How should Nginx handle malicious probing requests like these?

Posted on 2022-09-11 20:37:50 | 8104 characters | 15 views | 0 comments

The following is the Nginx log:

167.114.226.21 - - [13/Mar/2019:07:40:24 +0100] "GET /phpmyadmin2017/index.php?lang=en HTTP/1.1" 302 170 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36"
167.114.226.21 - - [13/Mar/2019:07:40:24 +0100] "GET /phpmyadmin2018/index.php?lang=en HTTP/1.1" 302 170 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36"
167.114.226.21 - - [13/Mar/2019:07:40:25 +0100] "GET /phpmyadmin2019/index.php?lang=en HTTP/1.1" 302 170 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36"
167.114.226.21 - - [13/Mar/2019:07:40:25 +0100] "GET /index.php?lang=en HTTP/1.1" 302 170 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36"
103.89.254.130 - - [13/Mar/2019:08:34:48 +0100] "GET / HTTP/1.1" 302 170 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36"
66.240.205.34 - - [13/Mar/2019:09:27:33 +0100] "Gh0st\xAD\x00\x00\x00\xE0\x00\x00\x00x\x9CKS``\x98\xC3\xC0\xC0\xC0\x06\xC4\x8C@\xBCQ\x96\x81\x81\x09H\x07\xA7\x16\x95e&\xA7*\x04$&g+\x182\x94\xF6\xB000\xAC\xA8rc\x00\x01\x11\xA0\x82\x1F\x5C`&\x83\xC7K7\x86\x19\xE5n\x0C9\x95n\x0C;\x84\x0F3\xAC\xE8sch\xA8^\xCF4'J\x97\xA9\x82\xE30\xC3\x91h]&\x90\xF8\xCE\x97S\xCBA4L?2=\xE1\xC4\x92\x86\x0B@\xF5`\x0CT\x1F\xAE\xAF]" 400 182 "-" "-"
85.108.82.241 - - [13/Mar/2019:09:46:19 +0100] "GET / HTTP/1.1" 302 170 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7"
109.111.129.107 - - [13/Mar/2019:10:11:36 +0100] "GET / HTTP/1.1" 302 170 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36"
196.12.57.2 - - [13/Mar/2019:11:29:34 +0100] "GET / HTTP/1.1" 302 170 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
54.184.223.128 - - [13/Mar/2019:11:45:01 +0100] "GET / HTTP/1.1" 302 170 "-" "Go-http-client/1.1"
138.99.101.21 - - [13/Mar/2019:12:02:30 +0100] "GET / HTTP/1.1" 302 170 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36"
66.240.205.34 - - [13/Mar/2019:13:10:50 +0100] "Gh0st\xAD\x00\x00\x00\xE0\x00\x00\x00x\x9CKS``\x98\xC3\xC0\xC0\xC0\x06\xC4\x8C@\xBCQ\x96\x81\x81\x09H\x07\xA7\x16\x95e&\xA7*\x04$&g+\x182\x94\xF6\xB000\xAC\xA8rc\x00\x01\x11\xA0\x82\x1F\x5C`&\x83\xC7K7\x86\x19\xE5n\x0C9\x95n\x0C;\x84\x0F3\xAC\xE8sch\xA8^\xCF4'J\x97\xA9\x82\xE30\xC3\x91h]&\x90\xF8\xCE\x97S\xCBA4L?2=\xE1\xC4\x92\x86\x0B@\xF5`\x0CT\x1F\xAE\xAF]" 400 182 "-" "-"
211.23.154.136 - - [13/Mar/2019:13:40:43 +0100] "GET / HTTP/1.1" 302 170 "-" "Z"
177.188.243.228 - - [13/Mar/2019:13:48:04 +0100] "GET / HTTP/1.1" 302 170 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36"
154.118.52.126 - - [13/Mar/2019:13:54:57 +0100] "GET / HTTP/1.1" 302 170 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36"
202.59.141.59 - - [13/Mar/2019:14:02:27 +0100] "GET / HTTP/1.0" 302 170 "-" "-"
78.8.58.117 - - [13/Mar/2019:14:23:54 +0100] "GET / HTTP/1.1" 302 170 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
211.23.154.136 - - [13/Mar/2019:16:47:07 +0100] "GET / HTTP/1.1" 403 152 "-" "Z"
211.20.101.36 - - [13/Mar/2019:16:52:24 +0100] "GET / HTTP/1.0" 302 170 "-" "-"
71.6.199.23 - - [13/Mar/2019:17:17:40 +0100] "GET / HTTP/1.1" 302 170 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
71.6.199.23 - - [13/Mar/2019:17:17:40 +0100] "GET /robots.txt HTTP/1.1" 302 170 "-" "-"
71.6.199.23 - - [13/Mar/2019:17:17:40 +0100] "GET /sitemap.xml HTTP/1.1" 302 170 "-" "-"
71.6.199.23 - - [13/Mar/2019:17:17:40 +0100] "GET /.well-known/security.txt HTTP/1.1" 302 170 "-" "-"
71.6.199.23 - - [13/Mar/2019:17:17:40 +0100] "GET /favicon.ico HTTP/1.1" 302 170 "-" "python-requests/2.19.1"
71.6.199.23 - - [13/Mar/2019:17:17:40 +0100] "GET /favicon.ico HTTP/1.1" 403 152 "-" "python-requests/2.19.1"
71.6.199.23 - - [13/Mar/2019:17:17:42 +0100] "GET / HTTP/1.1" 403 580 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/537.36"
71.6.199.23 - - [13/Mar/2019:17:17:42 +0100] "" 400 0 "-" "-"
71.6.199.23 - - [13/Mar/2019:17:17:43 +0100] "" 400 0 "-" "-"
71.6.199.23 - - [13/Mar/2019:17:17:43 +0100] "" 400 0 "-" "-"
71.6.199.23 - - [13/Mar/2019:17:17:43 +0100] "" 400 0 "-" "-"
71.6.199.23 - - [13/Mar/2019:17:17:46 +0100] "quit" 400 182 "-" "-"
71.6.199.23 - - [13/Mar/2019:17:17:47 +0100] "GET /robots.txt HTTP/1.1" 403 178 "-" "-"
71.6.199.23 - - [13/Mar/2019:17:17:47 +0100] "GET /sitemap.xml HTTP/1.1" 403 178 "-" "-"
71.6.199.23 - - [13/Mar/2019:17:17:47 +0100] "GET /.well-known/security.txt HTTP/1.1" 403 178 "-" "-"
71.6.199.23 - - [13/Mar/2019:17:17:47 +0100] "GET /favicon.ico HTTP/1.1" 403 152 "-" "python-requests/2.19.1"
71.6.199.23 - - [13/Mar/2019:17:17:47 +0100] "" 400 0 "-" "-"
177.84.40.189 - - [13/Mar/2019:17:24:12 +0100] "GET / HTTP/1.1" 302 170 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36"
201.150.151.133 - - [13/Mar/2019:17:56:05 +0100] "GET / HTTP/1.1" 302 170 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36"
184.105.139.68 - - [13/Mar/2019:18:41:11 +0100] "GET / HTTP/1.1" 403 178 "-" "-"
162.243.140.136 - - [13/Mar/2019:18:52:28 +0100] "GET / HTTP/1.1" 403 152 "-" "Mozilla/5.0 zgrab/0.x"
190.211.100.50 - - [13/Mar/2019:18:55:19 +0100] "GET / HTTP/1.1" 302 170 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
66.240.205.34 - - [13/Mar/2019:19:46:55 +0100] "145.ll|'|'|SGFjS2VkX0Q0OTkwNjI3|'|'|WIN-JNAPIER0859|'|'|JNapier|'|'|19-02-01|'|'||'|'|Win 7 Professional SP1 x64|'|'|No|'|'|0.7d|'|'|..|'|'|AA==|'|'|112.inf|'|'|SGFjS2VkDQoxOTIuMTY4LjkyLjIyMjo1NTUyDQpEZXNrdG9wDQpjbGllbnRhLmV4ZQ0KRmFsc2UNCkZhbHNlDQpUcnVlDQpGYWxzZQ==12.act|'|'|AA==" 400 182 "-" "-"
203.115.104.162 - - [13/Mar/2019:19:53:05 +0100] "GET / HTTP/1.1" 302 170 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
178.73.215.171 - - [13/Mar/2019:21:06:16 +0100] "GET / HTTP/1.0" 200 96 "-" "-"
216.245.197.254 - - [13/Mar/2019:21:28:57 +0100] "HEAD /robots.txt HTTP/1.0" 302 0 "-" "-"
176.113.212.7 - - [13/Mar/2019:22:21:07 +0100] "GET / HTTP/1.1" 302 170 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
37.6.218.35 - - [13/Mar/2019:23:36:20 +0100] "GET / HTTP/1.1" 302 170 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7"
41.215.188.174 - - [14/Mar/2019:00:33:48 +0100] "GET / HTTP/1.1" 302 170 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36"
139.162.113.204 - - [14/Mar/2019:00:40:01 +0100] "GET / HTTP/1.1" 403 178 "-" "HTTP Banner Detection (https://security.ipip.net)"
5.8.10.202 - - [14/Mar/2019:00:42:12 +0100] "GET / HTTP/1.1" 302 170 "-" "Mozilla/5.0 (Windows NT 5.0) AppleWebKit/5340 (KHTML, like Gecko) Chrome/26.0.802.0 Safari/5340"
37.192.205.10 - - [14/Mar/2019:01:01:45 +0100] "GET / HTTP/1.1" 302 170 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36"
52.53.201.78 - - [14/Mar/2019:01:04:06 +0100] "GET / HTTP/1.1" 302 170 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"


Comments (3)

錯遇了你 2022-09-18 20:37:50

Write a script that monitors the log and rate-limits by IP.
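A log monitor of the kind suggested above, as an added example that is not part of the original thread or any commenter's code: it parses nginx combined-format lines and flags clients that send non-HTTP bytes (answered with 400) or exceed a per-IP request count in a sliding window. The function name, thresholds and sample lines are assumptions; the sample is constructed with documentation-range addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# nginx "combined" access-log format, as in the log above
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*?)" (\d{3}) \S+ "[^"]*" "[^"]*"$')
HTTP_REQ = re.compile(r'^[A-Z]+ \S+ HTTP/\d\.\d$')

def flag_ips(lines, max_hits=5, window=timedelta(seconds=10)):
    """Return {ip: set(reasons)} for clients worth rate-limiting (thresholds are assumed)."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = defaultdict(set)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue              # not an access-log line
        ip, ts, request, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        # Request line is not HTTP at all (empty, "quit", binary protocol probes)
        if status == "400" and not HTTP_REQ.match(request):
            flagged[ip].add("non-http")
        # Sliding-window request count per client address
        q = recent[ip]
        q.append(when)
        while q and when - q[0] > window:
            q.popleft()
        if len(q) > max_hits:
            flagged[ip].add("burst")
    return dict(flagged)

# Constructed sample lines modelled on the log above (not real traffic)
SAMPLE = [
    f'192.0.2.10 - - [13/Mar/2019:07:40:2{i} +0100] '
    f'"GET /phpmyadmin201{i}/index.php HTTP/1.1" 302 170 "-" "Mozilla/5.0"'
    for i in range(6)
] + [
    '198.51.100.7 - - [13/Mar/2019:17:17:46 +0100] "quit" 400 182 "-" "-"',
    '198.51.100.7 - - [13/Mar/2019:17:17:47 +0100] "" 400 0 "-" "-"',
    '203.0.113.5 - - [13/Mar/2019:08:34:48 +0100] "GET / HTTP/1.1" 302 170 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [13/Mar/2019:09:34:48 +0100] "GET / HTTP/1.1" 302 170 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, reasons in sorted(flag_ips(SAMPLE).items()):
        print(ip, ",".join(sorted(reasons)))
```

The returned addresses are what a rate-limit or block rule at the firewall or in nginx would then be keyed on.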

你曾走过我的故事 2022-09-18 20:37:50

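From this log it is obvious that someone is running a vulnerability scanner against the server. Nobody handles this kind of thing directly in the middleware. Enterprises generally use a commercial WAF to block malicious requests, while an individual obviously doesn't have the budget for that. You could consider rate-limiting by IP with iptables, outside of nginx, or find an open-source WAF on GitHub that integrates with the middleware and deploy it to block the malicious requests.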

放血 2022-09-18 20:37:50

Don't use the / location to serve your application; have that location simply return 200;
