我上周主持了我的Rails应用程序.今天我正在浏览我们的日志文件并注意到很多这样的请求.
I,[2016-03-14T00:42:18.501703 #21223] INFO -- : Started GET "/testproxy.php" for 185.49.14.190 at 2016-03-14 00:42:18 -0400
F,[2016-03-14T00:42:18.510616 #21223] FATAL -- :
ActionController::RoutingError (No route matches [GET] "/testproxy.php"):
有人试图从不同的IP地址转到testproxy.php.有些ip来自波兰,有些来自香港.我被某人袭击了吗?我有什么保护自己的选择.
以下是日志文件中的其他输出:
I,[2016-03-14T03:09:24.945467 #15399] INFO -- : Started GET "/clientaccesspolicy.xml" for 107.22.223.242 at 2016-03-14 03:09:24 -0400
F,[2016-03-14T03:09:24.949328 #15399] FATAL -- :
ActionController::RoutingError (No route matches [GET] "/clientaccesspolicy.xml"):
不同的IP地址:
I,[2016-03-14T16:03:47.793731 #15399] INFO -- : Started GET "/testproxy.php" for 178.216.200.48 at 2016-03-14 16:03:47 -0400
F,[2016-03-14T16:03:47.818519 #15399] FATAL -- :
ActionController::RoutingError (No route matches [GET] "/testproxy.php"):
search.php中
I,[2016-03-14T19:41:14.261843 #15399] INFO -- : Started GET "/forum/search.php" for 164.132.161.67 at 2016-03-14 19:41:14 -0400
F,[2016-03-14T19:41:14.266563 #15399] FATAL -- :
ActionController::RoutingError (No route matches [GET] "/forum/search.php"):
论坛/ index.php文件
I,[2016-03-15T10:54:55.254785 #26469] INFO -- : Started GET "/forum/index.php" for 164.132.161.56 at 2016-03-15 10:54:55 -0400
F,[2016-03-15T10:54:55.266456 #26469] FATAL -- :
ActionController::RoutingError (No route matches [GET] "/forum/index.php"):
phpmyadim /脚本/ setup.php
I,[2016-03-15T13:21:36.862918 #26469] INFO -- : Started GET "/phpMyAdmin/scripts/setup.php" for 103.25.73.234 at 2016-03-15 13:21:36 -0400
F,[2016-03-15T13:21:36.867050 #26469] FATAL -- :
ActionController::RoutingError (No route matches [GET] "/phpMyAdmin/scripts/setup.php"):
另一个setup.php
I,[2016-03-15T13:21:37.452097 #26469] INFO -- : Started GET "/pma/scripts/setup.php" for 103.25.73.234 at 2016-03-15 13:21:37 -0400
F,[2016-03-15T13:21:37.453647 #26469] FATAL -- :
ActionController::RoutingError (No route matches [GET] "/pma/scripts/setup.php"):
myadmin /脚本/ setup.php
I,[2016-03-15T13:21:38.034283 #26469] INFO -- : Started GET "/myadmin/scripts/setup.php" for 103.25.73.234 at 2016-03-15 13:21:38 -0400
F,[2016-03-15T13:21:38.041563 #26469] FATAL -- :
ActionController::RoutingError (No route matches [GET] "/myadmin/scripts/setup.php"):
还有很多其他的东西.请告诉我如何保护自己免受这些攻击.
当您运行公共服务器时,这很常见.这是我家庭服务器的auth.log的摘录:
Mar 14 19:22:36 hotdog sshd[65937]: Received disconnect from 181.214.92.11: 11: Bye Bye [preauth]
Mar 14 19:22:37 hotdog sshd[65939]: Invalid user ubnt from 181.214.92.11
Mar 14 19:22:37 hotdog sshd[65939]: input_userauth_request: invalid user ubnt [preauth]
Mar 14 19:22:37 hotdog sshd[65939]: Received disconnect from 181.214.92.11: 11: Bye Bye [preauth]
Mar 14 19:22:38 hotdog sshd[65941]: Invalid user support from 181.214.92.11
Mar 14 19:22:38 hotdog sshd[65941]: input_userauth_request: invalid user support [preauth]
Mar 14 19:22:38 hotdog sshd[65941]: Received disconnect from 181.214.92.11: 11: Bye Bye [preauth]
Mar 14 19:22:39 hotdog sshd[65943]: Invalid user oracle from 181.214.92.11
Mar 14 19:22:39 hotdog sshd[65943]: input_userauth_request: invalid user oracle [preauth]
Mar 14 19:22:39 hotdog sshd[65943]: Received disconnect from 181.214.92.11: 11: Bye Bye [preauth]
Mar 14 19:22:40 hotdog sshd[65945]: Received disconnect from 181.214.92.11: 11: Bye Bye [preauth]
Mar 14 19:24:04 hotdog sshd[65947]: fatal: Read from socket failed: Operation timed out [preauth]
Mar 14 20:01:19 hotdog sshd[66032]: Received disconnect from 183.3.202.102: 11: [preauth]
Mar 14 20:40:17 hotdog sshd[66092]: Invalid user cacti from 199.217.117.71
Mar 14 20:40:17 hotdog sshd[66092]: input_userauth_request: invalid user cacti [preauth]
Mar 14 20:40:17 hotdog sshd[66092]: Connection closed by 199.217.117.71 [preauth]
Mar 14 21:32:09 hotdog sshd[66188]: Received disconnect from 183.3.202.102: 11: [preauth]
Mar 14 22:01:59 hotdog sshd[66256]: Invalid user user1 from 199.217.117.71
Mar 14 22:01:59 hotdog sshd[66256]: input_userauth_request: invalid user user1 [preauth]
Mar 14 22:02:00 hotdog sshd[66256]: Connection closed by 199.217.117.71 [preauth]
Mar 14 22:17:57 hotdog sshd[66280]: Did not receive identification string from 14.182.117.161
正如您所看到的那样,人们不断尝试通过猜测用户名来侵入我的服务器.由于服务器只接受publickey登录,而不是密码,我相信自己对这些特殊攻击相当安全.
这同样适用于您的PHP文件.他们正试图找到一个他们可以运行一些罐头漏洞的php端点.您可以使用fail2ban等工具来帮助限制速率.但实际上这些攻击总是存在于公共服务器上.唯一的方法是确保您的软件能够抵御攻击.
一些常识常识提示:
>不要运行超出您需要的服务,因为任何一项服务都可能会打开您的服务器进行攻击.使用nmap检查已打开的端口.
>检查您的apache / nginx配置是否允许执行超过必要的更多(PHP)文件.
>不断更新您的软件.这些攻击中的大多数是自动化的,因此依赖于常见包中的已发布漏洞.
