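Nginx: Proactively Blocking Malicious Attacks


Going through the nginx logs, I found that the web server is hit by a large number of attacks every day.
Although the CDN can intercept malicious traffic, consider this one more layer of protection: have Nginx block the attacks itself.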

1. Block SQL-injection-related code

## black SQL injections
set $black_sql_injections 0;
if ($query_string ~ "union.*select.*\(") {
    set $black_sql_injections 1;
}
if ($query_string ~ "union.*all.*select.*") {
    set $black_sql_injections 1;
}
if ($query_string ~ "concat.*\(") {
    set $black_sql_injections 1;
}
if ($black_sql_injections = 1) {
    return 403;
}

## black file injections
set $black_file_injections 0;
if ($query_string ~ "[a-zA-Z0-9_]=http://") {
    set $black_file_injections 1;
}
if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") {
    set $black_file_injections 1;
}
if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
    set $black_file_injections 1;
}
if ($black_file_injections = 1) {
    return 403;
}

2. Related scripts also need to be blocked

## black common exploits
set $black_common_exploits 0;
if ($query_string ~ "(<|%3C).*script.*(>|%3E)") {
    set $black_common_exploits 1;
}
if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
    set $black_common_exploits 1;
}
if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
    set $black_common_exploits 1;
}
if ($query_string ~ "proc/self/environ") {
    set $black_common_exploits 1;
}
if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") {
    set $black_common_exploits 1;
}
if ($query_string ~ "base64_(en|de)code\(.*\)") {
    set $black_common_exploits 1;
}
if ($black_common_exploits = 1) {
    return 403;
}

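3. Save it as black.conf and include it in nginx.conf

# place inside a server { } block: set/if/return are not allowed at http level
include black.conf;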

4. nginx -t

Then test whether the configuration file is valid.

5. nginx -s reload

Nginx will now block these malicious requests.
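
A way to check the rules before reloading, as an added example that is not part of the original post: the script copies the regexes from black.conf and runs them over constructed query strings, showing which rule group would return 403, two ordinary-looking requests that are rejected as well, and one request the case-sensitive `~` operator does not match. It assumes Python's re module behaves like nginx's PCRE for these simple patterns; the function names and sample strings are made up for the illustration.

```python
import re

# Patterns copied from black.conf above, grouped by the flag variable they set.
# nginx "~" is a case-sensitive match on the raw (not URL-decoded) $query_string.
RULES = {
    "black_sql_injections": [
        r"union.*select.*\(", r"union.*all.*select.*", r"concat.*\("],
    "black_file_injections": [
        r"[a-zA-Z0-9_]=http://", r"[a-zA-Z0-9_]=(\.\.//?)+",
        r"[a-zA-Z0-9_]=/([a-z0-9_.]//?)+"],
    "black_common_exploits": [
        r"(<|%3C).*script.*(>|%3E)", r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})",
        r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})", r"proc/self/environ",
        r"mosConfig_[a-zA-Z_]{1,21}(=|\%3D)", r"base64_(en|de)code\(.*\)"],
}

def matched_flags(query_string, ignore_case=False):
    """Flag variables that would be set to 1 for this query string.
    ignore_case=True models the "~*" operator instead of "~"."""
    opts = re.IGNORECASE if ignore_case else 0
    return [flag for flag, patterns in RULES.items()
            if any(re.search(p, query_string, opts) for p in patterns)]

def status(query_string, ignore_case=False):
    """403 when any group fires (its 'return 403'), else 200 for 'passed on'."""
    return 403 if matched_flags(query_string, ignore_case) else 200

# Constructed query strings with the status the rules as written produce.
SAMPLES = [
    ("page=2&sort=name", 200),                  # ordinary request
    ("id=1+union+select+concat(a,b)", 403),     # matches the SQL group
    ("file=../../config", 403),                 # matches the file group
    ("q=%3Cscript%3E", 403),                    # matches the exploit group
    ("next=http://example.com/account", 403),   # false positive: redirect param
    ("q=how+to+use+concat()+in+mysql", 403),    # false positive: search text
    ("id=1+UNION+ALL+SELECT+1", 200),           # not matched: "~" is case-sensitive
]

def run_samples(ignore_case=False):
    """Return (query_string, expected, actual) for every sample that differs."""
    return [(q, want, status(q, ignore_case)) for q, want in SAMPLES
            if status(q, ignore_case) != want]

if __name__ == "__main__":
    print("differences with ~ :", run_samples())
    print("differences with ~*:", run_samples(ignore_case=True))
```

With `ignore_case=True` the only sample whose status changes is the upper-case one, which is what replacing `~` with `~*` in black.conf would do.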

RPI - Switching the Raspberry Pi to the Aliyun Mirror


1. Solution

Replace sources.list with the Aliyun mirror in China.
The official list of mirrors: http://www.raspbian.org/RaspbianMirrors

2. Implementation

1. Back up the original file

sudo cp /etc/apt/sources.list /etc/apt/sources.list.bkp
sudo vim /etc/apt/sources.list

2. Copy the following two lines into sources.list, replacing the original contents

deb http://mirrors.aliyun.com/raspbian/raspbian/ jessie main non-free contrib rpi 
deb-src http://mirrors.aliyun.com/raspbian/raspbian/ jessie main non-free contrib rpi

3. Run the following commands to update the package list

sudo apt-get update 
sudo apt-get upgrade -y