amazon ec2 - Apache getting hit by ads.yahoo and other spammers



I have a test server hosted on Amazon EC2 Linux (CentOS). I looked at the server's access log and saw entries such as:

Access log:

217.153.182.206 - - [04/May/2014:03:39:45 -0700] "GET http://chek.zennolab.com/proxy.php HTTP/1.1" 301 315
217.150.7.21 - - [04/May/2014:03:40:30 -0700] "GET http://images.google.com/ HTTP/1.1" 301 315
117.214.190.73 - - [04/May/2014:03:41:06 -0700] "GET http://www.baidu.com/ HTTP/1.1" 301 250
198.56.193.214 - - [09/May/2014:04:45:52 -0700] "GET http://ads.yahoo.com/st?ad_type=iframe&ad_size=300x250&section=5713092&pub_url=${PUB_URL} HTTP/1.0" 403 381 "http://www.mufinancepro.com/?p=512" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.2.4) Gecko/20100503 Firefox/3.6.4 ( .NET CLR 3.5.30729)"
142.54.168.227 - - [09/May/2014:04:45:52 -0700] "GET http://ib.adnxs.com/tt?id=2632471 HTTP/1.0" 302 - "http://www.advisablefinance.com/?p=1817" "Mozilla/4.0 (compatible; MSIE 7.0; AOL 9.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
142.54.166.201 - - [09/May/2014:04:45:52 -0700] "GET http://ib.adnxs.com/tt?id=2620691 HTTP/1.0" 302 - "http://www.affordfinance.com/?p=1165" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/3.0.195.1 Safari/532.0"
173.208.129.99 - - [09/May/2014:04:45:52 -0700] "GET http://ib.adnxs.com/tt?id=2620681 HTTP/1.0" 302 - "http://www.allowhealth.com/?p=150" "Mozilla/4.0 (compatible; MSIE 7.0; AOL 9.5; AOLBuild 4337.42; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
142.54.166.220 - - [09/May/2014:04:45:52 -0700] "GET http://ib.adnxs.com/ttj?id=2631551&position=above HTTP/1.0" 302 - "http://www.educationaffair.com/tag/upper-division-transfer/" "Mozilla/4.0 (compatible; MSIE 8.0; AOL 9.6; AOLBuild 4340.27; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
162.211.123.38 - - [09/May/2014:04:45:52 -0700] "GET http://ib.adnxs.com/seg?add=357270&t=2 HTTP/1.0" 200 - "http://ads.yahoo.com/st?ad_type=iframe&ad_size=160x600&section=5741811&pub_url=${PUB_URL}" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; AT&T CSM6.0; AT&T CSM 6; YComp 5.0.0.0)"
142.54.186.132 - - [09/May/2014:04:45:52 -0700] "GET http://ib.adnxs.com/ttj?id=2631551&position=above HTTP/1.0" 302 - "http://www.educationaffair.com/tag/university-of-southern-california/feed/" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_0; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/4.0.206.1 Safari/532.0"    
142.54.186.132 - - [09/May/2014:04:45:52 -0700] "GET http://ib.adnxs.com/ttj?id=2631551&position=above HTTP/1.0" 302 - "http://www.educationaffair.com/tag/correspondence-courses/" "Mozilla/4.0 (compatible; MSIE 6.0; America Online Browser 1.1; Windows NT 5.1; SV1; FunWebProducts; .NET CLR 1.1.4322; InfoPath.1; HbTools 4.8.0)"
172.246.42.214 - - [09/May/2014:04:45:52 -0700] "GET http://ads.yahoo.com/st?ad_type=ad&ad_size=728x90&section=5200398&pub_url=${PUB_URL} HTTP/1.0" 403 376 "http://www.autoinlife.com/?p=656" "Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-TW; rv:1.9.2.4) Gecko/20100611 Firefox/3.6.4 ( .NET CLR 3.5.30729)"

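Questions:

  1. The Apache access log contains inbound requests, so why do requests for http://chek.zennolab.com/proxy.php or http://images.google.com show up in my server's access log?

  2. Why am I getting so many ads.yahoo requests? How do I block them?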

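I guess you bought the test server recently, and that may be the reason this is happening.

Answer to question 1:
Since IP addresses are a scarce resource on the internet, the previous owner of your current IP address probably used/allowed, in some way, requests from ads.yahoo.com, images.google.com or whatever else you are getting in your logs.

Answer to question 2:
Although this is not a very good solution, it will help you to some extent.

  1. Write all the IP addresses to a file (better if you do this while you are not sending any real requests to the server).
  2. Write a shell script that reads that file line by line and executes iptables -I INPUT -s $FILE_LINE -j DROP (you need root privileges).

Basically, this command blocks those IP addresses by creating entries in the kernel's iptables.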

Install mod_security on the Apache web server and create the following rule:

SecRule SERVER_NAME "www.yourdomain.com$" "id:'200000',phase:1,nolog,allow,ctl:ruleEngine=off"

If you run into any problem, change nolog to log and check the log to see what is going on.
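Steps 1 and 2 of the iptables answer above, as an added example that is not part of the original answers: it collects the source IPs of requests whose request line carries an absolute URL for a host other than yours (the form a client sends to a forward proxy, as in the log above), validates each one, and prints the iptables rules instead of running them. `MY_HOST`, the function names and the sample log lines are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original answers). MY_HOST is an assumed placeholder
# for the only hostname this server is meant to serve.
MY_HOST="${MY_HOST:-www.yourdomain.com}"

# Constructed sample in Apache access-log format (documentation IP ranges).
sample_log() {
cat <<'EOF'
203.0.113.10 - - [04/May/2014:03:39:45 -0700] "GET http://proxy-check.example/proxy.php HTTP/1.1" 301 315
203.0.113.10 - - [04/May/2014:03:40:30 -0700] "GET http://images.example/ HTTP/1.1" 301 315
198.51.100.7 - - [09/May/2014:04:45:52 -0700] "GET http://ads.example/st?ad_type=iframe HTTP/1.0" 403 381 "http://ref.example/?p=1" "Mozilla/5.0"
192.0.2.44 - - [09/May/2014:04:46:01 -0700] "GET /index.html HTTP/1.1" 200 1024
192.0.2.45 - - [09/May/2014:04:46:02 -0700] "GET http://www.yourdomain.com/about HTTP/1.1" 200 2048
300.1.2.3 - - [09/May/2014:04:46:03 -0700] "GET http://ads.example/x HTTP/1.0" 403 381
EOF
}

# Step 1: source IPs of requests whose target is an absolute URL for a foreign host.
probe_ips() {
  awk -F'"' -v me="$MY_HOST" '{
    split($1, pre, " "); ip = pre[1]
    if (split($2, req, " ") < 2) next
    target = tolower(req[2])
    if (target !~ "^https?://") next      # origin-form ("/path") is a normal request
    host = target
    sub("^https?://", "", host); sub("[/:?].*$", "", host)
    if (host == tolower(me)) next         # absolute URL for our own site
    print ip
  }' | sort -u
}

# Accept only a plain dotted quad: the value ends up in a command run as root.
valid_ipv4() {
  printf '%s\n' "$1" | awk -F. '
    NF != 4 { exit 1 }
    { for (i = 1; i <= 4; i++)
        if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i + 0 > 255) exit 1 }'
}

# Step 2: print one iptables rule per valid IP read from stdin (dry run).
block_cmds() {
  while IFS= read -r ip; do
    if valid_ipv4 "$ip"; then
      printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
    else
      printf 'skipping invalid entry: %s\n' "$ip" >&2
    fi
  done
}

# Demo on the sample. Real use: probe_ips < access_log | block_cmds, review, then apply as root.
sample_log | probe_ips | block_cmds
```

The printed rules can be reviewed first; rejected entries are reported on stderr and never reach the command line.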
