
Constant SSL handshake errors from random IPs on a fresh server

Server Fault user
Asked on 2019-09-23 17:55:07
Answers: 1, Views: 1.1K, Followers: 0, Votes: 0

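I have just set up a new server, and I have gotten as far as the following:

  • Secured it (no root login or password login, UFW, etc.)
  • Installed a LEMP stack.

After tailing the nginx error log, I see constant errors that look like attempts to break SSL from IPs in Iran and Russia.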

2019/09/23 17:42:38 [crit] 6611#6611: *5000095 SSL_do_handshake() failed (SSL: error:1408F0C6:SSL routines:ssl3_get_record:packet length too long) while SSL handshaking, client: 5.234.166.113, server: 0.0.0.0:443
2019/09/23 17:42:40 [crit] 6611#6611: *5000225 SSL_do_handshake() failed (SSL: error:1408F0C6:SSL routines:ssl3_get_record:packet length too long) while SSL handshaking, client: 31.2.143.221, server: 0.0.0.0:443
2019/09/23 17:42:48 [crit] 6611#6611: *5001090 SSL_do_handshake() failed (SSL: error:1408F0C6:SSL routines:ssl3_get_record:packet length too long) while SSL handshaking, client: 89.36.99.104, server: 0.0.0.0:443
2019/09/23 17:42:49 [crit] 6611#6611: *5001232 SSL_do_handshake() failed (SSL: error:1408F0C6:SSL routines:ssl3_get_record:packet length too long) while SSL handshaking, client: 86.57.113.197, server: 0.0.0.0:443
2019/09/23 17:42:50 [crit] 6611#6611: *5001276 SSL_do_handshake() failed (SSL: error:1408F0C6:SSL routines:ssl3_get_record:packet length too long) while SSL handshaking, client: 5.121.174.179, server: 0.0.0.0:443
2019/09/23 17:43:00 [crit] 6611#6611: *5002221 SSL_do_handshake() failed (SSL: error:1408F0C6:SSL routines:ssl3_get_record:packet length too long) while SSL handshaking, client: 5.74.187.51, server: 0.0.0.0:443
2019/09/23 17:43:00 [crit] 6611#6611: *5002250 SSL_do_handshake() failed (SSL: error:1408F0C6:SSL routines:ssl3_get_record:packet length too long) while SSL handshaking, client: 178.236.102.93, server: 0.0.0.0:443
2019/09/23 17:43:01 [crit] 6611#6611: *5002327 SSL_do_handshake() failed (SSL: error:1408F0C6:SSL routines:ssl3_get_record:packet length too long) while SSL handshaking, client: 5.106.78.245, server: 0.0.0.0:443
2019/09/23 17:43:05 [crit] 6611#6611: *5002733 SSL_do_handshake() failed (SSL: error:1408F0C6:SSL routines:ssl3_get_record:packet length too long) while SSL handshaking, client: 178.236.102.93, server: 0.0.0.0:443
2019/09/23 17:43:12 [crit] 6611#6611: *5003431 SSL_do_handshake() failed (SSL: error:1408F0C6:SSL routines:ssl3_get_record:packet length too long) while SSL handshaking, client: 5.212.171.209, server: 0.0.0.0:443
2019/09/23 17:43:19 [crit] 6611#6611: *5004092 SSL_do_handshake() failed (SSL: error:1408F0C6:SSL routines:ssl3_get_record:packet length too long) while SSL handshaking, client: 5.115.250.119, server: 0.0.0.0:443
2019/09/23 17:43:29 [crit] 6611#6611: *5005018 SSL_do_handshake() failed (SSL: error:1408F0C6:SSL routines:ssl3_get_record:packet length too long) while SSL handshaking, client: 158.58.64.8, server: 0.0.0.0:443
2019/09/23 17:43:34 [crit] 6611#6611: *5005514 SSL_do_handshake() failed (SSL: error:1408F0C6:SSL routines:ssl3_get_record:packet length too long) while SSL handshaking, client: 31.59.166.195, server: 0.0.0.0:443
2019/09/23 17:43:37 [crit] 6611#6611: *5005762 SSL_do_handshake() failed (SSL: error:1408F0C6:SSL routines:ssl3_get_record:packet length too long) while SSL handshaking, client: 31.2.170.98, server: 0.0.0.0:443
2019/09/23 17:43:37 [crit] 6611#6611: *5005792 SSL_do_handshake() failed (SSL: error:1408F0C6:SSL routines:ssl3_get_record:packet length too long) while SSL handshaking, client: 31.59.166.195, server: 0.0.0.0:443

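Is it because my hosting company assigned me a dirty IP that was previously the target of attacks, or is it something more benign?

Either way, the logs will fill up quickly unless I can fix this.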


1 Answer

Server Fault user

Posted on 2019-09-24 06:34:46

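This does not seem to be a security issue. Take a look at this answer: https://stackoverflow.com/a/28010608/9361998

As a workaround (if you want to stop these requests), you can ban the IP addresses using the following script.

Note: make sure to run it as root.

The theory is pretty simple:

  1. Read the nginx log and filter the SSL handshake errors.
  2. Create a Python script that can create an "iptables" command based on a threshold (hard-coded).

If you have Python installed, you can run this simple script.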

import re
import sys

# Save the input data into a string
raw = sys.stdin.read().strip()

BAN_COUNT = 3
# Match only the address after "client:"; each log line also contains the
# server address (0.0.0.0:443), which must not be counted as an IP to ban
CLIENT_RE = re.compile(r"client: ([0-9]+(?:\.[0-9]+){3})")
# Split the lines of the log
data = raw.split("\n")
to_ban = {}
# Iterate the lines
for item in data:
    # Extract the client IP
    match = CLIENT_RE.search(item)
    if match:
        ip = match.group(1)
        # print("Found IP to BAN -> {}".format(ip))
        # If IP already found increase counter
        if ip in to_ban:
            to_ban[ip] += 1
        # First time that we encounter the IP, create new entry in dict
        else:
            to_ban[ip] = 1
# Create iptables mask for ban
for keys in to_ban.keys():
    if to_ban[keys] >= BAN_COUNT:
        # BAN MASK
        # Use this for ban
        # ban_mask = 'iptables -A INPUT -s {} -j DROP'.format(keys)
        # Use this for test purposes
        ban_mask = 'echo "iptables -A INPUT -s {} -j DROP"'.format(keys)
        print(ban_mask)

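Now that we have a Python script that takes input lines, extracts the IPs, counts how many times they appear in the text, and prints the iptables commands to ban the IPs, we can parse the nginx log.

Save the script as ban.py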

# error.log is the default nginx error log name; adjust the path to your error_log setting
grep "1408F0C6" /var/log/nginx/error.log | python ban.py | sh

With this approach, you will ban every IP that produces a handshake error.

Votes: 1
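An added example, not part of the original answer: a variant of the counting step that flags an IP only when its handshake failures fall inside one time window, validates the address with `ipaddress`, and skips an allowlist. The function names, parameters, window length and sample lines (documentation addresses) are assumptions made for this illustration; the printed rule is the one from the answer's script.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Timestamp and client address of a 1408F0C6 failure (IPv4 only, like the answer's script)
LINE_RE = re.compile(r"^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[crit\] .*"
                     r"error:1408F0C6:.*client: (?P<ip>[0-9.]+), server:")

def offenders(lines, threshold=3, window_minutes=10, allowlist=()):
    """Return IPs with at least `threshold` failures inside one time window."""
    allowed = [ipaddress.ip_network(net) for net in allowlist]
    seen = defaultdict(list)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.IPv4Address(m.group("ip"))
        except ValueError:
            continue  # not a real address: never hand it to a firewall command
        if any(ip in net for net in allowed):
            continue  # e.g. your own admin or monitoring ranges
        seen[ip].append(datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"))
    window = timedelta(minutes=window_minutes)
    hits = []
    for ip, stamps in seen.items():
        stamps.sort()
        # Sliding window: failure i and failure i + threshold - 1 are close together
        if any(stamps[i + threshold - 1] - stamps[i] <= window
               for i in range(len(stamps) - threshold + 1)):
            hits.append(ip)
    return [str(ip) for ip in sorted(hits, key=int)]

def sample_line(ts, ip):  # constructed line in the format of the question's log
    return ("2019/09/23 {} [crit] 6611#6611: *1 SSL_do_handshake() failed (SSL: "
            "error:1408F0C6:SSL routines:ssl3_get_record:packet length too long) "
            "while SSL handshaking, client: {}, server: 0.0.0.0:443".format(ts, ip))

SAMPLE = (  # constructed sample data
    [sample_line(t, "192.0.2.10") for t in ("17:42:38", "17:42:40", "17:42:48")]
    + [sample_line(t, "198.51.100.7") for t in ("17:00:00", "17:20:00", "17:43:00")]
    + [sample_line(t, "203.0.113.5") for t in ("17:43:00", "17:43:01", "17:43:05")]
    + ['2019/09/23 17:42:41 [error] 6611#6611: *2 open() "/var/www/html/x" failed '
       "(2: No such file or directory), client: 192.0.2.10, server: example.test"]
)

if __name__ == "__main__":
    for addr in offenders(SAMPLE, allowlist=["203.0.113.0/24"]):
        print("iptables -A INPUT -s {} -j DROP".format(addr))
```

In the sample, 198.51.100.7 has three failures spread over 43 minutes, so a cumulative count would ban it while the 10-minute window does not.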
Original page content provided by Server Fault. Translation support provided by the Tencent Cloud Xiaowei IT-domain engine.
Original link:

https://serverfault.com/questions/985322
