How to solve CC attack under Linux VPS

2025-01-18 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

Today the editor shares what he knows about handling CC (Challenge Collapsar) attacks, that is, HTTP request floods, on a Linux VPS. The content is detailed and the logic is clear; since most people do not know much about this, the article is shared for reference. I hope you get something out of it. Let's take a look.

First, preparation

1. Log in to the VPS control panel and be ready to restart the VPS at any time.

2. Stop the web server first. Under excessive load the later steps become difficult, and an SSH login may fail outright.

3. Just in case, disable the web server's automatic start at boot.

(If you can no longer log in, and the load is still too high after a reboot, ask the administrator to block the VPS's IP address, or port 80 to it, on the parent host, log in through the virtual console on the parent host, carry out steps 2 and 3, and then have the block lifted.)

Second, find the attacker's IP

1. Create the file ip.php in the web root of the site and put the following in it.

The copy code is as follows:

<?php
// Record where each request comes from. REMOTE_ADDR is the address of the TCP
// peer and cannot be forged; HTTP_X_FORWARDED_FOR is a header any client or
// proxy can set to anything, so the two are kept in separate files.
// Files are appended to (a single ">" would overwrite them on every hit and
// leave nothing to count) and written from PHP instead of through shell_exec,
// so header contents can never be executed as a shell command.
$real_ip = isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? trim($_SERVER['HTTP_X_FORWARDED_FOR']) : '';
$remote  = $_SERVER['REMOTE_ADDR'];
if ($real_ip !== '') {
    // arrived through a proxy: keep the claimed origin and the proxy address
    file_put_contents('real_ip.txt', $real_ip . "\n", FILE_APPEND | LOCK_EX);
    file_put_contents('proxy.txt', $remote . "\n", FILE_APPEND | LOCK_EX);
} else {
    // direct visitor
    file_put_contents('ips.txt', $remote . "\n", FILE_APPEND | LOCK_EX);
}
echo 'The server is under attack and is collecting attack sources. Please visit this site again in 5 minutes. Repeated visits within 5 minutes may get your IP blocked as an attack source. Thank you for your cooperation.';
?>

The three .txt files are created in the web root, so that directory must be writable by the web server user. They are also readable by anyone who requests them over HTTP, so delete ip.php and the collected files once the collection is finished.

2. Configure a rewrite (pseudo-static rule) so that every request to the site is served by ip.php.

Nginx rules (in the server block; "last" makes nginx re-select the location, i.e. the PHP handler, for /ip.php):

The copy code is as follows:

rewrite ^(.*)$ /ip.php last;

Lighttpd rules (the pattern uses .* rather than .+ so that the site root / is caught as well):

url.rewrite = (
    "^/(.*)$" => "/ip.php"
)

3. Start the web server and begin collecting IPs

With steps 1 and 2 in place, start the web server; IP information is now being recorded.

Collect for 3 to 5 minutes, then stop the web server again.

real_ip.txt: usually more than 80% of the addresses in this file are the same one, the IP of the platform the attacker launched the attack from. Because X-Forwarded-For is set by the client side and can contain anything, treat this file as a hint about the origin, not as a list to block.

proxy.txt: the IPs of the proxy servers the attacker relayed through; these need to be blocked.

ips.txt: IPs that show no proxy characteristics; whether each one is an attack source is decided by its number of visits.

Third, a supplement to the previous section

If web logging is enabled on the VPS, the growth rate of each site's log file tells you which site is being attacked.

If logging is not enabled and there are only a few sites, it is also easy to enable it temporarily.

If logging is not enabled and there are too many sites, use a temporary web server configuration with a single default site and no virtual hosts bound, then add the following line to ip.php:

file_put_contents('domain.txt', $_SERVER['HTTP_HOST'] . "\n", FILE_APPEND | LOCK_EX);

The requested host names are appended to domain.txt, and the site under CC attack will account for the vast majority of them. (The Host header is supplied by the client too, but an attack tool has to name the target site to hit it, so the count is reliable enough for this purpose.)
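The log check this section describes, as an added example that is not part of the original article: a shell script that ranks virtual hosts in an access log by request count and measures how much a log file grows in a given interval. It assumes a log format whose first field is the server name (in Nginx, a log_format beginning with $host); the log lines are constructed for the example and the file names are placeholders.

```shell
#!/bin/sh
# Added example: find which site a CC flood is hitting from the access log.
# Assumes the first log field is the server name ($host in nginx);
# the sample lines below are constructed for this example.

SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
www.example.com 203.0.113.5 - - [18/Jan/2025:10:00:01 +0000] "GET / HTTP/1.1" 200 512
www.example.com 203.0.113.5 - - [18/Jan/2025:10:00:01 +0000] "GET /?a=1 HTTP/1.1" 200 512
www.example.com 198.51.100.7 - - [18/Jan/2025:10:00:02 +0000] "GET / HTTP/1.1" 200 512
blog.example.com 192.0.2.10 - - [18/Jan/2025:10:00:02 +0000] "GET /post/1 HTTP/1.1" 200 2048
www.example.com 203.0.113.5 - - [18/Jan/2025:10:00:03 +0000] "GET /?a=2 HTTP/1.1" 200 512
EOF

# requests_per_host LOGFILE -> "count host" lines, busiest host first
requests_per_host() {
    awk '{ n[$1]++ } END { for (h in n) printf "%d %s\n", n[h], h }' "$1" | sort -rn
}

# attacked_host LOGFILE -> the host that received the most requests
attacked_host() {
    requests_per_host "$1" | head -n 1 | awk '{ print $2 }'
}

# log_growth LOGFILE SECONDS -> bytes appended to LOGFILE during SECONDS
# (the "growth rate" check: run it against each site's log and compare)
log_growth() {
    before=$(wc -c <"$1")
    sleep "$2"
    after=$(wc -c <"$1")
    echo $((after - before))
}

requests_per_host "$SAMPLE_LOG"
echo "busiest site: $(attacked_host "$SAMPLE_LOG")"
echo "bytes added in 1s: $(log_growth "$SAMPLE_LOG" 1)"
```

On a live server point the functions at the real access log (for Apache's default combined format, which has no host field, use a per-site log file per virtual host and compare log_growth between them instead).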

Fourth, start blocking IPs

Create the file ban.php

The copy code is as follows:

<?php
// Block every direct visitor recorded more than $threshold times in ips.txt,
// and every proxy recorded in proxy.txt regardless of its count.
// Must run as root (it calls iptables); only a syntactically valid IPv4
// address is ever placed on the command line.
$threshold = 10;
$ban_num = 0;

function read_lines($file) {
    return file_exists($file) ? array_map('trim', file($file, FILE_IGNORE_NEW_LINES)) : [];
}

function ban($ip) {
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        echo "skipped invalid entry: $ip\n";
        return false;
    }
    shell_exec('iptables -I INPUT -p tcp --dport 80 -s ' . escapeshellarg($ip) . ' -j DROP');
    echo "$ip banned!\n";
    return true;
}

$ips = array_count_values(read_lines('ips.txt'));
foreach ($ips as $ip => $num) {
    if ($num > $threshold && ban($ip)) {
        $ban_num++;
    }
}

// proxies are blocked without a count check; the input is proxy.txt
$proxy_arr = array_unique(read_lines('proxy.txt'));
foreach ($proxy_arr as $proxy) {
    if (ban($proxy)) {
        $ban_num++;
    }
}
echo "total: $ban_num ips\n";
?>

Run the script as root, since it calls iptables, with the following command (make sure the php command is on the PATH):

php ban.php

The script relies on the ips.txt and proxy.txt collected in the second section: an address recorded more than 10 times is blocked as an attack source, and an address from the proxy list is blocked without any count check. The rules are inserted into the running kernel with iptables -I and disappear on reboot unless they are saved (for example with iptables-save).

Once the addresses are blocked, restore the site settings (remove the rewrite, delete ip.php and the collected files), and the site can return to normal operation.
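The collection-and-block pipeline of the second and fourth sections as an added shell example (not the article's ban.php): it takes the ips.txt and proxy.txt that ip.php writes, applies the same threshold rule, validates every entry as an IPv4 address before it is placed on a command line, de-duplicates, and prints the iptables commands; set APPLY=1 and run as root to execute them. File names and the threshold are the article's; the sample file contents are constructed.

```shell
#!/bin/sh
# Added example (not the article's ban.php): build the iptables rules from the
# files ip.php collected, validating every address first. File names and the
# threshold follow the article; the sample contents below are constructed.

THRESHOLD=10

# is_ipv4 ADDR -> exit 0 only for a plain dotted-quad IPv4 address
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# ban_candidates IPS_FILE PROXY_FILE THRESHOLD -> one address per line:
# direct visitors seen more than THRESHOLD times plus every proxy, each once,
# and only if it is a valid IPv4 address (file contents never reach the shell)
ban_candidates() {
    {
        sort "$1" | uniq -c | awk -v t="$3" '$1 > t { print $2 }'
        cat "$2"
    } | sort -u | while IFS= read -r ip; do
        if is_ipv4 "$ip"; then
            printf '%s\n' "$ip"
        else
            printf 'skipped invalid entry: %s\n' "$ip" >&2
        fi
    done
}

# emit_rules IPS_FILE PROXY_FILE THRESHOLD -> the iptables commands, one per address
emit_rules() {
    ban_candidates "$1" "$2" "$3" | while IFS= read -r ip; do
        printf 'iptables -I INPUT -p tcp --dport 80 -s %s -j DROP\n' "$ip"
    done
}

# Constructed sample files in the layout ip.php writes (one entry per line).
IPS_FILE=$(mktemp)
PROXY_FILE=$(mktemp)
i=0
while [ "$i" -lt 12 ]; do echo 203.0.113.5; i=$((i + 1)); done >"$IPS_FILE"
printf '198.51.100.7\n198.51.100.7\n' >>"$IPS_FILE"
# the proxy list is banned unconditionally, so bad entries must be rejected here
printf '192.0.2.10\n192.0.2.10\n999.1.1.1\n10.0.0.1; reboot\n' >"$PROXY_FILE"

# Print the rules; set APPLY=1 and run as root to execute them instead.
if [ "${APPLY:-0}" = 1 ]; then
    emit_rules "$IPS_FILE" "$PROXY_FILE" "$THRESHOLD" | sh
else
    emit_rules "$IPS_FILE" "$PROXY_FILE" "$THRESHOLD"
fi
```

With hundreds of addresses, one -I rule per address makes the INPUT chain long and slow to evaluate; putting the addresses into an ipset and matching them with a single rule (iptables -m set --match-set) scales better. Either way the rules live only in the running kernel and must be saved to survive a reboot.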

Fifth, some details

To keep the description of the procedure concise, explanations were left out above; they are collected in this section.

1. Some properties of "proxy servers"

Two values matter here, one from the TCP layer and one from HTTP: REMOTE_ADDR and HTTP_X_FORWARDED_FOR.

(1) REMOTE_ADDR is always the address of the host closest to the web server. Without a proxy it is the visitor's own address; with a proxy it is the proxy's address; through several proxies it is the address of the last proxy before the web server. If a reverse proxy or CDN sits in front of the VPS, it is therefore that proxy's address, not the visitor's.

REMOTE_ADDR is determined at the TCP/IP layer and cannot be modified or forged: a forged source address would never complete the TCP handshake, so no HTTP request can arrive from it.

(2) HTTP_X_FORWARDED_FOR belongs to HTTP, not to TCP/IP, so whatever its value, it has no effect on delivery of the data. In practice it is empty when the visitor connects to the web server directly; a transparent proxy sets it to the visitor's IP; an anonymous proxy may set it to the proxy's own IP, leave it empty, or fill it with random data.

HTTP_X_FORWARDED_FOR can be set to anything. Most proxies are transparent, that is, they set it to the original visitor's IP. Since the visitor can also send the header directly, before any proxy, its value must never be the basis of a blocking decision.
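How the two values above should be combined in practice, as an added example that is not from the article: a shell function that decides which address a request is attributed to. It believes X-Forwarded-For only when REMOTE_ADDR is one of our own known proxies (the trusted list and every address below are assumptions of this example), walks the comma-separated chain from the right skipping our own proxies, and otherwise falls back to REMOTE_ADDR. The spoofing case can be reproduced against any site with curl -H 'X-Forwarded-For: 203.0.113.9'.

```shell
#!/bin/sh
# Added example (not from the article): pick the address to attribute a request
# to from REMOTE_ADDR and X-Forwarded-For. Rule (this example's assumption, not
# the article's): believe X-Forwarded-For only when REMOTE_ADDR is one of our
# own known proxies, since anyone can send the header. In a chain "client, p1,
# p2" the right-most entry was added by the proxy nearest to us, so the chain
# is walked from the right, skipping our own proxies. Addresses are constructed.

TRUSTED_PROXIES="192.0.2.10 192.0.2.11"   # assumed: our own reverse proxies

# in_list ITEM "a b c" -> 0 if ITEM is one of the space-separated words
in_list() {
    for w in $2; do
        if [ "$w" = "$1" ]; then return 0; fi
    done
    return 1
}

# client_ip REMOTE_ADDR XFF_HEADER -> the address to count and, if needed, block
# (the result is still text from the network: validate it before using it in a
# command, as ban.php does with filter_var)
client_ip() {
    remote=$1
    xff=$2
    if ! in_list "$remote" "$TRUSTED_PROXIES"; then
        printf '%s\n' "$remote"      # not our proxy: the header is untrusted text
        return 0
    fi
    # split the header on commas, trim blanks, list the hops right-to-left
    hops=$(printf '%s\n' "$xff" | awk -F',' '{
        for (i = NF; i > 0; i--) {
            h = $i; gsub(/^[ \t]+|[ \t]+$/, "", h)
            if (h != "") print h
        }
    }')
    for hop in $hops; do
        if in_list "$hop" "$TRUSTED_PROXIES"; then continue; fi
        printf '%s\n' "$hop"
        return 0
    done
    printf '%s\n' "$remote"          # header empty or only our own proxies in it
}

# Demonstration with constructed values
client_ip 203.0.113.5 "198.51.100.7"                          # direct visitor spoofing the header
client_ip 192.0.2.10 "198.51.100.7"                           # via our proxy
client_ip 192.0.2.10 "203.0.113.5, 198.51.100.7, 192.0.2.11"  # our second proxy is in the chain
```

Under this rule the real_ip.txt collected earlier is useful as a hint about the attack platform but never as a block list; only REMOTE_ADDR values (ips.txt and proxy.txt) go into iptables, which is what ban.php does.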

2. On solving CC attacks

Listed from highest to lowest processing efficiency.

(This article is written for VPS servers. A VPS is simply a low-end substitute for a dedicated server, with little memory and CPU, so the more efficiently the attack is handled, the better.)

(1) Network layer: the iptables rules used in this article. The filter runs in the kernel and discards the attacker's packets while the connection is being established, so once a source is handled at this level the resources it consumes are negligible.

(2) Web server layer: most web servers can be configured to deny listed IPs. The idea is the same as above, but it is less efficient, because the connection has already been accepted and the request parsed before the rule applies.

(3) Script layer: the application itself implements a policy to filter out attack sources. Many solutions of this kind circulate online, but they are not suited to a VPS, and may take several to dozens of times the effort to set up.

3. Why not collect IPs from the logs?

Two considerations. First, most VPS users have so little disk space that clearing logs becomes a chore, so they disable logging altogether.

Second, collecting IPs from a log makes the script considerably more complex, and it may need adjusting to each situation.

That is the whole of "How to solve CC attacks under Linux VPS". Thank you for reading.
