 118.219.234.254 - - [19/Oct/2010:22:57:45 "GET /websql/scripts/setup.php HTTP/1.1" 404 401 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" 118.219.234.254 - - [19/Oct/2010:05:38:51 "GET /admin/phpmyadmin/scripts/setup.php HTTP/1.1" 404 407 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" 118.219.234.254 - - [19/Oct/2010:05:38:52 "GET /admin/pma/scripts/setup.php HTTP/1.1" 404 404 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" 118.219.234.254 - - [19/Oct/2010:05:38:52 "GET /admin/scripts/setup.php HTTP/1.1" 404 401 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" 118.219.234.254 - - [19/Oct/2010:05:38:53 "GET /db/scripts/setup.php HTTP/1.1" 404 399 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" 118.219.234.254 - - [19/Oct/2010:05:38:54 "GET /dbadmin/scripts/setup.php HTTP/1.1" 404 402 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" 118.219.234.254 - - [19/Oct/2010:05:38:54 "GET /myadmin/scripts/setup.php HTTP/1.1" 404 403 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" 118.219.234.254 - - [19/Oct/2010:05:38:55 "GET /mysql/scripts/setup.php HTTP/1.1" 404 401 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" 118.219.234.254 - - [19/Oct/2010:05:38:55 "GET /mysqladmin/scripts/setup.php HTTP/1.1" 404 405 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" 118.219.234.254 - - [19/Oct/2010:05:38:56 "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 405 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" 118.219.234.254 - - [19/Oct/2010:05:38:56 "GET /phpadmin/scripts/setup.php HTTP/1.1" 404 403 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" 118.219.234.254 - - [19/Oct/2010:05:38:57 "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 404 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" 118.219.234.254 - - [19/Oct/2010:05:38:57 "GET /pma/scripts/setup.php HTTP/1.1" 404 399 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" 118.219.234.254 - - [19/Oct/2010:05:38:58 "GET /scripts/setup.php HTTP/1.1" 404 397 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" 118.219.234.254 - - [19/Oct/2010:05:38:58 "GET /sqlweb/scripts/setup.php HTTP/1.1" 404 401 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" 118.219.234.254 - - [19/Oct/2010:05:38:59 "GET /web/phpMyAdmin/scripts/setup.php HTTP/1.1" 404 408 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" 118.219.234.254 - - [19/Oct/2010:05:38:59 "GET /web/phpmyadmin/scripts/setup.php HTTP/1.1" 404 408 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" 118.219.234.254 - - [19/Oct/2010:05:39:00 "GET /web/scripts/setup.php HTTP/1.1" 404 400 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" 118.219.234.254 - - [19/Oct/2010:05:39:01 "GET /webadmin/scripts/setup.php HTTP/1.1" 404 403 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" 118.219.234.254 - - [19/Oct/2010:05:39:01 "GET /webdb/scripts/setup.php HTTP/1.1" 404 401 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" 118.219.234.254 - - [19/Oct/2010:05:39:02 "GET /websql/scripts/setup.php HTTP/1.1" 404 401 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

我有2个问题
1)当我的网站发生这样的攻击时,那么这样的扫描正在进行如何检测它? (在很短的时间内)
2)我决定对IPTABLES进行速率限制,以便在一定程度上减less一些脚本小子(在phpmyadmin或其他脚本中扫描漏洞)的DOS攻击。要限制真正用户的数量是多less被踢出。问题2的最佳做法是什么?

而不是限制你的networking服务器,你应该考虑安装类似fail2ban的东西。 使用合适的filter可以用来禁止iptables防火墙的IP地址。 您可以将其configuration为禁止将匹配的IP地址从几分钟到永久。

编辑:

你可以使用fail2ban来做到这一点。 /etc/fail2ban/filter.d/apache-noscript.conf文件要实现你想要的东西很长。

你可以添加一个监狱到/etc/fail2ban/jail.conf使用它 

 [apache-noscript] enabled = true filter = apache-noscript action = iptables[name=Apache, port=80, protocol=tcp] sendmail[name=Postfix, [email protected]] logpath = /var/log/httpd/error_log maxretry = 5 bantime = some value you like

请注意,您的错误日志可能在我不同的位置,例如/var/log/apache2/error.log

当这种攻击发生在我的网站上,然后这样的扫描正在进行如何检测它?

使用IDS这样的Snort或日志分析器(fail2ban)。

问题2的最佳做法是什么?

最佳做法阻止IP和CAPTCHAredirect。