For a long time the author's work has basically consisted of developing the company's PHP applications and maintaining several CentOS servers. Over that time I have put together a small set of techniques for dealing with attacks. I don't want to keep them to myself, so I'm sharing them with everyone; I hope you find them useful!
First, the server setup. The servers sit inside the company, directly connected to a fibre line with 7 fixed IPs. Each server has its own fixed IP and two network cards: besides the fixed IP on the external network, each server also sits on a shared internal network. The 7 fixed IPs are distributed through a hardware firewall with routing capability. The hardware firewall only opens port 80 to the outside world; everything else is closed. The servers are almost all CentOS; only one runs Windows. Every CentOS box has the firewall that ships with Linux enabled. For remote management, I use some special means to connect to a Windows server on the LAN where the servers sit, and from there I control each server through SSH installed on that Windows machine. This setup is very troublesome, but it is very safe. (I should add that each server's firewall has a rule allowing one-way SSH connections from one particular intranet IP. That setting is more cumbersome still, and it's a long story, so I won't go into it here.)
Given this, you may ask: with only port 80 open, what is there to attack? In fact that is not the case. First, a certain company often uses the webbench stress-testing tool to try to paralyse nginx. There is nothing to be done about it: this program has been used before and they are the ones who developed it, so they know that it consumes extremely high CPU resources when running. Second, many netizens from the mainland probe for potential loopholes in the program, such as guessing the administrator's backend entry point, or guessing whether compressed backups of the website have been left on the server, and so on. All of their access methods target port 80. If no measures are taken, nginx often ends up paralysed, with the website returning error 500 or error 502, and that is before considering the harm those guesses could do. Having said that, the author had no choice but to take some measures to suppress the many unfriendly visitors mentioned above.
The method is actually not complicated. First, I use PHP to work out the visitor's intention. If the other party's intention is sinister and meets my blocking conditions, then kill him! PHP automatically creates a file such as .sh, whose content rewrites the Linux firewall rules (of course I could also rewrite the rules of the hardware firewall, but that is too troublesome, so I'd rather be lazy!). The attributes and owner of this .sh file are modified so that it can be executed, and then Linux's crontab picks up and executes this .sh, writing the blocking rule into the firewall and at the same time sending an email to the author to tell me that some unlucky guy has been blocked.
Here’s how I do it:
<?php
# Auto-block IPs. QQ group: 223494678
# Usage:
# 1. Put the PHP code below into a configuration file that is require()d globally.
# 2. Over SSH, run: cat /etc/crontab
# 3. Add the following two lines:
#    #auto lock webbench
#    */1 * * * * root /home/wwwroot/bossAdm_Web/webbench.sh;
# 4. Restart the cron service: service crontab restart
#    (on CentOS the service is named crond, so: service crond restart)

// Block WebBench from any source
if (isset($_SERVER['HTTP_USER_AGENT']) && trim($_SERVER['HTTP_USER_AGENT']) != '') {
    $_SERVER['HTTP_USER_AGENT'] = strtolower($_SERVER['HTTP_USER_AGENT']);
    if (stristr($_SERVER['HTTP_USER_AGENT'], 'webbench') !== false
        && (isset($_SERVER['REMOTE_ADDR']) && trim($_SERVER['REMOTE_ADDR']) != '')) {
        DoLock($_SERVER['REMOTE_ADDR']);
        die();
    }
}

// Block sensitive URLs: an IP that probes for paths like the ones below is banned outright. QQ group: 223494678
// This block works best inside 404.php (reconfigure httpd.conf so the 404 error page points to that 404.php). QQ group: 223494678
if (isset($_SERVER['REQUEST_URI']) && trim($_SERVER['REQUEST_URI']) != '') {
    $probes = array('/admin', '/sign', '/reg', '/tiki-', '/join', '/config', '/backup',
                    '/www', '/manage', '/password', '/install', '/phpmyadmin', '/webadmin',
                    '/inc', '/user', '/upload', '/setup', '/sys', '/cert');
    foreach ($probes as $probe) {
        if (stristr($_SERVER['REQUEST_URI'], $probe) !== false) {
            DoLock($_SERVER['REMOTE_ADDR']);
            die();
        }
    }
}

// Create the .sh file that blocks the IP; cron runs it as root. QQ group: 223494678
function DoLock($x) {
    // REMOTE_ADDR is set by the web server, but validate it anyway: it is
    // written verbatim into a script that root will execute.
    if (filter_var($x, FILTER_VALIDATE_IP) === false) {
        return;
    }
    $p = '/home/wwwroot/bossAdm_Web/webbench.sh';
    // Note: this overwrites the file, so two hits within the same cron minute keep only the last IP.
    file_put_contents($p, "#!/bin/bash\n"
        . "iptables -I INPUT -s {$x} -j DROP;\n"
        . "echo \"{$x} - `date`\" | mail -s \"WebBench\" see7di@gmail.com;\n"
        . "cat /dev/null > {$p}", LOCK_EX);
    chmod($p, 0755);
    chown($p, 'www');   // a no-op when the file already belongs to the PHP user (www)
    unset($p, $x);
}
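The script above overwrites webbench.sh on every hit, writes the address into a root-executed script without checking it, and truncates itself while running. The cron-side consumer below is an added example (not the author's webbench.sh) that replaces that design with a queue: it assumes the PHP hook appends one IPv4 address per line to a queue file (file_put_contents with FILE_APPEND), validates each line before it reaches iptables, drops duplicates, and only inserts a rule that is not already present. The queue path and MAIL_TO are hypothetical.

```shell
#!/bin/sh
# Added example, not the author's webbench.sh: cron-side consumer for the
# IP queue. Assumes PHP appends one IPv4 address per line to QUEUE
# (hypothetical path) instead of rewriting a script.
QUEUE="${QUEUE:-/home/wwwroot/bossAdm_Web/block_queue.txt}"
IPTABLES="${IPTABLES:-iptables}"   # set to "echo iptables" for a dry run
MAIL_TO="${MAIL_TO:-}"             # empty: send no notification mail

# Return 0 if $1 is a syntactically valid dotted-quad IPv4 address.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the unique, valid addresses in queue file $1, one per line; any
# line that is not a plain IPv4 address is reported and never reaches root's shell.
clean_queue() {
    sort -u "$1" | while IFS= read -r ip; do
        if valid_ipv4 "$ip"; then
            printf '%s\n' "$ip"
        else
            printf 'rejected queue entry: %s\n' "$ip" >&2
        fi
    done
}

# Insert a DROP rule for each clean address unless one is already present.
apply_blocks() {
    clean_queue "$1" | while IFS= read -r ip; do
        if ! $IPTABLES -C INPUT -s "$ip" -j DROP 2>/dev/null; then
            $IPTABLES -I INPUT -s "$ip" -j DROP
            [ -n "$MAIL_TO" ] && echo "$ip - $(date)" | mail -s "WebBench" "$MAIL_TO"
        fi
    done
}

main() {
    [ -s "$QUEUE" ] || return 0          # nothing queued this minute
    mv "$QUEUE" "$QUEUE.work"            # new hits go to a fresh queue file
    apply_blocks "$QUEUE.work"
    rm -f "$QUEUE.work"
}
# cron entry: */1 * * * * root /path/to/block_queue.sh run
case "${1:-}" in run) main ;; esac
```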
After I posted this, some netizens asked me what exactly the "special means" used to connect to a Windows server on the LAN where these servers sit are. Well, I'll just explain it briefly; I'm afraid saying too much would hurt me. First, I log in to the backend management of the company's website and send a request to open 3389, then log out right after sending it. The rest happens in the background. When the Linux server receives the request (it is just an ini file), it passes the file to the Windows server through Samba over the internal LAN. On the Windows server, a monitoring program I developed scans for such requests; when it finds one, it modifies the hardware firewall settings and opens the port mapped to 3389 (a port up to 65525 is mapped to 3389 on this Windows machine). At that point I can connect to this server over 3389 (it takes only about a minute from sending the request to 3389 opening). Note that you need to change the gpedit settings so that, once the 3389 connection is complete, the request for 3389 is closed automatically, and the monitoring program then closes the mapped 3389 port for me.
If you'd like to chat with fellow PHP enthusiasts about the above, you are welcome to join my QQ group: 223494678. I believe we can only grow through communication; at least that's what I think. :)