menu LittleJake's Blog
color_lens
avatar
Jake Liu
Never Settle
creative commons by-nc-sa
hit
Category
keyboard_arrow_down

© 2024 LittleJake's Blog.

萌ICP备20223020号

禁止网站漏洞特征扫描(封禁扫描IP)

Annoying attack to my server.

pic


Use a honeypot to capture IP, but...

attack through the Cloudflare but without HTTP_CF_CONNECTING_IP header.
damn

pic

Next, brute force attack my PHPMyAdmin (mysql)

pic

I wonder why phpmyadmin don't povide anti brute force attack.
Even a captcha.

deeper analyze

  • symbol 1:It will first scan POST /Appc187f5ac.php HTTP/1.1
  • symbol 2:Massively use the same IP visit PHPMyAdmin continuously
  • symbol 3:Attack lasts for 20 mins about 1QPS speed
  • symbol 4:visit http but not https

Simple solution Apache version

Forbid IP according to symbol 1 and write it into hosts.deny (Linux).

  1. Create a shell file and copy the code below.
#!/bin/sh
WWWLOG=wwwlog directory
LIST=`cat $WWWLOG/*/access.log | grep Appc187f5ac | uniq | awk '{print $1}'|sort`

for IP in $LIST
do
  grep $IP /etc/hosts.deny > /dev/null
  if [ $? -gt 0 ]
  then
    echo "all:$IP" >> /etc/hosts.deny
  fi
done
  1. chmod +x grant permission to the script.
  2. using crontab to execute it per 5 mins
root $ crontab -e

*/5 * * * * sh 'script position'

Massive abuse IP in my hosts.deny. Update every 5 mins

including lots of ssh brute force attack IP

blacklist.txt

Buy me a beer

buymeacoffee
Jake Liu
Never Settle

Title: 禁止网站漏洞特征扫描(封禁扫描IP)

Author: Jake Liu

Origin:

Creative Commons License

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International (CC BY-NC-SA 4.0) For any re-post you must give appropriate credit.

文章遵循CC许可 署名-非商业性使用-相同方式共享 4.0 国际 (CC BY-NC-SA 4.0) 转载请注明出处

Tag:none

评论区

Add a new comment.

Theme