Enabling ufw to block malicious attacks from a specific IP

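Recently I noticed the server had become very sluggish. Looking at the access log, I found someone hammering the F5 key, continuously sending requests that return large responses.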

$ tail -f /var/log/nginx/access.log

54.173.0.75 - - [26/Sep/2017:06:25:05 +0900] "GET /content.json?q=%E6%B1%9F%E6%B3%BD%E6%B0%91&start=1&num=10 HTTP/1.1" 200 147128 "-" "-"
54.173.0.75 - - [26/Sep/2017:06:25:05 +0900] "GET /content.json?q=%E6%B1%9F%E6%B3%BD%E6%B0%91&start=1&num=10 HTTP/1.1" 200 81592 "-" "-"
54.173.0.75 - - [26/Sep/2017:06:25:05 +0900] "GET /content.json?q=%E6%B1%9F%E6%B3%BD%E6%B0%91&start=1&num=10 HTTP/1.1" 200 147128 "-" "-"
54.173.0.75 - - [26/Sep/2017:06:25:05 +0900] "GET /content.json?q=%E6%B1%9F%E6%B3%BD%E6%B0%91&start=1&num=10 HTTP/1.1" 200 147128 "-" "-"
54.173.0.75 - - [26/Sep/2017:06:25:14 +0900] "GET /content.json?q=%E6%B1%9F%E6%B3%BD%E6%B0%91&start=1&num=10 HTTP/1.1" 200 166855 "-" "-"
54.173.0.75 - - [26/Sep/2017:06:25:14 +0900] "GET /content.json?q=%E6%B1%9F%E6%B3%BD%E6%B0%91&start=1&num=10 HTTP/1.1" 200 166855 "-" "-"
...

This is where ufw, a wrapper around iptables, comes in.

Enable the firewall

$ sudo ufw enable

Change the default policy

The default policy is to deny everything, so to avoid locking yourself out, first change the default policy to allow everything.

$ sudo ufw default allow

Block a specific IP

$ sudo ufw deny from 54.173.0.75
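
To pick the address to block without reading the log by eye, the per-client tally below is an added example, not part of the original post: it sums requests and response bytes per IP from nginx combined-format lines and prints the matching ufw deny command for review instead of running it. The function names, thresholds and sample log lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: tally an nginx combined-format access log per client IP.

# Constructed sample lines (documentation-range addresses, not real clients).
sample_log() {
cat <<'EOF'
203.0.113.9 - - [26/Sep/2017:06:25:05 +0900] "GET /content.json?q=a&start=1&num=10 HTTP/1.1" 200 147128 "-" "-"
203.0.113.9 - - [26/Sep/2017:06:25:05 +0900] "GET /content.json?q=a&start=1&num=10 HTTP/1.1" 200 81592 "-" "-"
203.0.113.9 - - [26/Sep/2017:06:25:05 +0900] "GET /content.json?q=a&start=1&num=10 HTTP/1.1" 200 147128 "-" "-"
203.0.113.9 - - [26/Sep/2017:06:25:14 +0900] "GET /content.json?q=a&start=1&num=10 HTTP/1.1" 200 166855 "-" "-"
192.0.2.10 - - [26/Sep/2017:06:25:20 +0900] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [26/Sep/2017:06:25:21 +0900] "GET /style.css HTTP/1.1" 304 0 "-" "Mozilla/5.0"
198.51.100.7 - - [26/Sep/2017:06:25:30 +0900] "GET /big.iso HTTP/1.1" 200 900000 "-" "curl/8"
EOF
}

# heavy_clients MIN_REQUESTS MIN_BYTES < access.log
# Prints "ip requests bytes" for clients at or over both thresholds.
heavy_clients() {
    awk -v min_req="$1" -v min_bytes="$2" '
        {
            # Status and body size follow the quoted request line.
            n = split($0, q, "\"")
            if (n < 3) next                  # malformed line
            split(q[3], sb, " ")             # status, bytes
            if (sb[2] !~ /^[0-9]+$/) next    # size can be "-"
            req[$1]++
            bytes[$1] += sb[2]
        }
        END {
            for (ip in req)
                if (req[ip] >= min_req && bytes[ip] >= min_bytes)
                    printf "%s %d %d\n", ip, req[ip], bytes[ip]
        }' | sort -k2,2nr -k1,1
}

# Turn the report into ufw commands, printed for review rather than executed.
deny_commands() {
    while read -r ip _reqs _bytes; do
        case "$ip" in
            ""|*[!0-9a-fA-F.:]*) continue ;;  # accept address characters only
        esac
        printf 'sudo ufw deny from %s\n' "$ip"
    done
}

sample_log | heavy_clients 3 500000 | deny_commands
```

Requiring both a request count and a byte total keeps a single large download (198.51.100.7 in the sample) from being flagged alongside the repeated heavy requests.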

Further reading

ufw