Simple solution to CC attack under Linux VPS

  • 2020-05-06 12:02:35
  • OfStack

I. Preparations
1. Log in to the VPS control panel and be ready to restart the VPS at any time.
2. Shut down the Web Server first; the excessive load will make the following steps hard to carry out, or even make it impossible to log in over SSH.
3. Just in case, remove the Web Server from the services that start automatically at boot.
(If you cannot log in to the system, or the load is so high after a reboot that you cannot log in right after startup, ask the administrator to block the VPS's IP or port 80 on the host machine, log in through the host's virtual console, carry out steps 2 and 3, and then lift the block.)
II. Find the attacker IPs
1. Create a file ip.php in the root directory of the website with the following content. Note that HTTP_X_FORWARDED_FOR is a header the client can set to anything, so the script writes it to the file directly instead of passing it through a shell command, and it appends to the files so that the counts used in section IV accumulate across requests.

  <?php
  // Append one line per request to the collection files. REMOTE_ADDR comes
  // from the TCP connection; HTTP_X_FORWARDED_FOR is a header the client can
  // set to anything, so it is written with file_put_contents, never through a shell.
  $remote_addr = $_SERVER['REMOTE_ADDR'];
  $real_ip = isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? trim($_SERVER['HTTP_X_FORWARDED_FOR']) : '';
  if ($real_ip !== '') {
      file_put_contents('real_ip.txt', $real_ip . "\n", FILE_APPEND);
      file_put_contents('proxy.txt', $remote_addr . "\n", FILE_APPEND);
  } else {
      file_put_contents('ips.txt', $remote_addr . "\n", FILE_APPEND);
  }
  echo 'The server is under attack and the attack sources are being collected. Please visit this site again in 5 minutes; multiple visits within 5 minutes may get you blocked as an attack-source IP. Thanks for your cooperation!';
  ?>

2. Set up URL rewriting so that every request to the site is rewritten to ip.php.
Nginx rule (in the server block):

  rewrite (.*) /ip.php;

Lighttpd rule:

  url.rewrite = (
    "^/(.+)/?$" => "/ip.php"
  )

3. Start the Web Server and begin collecting IPs
With steps 1 and 2 done, start the Web Server; it now records IP information.
A collection time of 3 to 5 minutes is recommended; then shut down the Web Server again.
real_ip.txt: more than 80% of the addresses in this file will be the same one; that is the IP of the platform from which the attacker launched the attack.
proxy.txt: this file holds the IPs of the proxy servers the attacker went through; these need to be blocked.
ips.txt: the IPs recorded here show no sign of coming through a proxy; judge from the number of visits whether each one is an attack source.
III. A supplement to the previous section
If web logging is enabled on the VPS, the growth rate of the log files tells you which site is being attacked.
If logging is not enabled and there are only a few sites, it is also easy to enable logging temporarily.
If logging is not enabled and there are many sites, use a temporary Web Server configuration with a single default site that is not bound to any virtual host, and add the following line to ip.php (HTTP_HOST is also client-supplied, so it is written directly rather than through a shell):

  file_put_contents('domain.txt', $_SERVER['HTTP_HOST'] . "\n", FILE_APPEND);

domain.txt then holds the host names that were requested, and the sites under CC attack will make up the majority of them.
IV. Start blocking IPs
Create a file ban.php:

  <?php
  // Block the collected attack sources with iptables. Every address is
  // validated before it reaches the shell, so a corrupted line in the
  // collected files cannot turn into a command.
  $threshold = 10;
  $ban_num = 0;
  $banned = array();

  function read_lines($name) {
      return file_exists($name) ? file($name, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) : array();
  }

  function ban_ip($ip) {
      $cmd = "iptables -I INPUT -p tcp --dport 80 -s " . escapeshellarg($ip) . " -j DROP";
      shell_exec($cmd);
      echo "$ip banned!\n";
  }

  // direct visitors: block only those recorded more than $threshold times
  $ips = array_count_values(array_map('trim', read_lines('ips.txt')));
  foreach ($ips as $ip => $num) {
      if ($num > $threshold && filter_var($ip, FILTER_VALIDATE_IP) && !in_array($ip, $banned)) {
          ban_ip($ip);
          $banned[] = $ip;
          $ban_num++;
      }
  }

  // proxy servers: block every one, regardless of how often it appeared
  $proxy_arr = array_unique(array_map('trim', read_lines('proxy.txt')));
  foreach ($proxy_arr as $proxy) {
      if (filter_var($proxy, FILTER_VALIDATE_IP) && !in_array($proxy, $banned)) {
          ban_ip($proxy);
          $banned[] = $proxy;
          $ban_num++;
      }
  }
  echo "total: $ban_num ips\n";
  ?>

Execute the script with the following command (make sure the php command is in PATH):

  php ban.php

The script relies on the ips.txt and proxy.txt collected in section II: an IP with more than 10 recorded accesses is blocked as an attack source, and proxy servers are blocked outright without checking their count.
Once the IPs are blocked, remove the rewrite rule and restore the site settings; the site can then go back to normal operation.
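As an added example (not the article's own code), the ban decision from ban.php reimplemented in Python over constructed copies of ips.txt and proxy.txt. It assumes the same threshold of 10, additionally rejects lines that are not IP addresses, and returns the iptables command as an argument list instead of running it, so no shell ever parses a collected value.

```python
import ipaddress
from collections import Counter

# Constructed sample of the two files ip.php appends to, one address per line.
# The last ips.txt line is deliberately not an address, to show that it is
# skipped rather than handed to iptables.
IPS_TXT = "203.0.113.5\n" * 11 + "198.51.100.7\n" * 2 + "garbage; not an ip\n"
PROXY_TXT = "198.51.100.20\n198.51.100.20\n198.51.100.21\n"

def valid_ip(line):
    """Canonical address string, or None when the line is not a bare IP."""
    try:
        return str(ipaddress.ip_address(line.strip()))
    except ValueError:
        return None

def select_bans(ips_text, proxy_text, threshold=10):
    """Apply ban.php's rule: direct visitors above the threshold, every proxy.

    Returns (banned, skipped): addresses to block, in order, and the raw
    lines rejected because they are not IP addresses.
    """
    counts, skipped = Counter(), []
    for line in ips_text.splitlines():
        ip = valid_ip(line)
        if ip is None:
            skipped.append(line)
        else:
            counts[ip] += 1
    banned = [ip for ip, n in counts.items() if n > threshold]
    for line in proxy_text.splitlines():
        ip = valid_ip(line)
        if ip is None:
            skipped.append(line)
        elif ip not in banned:      # a proxy may already be in the direct list
            banned.append(ip)
    return banned, skipped

def iptables_rule(ip):
    """The article's DROP rule as an argv list: no shell parses the address."""
    return ["iptables", "-I", "INPUT", "-p", "tcp", "--dport", "80", "-s", ip, "-j", "DROP"]

if __name__ == "__main__":
    banned, skipped = select_bans(IPS_TXT, PROXY_TXT)
    for ip in banned:
        # on the VPS this would be subprocess.run(iptables_rule(ip), check=True)
        print(" ".join(iptables_rule(ip)))
    print("skipped lines:", skipped)
```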
V. Some details
To keep the description of the procedure as simple as possible, the sections above carry little explanation; the explanations are gathered here.
1. What a "proxy server" means here
Two values are relevant, one from TCP and one from HTTP: REMOTE_ADDR and HTTP_X_FORWARDED_FOR.
(1) REMOTE_ADDR is always the IP of the host closest to the Web server. Without a proxy it is the visitor's own IP; through a proxy it is the proxy server's IP; through a chain of proxies it is the IP of the last proxy, the one that connects to the Web server.
REMOTE_ADDR is taken from the established TCP connection and cannot be modified or forged by the client.
(2) HTTP_X_FORWARDED_FOR is part of HTTP, not TCP/IP, so whatever its value, it does not affect data transmission. In general it is empty when a visitor accesses the Web server directly. Through a transparent proxy, the proxy sets it to the visitor's IP; through an anonymous proxy it may be the proxy server's IP, empty, or random.
HTTP_X_FORWARDED_FOR can be set to anything. Most proxy servers are transparent proxies, that is, they set this value to the IP of the original visitor.
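An added example, not from the article, that sorts requests into the three files the way ip.php does, using the REMOTE_ADDR and X-Forwarded-For semantics just described. The sample requests are constructed; the handling of a comma-separated proxy chain and of a header value that is not an address goes beyond the article's single-proxy case.

```python
import ipaddress

def as_ip(value):
    """Canonical address string, or None when the text is not a bare IP."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None

def classify(remote_addr, xff):
    """Return {filename: address} for the lines ip.php would append for one request.

    remote_addr is the peer of the TCP connection and is always a real address.
    xff is the raw X-Forwarded-For header: the client may omit it, send one IP,
    send a chain "client, proxy1, proxy2", or send arbitrary text.
    """
    hop = as_ip(remote_addr)
    if hop is None:
        raise ValueError("REMOTE_ADDR is not an IP address: %r" % remote_addr)
    if xff is None or xff.strip() == "":
        return {"ips.txt": hop}                       # direct visitor
    first = as_ip(xff.split(",")[0])                  # leftmost entry = original client
    if first is None:
        return {"proxy.txt": hop}                     # header unusable; only the TCP peer is trustworthy
    return {"real_ip.txt": first, "proxy.txt": hop}   # transparent proxy: client behind hop

# Constructed sample requests as (REMOTE_ADDR, X-Forwarded-For) pairs.
SAMPLE = [
    ("203.0.113.5", None),                        # direct, header absent
    ("203.0.113.5", ""),                          # direct, header present but empty
    ("198.51.100.20", "192.0.2.77"),              # transparent proxy
    ("198.51.100.21", "192.0.2.77, 10.0.0.9"),    # chain of two proxies
    ("198.51.100.22", "unknown"),                 # anonymous proxy, junk value
]

def bucket(requests):
    """Group requests the way ip.php distributes them across its three files."""
    out = {"ips.txt": [], "real_ip.txt": [], "proxy.txt": []}
    for remote, xff in requests:
        for name, addr in classify(remote, xff).items():
            out[name].append(addr)
    return out

if __name__ == "__main__":
    for name, addrs in bucket(SAMPLE).items():
        print(name, addrs)
```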
2. Levels at which a CC attack can be handled, in order of processing efficiency from high to low
(This article is written for VPS servers. A VPS is a low-end substitute for a dedicated server, with little memory and CPU, so the higher the processing efficiency, the better.)
(1) Network transport layer. iptables, the tool used in this article, works in the system kernel and refuses the attacker's connection while it is being established. Once an attack source is handled at this level, the resources it consumes are almost negligible.
(2) Web Server layer. Most Web Servers can be configured to deny access to particular IPs. A solution at this level does the same thing as above but is less efficient.
(3) Script layer: filtering out attack sources with a strategy built into the site's own scripts. There are many solutions of this kind on the web, but they are a poor fit for a VPS, and setting them up can be several to dozens of times more work.
3. Why not collect IPs from the logs?
There are two main considerations. First, most VPS users simply disable logging, because their disk space is small and cleaning up logs frequently is troublesome.
Second, collecting IPs from logs makes the script much more complex, and it may need adjusting for each situation. Since most readers of this article may not be very technical, the aim is that they can solve the problem by following the steps exactly as written.
