The blog admin panel keeps getting brute-forced by some clown~

Previously the blog admin area already had Basic HTTP Authentication as an extra layer of protection, but I carelessly only put it on the wp-admin backend and forgot to include wp-login as well, so the backend could be reached directly through wp-login and the admin password brute-forced.

Looking at the nginx log, the login is a POST request and there was no further detail, so I turned on logging of the request body.

Log format that records POST request parameters


log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                '"$http_referer" $status $body_bytes_sent $request_body '
                '"$http_user_agent" "$http_x_forwarded_for"';

All this does is add the $request_body field to log_format.
You can enable this field while debugging an application, but otherwise logging it is not recommended, so as not to leak information to malicious attackers.
And here the log entries are


61.160.224.137 - - [03/Jun/2014:10:33:32 +0800] "POST /wp-login.php HTTP/1.0" "-" 200 4664 log=admin&pwd=snoopy1 "-" "213.239.201.157"
61.160.224.137 - - [03/Jun/2014:10:33:33 +0800] "POST /wp-login.php HTTP/1.0" "-" 200 4664 log=admin&pwd=pipeline "-" "213.239.201.157"
61.160.224.137 - - [03/Jun/2014:10:33:34 +0800] "POST /wp-login.php HTTP/1.0" "-" 200 4664 log=admin&pwd=pocket "-" "213.239.201.157"
61.160.224.137 - - [03/Jun/2014:10:33:35 +0800] "POST /wp-login.php HTTP/1.0" "-" 200 4664 log=admin&pwd=legs "-" "213.239.201.157"
61.160.224.137 - - [03/Jun/2014:10:33:41 +0800] "POST /wp-login.php HTTP/1.0" "-" 200 4664 log=admin&pwd=maple "-" "213.239.201.157"
61.160.224.137 - - [03/Jun/2014:10:33:42 +0800] "POST /wp-login.php HTTP/1.0" "-" 200 4664 log=admin&pwd=mickey1 "-" "213.239.201.157"
61.160.224.137 - - [03/Jun/2014:10:33:42 +0800] "POST /wp-login.php HTTP/1.0" "-" 200 4664 log=admin&pwd=manuela "-" "213.239.201.157"
61.160.224.137 - - [03/Jun/2014:10:33:43 +0800] "POST /wp-login.php HTTP/1.0" "-" 200 4664 log=admin&pwd=mermaid "-" "213.239.201.157"
61.160.224.137 - - [03/Jun/2014:10:33:44 +0800] "POST /wp-login.php HTTP/1.0" "-" 200 4664 log=admin&pwd=micro "-" "213.239.201.157"
61.160.224.137 - - [03/Jun/2014:10:33:45 +0800] "POST /wp-login.php HTTP/1.0" "-" 200 4664 log=admin&pwd=meowmeow "-" "213.239.201.157"
61.160.224.137 - - [03/Jun/2014:10:33:46 +0800] "POST /wp-login.php HTTP/1.0" "-" 200 4664 log=admin&pwd=redbird "-" "213.239.201.157"
61.160.224.137 - - [03/Jun/2014:10:33:47 +0800] "POST /wp-login.php HTTP/1.0" "-" 200 4664 log=admin&pwd=alisha "-" "213.239.201.157"
61.160.224.137 - - [03/Jun/2014:10:33:48 +0800] "POST /wp-login.php HTTP/1.0" "-" 200 4664 log=admin&pwd=baura "-" "213.239.201.157"
61.160.224.137 - - [03/Jun/2014:10:33:49 +0800] "POST /wp-login.php HTTP/1.0" "-" 200 4664 log=admin&pwd=battery "-" "213.239.201.157"
61.160.224.137 - - [03/Jun/2014:10:33:50 +0800] "POST /wp-login.php HTTP/1.0" "-" 200 4664 log=admin&pwd=grass "-" "213.239.201.157"
61.160.224.137 - - [03/Jun/2014:10:33:51 +0800] "POST /wp-login.php HTTP/1.0" "-" 200 4664 log=admin&pwd=chevys "-" "213.239.201.157"
61.160.224.137 - - [03/Jun/2014:10:33:52 +0800] "POST /wp-login.php HTTP/1.0" "-" 200 4664 log=admin&pwd=chestnut "-" "213.239.201.157"
61.160.224.137 - - [03/Jun/2014:10:33:53 +0800] "POST /wp-login.php HTTP/1.0" "-" 200 4664 log=admin&pwd=caravan "-" "213.239.201.157"
61.160.224.137 - - [03/Jun/2014:10:33:54 +0800] "POST /wp-login.php HTTP/1.0" "-" 200 4664 log=admin&pwd=carina "-" "213.239.201.157"
61.160.224.137 - - [03/Jun/2014:10:33:55 +0800] "POST /wp-login.php HTTP/1.0" "-" 200 4664 log=admin&pwd=charmed "-" "213.239.201.157"
61.160.224.137 - - [03/Jun/2014:10:33:55 +0800] "POST /wp-login.php HTTP/1.0" "-" 200 4664 log=admin&pwd=fraser "-" "213.239.201.157"
61.160.224.137 - - [03/Jun/2014:10:33:56 +0800] "POST /wp-login.php HTTP/1.0" "-" 200 4664 log=admin&pwd=frogman "-" "213.239.201.157"
61.160.224.137 - - [03/Jun/2014:10:33:57 +0800] "POST /wp-login.php HTTP/1.0" "-" 200 4664 log=admin&pwd=diving "-" "213.239.201.157"
61.160.224.137 - - [03/Jun/2014:10:33:59 +0800] "POST /wp-login.php HTTP/1.0" "-" 200 4664 log=admin&pwd=dogger "-" "213.239.201.157"
61.160.224.137 - - [03/Jun/2014:10:34:00 +0800] "POST /wp-login.php HTTP/1.0" "-" 200 4664 log=admin&pwd=draven "-" "213.239.201.157"
61.160.224.137 - - [03/Jun/2014:10:34:01 +0800] "POST /wp-login.php HTTP/1.0" "-" 200 4664 log=admin&pwd=drifter "-" "213.239.201.157"
61.160.224.137 - - [03/Jun/2014:10:34:02 +0800] "POST /wp-login.php HTTP/1.0" "-" 200 4664 log=admin&pwd=oatmeal "-" "213.239.201.157"
61.160.224.137 - - [03/Jun/2014:10:34:03 +0800] "POST /wp-login.php HTTP/1.0" "-" 200 4664 log=admin&pwd=paris1 "-" "213.239.201.157"
61.160.224.137 - - [03/Jun/2014:10:34:04 +0800] "POST /wp-login.php HTTP/1.0" "-" 200 4664 log=admin&pwd=longdong "-" "213.239.201.157"
61.160.224.137 - - [03/Jun/2014:10:34:05 +0800] "POST /wp-login.php HTTP/1.0" "-" 200 4664 log=admin&pwd=quant4307s "-" "213.239.201.157"
61.160.224.137 - - [03/Jun/2014:10:34:06 +0800] "POST /wp-login.php HTTP/1.0" "-" 200 4664 log=admin&pwd=rachel1 "-" "213.239.201.157"
61.160.224.137 - - [03/Jun/2014:10:34:07 +0800] "POST /wp-login.php HTTP/1.0" "-" 200 4664 log=admin&pwd=vegitta "-" "213.239.201.157"
61.160.224.137 - - [03/Jun/2014:10:34:07 +0800] "POST /wp-login.php HTTP/1.0" "-" 200 4664 log=admin&pwd=cole "-" "213.239.201.157"
61.160.224.137 - - [03/Jun/2014:10:34:08 +0800] "POST /wp-login.php HTTP/1.0" "-" 200 4664 log=admin&pwd=cobras "-" "213.239.201.157"

Heh, obviously a script kiddie. For safety I turned POST parameter logging back off.

Ban the IPs 61.160.224.137 and 213.239.201.157

Create blockips.conf, the file listing the IPs to block


deny 113.108.12.154;    # a single blocked IP
deny 124.115.0.0/24;    # blocks the whole 124.115.0.1 ~ 124.115.0.255 range
deny 124.115.4.0/24;    # blocks the whole 124.115.4.1 ~ 124.115.4.255 range

Blocking an entire range may catch innocent visitors too, but the odds are low.

Next, include blockips.conf in the nginx configuration

Add this inside the http block

http {
    # load the list of IPs denied access
    include blockips.conf;    # mind the relative path when including

    ... (rest omitted)
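As an added example (not code from the original post), here is a small Python script that parses the log_format shown above, masks the pwd= value carried in $request_body, flags sources that hammer /wp-login.php in a short window, and prints ready-made deny lines for blockips.conf. The sample log lines, the RFC 5737 test addresses and the threshold/window values are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
# Matches the post's log_format: $request_body is the bare token after $body_bytes_sent.
LOG_RE = re.compile(
    r'^(?P<addr>\S+) - \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" "[^"]*" '
    r'(?P<status>\d{3}) \d+ (?P<body>\S+) "[^"]*" "(?P<xff>[^"]*)"$')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines in that format (not the post's real entries; RFC 5737 test addresses).
SAMPLE_LOG = [
    f'198.51.100.7 - - [03/Jun/2014:10:33:{32 + i:02d} +0800] "POST /wp-login.php HTTP/1.0" '
    f'"-" 200 4664 log=admin&pwd=guess{i} "-" "203.0.113.9"' for i in range(6)
] + ['192.0.2.5 - - [03/Jun/2014:10:40:01 +0800] "GET /index.php HTTP/1.1" "-" 200 812 - "Mozilla/5.0" "-"']

def redact_body(body):
    """Mask the pwd= value so nothing derived from the log echoes a submitted password."""
    return re.sub(r"(^|&)pwd=[^&]*", r"\1pwd=***", body)

def parse_line(line):
    """Return the fields of one log line (body already redacted), or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["body"] = redact_body(rec["body"])
    return rec

def find_bruteforcers(lines, threshold=5, window=60):
    """Sources with at least `threshold` POSTs to /wp-login.php inside `window` seconds,
    keyed by (remote address, X-Forwarded-For) since the post banned both addresses."""
    times = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["request"].startswith("POST /wp-login.php"):
            times[(rec["addr"], rec["xff"])].append(rec["time"])
    hits = {}
    for src, ts in times.items():
        ts.sort()
        for i in range(len(ts) - threshold + 1):  # sliding window of `threshold` attempts
            if (ts[i + threshold - 1] - ts[i]).total_seconds() <= window:
                hits[src] = len(ts)
                break
    return hits

def deny_lines(hits):
    """Emit blockips.conf entries for every address involved (direct and forwarded)."""
    ips = sorted({ip for src in hits for ip in src if ip != "-"})
    return [f"deny {ip};" for ip in ips]
```

Running `find_bruteforcers` over a real access log and feeding `deny_lines` into blockips.conf automates the manual ban described above; tune `threshold` and `window` to your own traffic before trusting the output.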

After these changes things are safe for now, and thanks to the hacker for teaching me a few things too~~
