Have I been hacked?

Sha*_*man 27 apache

Here are a few lines from the error_log of my Apache 2.0:

[Sun Nov 25 08:22:04 2012] [error] [client 64.34.195.190] File does not exist: /var/www/vhosts/default/htdocs/admin
[Sun Nov 25 14:14:32 2012] [error] [client 96.254.171.2] File does not exist: /var/www/vhosts/default/htdocs/azenv.php
[Wed Nov 28 03:02:01 2012] [error] [client 91.205.189.15] File does not exist: /var/www/vhosts/default/htdocs/user
[Wed Nov 28 03:44:35 2012] [error] [client 66.193.171.223] File does not exist: /var/www/vhosts/default/htdocs/vtigercrm
[Mon Dec 03 00:09:16 2012] [error] [client 82.223.239.68] File does not exist: /var/www/vhosts/default/htdocs/jmx-console
[Mon Dec 03 20:48:44 2012] [error] [client 221.2.209.46] File does not exist: /var/www/vhosts/default/htdocs/manager
[Thu Dec 06 07:37:04 2012] [error] [client 116.254.203.24] File does not exist: /var/www/vhosts/default/htdocs/w00tw00t.at.blackhats.romanian.anti-sec:)
[Thu Dec 06 07:37:05 2012] [error] [client 116.254.203.24] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin
[Thu Dec 06 07:37:05 2012] [error] [client 116.254.203.24] File does not exist: /var/www/vhosts/default/htdocs/phpmyadmin
[Thu Dec 06 07:37:06 2012] [error] [client 116.254.203.24] File does not exist: /var/www/vhosts/default/htdocs/pma
[Thu Dec 06 07:37:06 2012] [error] [client 116.254.203.24] File does not exist: /var/www/vhosts/default/htdocs/myadmin
[Thu Dec 06 07:37:07 2012] [error] [client 116.254.203.24] File does not exist: /var/www/vhosts/default/htdocs/MyAdmin
[Thu Dec 13 02:19:53 2012] [error] [client 96.254.171.2] File does not exist: /var/www/vhosts/default/htdocs/judge.php

The most common errors are requests for the "phpMyAdmin" file, and for "w00tw00t.at.blackhats.romanian.anti-sec :)".

I can see the IP address the requests come from. But who is the "client"?

Thanks, Shane.
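As an added example (not part of the question or any answer on this page), the script below parses error_log lines in the format the question shows, groups the "File does not exist" hits by the `[client ...]` IP, and flags source addresses that either carry the w00tw00t scanner marker or burst through several admin-console names (phpMyAdmin, pma, jmx-console, ...). The `SAMPLE_LOG` is constructed from lines in the question plus one invented ordinary 404 from `203.0.113.5` for contrast; the probe name list, the flagging threshold and the `installed` set in `probed_software_you_run` are assumptions a defender would adjust for their own host.

```python
import re
from collections import Counter, defaultdict

# Matches the Apache 2.0/2.2 error_log line format shown in the question:
#   [timestamp] [error] [client IP] File does not exist: /path
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[0-9.]+)\] "
    r"File does not exist: (?P<path>\S.*)$"
)

# Request targets (basename, lower-cased) seen in the question's log that are
# typical probes for admin consoles. The w00tw00t prefix is the scanner marker.
ADMIN_PROBES = {"admin", "user", "azenv.php", "vtigercrm", "jmx-console",
                "manager", "phpmyadmin", "pma", "myadmin"}
SCANNER_PREFIX = "w00tw00t"

# Constructed sample: lines from the question plus one ordinary 404 (203.0.113.5).
SAMPLE_LOG = """\
[Sun Nov 25 08:22:04 2012] [error] [client 64.34.195.190] File does not exist: /var/www/vhosts/default/htdocs/admin
[Thu Dec 06 07:37:04 2012] [error] [client 116.254.203.24] File does not exist: /var/www/vhosts/default/htdocs/w00tw00t.at.blackhats.romanian.anti-sec:)
[Thu Dec 06 07:37:05 2012] [error] [client 116.254.203.24] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin
[Thu Dec 06 07:37:05 2012] [error] [client 116.254.203.24] File does not exist: /var/www/vhosts/default/htdocs/phpmyadmin
[Thu Dec 06 07:37:06 2012] [error] [client 116.254.203.24] File does not exist: /var/www/vhosts/default/htdocs/pma
[Thu Dec 13 02:19:53 2012] [error] [client 96.254.171.2] File does not exist: /var/www/vhosts/default/htdocs/judge.php
[Thu Dec 13 02:20:00 2012] [error] [client 203.0.113.5] File does not exist: /var/www/vhosts/default/htdocs/favicon.ico
"""


def parse_line(line):
    """Return a dict with ts, ip and path for a matching line, else None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(path):
    """Label a missing-file path by the kind of probe it looks like."""
    name = path.rsplit("/", 1)[-1].lower()
    if name.startswith(SCANNER_PREFIX):
        return "scanner-signature"
    if name in ADMIN_PROBES:
        return "admin-probe"
    return "other"


def summarize(log_text, threshold=3):
    """Count probe types per client IP and flag the IPs worth acting on.

    An IP is flagged if it left the scanner signature or made at least
    `threshold` admin-console probes (assumed cut-off, matching the burst
    in the question's log). Non-matching lines are ignored.
    """
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]][classify(rec["path"])] += 1
    report = {}
    for ip, c in per_ip.items():
        report[ip] = {
            "scanner": c["scanner-signature"],
            "probes": c["admin-probe"],
            "other": c["other"],
            "flag": c["scanner-signature"] > 0 or c["admin-probe"] >= threshold,
        }
    return report


def probed_software_you_run(log_text, installed):
    """Probed names that match software actually deployed on this host.

    `installed` is a set of application names the admin knows are present
    (constructed input); the hits are the ones to check for outdated versions.
    """
    names = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            names.add(rec["path"].rsplit("/", 1)[-1].lower())
    return sorted(names & {s.lower() for s in installed})


if __name__ == "__main__":
    for ip, row in summarize(SAMPLE_LOG).items():
        print(ip, row)
    print("deployed software that was probed:",
          probed_software_you_run(SAMPLE_LOG, {"phpMyAdmin", "WordPress"}))
```

Run it against a real error_log by replacing `SAMPLE_LOG` with the file contents; the flagged IPs are the candidates for a fail2ban jail, and a non-empty result from `probed_software_you_run` is the case the accepted answer says deserves a check of the server for unusual files and logins.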

Hal*_*oum 60

These are just automated scripts deployed by lots of script kiddies, looking for security holes in your Apache version/configuration. The w00tw00t signature is usually left by DFind.

Just use a program like fail2ban, configured as explained in this example, to avoid being flooded by these requests:

https://web.archive.org/web/20160617020600/http://www.userdel.com/post/18618537324/block-w00tw00t-scans-with-fail2ban

This does not necessarily mean you have been hacked, but your server has been scanned for vulnerabilities. However, if you use any of the software you see in these logs and it is an old version with known vulnerabilities, you should check the server for unusual files and login activity.


小智 6

Requests for these are usually sent without a Host header. Just create a default virtual host for requests that lack the Host header you expect and blackhole them. It is also interesting to log the broken traffic and reverse-DNS it to see whether it comes from another web server (compromised?) and to contact the owner via the whois database. You never know who is running dumb scripts from a publicly identifiable server to scan for vulnerabilities, and then exploiting them through a Tor tunnel. If you don't want to attract attention, use burner contact information.


Ram*_*man 6

To follow up on the answer given by @user823629, here is the default virtual host configuration I use on Apache 2.4:

<VirtualHost *:80 *:443>
    # Default vhost for requests not matching IP or Host of other vhosts
    ServerName blackhole
    ErrorLog logs/error_log_blackhole
    CustomLog logs/access_log_blackhole combined
    Redirect 404 /
</VirtualHost>

It redirects all requests to the default 404 page.

I put it in conf.d and named it conf.d/0_default.conf so that it appears before the other vhost definitions and is the default virtual host. This can be verified with:

apachectl -t -D DUMP_VHOSTS

Other vhosts whose definitions match will be matched before the default vhost if 1) their IP address and port are more specific (IP-based virtual host matching), or 2) the request contains a Host header that matches them (name-based virtual host matching). Otherwise, the request falls through to the default blackhole vhost defined above.

For more details on virtual host matching, see http://httpd.apache.org/docs/current/vhosts/details.html.