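Apache2 flooded with GET requests

Time: 2014-03-24 13:27:51

Tags: apache security proxy ddos abuse

I am running several services such as Redmine, Continuum and Tomcat. Lately all of them have been very slow. In the worst case, I have to wait 5 minutes just to see the front page of my Tomcat server.

I decided to look at the access.log file from apache2 and noticed that my server is being flooded with GET requests. Here is an excerpt from the log file.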

66.249.67.238 - - [24/Mar/2014:14:10:15 +0100] "GET /maven2/com/sun/jersey/jersey-server/1.7-SNAPSHOT/maven-metadata-maven2-repository.dev.java.net.xml.md5 HTTP/1.1" 500 1084 "-" "SAMSUNG-SGH-E250/1.0 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0 (compatible; Googlebot-Mobile/2.1; +http://www.google.com/bot.html)"
23.239.123.39 - - [24/Mar/2014:14:10:22 +0100] "GET http://ads.yashi.com/12976 HTTP/1.0" 500 1153 "http://www.edunyc.com" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16"
198.13.111.248 - - [24/Mar/2014:14:10:23 +0100] "GET http://ib.adnxs.com/tt?id=2249888&cb=[CACHEBUSTER]&referrer=[REFERRER_URL] HTTP/1.0" 500 1152 "http://www.thebankparent.com/?p=5426" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; Media Center PC 5.0; .NET CLR 2.0.50727)"
66.249.66.120 - - [24/Mar/2014:14:10:25 +0100] "GET /maven2/org/apache/maven/surefire/surefire-junit/2.4.2/ HTTP/1.1" 500 1084 "-" "DoCoMo/2.0 N905i(c100;TB;W24H16) (compatible; Googlebot-Mobile/2.1; +http://www.google.com/bot.html)"
23.91.20.235 - - [24/Mar/2014:14:10:26 +0100] "GET http://ib.adnxs.com/tt?id=2287590&cb=[CACHEBUSTER]&referrer=[REFERRER_URL] HTTP/1.0" 500 1152 "http://www.agtvbi.com/?cat=1" "Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; c .NET CLR 3.0.04506; .NET CLR 3.5.30707; InfoPath.1)"
198.13.111.243 - - [24/Mar/2014:14:10:26 +0100] "GET http://ib.adnxs.com/tt?id=2249973&cb=[CACHEBUSTER]&referrer=[REFERRER_URL] HTTP/1.0" 500 1152 "http://www.finank.com/?tag=tv" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:5.0) Gecko/20100101 Firefox/5.0"
23.91.20.238 - - [24/Mar/2014:14:10:32 +0100] "GET http://ib.adnxs.com/tt?id=2249973&cb=[CACHEBUSTER]&referrer=[REFERRER_URL] HTTP/1.0" 500 1152 "http://www.finank.com/?p=12004" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727)"
23.91.20.236 - - [24/Mar/2014:14:10:34 +0100] "GET http://ib.adnxs.com/tt?id=2287590&cb=[CACHEBUSTER]&referrer=[REFERRER_URL] HTTP/1.0" 500 1152 "http://www.agtvbi.com/?tag=kids" "Mozilla/4.0 (Mozilla/4.0; MSIE 7.0; Windows NT 5.1; FDM; SV1)"
184.105.203.51 - - [24/Mar/2014:14:10:35 +0100] "GET http://ib.adnxs.com/tt?id=2208504&cb=[CACHEBUSTER]&referrer=[REFERRER_URL] HTTP/1.0" 500 1152 "http://www.tvlucifer.com/online-videos/friends-and-family/8-near-death-experience-nahtoderfahrung-8.html#comments" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/4.0; FDM; MSIECrawler; Media Center PC 5.0)"
66.249.66.120 - - [24/Mar/2014:14:10:36 +0100] "GET /maven2/org/apache/maven/jxr/jxr/2.2/ HTTP/1.1" 500 1084 "-" "DoCoMo/2.0 N905i(c100;TB;W24H16) (compatible; Googlebot-Mobile/2.1; +http://www.google.com/bot.html)"
23.228.234.125 - - [24/Mar/2014:14:10:40 +0100] "GET http://ib.adnxs.com/tt?id=2249888&cb=[CACHEBUSTER]&referrer=[REFERRER_URL] HTTP/1.0" 500 1152 "http://www.thebankparent.com/?tag=trucks" "Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20100101 Firefox/5.0"
23.91.20.236 - - [24/Mar/2014:14:10:42 +0100] "GET http://ib.adnxs.com/tt?id=2287590&cb=[CACHEBUSTER]&referrer=[REFERRER_URL] HTTP/1.0" 500 1152 "http://www.agtvbi.com/?p=31177" "Mozilla/5.0 (X11; CrOS i686 1193.158.0) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7"
23.91.20.238 - - [24/Mar/2014:14:10:44 +0100] "GET http://ib.adnxs.com/tt?id=2249973&cb=[CACHEBUSTER]&referrer=[REFERRER_URL] HTTP/1.0" 500 1152 "http://www.finank.com/?tag=trance" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Tablet PC 2.0)"
198.13.111.243 - - [24/Mar/2014:14:10:44 +0100] "GET http://ib.adnxs.com/tt?id=2249973&cb=[CACHEBUSTER]&referrer=[REFERRER_URL] HTTP/1.0" 500 1152 "http://www.finank.com/?p=5430" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; chromeframe/11.0.696.57)"
23.228.234.121 - - [24/Mar/2014:14:10:49 +0100] "GET http://ib.adnxs.com/tt?id=2249481&cb=[CACHEBUSTER]&referrer=[REFERRER_URL] HTTP/1.0" 500 1152 "http://www.tvluck.net/?p=272" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; Alexa Toolbar)"
221.215.112.238 - - [24/Mar/2014:14:10:51 +0100] "GET http://www.mmadsgadget.com/t?id=9c527de6-0d69-4d59-af9e-09e2ee635eaa&size=300x250 HTTP/1.0" 500 1075 "http://www.travelandleisure.com/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
72.52.98.142 - - [24/Mar/2014:14:10:59 +0100] "GET http://ads.yahoo.com/st?ad_type=iframe&ad_size=300x250&section=5141612&pub_url=${PUB_URL} HTTP/1.0" 500 1153 "http://www.wdhcc.com/?p=13760" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)"
23.91.20.235 - - [24/Mar/2014:14:11:03 +0100] "GET http://ib.adnxs.com/tt?id=2287590&cb=[CACHEBUSTER]&referrer=[REFERRER_URL] HTTP/1.0" 500 1152 "http://www.agtvbi.com/?p=28749" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/18.6.872.0 Safari/535.2 UNTRUSTED/1.0 3gpp-gba UNTRUSTED/1.0"
23.228.234.121 - - [24/Mar/2014:14:11:04 +0100] "GET http://ib.adnxs.com/tt?id=2249481&cb=[CACHEBUSTER]&referrer=[REFERRER_URL] HTTP/1.0" 500 1152 "http://www.tvluck.net/?p=4130" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT 4.0; Alexa Toolbar)"
23.91.20.235 - - [24/Mar/2014:14:11:04 +0100] "GET http://ib.adnxs.com/tt?id=2287590&cb=[CACHEBUSTER]&referrer=[REFERRER_URL] HTTP/1.0" 500 1152 "http://www.agtvbi.com/?p=32312" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; Media Center PC 6.0; InfoPath.2; MS-RTC LM 8)"
23.228.234.124 - - [24/Mar/2014:14:11:05 +0100] "GET http://ib.adnxs.com/tt?id=2249921&cb=[CACHEBUSTER]&referrer=[REFERRER_URL] HTTP/1.0" 500 1152 "http://www.pcemar.com/?category_name=lifestyle-2" "Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 6.0; fr-FR)"
222.141.201.109 - - [24/Mar/2014:14:11:06 +0100] "GET http://ads.mopub.com/m/ad?v=6&id=e97c43fa9d4311e295fa123138070049&nv=1.12.0.0&udid=sha:24cd3e740e7a4f0ade96ceb5bc5ae5dc8c7a114f&ll=38.658724,-92.535656&z=CDT&o=l&sc_a=1.3&mr=1&mcc=302&mnc=720&iso=US&cn=Wireless%20Rogers%20Communications HTTP/1.0" 500 1069 "-" "Opera/9.80 (Android 2.2.2; Linux; Opera Mobi/ADR-1111101157; U; en) Presto/2.9.201 Version/11.50"
23.91.20.237 - - [24/Mar/2014:14:11:09 +0100] "GET http://ib.adnxs.com/tt?id=2287590&cb=[CACHEBUSTER]&referrer=[REFERRER_URL] HTTP/1.0" 500 1152 "http://www.agtvbi.com/?p=29929" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0)"
23.228.234.115 - - [24/Mar/2014:14:11:10 +0100] "GET http://ads.yahoo.com/st?ad_type=iframe&ad_size=300x250&section=4819271&pub_url=${PUB_URL} HTTP/1.0" 500 1153 "http://www.linnama.com/?p=993" "Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20110814 Firefox/6.0"
184.105.203.51 - - [24/Mar/2014:14:11:10 +0100] "GET http://ib.adnxs.com/tt?id=2208504&cb=[CACHEBUSTER]&referrer=[REFERRER_URL] HTTP/1.0" 500 1152 "http://www.tvlucifer.com/tag/love" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; Media Center PC 6.0; InfoPath.2; MS-RTC LM 8)"
198.13.111.248 - - [24/Mar/2014:14:11:12 +0100] "GET http://ib.adnxs.com/tt?id=2249888&cb=[CACHEBUSTER]&referrer=[REFERRER_URL] HTTP/1.0" 500 1152 "http://www.thebankparent.com/?category_name=driving-style-and-technique" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.813.0 Safari/535.1"
198.13.111.242 - - [24/Mar/2014:14:11:13 +0100] "GET http://ib.adnxs.com/tt?id=2249973&cb=[CACHEBUSTER]&referrer=[REFERRER_URL] HTTP/1.0" 500 1152 "http://www.finank.com/?p=13741" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.861.0 Safari/535.2"
198.13.111.246 - - [24/Mar/2014:14:11:18 +0100] "GET http://ib.adnxs.com/tt?id=2249921&cb=[CACHEBUSTER]&referrer=[REFERRER_URL] HTTP/1.0" 500 1152 "http://www.pcemar.com/?p=974" "Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20110814 Firefox/6.0"
72.52.98.140 - - [24/Mar/2014:14:11:18 +0100] "GET http://ads.yahoo.com/st?ad_type=iframe&ad_size=728x90&section=5141612&pub_url=${PUB_URL} HTTP/1.0" 500 1153 "http://www.wdhcc.com/?tag=scare" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; SLCC2; .NET CLR 2.0.50727; InfoPath.3; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729; MS-RTC LM 8)"
23.228.234.117 - - [24/Mar/2014:14:11:19 +0100] "GET http://ads.yahoo.com/st?ad_type=iframe&ad_size=300x250&section=4819271&pub_url=${PUB_URL} HTTP/1.0" 500 1153 "http://www.linnama.com/?p=850" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
23.91.20.235 - - [24/Mar/2014:14:11:20 +0100] "GET http://ib.adnxs.com/tt?id=2287590&cb=[CACHEBUSTER]&referrer=[REFERRER_URL] HTTP/1.0" 500 1152 "http://www.agtvbi.com/?cat=1" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.0; Trident/4.0; InfoPath.1; SV1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 3.0.04506.30)"
23.228.234.116 - - [24/Mar/2014:14:11:24 +0100] "GET http://ads.yahoo.com/st?ad_type=iframe&ad_size=300x250&section=4819271&pub_url=${PUB_URL} HTTP/1.0" 500 1153 "http://www.linnama.com/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; InfoPath.2)"
23.228.234.124 - - [24/Mar/2014:14:11:24 +0100] "GET http://ib.adnxs.com/tt?id=2249921&cb=[CACHEBUSTER]&referrer=[REFERRER_URL] HTTP/1.0" 500 1152 "http://www.pcemar.com/" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1; .NET CLR 1.1.4322; Alexa Toolbar; .NET CLR 2.0.50727)"
198.13.111.243 - - [24/Mar/2014:14:11:24 +0100] "GET http://ib.adnxs.com/tt?id=2249973&cb=[CACHEBUSTER]&referrer=[REFERRER_URL] HTTP/1.0" 500 1152 "http://www.finank.com/?tag=upc" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; yie8)"

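Reading this, I know that I am under some kind of ProxyAbuse, but deactivating the mod_proxy module does not stop these requests completely. The only way I found that works is to block port 80 in the listen.conf file. But then, of course, Redmine, Continuum and Tomcat cannot be reached from outside.

Any ideas? Thanks in advance...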

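2 answers:

Answer 0: (score: 1)

As described here: https://serverfault.com/questions/242292/apache-getting-hammered-by-nonsense-requests-how-to-stop

You can use fail2ban or hosts.deny to block the offending hosts from accessing your server.

In addition, you can configure your firewall to block the abusive IPs, if applicable.

Answer 1: (score: 0)

Fail2ban works using iptables; iptables maintains a list of malicious IPs and blocks any inbound request from those IPs. This is a negative security model. I suggest you use a positive security model, in which you return a 403 status to all inbound requests that do not belong to your server name.

You should install mod_security on the Apache web server and create the following rule: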

SecRule SERVER_NAME "www\.yourdomain\.com$"  "id:'200000',phase:1,nolog,allow,ctl:ruleEngine=off"

If you run into any problems, you can change nolog to log and look at the logs to see what is going on. Hope this helps.
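
Most request lines in the question's log carry an absolute URI for a foreign host (`GET http://... HTTP/1.0`), which is the form a client sends to a forward proxy. The following added example (not part of either answer) applies the server-name allowlist idea to an access log and counts such requests per client IP and per requested host; `ALLOWED_HOSTS`, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumption: the only name this server answers for (placeholder from the answer).
ALLOWED_HOSTS = {"www.yourdomain.com"}

# Apache combined format: ip ident user [time] "METHOD target proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges, example.net hosts).
SAMPLE = [
    '192.0.2.10 - - [24/Mar/2014:14:10:22 +0100] "GET http://ads.example.net/12976 HTTP/1.0" 500 1153 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [24/Mar/2014:14:10:23 +0100] "GET http://ads.example.net/tt?id=1&cb=[CACHEBUSTER] HTTP/1.0" 500 1152 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [24/Mar/2014:14:10:25 +0100] "GET /maven2/org/apache/maven/jxr/jxr/2.2/ HTTP/1.1" 500 1084 "-" "bot"',
    '203.0.113.5 - - [24/Mar/2014:14:10:26 +0100] "CONNECT mail.example.net:25 HTTP/1.0" 405 300 "-" "-"',
    '198.51.100.7 - - [24/Mar/2014:14:10:27 +0100] "GET http://www.yourdomain.com/redmine/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

def classify(line, allowed=ALLOWED_HOSTS):
    """Return (ip, verdict, host) for one log line, or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, method, target = m["ip"], m["method"], m["target"]
    if method == "CONNECT":  # authority-form target: host:port
        return ip, "proxy-attempt", target.rsplit(":", 1)[0].lower()
    if target.startswith("/") or target == "*":  # normal origin-form request
        return ip, "origin-form", None
    try:  # absolute-form target: what a client sends to a forward proxy
        host = (urlsplit(target).hostname or "").lower()
    except ValueError:
        host = ""
    return ip, ("own-host" if host in allowed else "proxy-attempt"), host

def summarize(lines, allowed=ALLOWED_HOSTS):
    """Count proxy attempts per client IP and per requested foreign host."""
    by_ip, by_host = Counter(), Counter()
    for line in lines:
        result = classify(line, allowed)
        if result and result[1] == "proxy-attempt":
            by_ip[result[0]] += 1
            by_host[result[2]] += 1
    return by_ip, by_host

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The per-IP counts show which clients would be candidates for the fail2ban or firewall blocking mentioned in the first answer, and the per-host counts show what the clients are trying to reach through the server.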