iptables封锁指定IP命令以及如何避免重启失效

NOCO发布于 分类 Linux

2天前 有1个用户阅读过

最近几天,某网站的每天日志统计分析邮件里面都会出现IP为49.246.230.40恶意扫描的大量错误日志。

49.246.230.40 - - [23/Jan/2016:22:42:42 +0800]"POST / HTTP/1.1" 410 728"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800]"POST /plus/mytag_js.php?aid=511348 HTTP/1.1" 410 756"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800]"POST /plus/mytag_js.php?aid=9527 HTTP/1.1" 410 754"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800]"POST /plus/mytag_j.php?aid=6022 HTTP/1.1" 410 753"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800]"POST /plus/mytag_js.php?aid=8080 HTTP/1.1" 410 754"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800]"POST /plus/mytag_js.php?aid=9090 HTTP/1.1" 410 754"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800]"POST /plus/mytag_js.php?aid=9191 HTTP/1.1" 410 754"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800]"POST /include/code/mp.php HTTP/1.1" 410 747"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800]"POST /include/helpers/cookie.helpea.php HTTP/1.1" 410 761"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800]"POST /templets/plus/sky.php HTTP/1.1" 410 749"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800]"POST /plus/cere.php HTTP/1.1" 410 741"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800]"POST /plus/360.php HTTP/1.1" 410 740"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800]"POST /data/safe/360.php HTTP/1.1" 410 745"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800]"POST /include/helperss/filter.helpear.php HTTP/1.1" 410 763"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800]"POST /dxyylc/1ndex.php HTTP/1.1" 410 744"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800]"POST /dxyylc/md5.php HTTP/1.1" 410 742"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800]"POST /plus/bakup.php HTTP/1.1" 410 742"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800]"POST /plus/e7xue.php HTTP/1.1" 410 742"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800]"POST /images/swfupload/images/uploadye.php HTTP/1.1" 410 764"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800]"POST /plus/mybak.php HTTP/1.1" 410 742"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800]"POST /plus/xsvip.php HTTP/1.1" 410 742"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800]"POST /plus/laobiao.php HTTP/1.1" 410 744"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800]"POST /data/admin/sky.php HTTP/1.1" 410 746"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800]"POST /plus/90sec.php HTTP/1.1" 410 742"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800]"POST /include/data/fonts/uddatasql.php HTTP/1.1" 410 760"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800]"POST /include/ckeditor/plugins/pagebreak/images/inCahe.php HTTP/1.1" 410 780"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800]"POST /plus/av.php HTTP/1.1" 410 739"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800]"POST /plus/long.php HTTP/1.1" 410 741"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800]"POST /xiaolei.php HTTP/1.1" 410 739"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800]"POST /plus/myjs.php HTTP/1.1" 410 741"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800]"POST /uploads/allimg/xm.php HTTP/1.1" 410 749"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800]"POST /utility/convert/data/config.inc.php HTTP/1.1" 410 763"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800]"POST /utility/convert/data/config.inc.php HTTP/1.1" 410 763"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800]"POST /utility/convert/data/config.inc.php HTTP/1.1" 410 763"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800]"POST /utility/convert/data/rom2823.php HTTP/1.1" 410 760"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800]"POST /utility/convert/include/rom2823.php HTTP/1.1" 410 763"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800]"POST /utility/convert/include/phpmp.php HTTP/1.1" 410 761"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800]"POST /utility/convert/data/config.inc.php HTTP/1.1" 410 763"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800]"POST /utility/convert/data/config.inc.php HTTP/1.1" 410 763"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:43 +0800]"POST /config/AspCms_Config.asp HTTP/1.1" 410 752"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:43 +0800]"POST /config/AspCms_Config.asp HTTP/1.1" 410 752"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:43 +0800]"POST /config/AspCms_Conn.asp HTTP/1.1" 410 750"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:43 +0800]"POST /wp-content/uploads/ftp.php HTTP/1.1" 410 754"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:43 +0800]"POST /wp-admin/js/edit.php HTTP/1.1" 410 748"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:43 +0800]"POST /wp-admin/newfile.php HTTP/1.1" 410 748"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:43 +0800]"POST /wp-content/themes/inline/edit.php HTTP/1.1" 410 761"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:43 +0800]"POST /wp-includes/css/log.php HTTP/1.1" 410 751"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:43 +0800]"POST /wp-includes/theme-compat/qiaogua.php HTTP/1.1" 410 764"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:43 +0800]"POST /wp-content/themes/light/log.php HTTP/1.1" 410 759"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:43 +0800]"POST /wp-includes/images/wlwlog.php HTTP/1.1" 410 757"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:43 +0800]"POST /phpcms/plugin/tangshi.PHp HTTP/1.1" 410 753"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:43 +0800]"POST /phpcms/plugin/weibo/tan.php HTTP/1.1" 410 755"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:44 +0800]"POST /phpsso_server/phpcms/modules/admin/top.php HTTP/1.1" 410 770"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:44 +0800]"POST /phpsso_server/phpcms/modules/admin/map.php HTTP/1.1" 410 770"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:44 +0800]"POST /phpsso_server/api/uc_client/model/cachebase.php HTTP/1.1" 410 775"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:44 +0800]"POST /phpsso_server/phpcms/libs/functions/global.top.php HTTP/1.1" 410 778"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:44 +0800]"POST /lrrpv51331.asp;.jpg HTTP/1.1" 410 747"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:44 +0800]"POST /zzz.asp;.jpg HTTP/1.1" 410 740"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:44 +0800]"POST /jycpcx.asp;.jpg HTTP/1.1" 410 743"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:44 +0800]"POST /l0s4r.asp;.jpg HTTP/1.1" 410 742"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:44 +0800]"POST /Ac2.asp;.jpg HTTP/1.1" 410 740"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:44 +0800]"POST /zixi.asp;.jpg HTTP/1.1" 410 741"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:44 +0800]"POST /jjasp.asp;.jpg HTTP/1.1" 410 742"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:44 +0800]"POST /miaojcx.asp;.jpg HTTP/1.1" 410 744"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:44 +0800]"POST /xk_com.asp;.jpg HTTP/1.1" 410 743"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:44 +0800]"POST /weki.asp HTTP/1.1" 410 736"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:44 +0800]"POST /data/s.asp HTTP/1.1" 410 738"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:44 +0800]"POST /dxyylc/md5.asp HTTP/1.1" 410 742"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:44 +0800]"POST /Somnus/Somnus.asp HTTP/1.1" 410 745"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:44 +0800]"POST /kdatebase/index_.asp HTTP/1.1" 410 748"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:44 +0800]"POST /sitemap/templates/met/SqlIn.asp HTTP/1.1" 410 759"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:44 +0800]"POST /weki.php HTTP/1.1" 410 736"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:44 +0800]"POST /data/s.php HTTP/1.1" 410 738"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:44 +0800]"POST /php168/1ist.php HTTP/1.1" 410 743"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:44 +0800]"POST /data/data/index.php HTTP/1.1" 410 747"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:44 +0800]"POST /data/conn/config.php HTTP/1.1" 410 748"-""-""-"
49.246.230.40 - - [23/Jan/2016:22:42:44 +0800]"POST /book/story_dod_hjkdsafon.php HTTP/1.1" 410 756"-""-""-" 

从他的扫描的URL特征来看,会发现某些开源CMS程序(也许是老版本)的"漏洞"身影。如果无法修复就使用NGINX/APACHE配置屏蔽掉某 些扫描吧,挺管用的,自从加了某些规则,扫描的人数和次数似乎有所下降,应该是某些发觉无法进一步操作就放弃了的,可参考我之前发过的这篇文章 Apache/Nginx屏蔽蜘蛛和采集

虽然它被我配置的nginx规则拒之门外,直接返回410,但是每天收到这种无意义的日志也没必要,所以干脆就把他通过防火墙阻止掉,眼不见心不烦。

#封锁指定IP,即时生效
iptables -I INPUT -s 49.246.230.40 -j DROP
#将规则写入文件,避免重启后规则失效,如果不信你可以跳过这步试下
service iptables save
#重启防火墙
service iptables restart
#查看所有规则
iptables -L 
也可以直接编辑的iptables,然后重启生效

-- The End --

本文标题: iptables封锁指定IP命令以及如何避免重启失效

本文地址: https://seonoco.com/blog/iptables-blocked-ip

本文是否有所帮助?
点赞 0
感谢支持
0
多谢反馈
评论 0
打赏

支持微信/支付宝

评论

网友