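# Example: reject a flood of malicious POST requests aimed at the home page.
# These rules can be placed in the server or location context.
#
# nginx "if" cannot combine two conditions, so each test appends one
# character to $flag and the final "if" compares the accumulated string.
set $flag 0;

# Test 1: the request method is POST.
if ($request_method ~ ^(POST)$) {
    set $flag "${flag}1";
}

# Test 2: the request targets the site root.
# $request_uri is the raw request target and still carries the query string,
# so the original pattern ^(/)$ (the one visible in the rewrite-log sample)
# is not matched by "POST /?x=1" and such a request is not blocked.
# The optional (\?.*)? group makes the rule cover "/" with any query string.
# The $document_uri variant below is the alternative the author left disabled.
#if ($document_uri ~ ^(/)$) {
if ($request_uri ~ "^/(\?.*)?$") {
    set $flag "${flag}2";
}

# Both tests matched ("0" + "1" + "2"): refuse the request.
if ($flag = "012") {
    return 403;
}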
# Turn on rewrite logging to analyse which rules match.
# rewrite_log writes its messages at the "notice" level, so the error log
# must be set to notice (or lower) for them to appear.
# NOTE(review): every evaluated "if"/rewrite is logged per request, which
# grows the log quickly under a request flood; switch rewrite_log off again
# once the rule has been verified.
error_log /home/wwwlogs/dev2.ropon.top_nginx_error.log notice;
rewrite_log on;
2019/05/14 09:10:34 [notice] 7317#0: *10 "^(POST)$" matches "POST", client: 127.0.0.1, request: "POST / HTTP/1.1", host: "dev2.ropon.top" 2019/05/14 09:10:34 [notice] 7317#0: *10 "^(/)$" matches "/", client: 127.0.0.1, request: "POST / HTTP/1.1", host: "dev2.ropon.top"
[14/May/2019:09:10:34 +0800] "POST / HTTP/1.1" 403 162 "-" "PostmanRuntime/7.6.0" [14/May/2019:09:15:31 +0800] "POST /login HTTP/1.1" 200 43 "-" "PostmanRuntime/7.6.0"
大量 POST 请求针对 URL 有规律的页面,且来源 IP 分散
127.0.0.1 - - [17/May/2019:08:49:23 +0800] "POST /12-3-1.html HTTP/1.1" 403 162 "-" 127.0.0.1 - - [17/May/2019:08:51:02 +0800] "POST /12-3-1.html HTTP/1.1" 403 162 "-" 127.0.0.1 - - [17/May/2019:08:51:02 +0800] "POST /12-3-1.html HTTP/1.1" 403 162 "-" 127.0.0.1 - - [17/May/2019:08:51:02 +0800] "POST /12-3-1.html HTTP/1.1" 403 162 "-" 127.0.0.1 - - [17/May/2019:08:51:17 +0800] "POST /12-31-1.html HTTP/1.1" 403 162 "-" 127.0.0.1 - - [17/May/2019:08:51:20 +0800] "POST /11-31-1.html HTTP/1.1" 403 162 "-" 127.0.0.1 - - [17/May/2019:08:51:23 +0800] "POST /11-31-2.html HTTP/1.1" 403 162 "-" 127.0.0.1 - - [17/May/2019:08:51:26 +0800] "POST /14-31-2.html HTTP/1.1" 403 162 "-" 127.0.0.1 - - [17/May/2019:08:51:31 +0800] "POST /4-31-2.html HTTP/1.1" 403 162 "-" 127.0.0.1 - - [17/May/2019:08:51:33 +0800] "POST /4-1-2.html HTTP/1.1" 403 162 "-" 127.0.0.1 - - [17/May/2019:08:51:35 +0800] "POST /4-1-2.html HTTP/1.1" 403 162 "-" 127.0.0.1 - - [17/May/2019:08:51:37 +0800] "POST /4-1-1.html HTTP/1.1" 403 162 "-" 127.0.0.1 - - [17/May/2019:08:51:40 +0800] "POST /4-6-1.html HTTP/1.1" 403 162 "-"
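# Same approach for the numbered .html pages: replace the URI test of the
# rule set with the one below.
#
# The original pattern used [1-9]+ for each number. That class has no "0",
# so a page such as /10-3-1.html was never matched and POSTs to it were not
# blocked; [0-9]+ covers every digit. The optional (\?.*)? group is needed
# because $request_uri includes the query string, so "POST /4-6-1.html?x=1"
# would otherwise escape the rule.
# The rewrite-log sample that follows was captured with the original pattern.
#
# NOTE(review): combined with the POST test this refuses every POST to these
# pages; confirm that none of them legitimately accepts a form submission.
if ($request_uri ~ "^/[0-9]+-[0-9]+-[0-9]+\.html(\?.*)?$") {
    set $flag "${flag}2";
}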
查看 rewrite log:
[notice] 21483#0: *1 "^(POST)$" matches "POST", client: 127.0.0.1, request: "POST /4-6-1.html HTTP/1.1", host: "dev2.ropon.top"
[notice] 21483#0: *1 "^(/([1-9]+)-([1-9]+)-([1-9]+)\.html)$" matches "/4-6-1.html", client: 127.0.0.1, request: "POST /4-6-1.html HTTP/1.1", host: "dev2.ropon.top"