Handling the w00tw00t.at.blackhats.romanian.anti-sec problem
Time: 2019-08-20 17:58:28 Source: igfitidea
Recently my cloud server was attacked:
[root@server log]# grep -r w00t *
httpd/access_log-20130623:203.156.205.160 - - [21/Jun/2013:10:15:42 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 301 354 "-" "ZmEu"
httpd/access_log-20130623:203.156.205.160 - - [21/Jun/2013:18:24:07 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 301 354 "-" "ZmEu"
httpd/access_log-20130623:203.156.205.160 - - [21/Jun/2013:18:24:09 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 301 354 "-" "ZmEu"
httpd/access_log-20130623:108.161.129.137 - - [22/Jun/2013:21:46:59 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 301 354 "-" "ZmEu"
[root@server log]#
w00tw00t.at.blackhats.romanian.anti-sec is a scripted scan: the attacker probes Apache for phpMyAdmin and PHP vulnerabilities and tries to exploit them through crafted URLs.
Solution:
(1) Block it with iptables, matching on the request string (this only works for plain HTTP on port 80, since the string is visible in the packet payload).
iptables -I INPUT -p tcp --dport 80 -m string --to 60 --algo bm --string 'GET /w00tw00t' -j DROP
(2) Use fail2ban
Create a new file named "w00tw00t.conf" in /etc/fail2ban/filter.d/:
vi /etc/fail2ban/filter.d/w00tw00t.conf

[Definition]
# <HOST> is the placeholder fail2ban expands into its IP/hostname pattern;
# without it the filter cannot extract the address to ban
failregex = ^<HOST> .*"GET /w00tw00t
ignoreregex =

Edit /etc/fail2ban/jail.conf, append this configuration after the last line, and restart the fail2ban service:
vi /etc/fail2ban/jail.conf

[w00tw00t-scans]
enabled = true
action = iptables-allports
         sendmail-whois[name=SSH, dest=root, sender=[email protected]]
filter = w00tw00t
##### set the log path ######
logpath = /var/log/httpd/access_log
maxretry = 1
###### ban for 24 hour ######
bantime = 86400
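To see what the filter and jail above actually do before enabling them, the following added example (not from the original post) replays the failregex over a few constructed access_log lines, counts matches per source host, and applies the jail's maxretry threshold. The `<HOST>` token is approximated with a single non-space field, and the IP addresses are documentation ranges, not the ones in the log above.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> expansion (assumption: the client
# address is the first space-delimited field, as in Apache's common log format).
HOST = r"(?P<host>\S+)"
# Same pattern as the w00tw00t.conf failregex above, with <HOST> substituted.
FAILREGEX = re.compile(r"^" + HOST + r" .*\"GET /w00tw00t")

# Constructed sample log lines (documentation IPs, not real scan sources).
SAMPLE_LOG = """\
203.0.113.10 - - [21/Jun/2013:10:15:42 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 301 354 "-" "ZmEu"
198.51.100.7 - - [21/Jun/2013:10:16:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.10 - - [21/Jun/2013:18:24:07 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 301 354 "-" "ZmEu"
192.0.2.55 - - [22/Jun/2013:21:46:59 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 301 354 "-" "ZmEu"
198.51.100.7 - - [22/Jun/2013:21:47:10 +0000] "GET /w00tw00t HTTP/1.1" 404 210 "-" "curl/7.29"
"""


def scan_hits(log_text):
    """Return a Counter of source host -> number of log lines the failregex matches."""
    hits = Counter()
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if m:
            hits[m.group("host")] += 1
    return hits


def hosts_to_ban(hits, maxretry=1):
    """Apply the jail's maxretry: a host is banned once it reaches that many matches."""
    return sorted(host for host, n in hits.items() if n >= maxretry)


if __name__ == "__main__":
    hits = scan_hits(SAMPLE_LOG)
    for host, n in hits.most_common():
        print(f"{host}\t{n}")
    # With maxretry = 1 a single request for any /w00tw00t path is enough to ban.
    print("ban:", hosts_to_ban(hits, maxretry=1))
```

Note that the last sample line (a plain request for /w00tw00t from a normal user agent) is also matched and, at maxretry = 1, banned; raise maxretry if that is too aggressive for your site.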