与Bot斗法

最近发现有个后端服务器出现异常,cpu使用率持续较高,流量也不少,htop观察到是两个站点的fastcgi进程跑的有点欢,遂处理之。

 

说起来还真下了不少功夫。

一般我习惯性的是找几个访问量太多的ip直接封了就是,但是简单统计一下,发现ip太多,手工封了100多个IP/IP段以后,我就疯了。。。

然后统计一下这些bot提交的地址,我自己的一个网站被提交最多的是评论和后台登录,哥们的网站被提交的是后台登录,两个都是wordpress。

我自己那个网站,试了下直接关闭评论功能,但是tmd居然还能提交进去,虽然被插件直接列为垃圾了,但cpu还是会占用的,所以直接把提交地址给删了。

那么剩下来的就是后台暴破密码的问题了。因为我不好去动哥们的网站文件,所以先从外围入手,有些垃圾是通过user-agent来伪装成spider进行暴破的,那么根据他的实际行为来封锁,包括协议版本和ua:

if ($server_protocol ~* "HTTP/1.0") {
    return 444;
}

if ($http_user_agent ~* (SemrushBot|python|MJ12bot|AhrefsBot|AhrefsBot|hubspot|opensiteexplorer|leiki|webmeup|ZoominfoBot|x86_64)) {
     return 444;
}

因为1.0已经是化石级协议了,现在的工具和浏览器没人用这个版本,所以直接屏蔽没问题。然后这些ua大多是网友统计的,我自己加了几个。

这样就处理掉大部分了,剩下仍然有很少的几个人在不断的换ip暴破,虽然频率已经很低了,但看到了也没有不管的道理,顺手封一下ip就是了。

下面是我一个前端的ipset列表,一个c段有多个ip连续暴破的话,则封c段,一个b段有多个c段不干好事的话,则直接封b段,中间有几个是重复的,也有很多是我懒得去分析,直接用的单ip:

