Is someone trying to get into my server?

Time: 2016-03-15 23:19:52

Tags: ruby-on-rails security nginx server

I hosted my Rails application last week. Today I was going through our log files and noticed a lot of requests like this.

I, [2016-03-14T00:42:18.501703 #21223]  INFO -- : Started GET "/testproxy.php" for 185.49.14.190 at 2016-03-14 00:42:18 -0400
F, [2016-03-14T00:42:18.510616 #21223] FATAL -- : 
ActionController::RoutingError (No route matches [GET] "/testproxy.php"):

Someone is trying to reach testproxy.php from different IP addresses. Some of the IPs are from Poland, some from Hong Kong. Am I being attacked by someone? What options do I have to protect myself?

Here is some other output from the log file:

I, [2016-03-14T03:09:24.945467 #15399]  INFO -- : Started GET "/clientaccesspolicy.xml" for 107.22.223.242 at 2016-03-14 03:09:24 -0400
F, [2016-03-14T03:09:24.949328 #15399] FATAL -- : 
ActionController::RoutingError (No route matches [GET] "/clientaccesspolicy.xml"):

A different IP address:

I, [2016-03-14T16:03:47.793731 #15399]  INFO -- : Started GET "/testproxy.php" for 178.216.200.48 at 2016-03-14 16:03:47 -0400
F, [2016-03-14T16:03:47.818519 #15399] FATAL -- : 
ActionController::RoutingError (No route matches [GET] "/testproxy.php"):

search.php

I, [2016-03-14T19:41:14.261843 #15399]  INFO -- : Started GET "/forum/search.php" for 164.132.161.67 at 2016-03-14 19:41:14 -0400
F, [2016-03-14T19:41:14.266563 #15399] FATAL -- : 
ActionController::RoutingError (No route matches [GET] "/forum/search.php"):

forum/index.php

I, [2016-03-15T10:54:55.254785 #26469]  INFO -- : Started GET "/forum/index.php" for 164.132.161.56 at 2016-03-15 10:54:55 -0400
F, [2016-03-15T10:54:55.266456 #26469] FATAL -- : 
ActionController::RoutingError (No route matches [GET] "/forum/index.php"):

phpmyadmin/scripts/setup.php

I, [2016-03-15T13:21:36.862918 #26469]  INFO -- : Started GET "/phpMyAdmin/scripts/setup.php" for 103.25.73.234 at 2016-03-15 13:21:36 -0400
F, [2016-03-15T13:21:36.867050 #26469] FATAL -- : 
ActionController::RoutingError (No route matches [GET] "/phpMyAdmin/scripts/setup.php"):

another setup.php

I, [2016-03-15T13:21:37.452097 #26469]  INFO -- : Started GET "/pma/scripts/setup.php" for 103.25.73.234 at 2016-03-15 13:21:37 -0400
F, [2016-03-15T13:21:37.453647 #26469] FATAL -- : 
ActionController::RoutingError (No route matches [GET] "/pma/scripts/setup.php"):

myadmin/scripts/setup.php

I, [2016-03-15T13:21:38.034283 #26469]  INFO -- : Started GET "/myadmin/scripts/setup.php" for 103.25.73.234 at 2016-03-15 13:21:38 -0400
F, [2016-03-15T13:21:38.041563 #26469] FATAL -- : 
ActionController::RoutingError (No route matches [GET] "/myadmin/scripts/setup.php"):

And many other things. Please tell me how to protect myself from these attacks.

2 answers:

Answer 0 (score: 3)

This is common when you run a public server. Here is an excerpt from the auth.log of my home server:

Mar 14 19:22:36 hotdog sshd[65937]: Received disconnect from 181.214.92.11:  11: Bye Bye [preauth]
Mar 14 19:22:37 hotdog sshd[65939]: Invalid user ubnt from 181.214.92.11
Mar 14 19:22:37 hotdog sshd[65939]: input_userauth_request: invalid user ubnt [preauth]
Mar 14 19:22:37 hotdog sshd[65939]: Received disconnect from 181.214.92.11: 11: Bye Bye [preauth]
Mar 14 19:22:38 hotdog sshd[65941]: Invalid user support from 181.214.92.11
Mar 14 19:22:38 hotdog sshd[65941]: input_userauth_request: invalid user support [preauth]
Mar 14 19:22:38 hotdog sshd[65941]: Received disconnect from 181.214.92.11: 11: Bye Bye [preauth]
Mar 14 19:22:39 hotdog sshd[65943]: Invalid user oracle from 181.214.92.11
Mar 14 19:22:39 hotdog sshd[65943]: input_userauth_request: invalid user oracle [preauth]
Mar 14 19:22:39 hotdog sshd[65943]: Received disconnect from 181.214.92.11: 11: Bye Bye [preauth]
Mar 14 19:22:40 hotdog sshd[65945]: Received disconnect from 181.214.92.11: 11: Bye Bye [preauth]
Mar 14 19:24:04 hotdog sshd[65947]: fatal: Read from socket failed: Operation timed out [preauth]
Mar 14 20:01:19 hotdog sshd[66032]: Received disconnect from 183.3.202.102: 11:  [preauth]
Mar 14 20:40:17 hotdog sshd[66092]: Invalid user cacti from 199.217.117.71
Mar 14 20:40:17 hotdog sshd[66092]: input_userauth_request: invalid user cacti [preauth]
Mar 14 20:40:17 hotdog sshd[66092]: Connection closed by 199.217.117.71 [preauth]
Mar 14 21:32:09 hotdog sshd[66188]: Received disconnect from 183.3.202.102: 11:  [preauth]
Mar 14 22:01:59 hotdog sshd[66256]: Invalid user user1 from 199.217.117.71
Mar 14 22:01:59 hotdog sshd[66256]: input_userauth_request: invalid user user1 [preauth]
Mar 14 22:02:00 hotdog sshd[66256]: Connection closed by 199.217.117.71 [preauth]
Mar 14 22:17:57 hotdog sshd[66280]: Did not receive identification string from 14.182.117.161

As you can see, people constantly try to break into my server by guessing usernames. Since the server only accepts publickey logins, not passwords, I believe I am fairly safe from these particular attacks.

The same applies to your PHP files. They are trying to find a PHP endpoint on which they can run some canned exploit. You can use tools like fail2ban that help with rate limiting. But really, these attacks will always exist on public servers. The only way is to make sure your software is resilient to attacks.

Some common-sense advice:

  • Don't run more services than you need, since any one of them may open your server to attack. Use nmap to check which ports are open.
  • Check whether your apache / nginx configuration allows executing more (PHP) files than necessary.
  • Keep your software up to date. Most of these attacks are automated and therefore rely on published exploits in common packages.
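One way to turn the fail2ban suggestion above into a concrete check, as an added example that is not from the original thread: a Ruby script that parses the Rails log format shown in the question, attributes each RoutingError to the request that raised it (tracked per worker pid so interleaved workers are not mixed up), and lists the source IPs whose number of unrouted requests reaches a threshold, which is the decision a fail2ban jail would make. The log lines, IP addresses and threshold are constructed samples, not taken from the question.

```ruby
# Added example: count requests that hit no Rails route, per source IP,
# from the production log format shown in the question.
# SAMPLE_LOG is a constructed sample (RFC 5737 addresses), not the poster's log.
SAMPLE_LOG = <<~'LOG'
  I, [2016-03-14T00:42:18.501703 #21223]  INFO -- : Started GET "/testproxy.php" for 203.0.113.10 at 2016-03-14 00:42:18 -0400
  I, [2016-03-14T00:42:18.503000 #21224]  INFO -- : Started GET "/posts" for 198.51.100.7 at 2016-03-14 00:42:18 -0400
  F, [2016-03-14T00:42:18.510616 #21223] FATAL -- :
  ActionController::RoutingError (No route matches [GET] "/testproxy.php"):
  I, [2016-03-14T00:42:18.520000 #21224]  INFO -- : Processing by PostsController#index as HTML
  I, [2016-03-14T19:41:14.261843 #21223]  INFO -- : Started GET "/forum/search.php" for 203.0.113.22 at 2016-03-14 19:41:14 -0400
  F, [2016-03-14T19:41:14.266563 #21223] FATAL -- :
  ActionController::RoutingError (No route matches [GET] "/forum/search.php"):
  I, [2016-03-15T13:21:36.862918 #21224]  INFO -- : Started GET "/phpMyAdmin/scripts/setup.php" for 203.0.113.10 at 2016-03-15 13:21:36 -0400
  F, [2016-03-15T13:21:36.867050 #21224] FATAL -- :
  ActionController::RoutingError (No route matches [GET] "/phpMyAdmin/scripts/setup.php"):
  I, [2016-03-15T13:21:37.452097 #21224]  INFO -- : Started GET "/pma/scripts/setup.php" for 203.0.113.10 at 2016-03-15 13:21:37 -0400
  F, [2016-03-15T13:21:37.453647 #21224] FATAL -- :
  ActionController::RoutingError (No route matches [GET] "/pma/scripts/setup.php"):
LOG

# Structured log line: severity letter, "[timestamp #pid]", level, "-- :", message.
LINE_RE    = /\A(?<sev>[A-Z]), \[\S+ #(?<pid>\d+)\]\s+\w+ -- :(?<msg>.*)\z/
STARTED_RE = /Started (?<verb>[A-Z]+) "(?<path>[^"]*)" for (?<ip>\S+) at/

# Returns { ip => [paths] } for every request that ended in a RoutingError.
def unrouted_requests(log_text)
  hits      = Hash.new { |h, k| h[k] = [] }
  in_flight = {}    # pid => last "Started" request seen on that worker
  fatal_pid = nil   # pid whose FATAL line was just seen; exception follows
  log_text.each_line do |raw|
    line = raw.chomp
    if (m = LINE_RE.match(line))
      if (s = STARTED_RE.match(m[:msg]))
        in_flight[m[:pid]] = { ip: s[:ip], path: s[:path] }
      end
      fatal_pid = m[:sev] == "F" ? m[:pid] : nil
    elsif fatal_pid && line.start_with?("ActionController::RoutingError")
      req = in_flight.delete(fatal_pid)       # attribute to that worker's request
      hits[req[:ip]] << req[:path] if req
      fatal_pid = nil
    end
  end
  hits
end

# Source IPs with at least `threshold` unrouted requests (assumed threshold of 3).
def probing_ips(log_text, threshold: 3)
  unrouted_requests(log_text).select { |_, paths| paths.size >= threshold }.keys.sort
end

puts probing_ips(SAMPLE_LOG).inspect if $PROGRAM_NAME == __FILE__
```

In a real deployment the same logic belongs in a fail2ban filter or a log shipper; a single request for a nonexistent path is normal noise, so act on the per-IP count, not on individual lines.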

Answer 1 (score: 0)

I have the IP address 183.3.202.102, and a few others from the same subnet, showing up regularly in the logs of one of my honeypots.

But it suddenly stopped. I guess someone eventually filed an abuse report and got it banned.