有些家伙正在我的服务器上运行一些漏洞利用扫描程序。我得到了奇怪的请求,如:
IP ADDRESS: ::ffff:127.0.0.1
www-0 (out): POST /cgi-bin/php5?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%22%79%65%73%22+%2D%64+%63%67%69%2E%66%69%78%5F%70%61%74%68%69%6E%66%6F%3D%31+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E
我用另一个 Stack Overflow 回答中的代码获取 IP,显示的却是 127.0.0.1:
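app.use(function(req, res, next) {
  // Log the best available client address for every request, then continue.
  //
  // X-Forwarded-For is taken first. It is supplied by the client unless a
  // trusted proxy in front of this app overwrites it, so treat the logged
  // value as a hint for log review, not as a basis for access decisions.
  //
  // A value such as ::ffff:127.0.0.1 is the IPv4-mapped form of loopback: the
  // TCP peer is a process on this host (typically a local reverse proxy or
  // tunnel), so the real client address has to come from a header that the
  // proxy sets.
  var conn = req.connection || {};
  var sock = req.socket || {};
  var ip = req.headers['x-forwarded-for'] ||
    conn.remoteAddress ||
    sock.remoteAddress ||
    // connection.socket is not always present; guard it so the lookup
    // cannot throw a TypeError when every earlier source is empty.
    (conn.socket && conn.socket.remoteAddress);
  console.log('IP ADDRESS: ', ip);
  next();
});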
希望在Cloudflare上屏蔽此人,这样就不会让我的日志变得杂乱无章。
我是在一台 Mac Mini 服务器上运行它的,系统几周前才刚装好,所以我不认为是我的服务器已被入侵(还是说已经被入侵了?)并在本地发起漏洞扫描。
答案 0 :(得分:0)
您可以读取 req.connection.remoteAddress
来获取此人的真实 IP 地址(或其代理的地址,因为请求必须经由代理发出),然后把要封禁的 IP 存放在一个单独的封禁数组中。注意:如果应用位于反向代理之后,这里得到的是代理的地址,而不是客户端的地址。
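app.use(function(req, res, next) {
  // Refuse requests whose TCP peer address is on the ban list (bannedips is
  // an array of address strings defined elsewhere).
  //
  // remoteAddress is the address of whatever opened the connection to this
  // process. Behind a reverse proxy or CDN that is the proxy itself, so a ban
  // keyed on it would block the proxy as a whole rather than one client.
  // Entries in bannedips must use the same textual form that remoteAddress
  // reports (for example the ::ffff: prefixed form for IPv4 peers on a
  // dual-stack socket).
  var ip = req.connection.remoteAddress;
  console.log("IP ADDRESS: ", ip);
  // The method is indexOf (capital O); "indexof" is undefined and throws.
  if (bannedips.indexOf(ip) > -1) {
    // Answer 403 and stop here so a banned request never reaches next().
    res.statusCode = 403;
    res.end();
    return;
  }
  next();
});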
修改
既然您使用的是 Cloudflare,CF-Connecting-IP
请求头更适合您的情况。只有当请求确实经由 Cloudflare 到达源站时,该请求头才可信。
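app.use(function(req, res, next) {
  // Refuse requests whose Cloudflare-reported client address is on the ban
  // list (bannedips is an array of address strings defined elsewhere).
  //
  // Node lower-cases incoming header names, so the lookup key must be
  // lower-case; "CF-Connecting-IP" would always read as undefined.
  //
  // This header is only trustworthy when the origin accepts connections
  // solely from Cloudflare. If the origin is reachable directly, any client
  // can send its own CF-Connecting-IP value and evade or misdirect the ban,
  // so restrict inbound traffic to the proxy at the firewall as well.
  var ip = req.headers["cf-connecting-ip"];
  console.log("IP ADDRESS: ", ip);
  // The method is indexOf (capital O); "indexof" is undefined and throws.
  if (bannedips.indexOf(ip) > -1) {
    // Answer 403 and stop here so a banned request never reaches next().
    res.statusCode = 403;
    res.end();
    return;
  }
  next();
});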