ipset destroy badip
ipset create badip hash:net
ipset add badip 195.154.79.0/24
ipset add badip 110.84.66.70/32
ipset add badip 222.239.225.0/24
ipset add badip 221.229.166.101/32
ipset add badip 221.229.207.198/32
ipset add badip 153.36.201.6/32
ipset add badip 51.15.16.144/32
ipset add badip 198.144.121.186/32
ipset add badip 122.114.156.118/32
ipset add badip 106.13.79.113/32
ipset add badip 5.45.88.12/32
ipset add badip 5.45.71.103/32
ipset add badip 46.249.59.234/32
ipset add badip 5.45.85.119/32
ipset add badip 37.1.207.7/32
ipset add badip 5.45.73.238/32
ipset add badip 93.158.203.45/32
ipset add badip 178.170.150.120/32
ipset add badip 193.176.184.112/32
ipset add badip 188.120.34.245/32
ipset add badip 188.72.64.86/32
ipset add badip 5.45.67.104/32
ipset add badip 5.45.73.148/32
ipset add badip 185.10.57.154/32
ipset add badip 37.1.206.32/32
ipset add badip 37.1.220.179/32
ipset add badip 193.176.185.36/32
ipset add badip 185.145.24.34/32
ipset add badip 185.89.133.134/32
ipset add badip 46.249.36.223/32
ipset add badip 185.234.114.39/32
ipset add badip 5.45.75.55/32
ipset add badip 185.67.0.202/32
ipset add badip 37.1.219.55/32
ipset add badip 188.72.64.107/32
ipset add badip 188.120.32.84/32
ipset add badip 37.1.202.97/32
ipset add badip 5.45.76.53/32
ipset add badip 185.44.128.5/32
ipset add badip 193.176.184.112/32
ipset add badip 5.178.65.164/32
ipset add badip 185.234.114.38/32
ipset add badip 5.45.86.243/32
ipset add badip 37.252.15.34/32
ipset add badip 185.10.57.154/32
ipset add badip 5.45.67.104/32
ipset add badip 91.235.136.178/32
ipset add badip 37.1.204.78/32
ipset add badip 91.235.137.21/32
ipset add badip 37.1.220.244/32
ipset add badip 93.158.208.30/32
ipset add badip 193.176.184.112/32
ipset add badip 185.145.25.9/32
ipset add badip 5.45.87.223/32
ipset add badip 188.120.34.241/32
ipset add badip 37.1.220.179/32
ipset add badip 92.119.113.26/32
ipset add badip 193.200.164.90/32
ipset add badip 138.201.87.102/32
ipset add badip 95.216.36.80/32
ipset add badip 142.234.39.0/24
ipset add badip 194.158.36.0/24
ipset add badip 178.216.249.0/24
ipset add badip 178.128.248.0/24
ipset add badip 134.209.0.0/16
ipset add badip 104.248.0.0/16
ipset add badip 178.62.0.0/16
ipset add badip 159.69.42.212/32
ipset add badip 54.36.0.0/16
ipset add badip 66.249.79.0/24
ipset add badip 110.249.201.0/24
ipset add badip 111.225.149.0/24
ipset add badip 111.225.148.0/24
ipset add badip 115.159.151.0/24
ipset add badip 110.249.201.0/24
ipset add badip 110.249.202.0/24
ipset add badip 194.93.59.13/32
ipset add badip 164.68.109.233/32
ipset add badip 209.182.198.223/32
ipset add badip 192.145.239.208/32
ipset add badip 162.158.58.74/32
ipset add badip 172.68.47.53/32
ipset add badip 139.59.58.99/32
ipset add badip 210.57.217.18/32
ipset add badip 66.42.63.201/32
ipset add badip 104.192.83.226/32
ipset add badip 104.192.83.226/32
ipset add badip 218.71.136.108/32
ipset add badip 66.249.75.0/24
ipset add badip 5.188.210.0/24
ipset add badip 5.188.62.5/32
ipset add badip 193.114.100.2/32
ipset add badip 188.17.152.172/32
ipset add badip 163.179.32.211/32
ipset add badip 185.6.8.3/32
ipset add badip 42.236.10.112/32
ipset add badip 125.84.183.240/32
ipset add badip 125.84.177.26/32
ipset add badip 88.208.206.200/32
ipset add badip 185.94.192.84/32
ipset add badip 211.214.160.164/32
ipset add badip 183.150.238.244/32
ipset add badip 167.114.172.224/32
ipset add badip 167.71.93.181/32
ipset add badip 139.59.58.99/32
ipset add badip 210.57.217.18/32
ipset add badip 35.246.180.56/32
ipset add badip 210.233.72.4/32
ipset add badip 162.241.211.155/32
ipset add badip 110.74.222.159/32
ipset add badip 77.84.114.166/32
ipset add badip 177.36.43.59/32
ipset add badip 95.38.169.246/32
ipset add badip 143.255.52.102/32
ipset add badip 181.209.82.154/32
ipset add badip 24.198.153.105/32
ipset add badip 192.154.98.50/32
ipset add badip 200.56.60.157/32
ipset add badip 178.170.187.106/32
ipset add badip 77.233.11.21/32
ipset add badip 178.93.151.70/32
ipset add badip 212.34.254.34/32
ipset add badip 106.105.219.84/32
ipset add badip 118.173.232.184/32
ipset add badip 220.232.156.206/32
ipset add badip 212.120.186.39/32
ipset add badip 194.44.61.82/32
ipset add badip 116.212.131.174/32
ipset add badip 95.165.160.46/32
ipset add badip 86.57.174.152/32
ipset add badip 31.210.228.44/32
ipset add badip 138.117.84.175/32
ipset add badip 103.65.194.2/32
ipset add badip 194.44.192.201/32
ipset add badip 121.225.173.233/32
ipset add badip 158.174.107.91/32
ipset add badip 87.251.238.156/32
ipset add badip 37.59.17.24/32
ipset add badip 188.225.179.98/32
ipset add badip 95.179.134.75/32
ipset add badip 110.78.147.176/32
ipset add badip 118.175.207.216/32
ipset add badip 163.172.105.148/32
ipset add badip 177.74.184.254/32
ipset add badip 36.89.10.51/32
ipset add badip 223.25.14.66/32
ipset add badip 195.110.53.148/32
ipset add badip 104.223.45.57/32
ipset add badip 121.225.25.224/32
ipset add badip 222.186.138.0/24
ipset add badip 193.106.30.0/24
ipset add badip 183.164.242.0/24





iptables -I INPUT -m set --match-set badip src -j DROP

 

凡是这些ip过来的数据直接丢掉。

小技巧就是,ipset创建的是网络,需要加单ip的话就用/32的掩码,挺方便。

状态444是让前端的nginx直接把这个连接删掉,不产生任何回应,让bot自己等去吧,他要是发起的连接足够多的话,就相当于对他自己进行了dos,让他死机去。

 

 

 

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: