Handling w00tw00t.at.blackhats.romanian.anti-sec scans

Time: 2019-08-20 17:58:28  Source: igfitidea

The cloud server was recently hit by the following requests:

[root@server log]# grep -r w00t *
httpd/access_log-20130623:203.156.205.160 - - [21/Jun/2013:10:15:42 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 301 354 "-" "ZmEu"
httpd/access_log-20130623:203.156.205.160 - - [21/Jun/2013:18:24:07 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 301 354 "-" "ZmEu"
httpd/access_log-20130623:203.156.205.160 - - [21/Jun/2013:18:24:09 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 301 354 "-" "ZmEu"
httpd/access_log-20130623:108.161.129.137 - - [22/Jun/2013:21:46:59 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 301 354 "-" "ZmEu"
[root@server log]#

w00tw00t.at.blackhats.romanian.anti-sec is not an exploit by itself but the signature request of an automated vulnerability scanner. The "ZmEu" User-Agent in the log lines belongs to a scanning tool that walks the internet looking for phpMyAdmin and other PHP applications exposed through Apache and then tries to abuse them through crafted URLs. The 301 responses above show that Apache merely redirected the probe, so nothing was compromised by this request alone; it is still worth blocking, because the same source usually follows up with phpMyAdmin and PHP-specific probes.

Solutions:

(1) Use an iptables string match to drop any packet on port 80 whose payload contains the start of the scanner's request:

iptables -I INPUT -p tcp --dport 80 -m string --to 60 --algo bm --string 'GET /w00tw00t' -j DROP

Two caveats. This only sees plaintext HTTP: the same probe over TLS on port 443 is encrypted and cannot be string-matched, so pair it with the fail2ban approach below if the site serves HTTPS. And --to 60 restricts the search to the first 60 bytes of the packet counted from the IP header; if TCP options enlarge the headers, the string may start beyond that window and the rule will silently never fire, so if you see no hits on the rule counters raise --to or omit it (the default searches the whole packet).

(2) Use fail2ban

Create a new filter file named "w00tw00t.conf" in /etc/fail2ban/filter.d/:

vi /etc/fail2ban/filter.d/w00tw00t.conf

[Definition]
failregex = ^<HOST> -.*"GET /w00tw00t
ignoreregex =

The failregex must contain the <HOST> tag: fail2ban replaces it with a capture group for the client address and bans whatever that group captured, and a pattern without it (such as ^ .*"GET /w00tw00t*) is rejected when the jail starts because there is no host to ban. The trailing * in that pattern would also only have meant "zero or more t characters", not "the rest of the path".

Edit /etc/fail2ban/jail.conf, append the following jail after the last line and restart the fail2ban service. (On current fail2ban versions put the jail in /etc/fail2ban/jail.local instead, with the same syntax, since jail.conf is overwritten on package upgrades.)

vi /etc/fail2ban/jail.conf

[w00tw00t-scans]
enabled  = true
action   = iptables-allports[name=w00tw00t]
           sendmail-whois[name=w00tw00t, dest=root, [email protected]]
filter   = w00tw00t
##### set the log path ######
logpath  = /var/log/httpd/access_log
maxretry = 1
###### ban for 24 hours ######
bantime  = 86400

The second action line must be indented so that fail2ban reads it as a continuation of the action value rather than as a stray key, and name is set to w00tw00t instead of SSH so that the iptables chain it creates and the notification mail identify this jail. maxretry = 1 bans an address on the first matching request, which is appropriate here because no legitimate client ever asks for this path.
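To check that the filter and the maxretry threshold behave as intended before deploying them, the following is an added Python example (not code from the original post or from fail2ban) that applies the failregex above, with a simplified stand-in for fail2ban's <HOST> expansion, to a few constructed access_log lines. The addresses, the follow-up phpMyAdmin probe and the ordinary browser request are invented for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in Apache combined log format (illustrative, not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [21/Jun/2013:10:15:42 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 301 354 "-" "ZmEu"
203.0.113.10 - - [21/Jun/2013:10:15:43 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 288 "-" "ZmEu"
198.51.100.7 - - [22/Jun/2013:21:46:59 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 301 354 "-" "ZmEu"
192.0.2.25 - - [22/Jun/2013:22:01:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# The failregex from the filter above. fail2ban replaces the <HOST> tag with a
# named capture group before compiling; its real expansion also handles IPv6
# and hostnames, this simplified stand-in (an assumption) takes any non-space token.
FAILREGEX = r'^<HOST> -.*"GET /w00tw00t'
HOST_GROUP = r'(?P<host>\S+)'


def compile_failregex(pattern):
    """Expand <HOST> the way fail2ban does and compile the pattern."""
    return re.compile(pattern.replace('<HOST>', HOST_GROUP))


def has_host_group(pattern):
    """fail2ban rejects a failregex that yields no 'host' group (the page's
    original pattern had none), so check for it before deploying."""
    return 'host' in compile_failregex(pattern).groupindex


def count_matches(log_text, pattern=FAILREGEX):
    """Tally matching lines per client address, as a jail tallies failures."""
    rx = compile_failregex(pattern)
    hits = Counter()
    for line in log_text.splitlines():
        m = rx.search(line)
        if m:
            hits[m.group('host')] += 1
    return hits


def banned_hosts(log_text, maxretry=1, pattern=FAILREGEX):
    """Addresses that reached maxretry matches and would be banned by the jail."""
    hits = count_matches(log_text, pattern)
    return sorted(host for host, n in hits.items() if n >= maxretry)


if __name__ == '__main__':
    assert has_host_group(FAILREGEX)
    print('would ban:', banned_hosts(SAMPLE_LOG))
```

Running it lists the two scanning addresses; the ordinary request from 192.0.2.25 is left alone, and so is the follow-up phpMyAdmin probe, which this filter deliberately does not cover. Against a live system the equivalent check is fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/w00tw00t.conf, which reports how many lines the regex matched and which hosts it extracted.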