iptables command to block a specific IP, and how to keep the rule from being lost on reboot

Published 2016-01-25 by [重庆SEO]

For the past few days, the daily log-analysis summary e-mail for one of my sites has been full of error-log entries from IP 49.246.230.40 doing malicious scanning.

49.246.230.40 - - [23/Jan/2016:22:42:42 +0800] "POST / HTTP/1.1" 410 728 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800] "POST /plus/mytag_js.php?aid=511348 HTTP/1.1" 410 756 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800] "POST /plus/mytag_js.php?aid=9527 HTTP/1.1" 410 754 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800] "POST /plus/mytag_j.php?aid=6022 HTTP/1.1" 410 753 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800] "POST /plus/mytag_js.php?aid=8080 HTTP/1.1" 410 754 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800] "POST /plus/mytag_js.php?aid=9090 HTTP/1.1" 410 754 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800] "POST /plus/mytag_js.php?aid=9191 HTTP/1.1" 410 754 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800] "POST /include/code/mp.php HTTP/1.1" 410 747 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800] "POST /include/helpers/cookie.helpea.php HTTP/1.1" 410 761 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800] "POST /templets/plus/sky.php HTTP/1.1" 410 749 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800] "POST /plus/cere.php HTTP/1.1" 410 741 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800] "POST /plus/360.php HTTP/1.1" 410 740 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800] "POST /data/safe/360.php HTTP/1.1" 410 745 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800] "POST /include/helperss/filter.helpear.php HTTP/1.1" 410 763 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800] "POST /dxyylc/1ndex.php HTTP/1.1" 410 744 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800] "POST /dxyylc/md5.php HTTP/1.1" 410 742 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800] "POST /plus/bakup.php HTTP/1.1" 410 742 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800] "POST /plus/e7xue.php HTTP/1.1" 410 742 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800] "POST /images/swfupload/images/uploadye.php HTTP/1.1" 410 764 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800] "POST /plus/mybak.php HTTP/1.1" 410 742 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800] "POST /plus/xsvip.php HTTP/1.1" 410 742 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800] "POST /plus/laobiao.php HTTP/1.1" 410 744 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800] "POST /data/admin/sky.php HTTP/1.1" 410 746 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800] "POST /plus/90sec.php HTTP/1.1" 410 742 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800] "POST /include/data/fonts/uddatasql.php HTTP/1.1" 410 760 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800] "POST /include/ckeditor/plugins/pagebreak/images/inCahe.php HTTP/1.1" 410 780 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800] "POST /plus/av.php HTTP/1.1" 410 739 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800] "POST /plus/long.php HTTP/1.1" 410 741 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800] "POST /xiaolei.php HTTP/1.1" 410 739 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800] "POST /plus/myjs.php HTTP/1.1" 410 741 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800] "POST /uploads/allimg/xm.php HTTP/1.1" 410 749 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800] "POST /utility/convert/data/config.inc.php HTTP/1.1" 410 763 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800] "POST /utility/convert/data/config.inc.php HTTP/1.1" 410 763 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800] "POST /utility/convert/data/config.inc.php HTTP/1.1" 410 763 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800] "POST /utility/convert/data/rom2823.php HTTP/1.1" 410 760 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800] "POST /utility/convert/include/rom2823.php HTTP/1.1" 410 763 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800] "POST /utility/convert/include/phpmp.php HTTP/1.1" 410 761 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800] "POST /utility/convert/data/config.inc.php HTTP/1.1" 410 763 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800] "POST /utility/convert/data/config.inc.php HTTP/1.1" 410 763 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:43 +0800] "POST /config/AspCms_Config.asp HTTP/1.1" 410 752 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:43 +0800] "POST /config/AspCms_Config.asp HTTP/1.1" 410 752 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:43 +0800] "POST /config/AspCms_Conn.asp HTTP/1.1" 410 750 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:43 +0800] "POST /wp-content/uploads/ftp.php HTTP/1.1" 410 754 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:43 +0800] "POST /wp-admin/js/edit.php HTTP/1.1" 410 748 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:43 +0800] "POST /wp-admin/newfile.php HTTP/1.1" 410 748 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:43 +0800] "POST /wp-content/themes/inline/edit.php HTTP/1.1" 410 761 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:43 +0800] "POST /wp-includes/css/log.php HTTP/1.1" 410 751 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:43 +0800] "POST /wp-includes/theme-compat/qiaogua.php HTTP/1.1" 410 764 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:43 +0800] "POST /wp-content/themes/light/log.php HTTP/1.1" 410 759 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:43 +0800] "POST /wp-includes/images/wlwlog.php HTTP/1.1" 410 757 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:43 +0800] "POST /phpcms/plugin/tangshi.PHp HTTP/1.1" 410 753 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:43 +0800] "POST /phpcms/plugin/weibo/tan.php HTTP/1.1" 410 755 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:44 +0800] "POST /phpsso_server/phpcms/modules/admin/top.php HTTP/1.1" 410 770 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:44 +0800] "POST /phpsso_server/phpcms/modules/admin/map.php HTTP/1.1" 410 770 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:44 +0800] "POST /phpsso_server/api/uc_client/model/cachebase.php HTTP/1.1" 410 775 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:44 +0800] "POST /phpsso_server/phpcms/libs/functions/global.top.php HTTP/1.1" 410 778 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:44 +0800] "POST /lrrpv51331.asp;.jpg HTTP/1.1" 410 747 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:44 +0800] "POST /zzz.asp;.jpg HTTP/1.1" 410 740 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:44 +0800] "POST /jycpcx.asp;.jpg HTTP/1.1" 410 743 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:44 +0800] "POST /l0s4r.asp;.jpg HTTP/1.1" 410 742 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:44 +0800] "POST /Ac2.asp;.jpg HTTP/1.1" 410 740 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:44 +0800] "POST /zixi.asp;.jpg HTTP/1.1" 410 741 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:44 +0800] "POST /jjasp.asp;.jpg HTTP/1.1" 410 742 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:44 +0800] "POST /miaojcx.asp;.jpg HTTP/1.1" 410 744 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:44 +0800] "POST /xk_com.asp;.jpg HTTP/1.1" 410 743 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:44 +0800] "POST /weki.asp HTTP/1.1" 410 736 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:44 +0800] "POST /data/s.asp HTTP/1.1" 410 738 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:44 +0800] "POST /dxyylc/md5.asp HTTP/1.1" 410 742 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:44 +0800] "POST /Somnus/Somnus.asp HTTP/1.1" 410 745 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:44 +0800] "POST /kdatebase/index_.asp HTTP/1.1" 410 748 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:44 +0800] "POST /sitemap/templates/met/SqlIn.asp HTTP/1.1" 410 759 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:44 +0800] "POST /weki.php HTTP/1.1" 410 736 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:44 +0800] "POST /data/s.php HTTP/1.1" 410 738 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:44 +0800] "POST /php168/1ist.php HTTP/1.1" 410 743 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:44 +0800] "POST /data/data/index.php HTTP/1.1" 410 747 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:44 +0800] "POST /data/conn/config.php HTTP/1.1" 410 748 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:44 +0800] "POST /book/story_dod_hjkdsafon.php HTTP/1.1" 410 756 "-" "-" "-" 

Looking at the URL patterns in its scans, you can recognise the "vulnerabilities" of certain open-source CMS packages (probably old versions). If you can't patch them, use your NGINX/APACHE configuration to block these scans; it works quite well. Since I added a few such rules, the number of scanners and scan attempts seems to have dropped, presumably because some of them give up once they find they can't get any further. See my earlier article on this: Apache/Nginx屏蔽蜘蛛和采集 (blocking spiders and scrapers with Apache/Nginx).

Although my nginx rules already turn it away with a straight 410, there is no point in receiving these meaningless log entries every day, so I simply blocked it at the firewall: out of sight, out of mind.

#Block the specified IP; takes effect immediately
iptables -I INPUT -s 49.246.230.40 -j DROP
#Write the rules to the rules file so they survive a reboot; if you don't believe me, skip this step and see what happens
service iptables save
#Restart the firewall
service iptables restart
#List all rules
iptables -L

You can also edit the iptables rules file directly and then restart the service for the change to take effect.
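As an added example (not code from the original post), here is the detection side of what the post does by hand: a small POSIX sh script that counts 410 responses per client IP over constructed sample log lines in the same format as the post's access log, and prints the iptables DROP commands for any IP at or above a threshold instead of running them. The second IP (203.0.113.7), its requests and the threshold are assumptions made up for the example.

```shell
#!/bin/sh
# Added example, not from the original post: find IPs that collect many 410
# responses (the status the post's nginx rules return to scanners) and print
# the matching iptables block commands for review.

# Constructed sample log lines (same shape as the post's log; 203.0.113.7 is made up)
SAMPLE_LOG='49.246.230.40 - - [23/Jan/2016:22:42:42 +0800] "POST /plus/mytag_js.php?aid=9527 HTTP/1.1" 410 754 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:42 +0800] "POST /plus/360.php HTTP/1.1" 410 740 "-" "-" "-"
49.246.230.40 - - [23/Jan/2016:22:42:43 +0800] "POST /wp-admin/newfile.php HTTP/1.1" 410 748 "-" "-" "-"
203.0.113.7 - - [23/Jan/2016:22:43:01 +0800] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "-"
203.0.113.7 - - [23/Jan/2016:22:43:05 +0800] "GET /old-page HTTP/1.1" 410 728 "-" "Mozilla/5.0" "-"'

# offenders THRESHOLD: read log lines on stdin and print each client IP that
# produced at least THRESHOLD responses with status 410 ($9 in this format),
# one IP per line, most hits first.
offenders() {
    awk -v min="$1" '$9 == 410 { n[$1]++ }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }' \
    | sort -rn | awk '{ print $2 }'
}

# block_cmds: for each IP on stdin, print the iptables commands that drop it.
# -C checks whether the rule already exists so it is not inserted twice;
# -I puts the new rule at the top of INPUT, as in the post.
block_cmds() {
    while read -r ip; do
        printf 'iptables -C INPUT -s %s -j DROP 2>/dev/null || iptables -I INPUT -s %s -j DROP\n' "$ip" "$ip"
    done
}

# find_offenders THRESHOLD: offenders in the sample log as one space-separated
# line, convenient for capturing in a variable.
find_offenders() {
    printf '%s\n' "$SAMPLE_LOG" | offenders "$1" | tr '\n' ' ' | sed 's/ $//'
}

# Stand-alone run: only the scanner IP reaches three 410s in the sample.
# In real use, feed the live access log instead of SAMPLE_LOG, review the
# printed commands, run them, then `service iptables save` as in the post.
printf '%s\n' "$SAMPLE_LOG" | offenders 3 | block_cmds
```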