A Zabbix server running Apache has repeatedly been abused as a proxy node. Until now the handling was to extract the attacking IPs from the log and add them to an ipset list so that their connections are refused, as below. Today I am dealing with it properly.
tail -f logs/main-access_log | grep -Ev "zabbix|grafana|::1|127.0.0.1|172.29.|your_public_ipaddr." | awk '{print $1}' | while read line; do ipset add blocklist $line;done
As can be seen, the traffic already blocked by the blocklist amounts to 146G.
The attack entries in the access log look like this:
5.203.227.3 - - [12/Mar/2025:17:33:15 +0800] "CONNECT 1gym-n-filad.att.sch.gr:443:443 HTTP/1.1" 400 226 "-" "-"
84.247.184.167 - - [12/Mar/2025:17:33:15 +0800] "CONNECT biologi.unimed.ac.id:443:443 HTTP/1.1" 400 226 "-" "-"
38.242.150.240 - - [12/Mar/2025:17:33:16 +0800] "CONNECT umkm.sumbawakab.go.id:443:443 HTTP/1.1" 400 226 "-" "-"
52.164.121.91 - - [12/Mar/2025:17:32:16 +0800] "GET http://www.google.com/search?q=%28%22uncategorized%22%29+Atwood+site%3Aus&num=100&start=0 HTTP/1.1" 503 299 "-" "Go-http-client/1.1"
38.242.150.245 - - [12/Mar/2025:17:33:17 +0800] "CONNECT umkm.sumbawakab.go.id:443:443 HTTP/1.1" 400 226 "-" "-"
52.164.121.91 - - [12/Mar/2025:17:32:16 +0800] "GET http://www.google.com/search?q=%28%22uncategorized%22%29+Detienne+site%3Aco.uk&num=100&start=100 HTTP/1.1" 503 299 "-" "Go-http-client/1.1"
52.140.227.162 - - [12/Mar/2025:17:32:17 +0800] "GET http://www.google.com/search?q=%28%22uncategorized%22%29+boost+site%3Afr&num=100&start=0 HTTP/1.1" 503 299 "-" "Go-http-client/1.1"
52.164.121.91 - - [12/Mar/2025:17:32:17 +0800] "GET http://www.google.com/search?q=%28%22uncategorized%22%29+kehitys+site%3Ade&num=100&start=200 HTTP/1.1" 503 299 "-" "Go-http-client/1.1"
138.197.123.185 - - [12/Mar/2025:17:33:17 +0800] "CONNECT barracudaaustin.com:443:443 HTTP/1.1" 400 226 "-" "-"
178.128.241.124 - - [12/Mar/2025:17:33:18 +0800] "CONNECT lakilakibujangan.online:443:443 HTTP/1.1" 400 226 "-" "-"
::1 - - [12/Mar/2025:17:33:18 +0800] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.57 (Unix) OpenSSL/3.0.8 PHP/8.2.5 (internal dummy connection)"
52.169.48.232 - - [12/Mar/2025:17:32:18 +0800] "GET http://www.google.com/search?q=%28%22uncategorized%22%29+Cardoso+site%3Abr&num=100&start=100 HTTP/1.1" 503 299 "-" "Go-http-client/1.1"
138.197.123.185 - - [12/Mar/2025:17:33:18 +0800] "CONNECT barracudaaustin.com:443:443 HTTP/1.1" 400 226 "-" "-"
45.89.63.186 - - [12/Mar/2025:17:33:18 +0800] "-" 408 - "-" "-"
188.166.182.147 - - [12/Mar/2025:17:33:18 +0800] "CONNECT annesbeach.com:443:443 HTTP/1.1" 400 226 "-" "-"
::1 - - [12/Mar/2025:17:33:19 +0800] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.57 (Unix) OpenSSL/3.0.8 PHP/8.2.5 (internal dummy connection)"
146.190.97.233 - - [12/Mar/2025:17:33:19 +0800] "CONNECT smpn4kaliwiro.sch.id:443:443 HTTP/1.1" 400 226 "-" "-"
172.248.165.232 - - [13/Mar/2025:09:42:43 +0800] "GET http://beard.works/__media__/js/netsoltrademark.php?d=cervomediagroupinc.com%2Fclients HTTP/1.1" 404 196 "http://beard.works/__media__/js/netsoltrademark.php?d=www.smartherald.com%2Fpandoras-box-and-cabo-ella-group-inc-join-forces-to-launch-the-perfect-8th--" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:114.0) Gecko/20100101 Firefox/114.0"
172.248.165.232 - - [13/Mar/2025:09:42:44 +0800] "GET http://beard.works/ HTTP/1.1" 200 - "http://beard.works/__media__/js/netsoltrademark.php?d=www.smartherald.com%2Fpandoras-box-and-cabo-ella-group-inc-join-forces-to-launch-the-perfect-8th--" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:114.0) Gecko/20100101 Firefox/114.0"
172.248.165.232 - - [13/Mar/2025:09:42:44 +0800] "GET http://beard.works/ HTTP/1.1" 200 - "http://beard.works/__media__/js/netsoltrademark.php?d=www.smartherald.com%2Fpandoras-box-and-cabo-ella-group-inc-join-forces-to-launch-the-perfect-8th--" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:114.0) Gecko/20100101 Firefox/114.0"
178.128.116.38 - - [13/Mar/2025:09:42:44 +0800] "CONNECT smpn4kaliwiro.sch.id:443:443 HTTP/1.1" 400 226 "-" "-"
172.248.165.232 - - [13/Mar/2025:09:42:44 +0800] "GET http://beard.works/ HTTP/1.1" 200 - "http://beard.works/__media__/js/netsoltrademark.php?d=www.smartherald.com%2Fpandoras-box-and-cabo-ella-group-inc-join-forces-to-launch-the-perfect-8th--" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:114.0) Gecko/20100101 Firefox/114.0"
121.139.173.71 - - [13/Mar/2025:09:42:45 +0800] "GET http://www.bing.com/ HTTP/1.0" 200 - "http://www.bing.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0"
178.128.116.38 - - [13/Mar/2025:09:42:46 +0800] "CONNECT smpn4kaliwiro.sch.id:443:443 HTTP/1.1" 400 226 "-" "-"
31.220.100.150 - - [13/Mar/2025:09:42:46 +0800] "CONNECT legos.cloud:443:443 HTTP/1.1" 400 226 "-" "-"
139.59.246.216 - - [13/Mar/2025:09:42:46 +0800] "CONNECT sipapa.pusdataru.jatengprov.go.id:443:443 HTTP/1.1" 400 226 "-" "-"
84.247.184.178 - - [13/Mar/2025:09:42:46 +0800] "CONNECT biologi.unimed.ac.id:443:443 HTTP/1.1" 400 226 "-" "-"
217.227.115.10 - - [13/Mar/2025:09:42:47 +0800] "GET http://proxyjudge.us/ HTTP/1.0" 200 - "-" "-"
Judging from the Apache log, the server is probably being used as a proxy node to carry out attacks. The log contains a large number of requests for non-local sites (CONNECT requests pointing at external domains, and GET requests for www.google.com).
Problem analysis
- CONNECT requests:
  - The many CONNECT requests in the log (e.g. CONNECT umkm.sumbawakab.go.id:443:443 HTTP/1.1) show that attackers are trying to establish tunnels to external HTTPS servers through your server. This is classic proxy abuse.
  - The 400 (Bad Request) status shows that the current Apache configuration rejects these requests, but the request volume can still push the server load too high.
- GET requests for external sites:
  - For example GET http://www.google.com/search?… These requests target external sites and use a full URL rather than a relative path, which indicates that your server is configured as an open proxy or has a configuration flaw.
  - The 503 (Service Unavailable) status indicates that the server may be unable to respond normally because of high load or a configuration problem.
- Diversity of source IPs:
  - Requests come from many different IP addresses (e.g. 5.203.227.3, 52.164.121.91), which may be part of a distributed attack or originate from many compromised hosts (a botnet).
- Potential risks:
  - The server could be used for DDoS attacks, data theft or other illegal activity.
  - If this is not dealt with promptly, the server's IP may end up on blacklists, affecting normal services.
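The ipset one-liner at the top of the post blocks every source that is not on the allowlist, which also catches harmless noise such as the 408 timeouts. As an added example that is not part of the original post, the script below applies the analysis above before anything is blocked: it classifies each access-log line as a CONNECT tunnel attempt, an absolute-URI request (the forward-proxy pattern) or an ordinary local request, skips the allowlisted sources, and reports per IP how many proxy-style requests were seen and how many received a 200, meaning Apache actually relayed them. The sample log lines are constructed to match the patterns in the post; the allowlist regex and the ipset set name blocklist are taken from the one-liner, and the internal 172.29.0.0/16 is assumed to be the monitoring network.

```shell
#!/bin/sh
# Added example, not from the original post: triage Apache "combined" access-log
# lines for forward-proxy abuse before adding sources to the ipset blocklist.

# Constructed sample lines modelled on the patterns seen in the post.
SAMPLE_LOG='38.242.150.240 - - [12/Mar/2025:17:33:16 +0800] "CONNECT umkm.sumbawakab.go.id:443:443 HTTP/1.1" 400 226 "-" "-"
52.164.121.91 - - [12/Mar/2025:17:32:16 +0800] "GET http://www.google.com/search?q=a HTTP/1.1" 503 299 "-" "Go-http-client/1.1"
52.164.121.91 - - [12/Mar/2025:17:32:17 +0800] "GET http://www.google.com/search?q=b HTTP/1.1" 503 299 "-" "Go-http-client/1.1"
172.29.0.15 - - [12/Mar/2025:17:33:18 +0800] "GET /zabbix/index.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
::1 - - [12/Mar/2025:17:33:18 +0800] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.57 (Unix) (internal dummy connection)"
45.89.63.186 - - [12/Mar/2025:17:33:18 +0800] "-" 408 - "-" "-"
217.227.115.10 - - [13/Mar/2025:09:42:47 +0800] "GET http://proxyjudge.us/ HTTP/1.0" 200 - "-" "-"'

# Sources never to block: loopback and the internal 172.29.0.0/16 from the
# one-liner in the post (assumed to be the monitoring network).
ALLOW_RE='^(::1|127[.]0[.]0[.]1|172[.]29[.])'

# proxy_abuse_report: read log lines on stdin and print, per source IP,
#   "<ip> <connect_attempts> <absolute_uri_requests> <relayed_200s>"
# Only sources with at least one proxy-style request are listed.
proxy_abuse_report() {
    awk -v allow="$ALLOW_RE" '
    $1 ~ allow { next }                       # allowlisted source, ignore
    {
        method = $6; sub(/^"/, "", method)    # %r is quoted: "METHOD target proto"
        target = $7
        status = $9
        if (method == "CONNECT") {
            connect[$1]++                     # tunnel attempt to an external host
        } else if (target ~ /^https?:\/\//) {
            absuri[$1]++                      # absolute URI = forward-proxy request
        } else {
            next                              # relative path: normal local request
        }
        if (status == 200) relayed[$1]++      # 200 means Apache actually relayed it
        seen[$1] = 1
    }
    END {
        for (ip in seen)
            printf "%s %d %d %d\n", ip, connect[ip]+0, absuri[ip]+0, relayed[ip]+0
    }' | sort
}

# block_commands: turn the report into ipset commands for review; they are
# printed rather than executed so the list can be checked before blocking.
block_commands() {
    proxy_abuse_report | awk '{ print "ipset add blocklist " $1 " -exist" }'
}

printf '%s\n' "$SAMPLE_LOG" | proxy_abuse_report
printf '%s\n' "$SAMPLE_LOG" | block_commands
```

On a live server, replace the sample with `tail -n 5000 logs/main-access_log | proxy_abuse_report`. A non-zero last column is the finding that matters most: it means the proxy relayed the request rather than merely rejecting it, so the configuration, not just the source list, needs fixing.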
Remediation steps
Confirm whether the server is configured as a proxy
Because the server also has to proxy requests for legitimate backend applications, the proxy modules cannot simply be turned off:
[root@monitor ~]# apachectl -M | grep proxy
 proxy_module (shared)
 proxy_http_module (shared)
If your server does not need to proxy backend services, you can comment out the proxy modules in the configuration file:
LoadModule proxy_module modules/mod_proxy.so
#LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_http_module modules/mod_proxy_http.so
Tip: because I have not enabled the mod_proxy_connect module, the CONNECT requests above fail with a 400 error.
Restrict non-local requests
By default Apache should not handle requests for external domains. Check whether the following directive, which enables forward proxying, is present:
ProxyRequests On
If it is, change it to ProxyRequests Off or remove it altogether.
Test and verify
After adjusting the configuration, watch the log to see whether external requests (such as GET http://beard.works/ or CONNECT requests) still appear.
Use an external tool to test whether the server can still be used as a proxy:
curl -x http://127.0.0.1:80 http://www.baidu.com
If this does not return an error, further restrictions are still needed.
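To make the two configuration checks in the steps above repeatable (is mod_proxy_connect loaded, is ProxyRequests On), here is an added example that is not from the original post: a shell function that audits an httpd.conf fragment and prints one finding per problem, run against a constructed weak configuration and a constructed hardened one. The hardened variant keeps a ProxyPass reverse proxy for a backend, which is what the post needs to preserve; the /grafana/ path and backend port 3000 are assumptions for the example. The curl test in the last step remains a manual, live check because it needs the running server.

```shell
#!/bin/sh
# Added example, not from the original post: audit an Apache configuration for
# the two forward-proxy settings discussed above, and show the weak setting
# beside the corrected one.

# Constructed weak configuration: forward proxying is on and the CONNECT
# module is loaded, so any client can use the server as an open proxy.
WEAK_CONF='LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_http_module modules/mod_proxy_http.so
ProxyRequests On
ProxyPass /grafana/ http://127.0.0.1:3000/
ProxyPassReverse /grafana/ http://127.0.0.1:3000/'

# Constructed hardened configuration: ProxyRequests Off disables forward
# proxying while the explicit ProxyPass rules for the backend keep working;
# mod_proxy_connect is commented out because a reverse proxy does not need it.
# (The /grafana/ path and backend port 3000 are assumptions for the example.)
HARDENED_CONF='LoadModule proxy_module modules/mod_proxy.so
#LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_http_module modules/mod_proxy_http.so
ProxyRequests Off
ProxyPass /grafana/ http://127.0.0.1:3000/
ProxyPassReverse /grafana/ http://127.0.0.1:3000/'

# audit_proxy_conf: read configuration text on stdin and print one finding per
# line; prints nothing when no forward-proxy exposure is found.
audit_proxy_conf() {
    awk '
    /^[ \t]*#/ { next }                                   # commented-out directive
    tolower($1) == "proxyrequests" && tolower($2) == "on" { req_on = 1 }
    tolower($1) == "loadmodule" && $2 == "proxy_connect_module" { connect_mod = 1 }
    END {
        if (req_on)
            print "ProxyRequests On: absolute-URI requests (GET http://...) from any client are relayed"
        if (req_on && connect_mod)
            print "proxy_connect_module loaded with ProxyRequests On: CONNECT tunnels to arbitrary hosts are possible"
        else if (connect_mod)
            print "proxy_connect_module loaded but a ProxyPass reverse proxy only needs proxy_http_module; comment it out"
    }'
}

# audit_file: convenience wrapper for a real configuration file,
# e.g. audit_file /etc/httpd/conf/httpd.conf
audit_file() {
    audit_proxy_conf < "$1"
}

echo "weak:";     printf '%s\n' "$WEAK_CONF" | audit_proxy_conf
echo "hardened:"; printf '%s\n' "$HARDENED_CONF" | audit_proxy_conf
```

The audit only looks at the main file you feed it, so run it over every file pulled in by Include as well; after the change, `apachectl -M | grep proxy` should no longer list proxy_connect_module, and the curl test above should return an error instead of the remote page.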