Linux Nginx VPS simple solution to CC attack

  • 2020-05-06 12:13:44
  • OfStack

I. Preparation

1. Log into the VPS control panel and be ready to restart the VPS at any time.

2. Stop the Web Server first; the excessive load will make the following operations difficult, or even make it impossible to log in over SSH.

3. Just in case, disable the Web Server from starting automatically at boot.

(If you cannot log in to the system, or the load is so high right after a reboot that you still cannot log in, ask the administrator to block the VPS's IP or port 80 on the host machine, log in through the virtual console on the host machine, and then unblock it.)

II. Find the attacker's IP

1. Create a file ip.php in the root directory of the website with the following content.

    <?php
    // HTTP_X_FORWARDED_FOR is only set by proxies; getenv() returns false when it is absent
    $real_ip = getenv('HTTP_X_FORWARDED_FOR');
    if ($real_ip !== false && $real_ip !== '') {
        // request came through a proxy: record the claimed origin and the proxy itself.
        // The header is client-supplied, so it is appended with file_put_contents
        // rather than passed to a shell.
        file_put_contents('real_ip.txt', $real_ip . "\n", FILE_APPEND);
        file_put_contents('proxy.txt', $_SERVER['REMOTE_ADDR'] . "\n", FILE_APPEND);
    } else {
        // direct visitor: REMOTE_ADDR is the peer of the TCP connection
        file_put_contents('ips.txt', $_SERVER['REMOTE_ADDR'] . "\n", FILE_APPEND);
    }
    echo 'The server is under attack and is collecting attack sources. Please visit this site again in 5 minutes. If you visit several times within 5 minutes, your IP may be blocked as an attack source. Thank you for your cooperation!';
    ?>

2. Set up a rewrite so that every request to the website is rewritten to ip.php.

Nginx rule:

    rewrite ^(.*)$ /ip.php last;

Lighttpd rule:

    url.rewrite = (
        "^/(.+)?$" => "/ip.php"
    )

3. Start the Web Server and begin collecting IPs

After completing steps 1 and 2, start the Web Server and begin recording IP information.

A collection time of 3 to 5 minutes is recommended; then stop the Web Server again.

real_ip.txt: more than 80% of the IPs stored in this file will be the same one; that IP is the platform from which the attacker carried out the attack.

proxy.txt: this file contains the IPs of the proxy servers the attacker used, which need to be blocked.

ips.txt: this is the record of IPs that show no sign of a proxy server; whether one is an attack source is judged by its number of visits.

III. A supplement to the previous section

If Web logging is enabled on the VPS, you can tell which site was attacked from the growth rate of the log files.

If logging is not enabled and the number of sites is small, it is also easy to enable logging temporarily.

If logging is not enabled and there are too many sites, you can use a temporary Web Server configuration file with a default site that is not bound to any virtual host, and add the following line to ip.php:

    // HTTP_HOST is client-supplied, so it is appended without going through a shell
    file_put_contents('domain.txt', $_SERVER['HTTP_HOST'] . "\n", FILE_APPEND);

domain.txt will then store the domain names that were visited, and the sites under CC attack will make up the majority of them.

IV. Start blocking IPs

Create ban.php:

    <?php
    $threshold = 10;
    $ban_num = 0;

    // Block one address on port 80; only syntactically valid IPs are passed to iptables.
    function ban_ip($ip) {
        $ip = trim($ip);
        if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
            return false;
        }
        $cmd = "iptables -I INPUT -p tcp --dport 80 -s " . escapeshellarg($ip) . " -j DROP";
        shell_exec($cmd);
        echo "$ip banned!\n";
        return true;
    }

    // direct visitors: block those with more than $threshold recorded visits
    $ips = array_count_values(file('ips.txt', FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES));
    foreach ($ips as $ip => $num) {
        if ($num > $threshold && ban_ip($ip)) {
            $ban_num++;
        }
    }

    // proxy servers: block every one recorded, regardless of visit count
    $proxy_arr = array_unique(file('proxy.txt', FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES));
    foreach ($proxy_arr as $proxy) {
        if (ban_ip($proxy)) {
            $ban_num++;
        }
    }

    echo "total: $ban_num ips\n";
    ?>

Execute the script with the following command (make sure the php command is in PATH):

    php ban.php

This script relies on the results saved in ips.txt in section II: when more than 10 visits are recorded for an IP, it is blocked as an attack source. Proxy servers are blocked directly, without checking the count.

After the IPs are blocked, restore all site settings to normal and the site can continue to operate normally.

V. Some details

To keep the description of the procedure as simple as possible, not much explanation was added above; the explanations are gathered in this section.

1. The essentials of "proxy servers"

Two values related to the TCP and HTTP protocols are involved: REMOTE_ADDR and HTTP_X_FORWARDED_FOR.

(1) REMOTE_ADDR is always the IP of the host closest to the Web server. If no proxy server is used, this value is the visitor's own IP; if a proxy is used, it is the proxy server's IP; if the connection passes through several proxy servers, it is the IP of the last proxy server, the one that connected to the Web server.

REMOTE_ADDR is determined by the TCP/IP layer and cannot be modified or forged.

(2) HTTP_X_FORWARDED_FOR is part of HTTP, not TCP/IP, so whatever this value is, it does not affect data transmission. In practice, this value is empty when a visitor accesses the Web server directly. Through a transparent proxy, the proxy server sets it to the visitor's IP; through an anonymous proxy, it may be the proxy server's own IP, empty, or random.

HTTP_X_FORWARDED_FOR can be modified at will. Most proxy servers are transparent proxies, that is, they set this value to the IP of the original visitor.
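As an added example (not part of the original article), the classification that ip.php's two branches perform in section II, written in Python with the proxy cases of this section handled: a comma-separated chain of hops, a proxy reporting its own address, and a header value that is not an IP at all. The sample requests are constructed.

```python
import ipaddress

# Constructed (REMOTE_ADDR, HTTP_X_FORWARDED_FOR) pairs; not captured traffic.
SAMPLE_REQUESTS = [
    ("203.0.113.10", ""),                            # direct visitor, no proxy
    ("198.51.100.7", "203.0.113.10"),                # transparent proxy, one hop
    ("198.51.100.8", "203.0.113.10, 198.51.100.9"),  # chain: client, then another proxy
    ("198.51.100.20", "198.51.100.20"),              # anonymous proxy reporting itself
    ("198.51.100.21", "unknown"),                    # anonymous proxy, junk value
    ("198.51.100.22", "1.2.3"),                      # header present but not a valid IP
]


def parse_forwarded_for(value):
    """Return the syntactically valid IPs in an X-Forwarded-For value, in order.

    The header is client-controlled and may contain anything, so every
    comma-separated element is validated and anything else is dropped.
    """
    ips = []
    for part in value.split(","):
        try:
            ips.append(str(ipaddress.ip_address(part.strip())))
        except ValueError:
            continue
    return ips


def classify(remote_addr, forwarded_for):
    """Classify one request as ip.php's branches do, with the edge cases handled.

    Returns (kind, origin): kind is 'direct', 'transparent_proxy' or 'anonymous_proxy';
    origin is the address to count as the attack source. Only the 'direct' origin
    comes from the TCP layer and cannot be forged.
    """
    if not forwarded_for.strip():
        return "direct", remote_addr           # ip.php's else branch: ips.txt
    hops = parse_forwarded_for(forwarded_for)
    if not hops or hops[0] == remote_addr:
        return "anonymous_proxy", remote_addr  # nothing usable about the origin
    return "transparent_proxy", hops[0]        # leftmost hop is the claimed client


def tally(requests):
    """Count origins per class; roughly mirrors ips.txt, real_ip.txt and proxy.txt."""
    out = {"direct": {}, "transparent_proxy": {}, "anonymous_proxy": {}}
    for remote_addr, xff in requests:
        kind, origin = classify(remote_addr, xff)
        out[kind][origin] = out[kind].get(origin, 0) + 1
    return out
```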

2. The layer at which a CC attack is handled

In order of processing efficiency, from high to low.

(Since this article is written for VPS servers, and a VPS is simply a low-end substitute for a dedicated server with little memory and CPU, the higher the processing efficiency, the better.)

(1) Network transport layer. iptables, the tool used in this article, works in the system kernel itself and refuses the attacker's connection while it is being established. Once the attack source is handled at this level, the resources it consumes are almost negligible.

(2) Web Server layer. Most Web Servers can be configured to deny access to given IPs. A solution at this level has the same effect as the above, but is less efficient.

(3) Script layer. The script program applies an appropriate policy to filter out the attack sources. There are many solutions of this kind on the web, but they do not work well on a VPS, and the setup can be several to dozens of times harder.

3. Why not collect IPs from the log?

There are two main considerations. First, most VPS users simply disable logging, because their disk space is too small and cleaning up logs frequently is troublesome.

Second, if IPs are collected from the log, the script is much more complex and may need to be adjusted according to the situation. Considering that many readers of this article may not have much technical background, the aim is to let them solve the problem by following the article step by step.
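For readers who do keep Web logs, the log-based alternative the article sets aside, as an added example (not the article's own code): count requests per client IP from Nginx combined-format access log lines, apply the same "more than 10 visits" threshold as ban.php, and produce the same iptables rules as strings for review. The log lines are constructed; the regex assumes Nginx's default combined format with $remote_addr as the first field.

```python
import ipaddress
import re
from collections import Counter

# Constructed Nginx combined-format lines (not from a real server): 12 hits from one
# source within a few seconds, 3 from an ordinary visitor, and one malformed line.
LINE = '{ip} - - [06/May/2020:12:13:{sec:02d} +0800] "GET {path} HTTP/1.1" 200 612 "-" "Mozilla/5.0"'
SAMPLE_LOG = "\n".join(
    [LINE.format(ip="203.0.113.10", sec=s, path="/") for s in range(12)]
    + [LINE.format(ip="198.51.100.5", sec=s, path="/about") for s in range(3)]
    + ["this line does not match the log format and must be skipped"]
)

# client IP, identity, user, [time], "request", status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def count_sources(log_text):
    """Count requests per client IP, the role ips.txt plays in the article."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue  # malformed or truncated line
        try:
            ip = str(ipaddress.ip_address(m.group("ip")))
        except ValueError:
            continue  # never feed a non-address to iptables
        counts[ip] += 1
    return counts


def attack_sources(counts, threshold=10):
    """IPs with more than `threshold` requests, ban.php's criterion for direct visitors."""
    return sorted(ip for ip, n in counts.items() if n > threshold)


def iptables_rules(ips, port=80):
    """The rule ban.php issues per IP, returned as strings to review before running as root."""
    return [f"iptables -I INPUT -p tcp --dport {port} -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    sources = attack_sources(count_sources(SAMPLE_LOG))
    print("\n".join(iptables_rules(sources)))
```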

