我在我的一个域名上收到了无情的请求,我认为这些请求来自Pushdo病毒(或类似的),请参阅下面的日志片段。显然,它会选择随机域来发送流量,以便屏蔽对其命令节点的请求。我已经尝试过Fail2Ban,但IP不断变化并且禁止50K +并且禁止使用的资源多于请求。我希望通过阻止用户代理来处理HTTP请求(也有SMTP请求,但这是另一个问题!)。
我尝试过使用
iptables -A INPUT -p tcp --dport 80 -m string --algo bm --string "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" -j DROP
但这不起作用!我究竟做错了什么?此外,任何其他建议处理这个 - 它已经持续了一个多月了,我正在拉我的头发!
操作系统:CentOS 6.4
Log Snippet:
121.54.54.47 - - [20/Oct/2013:03:32:37 +0100] "POST / HTTP/1.1" 200 14772 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
125.60.156.224 - - [20/Oct/2013:03:32:37 +0100] "POST / HTTP/1.1" 200 14772 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
84.108.50.80 - - [20/Oct/2013:03:32:37 +0100] "POST / HTTP/1.1" 200 14772 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
110.143.55.42 - - [20/Oct/2013:03:32:37 +0100] "POST / HTTP/1.1" 200 14772 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
122.208.75.75 - - [20/Oct/2013:03:32:37 +0100] "POST / HTTP/1.1" 200 14772 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
1.2.248.56 - - [20/Oct/2013:03:32:38 +0100] "POST / HTTP/1.1" 200 14772 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
180.194.171.167 - - [20/Oct/2013:03:32:38 +0100] "POST / HTTP/1.1" 200 14772 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
190.200.59.125 - - [20/Oct/2013:03:32:39 +0100] "POST / HTTP/1.1" 200 14772 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
223.197.238.249 - - [20/Oct/2013:03:32:40 +0100] "POST / HTTP/1.1" 200 14772 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
200.121.4.163 - - [20/Oct/2013:03:32:39 +0100] "POST / HTTP/1.1" 200 14772 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
答案 0 :(得分:2)
您正在使用-A将规则附加到现有集合,因此它可能没有做任何事情。使用-I可能会起作用,但你可能想要编写脚本并按正确的顺序输入它。