2025-02-24 Update. From: SLTechnology News&Howtos, Shulou (Shulou.com), 06/01 Report
This article explains in detail how to limit, by IP, malicious calls to an SMS interface in nginx. It is shared here for reference.
Approach:
1. Nginx blacklist method:
1. Filter the access log of the API interface by IP, count the IPs that call it more than 100 times every 10 minutes, and put them directly into the nginx access blacklist.
2. Specific steps:
Write the shell script:
    vim /shell/nginx_cutaccesslog.sh

    #!/bin/bash
    log_path=/xxx/nginx/logs
    date=$(date -d "10 min ago" +%Y%m%d-%H:%M:%S)
    nginxpid=$(cat ${log_path}/nginx.pid)   # read here but not used below
    cd ${log_path} || exit 1
    # Take the 30 IPs with the most normal requests to the API interface in
    # access.log over the last 10 minutes (the log is cut below, and a timed
    # task runs this script every 10 minutes). Any of these IPs with more
    # than 100 requests goes into the blacklist.
    cat access.log | grep sendCheckCode | grep -v 403 | awk '{print $2}' | sort | uniq -c | sort -k1 -n | tail -30 | awk '{if($1>100) print "deny "$2";"}' > ../conf/denyip.conf
    # Log cutting; run as a timed task every 10 minutes
    mv ${log_path}/access.log ${log_path}/accesslog.bak/access_${date}.log
    ../sbin/nginx -s reload
You can choose your own time interval and request count, or drop the "top 30" filter and simply take every IP that calls the interface more than 100 times in 10 minutes.
Here, "grep -v 403" filters out requests from IPs that have already been denied, so that only normal requests are counted.
3. Modify nginx.conf
Add in the http block:

    include denyip.conf;

Reload nginx for the change to take effect.
4. Add the scheduled task:

    */10 * * * * /bin/bash /shell/nginx_cutaccesslog.sh > /dev/null 2>&1

5. Verification:

    [root@xxx logs]# ll accesslog.bak/
    -rw-r--r-- 1 root root 2663901 Jun 5 15:10 access_20180605-15:00:01.log
    -rw-r--r-- 1 root root 13696947 Jun 5 15:20 access_20180605-15:10:01.log
    -rw-r--r-- 1 root root 13265509 Jun 5 15:30 access_20180605-15:20:01.log
    -rw-r--r-- 1 root root 13846297 Jun 5 15:40 access_20180605-15:30:01.log
    [root@xxx logs]# cat ../conf/denyip.conf
    ……………………
    deny 112.12.137.28;
    deny 183.167.237.229;
    deny 111.41.43.58;
    deny 115.217.117.159;
    deny 219.133.100.133;
    deny 171.221.254.115;
    deny 60.184.131.6;
    ……………………

If you look in the access log for an IP that has been denied, its requests now return a 403 error:

    [root@xxx logs]# tail -f access.log | grep "60.184.131.6"
    31268622 60.184.131.6 "-" [05/Jun/2018:15:47:34 +0800] 0.000 xxxxxx.com "POST /xxxxxx/sendCheckCode HTTP/1.1" 377 403 168 - - - "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0" "https://xxxxxx/sendCheckCode"
    31268622 60.184.131.6 "-" [05/Jun/2018:15:47:35 +0800] 0.000 xxxxxx.com "POST /xxxxxx/sendCheckCode HTTP/1.1" 377 403 168 - - - "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0" "https://xxxxxx/sendCheckCode"
    31268622 60.184.131.6 "-" [05/Jun/2018:15:47:35 +0800] 0.000 xxxxxx.com "POST /xxxxxx/sendCheckCode HTTP/1.1" 377 403 168 - - - "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0" https://xxxxxx/sendCheckCode

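The counting step of the procedure above, as an added example that is not part of the original article: it selects on the status field instead of `grep -v 403`, which also discards any line that merely contains "403" somewhere else (request ID, byte count). The function names, the field positions (2 = IP, 9 = path, 12 = status, read off the log lines shown above) and the sample log are assumptions of this example.

```bash
#!/bin/bash
# Added example (not the article's script). Assumes the log layout shown above:
# field 2 = client IP, field 9 = request path, field 12 = HTTP status.

# build_denylist LOGFILE LIMIT
# Prints "deny <ip>;" for every IP with more than LIMIT sendCheckCode requests
# whose status field is not 403. Only well-formed IPv4 values are emitted, so
# nothing unexpected from the log can end up in the nginx include file.
build_denylist() {
    awk -v limit="$2" '
        $9 ~ /sendCheckCode/ && $12 != "403" &&
        $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { hits[$2]++ }
        END { for (ip in hits) if (hits[ip] > limit) print "deny " ip ";" }
    ' "$1" | sort
}

# page_pipeline LOGFILE LIMIT
# The article's grep pipeline with the limit as a parameter, for comparison.
page_pipeline() {
    grep sendCheckCode "$1" | grep -v 403 | awk '{print $2}' | sort | uniq -c |
        awk -v limit="$2" '$1 > limit { print "deny " $2 ";" }'
}

# Constructed sample data (documentation-range IPs, made-up request IDs).
sample_line() {   # ID IP STATUS
    printf '%s %s "-" [05/Jun/2018:15:47:34 +0800] 0.000 example.com ' "$1" "$2"
    printf '"POST /api/sendCheckCode HTTP/1.1" 377 %s 168 - - - "UA" "-"\n' "$3"
}
make_sample_log() {   # FILE
    {
        # 5 normal requests whose request ID happens to contain "403"
        for i in 1 2 3 4 5; do sample_line "3124030$i" 192.0.2.10 200; done
        # 5 requests from an IP that is already blocked (status 403)
        for i in 1 2 3 4 5; do sample_line "100$i" 198.51.100.7 403; done
        # 2 requests from a light user, below the limit
        for i in 1 2; do sample_line "200$i" 203.0.113.5 200; done
    } > "$1"
}

log=$(mktemp)
make_sample_log "$log"
echo "field-based:";      build_denylist "$log" 3
echo "article pipeline:"; page_pipeline "$log" 3
rm -f "$log"
```

On the sample, the field-based count flags 192.0.2.10 while the grep pipeline produces no entry for it, because every one of its lines contains "403" in the request ID.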
2. Limiting the number of requests per IP:
Another way to handle this situation is to limit the number of requests per unit of time for each IP, and the number of concurrent connections per IP.
This method was not used in practice, because it felt like it would also block normal visitors.
For reference, the general configuration for this method, added in the http block:

    http {
        limit_req_zone $binary_remote_addr zone=one:10m rate=8r/s;
        server {
            location /search/ {
                limit_req zone=one burst=5;
            }
        }
    }

How to estimate the limit_req_zone size:
A one-megabyte zone can hold about 16 thousand 64-byte states.
So 10M can store about 160,000 IP states, which is enough for ordinary applications; 160,000 UV per second is already a very large figure.
If the zone is set smaller, for example 1M, then once the number of IPs making requests within one second exceeds 16,000, the users behind the excess IPs will see the 503 Service Temporarily Unavailable page. Limiting uses the leaky bucket algorithm. The unit r/s also suits the rate well; if requests were counted per hour or per day, 10M of memory would definitely not be enough.
How to estimate the limit_req_zone rate:
The first thing to know is how many concurrent connections an ordinary browser opens. According to the Dropbox tech blog, current mainstream browsers limit AJAX to 6 concurrent connections to the same subdomain; IE 6 and IE 7 allow two.
Most browsers have a limit of 6 concurrent connections per hostname.
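The burst arithmetic behind the rate discussion above, as an added example that is not from the original article: a simplified single-client model of the leaky-bucket accounting used by limit_req, written for illustration and not taken from nginx source. The function names are this example's own. It shows why rate=8r/s with burst=5 lets a browser's 6 simultaneous requests through, while a seventh is rejected.

```bash
#!/bin/bash
# Added example: simplified model of limit_req accounting for ONE client key.
# "excess" is how many requests the client is ahead of the configured rate.

# limit_req_sim RATE_PER_SEC BURST   (arrival times in ms, one per line, stdin)
# Prints "<time_ms> pass" or "<time_ms> reject" for each request.
# Without "nodelay", a passed request over the rate is delayed, not dropped.
limit_req_sim() {
    awk -v rate="$1" -v burst="$2" '
        NR == 1 { excess = 0; last = $1; print $1, "pass"; next }
        {
            # Drain the bucket for the elapsed time, then add this request.
            e = excess - rate * ($1 - last) / 1000 + 1
            if (e < 0) e = 0
            # A rejected request leaves the stored state unchanged.
            if (e > burst) { print $1, "reject"; next }
            excess = e; last = $1; print $1, "pass"
        }'
}

# count_rejects RATE_PER_SEC BURST   (same stdin) -> number of rejected requests
count_rejects() {
    limit_req_sim "$1" "$2" | awk '$2 == "reject" { n++ } END { print n + 0 }'
}

# Constructed input: 7 requests arriving in the same millisecond.
printf '0\n0\n0\n0\n0\n0\n0\n' | limit_req_sim 8 5
```

With burst=0 the same model rejects every simultaneous request after the first, which is the behaviour that would hit normal visitors.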