Two kinds of IPs visit this site: live people and bots.
Bots again come in two kinds: harmless bots and malicious bots.
Malicious bots again come in two kinds: plain hackers, and bots that may have Chinese government backing and want to police the whole planet.
As a Chinese person who has suffered plenty from this, in order to get out from under Big Brother's long-arm jurisdiction I have to find a way to identify them and block them.
Reference
Examining How the Great Firewall Discovers Hidden Circumvention Servers
Installing geoip
Using GeoLite2 does not require registering a MaxMind account, but for automatic updates it is recommended to register a free account.
sudo yum install geoip geoipupdate
Edit the configuration file and replace AccountID and LicenseKey with the credentials of the free account.
sudo vim /etc/GeoIP.conf
# test update
sudo geoipupdate -v
Checking IPs from China
Once geoip is installed, IPs from China can be filtered out of the access log.
For example, to check the most recent nginx access log:
sudo tail -n 2000 /var/log/nginx/access.log | awk '{print $1}' | sort | uniq | xargs -I{} sh -c 'geoiplookup {} | grep -q "China" && echo {}'
Or check journalctl:
journalctl | grep -oP '(?<=\b)(?:\d{1,3}\.){3}\d{1,3}(?=\b)' | sort | uniq | xargs -I{} sh -c 'geoiplookup {} | grep -q "China" && echo {}'
which yields
106.75.47.74
110.177.181.139
115.238.44.234
183.160.194.23
218.75.38.212
36.148.*.*
Of these IPs only the masked one belongs to a human (hello, friend from Hunan); none of the others are people, and they can all go on the blocklist.
Automated check
With the following script you can automatically check whether the Chinese IPs that show up in the access log are already in the blocklist.
import argparse
import gzip
import ipaddress
import subprocess


# Load the deny list from the blockips.conf file
def load_deny_list(deny_list_path):
    deny_list = []
    with open(deny_list_path, 'r') as f:
        for line in f:
            line = line.strip()
            if line.startswith('deny'):
                ip_or_cidr = line.split()[1].rstrip(';')
                deny_list.append(ip_or_cidr)
    return deny_list


# Check whether an IP is in the deny list (exact match or inside a CIDR block)
def is_denied(ip, deny_list):
    for denied in deny_list:
        if '/' in denied:
            try:
                if ipaddress.ip_address(ip) in ipaddress.ip_network(denied, strict=False):
                    return True
            except ValueError as e:
                print(f"Invalid CIDR block '{denied}' in deny list: {e}")
        elif ip == denied:
            return True
    return False


# Check whether an IP is from China using geoiplookup
def is_from_china(ip):
    try:
        result = subprocess.run(['geoiplookup', ip], stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True)
        return 'China' in result.stdout
    except Exception as e:
        print(f"Error checking IP {ip}: {e}")
        return False


# Open a log file, whether it is gzip-compressed or not
def open_log_file(path):
    if path.endswith('.gz'):
        return gzip.open(path, 'rt')  # 'rt' mode for text
    return open(path, 'r')


# Parse the Nginx access log and check Chinese IPs against the deny list
def check_access_log(access_log_path, deny_list, verbose):
    seen_ips = set()  # IPs already looked up, so geoiplookup runs once per distinct IP
    with open_log_file(access_log_path) as f:
        for line in f:
            fields = line.split()
            if not fields:
                continue  # skip blank lines
            ip = fields[0]  # the client IP is the first field of the log line
            if ip in seen_ips:
                continue
            seen_ips.add(ip)
            if not is_from_china(ip):
                continue
            status = "already in" if is_denied(ip, deny_list) else "NOT in"
            if verbose:
                print(f"Chinese IP {ip} is {status} the deny list. Line: {line.strip()}")
            else:
                print(f"Chinese IP {ip} is {status} the deny list.")


# Handle command-line arguments
def main():
    parser = argparse.ArgumentParser(description='Check if IPs from an access log are in a deny list.')
    parser.add_argument(
        'access_log_path',
        nargs='?',  # optional positional argument
        default='/var/log/nginx/access.log',  # default path if no argument is provided
        help='Path to the Nginx access log file (default: /var/log/nginx/access.log)'
    )
    parser.add_argument(
        '-v', '--verbose',
        action='store_true',
        help='Also print the first log line seen for each IP from China'
    )
    args = parser.parse_args()
    # Path to the Nginx deny list configuration file
    deny_list_path = '/etc/nginx/blockips.conf'
    # Load the deny list from the configuration file
    deny_list = load_deny_list(deny_list_path)
    # Run the check
    check_access_log(args.access_log_path, deny_list, args.verbose)


if __name__ == '__main__':
    main()
Usage
# default access log (/var/log/nginx/access.log)
sudo python3.9 checkcnip.py
# specified access log
sudo python3.9 checkcnip.py /var/log/nginx/access.log-20240811.gz
# verbose (print out the log entry)
sudo python3.9 checkcnip.py /var/log/nginx/access.log-20240811.gz -v
# check for chinese ip with characteristic OS
sudo python3.9 checkcnip.py /var/log/nginx/access.log-20240811.gz -v | grep "NT 6.1"
Suspicious IPs
With the abuseipdb website you can check what these non-human IPs really are.
Hacker IPs
106.75.47.74 is a malicious IP hosted on a small cloud service in Shanghai; its associated domain niovdr.shop is suspected of fraud. In short, one look tells you it is not a good actor.
Run
sudo grep "106.75.47.74" /var/log/nginx/access.log
and you can see its suspicious access records against this site's server (login attempts).
106.75.47.74 - - [16/Aug/2024:07:55:29 +0000] "{\x22method\x22:\x22login\x22,\x22params\x22:{\x22login\x22:\x2245JymPWP1DeQxxMZNJv9w2bTQ2WJDAmw18wUSryDQa3RPrympJPoUSVcFEDv3bhiMJGWaCD4a3KrFCorJHCMqXJUKApSKDV\x22,\x22pass\x22:\x22xxoo\x22,\x22agent\x22:\x22xmr-stak-cpu/1.3.0-1.5.0\x22},\x22id\x22:1}" 400 173 "-" "-" "-"
106.75.47.74 - - [16/Aug/2024:07:55:30 +0000] "{\x22id\x22:1,\x22method\x22:\x22mining.subscribe\x22,\x22params\x22:[]}" 400 173 "-" "-" "-"
106.75.47.74 - - [16/Aug/2024:07:55:32 +0000] "{\x22params\x22: [\x22miner1\x22, \x22password\x22], \x22id\x22: 2, \x22method\x22: \x22mining.authorize\x22}" 400 173 "-" "-" "-"
106.75.47.74 - - [16/Aug/2024:07:55:32 +0000] "{\x22id\x22:1,\x22jsonrpc\x22:\x222.0\x22,\x22method\x22:\x22login\x22,\x22params\x22:{\x22login\x22:\x22blue1\x22,\x22pass\x22:\x22x\x22,\x22agent\x22:\x22Windows NT 6.1; Win64; x64\x22}}" 400 173 "-" "-" "-"
106.75.47.74 - - [16/Aug/2024:07:55:34 +0000] "{\x22params\x22: [\x22miner1\x22, \x22bf\x22, \x2200000001\x22, \x22504e86ed\x22, \x22b2957c02\x22], \x22id\x22: 4, \x22method\x22: \x22mining.submit\x22}" 400 173 "-" "-" "-"
106.75.47.74 - - [16/Aug/2024:07:55:35 +0000] "{\x22id\x22:1,\x22jsonrpc\x22:\x222.0\x22,\x22method\x22:\x22login\x22,\x22params\x22:{\x22login\x22:\x22x\x22,\x22pass\x22:\x22null\x22,\x22agent\x22:\x22XMRig/5.13.1\x22,\x22algo\x22:[\x22cn/1\x22,\x22cn/2\x22,\x22cn/r\x22,\x22cn/fast\x22,\x22cn/half\x22,\x22cn/xao\x22,\x22cn/rto\x22,\x22cn/rwz\x22,\x22cn/zls\x22,\x22cn/double\x22,\x22rx/0\x22,\x22rx/wow\x22,\x22rx/loki\x22,\x22rx/arq\x22,\x22rx/sfx\x22,\x22rx/keva\x22]}}" 400 173 "-" "-" "-"
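The request bodies in these log lines are not HTTP at all: mining.subscribe, mining.authorize and mining.submit are Stratum mining-protocol messages, and the login messages whose agent field names xmr-stak or XMRig are the Monero miner's login handshake, so the host is presumably looking for mining pools or proxies exposed on port 80 (nginx answers 400 because the body is not a valid request line). The following example is added here and is not code from the post: it undoes nginx's \xHH escaping of the request field and reports such messages per client IP. The log lines it runs on are constructed in the same shape as the ones above, not real traffic.

```python
import json
import re
from collections import defaultdict

# Constructed sample lines in the shape of the nginx log above (not real traffic).
# nginx writes the double quotes inside the JSON body as \x22.
SAMPLE_LOG = r'''
106.75.47.74 - - [16/Aug/2024:07:55:29 +0000] "{\x22method\x22:\x22login\x22,\x22params\x22:{\x22login\x22:\x22wallet\x22,\x22pass\x22:\x22x\x22,\x22agent\x22:\x22xmr-stak-cpu/1.3.0-1.5.0\x22},\x22id\x22:1}" 400 173 "-" "-" "-"
106.75.47.74 - - [16/Aug/2024:07:55:30 +0000] "{\x22id\x22:1,\x22method\x22:\x22mining.subscribe\x22,\x22params\x22:[]}" 400 173 "-" "-" "-"
203.0.113.5 - - [16/Aug/2024:08:00:00 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0" "-"
'''

# client IP, then the quoted request field, then the status code
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3})')
HEX_ESCAPE = re.compile(r'\\x([0-9a-fA-F]{2})')


def unescape_nginx(field):
    """Undo the \\xHH escaping nginx applies to the request field."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), field)


def classify_request(raw_request):
    """Return (method, agent) if the request is a mining-protocol JSON-RPC message, else None."""
    try:
        msg = json.loads(unescape_nginx(raw_request))
    except ValueError:  # an ordinary "GET /path HTTP/1.1" request line is not JSON
        return None
    if not isinstance(msg, dict) or not isinstance(msg.get("method"), str):
        return None
    method = msg["method"]
    params = msg.get("params")
    agent = params.get("agent") if isinstance(params, dict) else None
    # "login" alone is generic; only count it when it carries a miner-style agent field
    if method.startswith("mining.") or (method == "login" and agent is not None):
        return method, agent
    return None


def find_miner_probes(log_text):
    """Map each client IP to the mining-protocol messages it sent, in log order."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, request, _status = m.groups()
        verdict = classify_request(request)
        if verdict is not None:
            hits[ip].append(verdict)
    return dict(hits)


if __name__ == "__main__":
    for ip, messages in find_miner_probes(SAMPLE_LOG).items():
        print(ip, messages)
```

Feeding a real access log through find_miner_probes gives a per-IP list that can be handed straight to the deny list; the ordinary GET line in the sample is ignored because its request field does not parse as JSON.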
Mysterious IPs: probes deployed on carriers across the country
110.177.181.139 is one example of a highly suspicious IP with an unusual background.
IPs of this kind differ enormously from plain hacker IPs.
First, hacker IPs rarely occupy a whole IP range, whereas these unusual-background bots often occupy several consecutive IP ranges, and the activity of each IP is statistically close to uniformly distributed. For example, looking up 110.177.181.0/24 shows that all 256 IPs in this range have recently had suspicious activity.
Searching further, you find that
110.177.176.0/24
110.177.177.0/24
110.177.178.0/24
110.177.179.0/24
110.177.180.0/24
110.177.181.0/24
110.177.182.0/24
110.177.183.0/24
are all in the same situation, i.e. the whole of 110.177.176.0/21 has recently been used for various kinds of suspicious probing.
Because hackers cannot use many IPs, a single IP address often accumulates many suspicious reports and has a terrible reputation on AbuseIPDB. These well-backed bots, on the other hand, have been allocated thousands of IPs, so once the suspicious activity is spread out their abuse scores are much lower. This may be a strategy for evading the reputation-based blocking rules some servers use.
Second, these bots are deployed on networks in every province of China. 110.177.176.0/21 belongs to China Telecom in Taiyuan, Shanxi, and IP ranges with similar behaviour and similar statistical features also come from China Telecom in Xi'an (Shaanxi), Shannan (Tibet), Zhengzhou (Henan), Hefei (Anhui), Xining (Qinghai), and so on. A long-term nationwide deployment of this scale is extremely unlikely to be the work of a private organization, because IPv4 addresses are a scarce resource and renting this many IPs costs a considerable amount.
Third, within one deployment batch the bots in different provinces have exactly the same user agent.
Fourth, the operating system and browser versions in the user agent are extremely outdated, which shows that these deployments have been around for a long time.
Fifth, these bots probe for services related to anti-censorship / circumvention. For example, they try to fetch /gaocc/g445g; a search shows this is a default path that a certain circumvention tool once used.
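The five traits above can be turned into a log-side heuristic: group requests by /24, and treat a prefix as a probe fleet when many distinct hosts each send a similar, small number of requests with one identical user agent, rather than one host sending everything. The example below is added here and is not the post's code; it runs on constructed log lines (no real traffic), and the thresholds min_hosts and max_skew, as well as the WATCHED_PATHS set, are illustrative choices, not values from the post.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Combined-format line: ip - - [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} \d+ "[^"]*" "([^"]*)"'
)

# Path the post identifies as a circumvention tool's former default path
WATCHED_PATHS = {"/gaocc/g445g"}

PROBE_UA = ("Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) "
            "Chrome/55.0.2883.87 Safari/537.36")
MODERN_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"


def make_line(ip, path, ua, status=200):
    """Build one constructed access-log line (sample data, not real traffic)."""
    return f'{ip} - - [20/Aug/2024:18:03:12 +0000] "GET {path} HTTP/1.1" {status} 571 "-" "{ua}" "-"'


SAMPLE_LINES = (
    # six hosts spread across one /24, one request each, identical outdated UA
    [make_line(f"110.177.181.{h}", "/", PROBE_UA) for h in (3, 57, 101, 139, 200, 254)]
    + [make_line("110.177.181.139", "/gaocc/g445g", PROBE_UA, 403)]
    # one hosting box hammering from a single address
    + [make_line("106.75.47.74", "/xmlrpc.php", "python-requests/2.31", 403)] * 5
    # an ordinary visitor
    + [make_line("203.0.113.9", "/", MODERN_UA), make_line("203.0.113.9", "/favicon.ico", MODERN_UA)]
)


def profile_prefixes(lines, prefix_len=24):
    """Aggregate per /prefix_len: requests per host, user agents, and requested paths."""
    stats = defaultdict(lambda: {"hosts": Counter(), "uas": Counter(), "paths": Counter()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path, ua = m.groups()
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        s = stats[str(net)]
        s["hosts"][ip] += 1
        s["uas"][ua] += 1
        s["paths"][path] += 1
    return stats


def fleet_prefixes(stats, min_hosts=4, max_skew=2.0):
    """Flag prefixes that look like a coordinated probe fleet rather than one noisy host."""
    flagged = {}
    for net, s in stats.items():
        hosts = s["hosts"]
        if len(hosts) < min_hosts:
            continue  # a lone box, however noisy, is not a fleet
        total = sum(hosts.values())
        skew = max(hosts.values()) / (total / len(hosts))  # busiest host vs. the mean
        if skew > max_skew or len(s["uas"]) != 1:
            continue  # load not evenly spread, or the user agents differ
        ua = next(iter(s["uas"]))
        flagged[net] = {
            "hosts": len(hosts),
            "requests": total,
            "user_agent": ua,
            "legacy_os": "Windows NT 6.1" in ua,
            "watched_paths": sorted(set(s["paths"]) & WATCHED_PATHS),
        }
    return flagged


if __name__ == "__main__":
    for net, info in fleet_prefixes(profile_prefixes(SAMPLE_LINES)).items():
        print(net, info)
```

On the sample, only 110.177.181.0/24 is flagged: six hosts, seven requests, one user agent on Windows NT 6.1, and one hit on the watched path. The single hosting box with five requests is skipped by the min_hosts rule, which is the point: a noisy lone IP is a different problem from a range that has been evenly seeded with probes. Running the same profile with prefix_len=21 reproduces the post's /21 observation when the log has enough traffic.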
https://www.abuseipdb.com/check-block/221.207.35.36/24 Xining Unicom
221.207.35.36 - - [10/Aug/2024:01:52:36 +0000] "GET /gaocc/g445g HTTP/1.1" 404 207 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0" "-"
https://www.abuseipdb.com/check-block/124.66.79.39/24 Haikou Unicom
124.66.79.39 - - [01/Sep/2024:08:15:52 +0000] "GET /gaocc/g445g HTTP/1.1" 403 571 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36" "-"
https://www.abuseipdb.com/check-block/222.94.32.59/24 Nanjing Telecom
222.94.32.59 - - [02/Sep/2024:04:59:35 +0000] "GET /gaocc/g445g HTTP/1.1" 403 169 "-" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" "-"
https://www.abuseipdb.com/check-block/124.31.104.87/24 Shannan Telecom
124.31.104.87 - - [22/Aug/2024:12:19:52 +0000] "GET /gaocc/g445g HTTP/1.1" 403 571 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36" "-"
https://www.abuseipdb.com/check-block/110.177.180.115/24 Taiyuan Telecom
110.177.180.115 - - [20/Aug/2024:18:03:12 +0000] "GET /gaocc/g445g HTTP/1.1" 403 571 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36" "-"
More examples follow.
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
https://www.abuseipdb.com/check/117.11.91.213 Tianjin Unicom
117.11.91.213 - - [16/Aug/2024:00:00:31 +0000] "GET /favicon.ico HTTP/1.1" 200 32522 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36" "-"
https://www.abuseipdb.com/check/123.145.13.109 Chongqing Unicom
123.145.13.109 - - [10/Aug/2024:18:48:47 +0000] "GET / HTTP/1.1" 200 48166 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36" "-"
https://www.abuseipdb.com/check/123.145.36.31 Chongqing Unicom
123.145.36.31 - - [15/Aug/2024:20:11:23 +0000] "GET /favicon.ico HTTP/1.1" 200 335968 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36" "-"
https://www.abuseipdb.com/check/180.95.231.12 Lanzhou Unicom
180.95.231.12 - - [16/Aug/2024:00:00:32 +0000] "GET / HTTP/1.1" 200 54438 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36" "-"
https://www.abuseipdb.com/check/60.13.7.214 Lanzhou Unicom
60.13.7.214 - - [09/Aug/2024:17:59:25 +0000] "GET /favicon.ico HTTP/1.1" 404 571 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36" "-"
https://www.abuseipdb.com/check/42.63.88.7 Yinchuan Unicom
42.63.88.7 - - [09/Aug/2024:21:13:37 +0000] "GET / HTTP/1.1" 200 48166 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36" "-"
https://www.abuseipdb.com/check/111.162.137.226 Tianjin Unicom
111.162.137.226 - - [14/Aug/2024:14:53:17 +0000] "GET / HTTP/1.1" 400 108 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36" "-"
https://www.abuseipdb.com/check/43.248.108.227 Kunming Unicom
43.248.108.227 - - [14/Aug/2024:06:51:13 +0000] "GET / HTTP/1.1" 400 108 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36" "-"
https://www.abuseipdb.com/check/36.32.3.10 Hefei Unicom
36.32.3.10 - - [14/Aug/2024:02:49:28 +0000] "GET /favicon.ico HTTP/1.1" 404 207 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36" "-"
https://www.abuseipdb.com/check/120.0.52.121 Shijiazhuang Unicom
120.0.52.121 - - [11/Aug/2024:15:08:35 +0000] "GET /favicon.ico HTTP/1.1" 200 335968 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36" "-"
https://www.abuseipdb.com/check/121.29.178.111 Shijiazhuang Unicom
121.29.178.111 - - [10/Aug/2024:06:44:09 +0000] "GET / HTTP/1.1" 200 48166 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36" "-"
https://www.abuseipdb.com/check/175.30.48.69 Changchun Telecom
175.30.48.69 - - [10/Aug/2024:05:31:12 +0000] "GET / HTTP/1.1" 200 48166 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36" "-"
https://www.abuseipdb.com/check/139.212.70.79 Changchun Telecom
139.212.70.79 - - [10/Aug/2024:06:44:08 +0000] "GET /favicon.ico HTTP/1.1" 200 335968 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36" "-"
https://www.abuseipdb.com/check/223.83.130.199 Jiangxi Mobile
223.83.130.199 - - [15/Aug/2024:13:48:38 +0000] "GET / HTTP/1.1" 400 108 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36" "-"
https://www.abuseipdb.com/check-block/124.133.208.242/24 Shandong Unicom
124.133.208.242 - - [23/Nov/2024:15:32:19 +0000] "GET / HTTP/1.1" 200 1331 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36" "-"
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
https://www.abuseipdb.com/check/27.98.228.216 Lhasa Unicom
27.98.228.216 - - [10/Aug/2024:15:30:22 +0000] "GET /favicon.ico HTTP/1.1" 404 207 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36" "-"
https://www.abuseipdb.com/check/123.145.12.106 Chongqing Unicom
123.145.12.106 - - [18/Aug/2024:14:42:27 +0000] "GET / HTTP/1.1" 400 108 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36" "-"
https://www.abuseipdb.com/check/171.12.10.254 Zhengzhou Telecom
171.12.10.254 - - [15/Aug/2024:22:23:55 +0000] "GET / HTTP/1.1" 200 54438 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36" "-"
https://www.abuseipdb.com/check/110.177.181.139 Taiyuan Telecom
110.177.181.139 - - [16/Aug/2024:06:11:55 +0000] "GET /favicon.ico HTTP/1.1" 200 335968 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36" "-"
https://www.abuseipdb.com/check/223.199.180.255 Haikou Telecom
223.199.180.255 - - [14/Aug/2024:11:32:44 +0000] "GET /favicon.ico HTTP/1.1" 200 335968 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36" "-"
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36
https://www.abuseipdb.com/check/220.167.233.229 Qinghai Telecom
220.167.233.229 - - [11/Aug/2024:11:48:12 +0000] "GET / HTTP/1.1" 200 1332 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36" "-"
https://www.abuseipdb.com/check/123.178.210.151 Baotou Telecom
123.178.210.151 - - [11/Aug/2024:11:48:13 +0000] "GET /favicon.ico HTTP/1.1" 404 207 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36" "-"
https://www.abuseipdb.com/check/223.199.182.119 Haikou Telecom
223.199.182.119 - - [12/Aug/2024:00:18:59 +0000] "GET / HTTP/1.1" 200 3957 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36" "-"
https://www.abuseipdb.com/check/58.245.27.195/24 Changchun Unicom
58.245.27.195 - - [03/Jan/2025:19:02:47 +0000] "GET / HTTP/1.1" 200 1332 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36" "-"
https://www.abuseipdb.com/check/59.173.134.243/24 Wuhan Telecom
59.173.134.243 - - [03/Jan/2025:19:03:41 +0000] "GET / HTTP/1.1" 301 185 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36" "-"
https://www.abuseipdb.com/check/42.92.120.52/24 Gansu Telecom
42.92.120.52 - - [03/Jan/2025:19:05:31 +0000] "GET / HTTP/1.1" 200 1332 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36" "-"
https://www.abuseipdb.com/check-block/111.224.221.98/24 Shijiazhuang Telecom
111.224.221.98 - - [03/Jan/2025:19:05:32 +0000] "GET /favicon.ico HTTP/1.1" 404 207 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36" "-"
https://www.abuseipdb.com/check/59.61.184.14/24 Fuzhou Telecom
59.61.184.14 - - [04/Jan/2025:01:48:39 +0000] "GET / HTTP/1.1" 400 108 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36" "-"
https://www.abuseipdb.com/check/120.36.17.113 Fuzhou Telecom
120.36.17.113 - - [16/Jan/2025:21:18:16 +0000] "GET / HTTP/1.1" 200 3957 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36" "-"
https://www.abuseipdb.com/check/123.160.233.224/24 Zhengzhou Telecom
123.160.233.224 - - [14/Jan/2025:00:58:15 +0000] "GET / HTTP/1.1" 200 1332 "-" "Mozilla/5.0 (Windows NT 6.) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36" "-"
https://www.abuseipdb.com/check/171.36.6.95/24 Nanning Unicom
171.36.6.95 - - [14/Jan/2025:00:58:19 +0000] "GET /favicon.ico HTTP/1.1" 404 207 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36" "-"
https://www.abuseipdb.com/check/218.104.149.52/24 Hunan Unicom
218.104.149.52 - - [14/Jan/2025:00:59:26 +0000] "GET / HTTP/1.1" 301 185 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36" "-"
https://www.abuseipdb.com/check/123.160.232.2/24 Zhengzhou Telecom
123.160.232.2 - - [14/Jan/2025:01:03:05 +0000] "GET / HTTP/1.1" 200 1332 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36" "-"
https://www.abuseipdb.com/check/118.81.87.92/24 Taiyuan Unicom
118.81.87.92 - - [14/Jan/2025:01:03:07 +0000] "GET /favicon.ico HTTP/1.1" 404 207 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36" "-"
https://www.abuseipdb.com/check/116.167.4.232/24 Unicom
116.167.4.232 - - [14/Jan/2025:01:04:25 +0000] "GET / HTTP/1.1" 301 185 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36" "-"
https://www.abuseipdb.com/check/221.207.34.10/24 Qinghai Unicom
221.207.34.10 - - [14/Jan/2025:01:06:38 +0000] "GET / HTTP/1.1" 200 1332 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36" "-"
https://www.abuseipdb.com/check/221.199.103.32/24 Ningxia Unicom
221.199.103.32 - - [14/Jan/2025:01:06:39 +0000] "GET /favicon.ico HTTP/1.1" 404 207 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36" "-"
https://www.abuseipdb.com/check/123.138.79.102/24 Shaanxi Unicom
123.138.79.102 - - [14/Jan/2025:01:08:02 +0000] "GET / HTTP/1.1" 301 185 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36" "-"
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
https://www.abuseipdb.com/check/221.207.35.36 Xining Unicom
221.207.35.36 - - [10/Aug/2024:01:52:36 +0000] "GET /gaocc/g445g HTTP/1.1" 404 207 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0" "-"
https://www.abuseipdb.com/check/223.167.169.138 Shanghai Unicom
223.167.169.138 - - [10/Aug/2024:02:11:29 +0000] "GET /favicon.ico HTTP/1.1" 404 169 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0" "-"
https://www.abuseipdb.com/check/101.68.14.153 Hangzhou Unicom
101.68.14.153 - - [09/Aug/2024:05:21:12 +0000] "GET /favicon.ico HTTP/1.1" 404 207 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0" "-"
https://www.abuseipdb.com/check/220.200.169.12 Xi'an Unicom
220.200.169.12 - - [09/Aug/2024:19:11:28 +0000] "GET / HTTP/1.1" 200 48258 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0" "-"
https://www.abuseipdb.com/check/221.11.5.59 Xi'an Unicom
221.11.5.59 - - [11/Aug/2024:15:08:36 +0000] "GET / HTTP/1.1" 200 48166 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0" "-"
https://www.abuseipdb.com/check/175.152.197.252 Chengdu Unicom
175.152.197.252 - - [10/Aug/2024:05:31:05 +0000] "GET /favicon.ico HTTP/1.1" 200 335968 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0" "-"
https://www.abuseipdb.com/check/113.128.65.184 Jinan Telecom
113.128.65.184 - - [09/Aug/2024:12:10:21 +0000] "GET / HTTP/1.1" 200 46210 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0" "-"
https://www.abuseipdb.com/check/182.138.158.54 Chengdu Telecom
182.138.158.54 - - [16/Aug/2024:01:21:47 +0000] "GET /favicon.ico HTTP/1.1" 404 207 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0" "-"
https://www.abuseipdb.com/check/175.30.48.167 Changchun Telecom
175.30.48.167 - - [14/Aug/2024:16:19:36 +0000] "GET /favicon.ico HTTP/1.1" 200 335968 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0" "-"
https://www.abuseipdb.com/check/125.82.242.227 Chongqing Telecom
125.82.242.227 - - [14/Aug/2024:20:49:36 +0000] "GET /favicon.ico HTTP/1.1" 200 335968 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0" "-"
https://www.abuseipdb.com/check/120.192.27.51 Jining Mobile
120.192.27.51 - - [16/Aug/2024:18:11:29 +0000] "GET / HTTP/1.1" 400 108 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0" "-"
https://www.abuseipdb.com/check/1.83.125.217/24 Shaanxi Telecom
1.83.125.217 - - [27/Dec/2024:07:20:02 +0000] "GET / HTTP/1.1" 403 169 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0" "-"
Notes
https://www.abuseipdb.com/check/106.52.179.144 Tencent Cloud
106.52.179.144 - - [15/Jan/2025:00:50:04 +0000] "GET /xmlrpc.php HTTP/1.1" 403 169 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0" "-"
https://www.abuseipdb.com/check-block/106.75.137.190/24 Guangzhou UCloud
106.75.137.190 - - [11/Jan/2025:23:39:25 +0000] "GET /xmlrpc.php HTTP/1.1" 403 169 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0" "-"
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
https://www.abuseipdb.com/check-block/61.52.76.2/24 Zhengzhou Unicom
61.52.76.2 - - [13/Aug/2024:15:31:22 +0000] "GET /favicon.ico HTTP/1.1" 404 207 "-" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" "-"
https://www.abuseipdb.com/check-block/1.24.16.247/24 Baotou Unicom
1.24.16.247 - - [13/Aug/2024:15:31:23 +0000] "GET / HTTP/1.1" 400 108 "-" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" "-"
https://www.abuseipdb.com/check-block/60.13.138.105/24 Changji Unicom
60.13.138.105 - - [22/Aug/2024:15:42:06 +0000] "GET / HTTP/1.1" 403 169 "-" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" "-"
https://www.abuseipdb.com/check-block/222.221.230.50/24 Kunming Telecom
222.221.230.50 - - [10/Aug/2024:18:48:46 +0000] "GET /favicon.ico HTTP/1.1" 200 335968 "-" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" "-"
https://www.abuseipdb.com/check-block/113.128.67.0/24 Jinan Telecom
113.128.67.0 - - [14/Aug/2024:14:53:14 +0000] "GET /favicon.ico HTTP/1.1" 404 207 "-" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" "-"
https://www.abuseipdb.com/check-block/223.199.186.79/24 Haikou Telecom
223.199.186.79 - - [14/Aug/2024:20:49:38 +0000] "GET / HTTP/1.1" 200 53424 "-" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" "-"
https://www.abuseipdb.com/check-block/183.236.7.198/24 Guangzhou Mobile
183.236.7.198 - - [17/Aug/2024:16:28:55 +0000] "GET / HTTP/1.1" 400 108 "-" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" "-"
https://www.abuseipdb.com/check-block/124.133.215.154/24 Shandong Unicom
124.133.215.154 - - [23/Nov/2024:04:52:32 +0000] "GET / HTTP/1.1" 403 169 "-" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" "-"
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
This user agent belongs to 360 Secure Browser, developed by Qihoo 360 Technology Co. Ltd. The browser runs on Windows 10 and renders web content with WebKit on the Windows desktop.
https://www.abuseipdb.com/check-block/36.106.166.9/24 Tianjin Telecom
36.106.166.9 - - [26/Nov/2024:14:59:42 +0000] "GET / HTTP/1.1" 200 62834 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36" "-"
https://www.abuseipdb.com/check-block/125.82.243.6/24 Chongqing
125.82.243.6 - - [27/Nov/2024:01:01:01 +0000] "GET /favicon.ico HTTP/1.1" 404 207 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36" "-"
https://www.abuseipdb.com/check-block/1.202.114.67/24 Beijing Telecom
1.202.114.67 - - [27/Nov/2024:01:01:03 +0000] "GET / HTTP/1.1" 200 1340 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36" "-"
Mysterious IPs: probes from the China Internet Network Information Center
Traffic from 42.83.147.34 was observed, and the owner of this IP turns out to be none other than the China Internet Network Information Center (CNNIC).
42.83.147.34 - - [13/Aug/2024:05:40:20 +0000] "GET / HTTP/1.1" 200 3957 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)Chrome/74.0.3729.169 Safari/537.36" "-"
Looking up the whole range 42.83.147.0/24 shows that CNNIC operates several kinds of probes; for example, 42.83.147.32 scans ports 53, 853 and 443.
Mysterious IPs: Tencent crawlers
After a visit from a user whose referrer is https://weixin110.qq.com/, a large number of follow-up visits from Tencent crawlers appear.
Example user agent: "Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Mobile Safari/537.36 MicroMessenger/7.0.1" "-"
deny 14.152.91.194;
deny 129.204.118.204;
deny 27.44.122.236;
deny 27.44.125.87;
deny 27.44.125.50;
deny 42.194.245.125;
deny 42.194.192.36;
deny 106.52.249.139;
deny 106.52.146.234;
deny 193.112.35.218;
deny 81.71.98.166;
Blocking suspicious IPs
Blocking in nginx
Add them to the nginx blocklist:
sudo vim /etc/nginx/blockips.conf
# sort
sudo sort -t ' ' -k2,2V -k3,3V -k4,4V -k5,5V /etc/nginx/blockips.conf
# restart nginx
sudo systemctl restart nginx
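Editing blockips.conf by hand gets error-prone once single IPs and whole ranges mix, because a new entry may already be covered by an existing CIDR. The example below is added here and is not the post's code: it parses deny lines in the format this page uses, skips flagged IPs that an existing entry already covers, optionally widens hosts to their /24 the way the post treats probe ranges, merges overlapping blocks, and returns sorted deny lines ready to append. The conf text and the flagged IPs are constructed sample input, not the site's real list.

```python
import ipaddress

# Constructed stand-in for /etc/nginx/blockips.conf (not the site's real list)
EXISTING_CONF = """\
# hosting box seen sending mining-protocol logins
deny 106.75.47.74;
# whole probe range, Taiyuan Telecom
deny 110.177.176.0/21;
deny 14.152.91.194;
"""


def parse_deny_list(conf_text):
    """Parse 'deny <ip-or-cidr>;' lines into ip_network objects, ignoring comments and blanks."""
    nets = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("deny "):
            target = line[len("deny "):].rstrip(";").strip()
            nets.append(ipaddress.ip_network(target, strict=False))
    return nets


def is_covered(ip, nets):
    """True if the host is already matched by some entry of the deny list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def format_deny(net):
    """Single hosts are written without a prefix length, as the post's list does."""
    host = net.prefixlen == net.max_prefixlen
    return f"deny {net.network_address if host else net.with_prefixlen};"


def new_deny_lines(flagged_ips, conf_text, widen_to=None):
    """Deny lines to append for flagged_ips that the current conf does not already cover.
    With widen_to=24 every flagged host is widened to its /24; overlapping and duplicate
    blocks are merged before output."""
    existing = parse_deny_list(conf_text)
    pending = []
    for ip in flagged_ips:
        if is_covered(ip, existing):
            continue  # an existing single entry or CIDR already blocks it
        if widen_to is None:
            pending.append(ipaddress.ip_network(ip))
        else:
            pending.append(ipaddress.ip_network(f"{ip}/{widen_to}", strict=False))
    return [format_deny(n) for n in sorted(ipaddress.collapse_addresses(pending))]


if __name__ == "__main__":
    flagged = ["106.75.47.74", "110.177.181.139", "221.207.35.36", "221.207.35.200", "42.83.147.34"]
    print("\n".join(new_deny_lines(flagged, EXISTING_CONF)))
    print("\n".join(new_deny_lines(flagged, EXISTING_CONF, widen_to=24)))
```

In the sample run the first two flagged IPs produce nothing, since one is listed verbatim and the other sits inside 110.177.176.0/21; the remaining three come out as single-host lines, or as two /24 lines with widen_to=24. Note that collapse_addresses also merges adjacent hosts into a larger block, so two neighbouring flagged hosts can come out as a /31; that is usually right for a probe range but worth a glance before appending.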
Since, so far, every IP suspected of Chinese government backing runs on NT 6.1, they can also be blocked wholesale in the nginx server configuration (e.g. /etc/nginx/sites-available/default):
# Block requests with "NT 6.1" in the User-Agent
if ($http_user_agent ~* "NT 6.1") {
    return 403;
}
Global blocking
If you want to block beyond nginx, the following methods can also be used.
iptables
# install
sudo yum install iptables-services
# start
systemctl start iptables
# restart
sudo service iptables restart
# restart docker (restarting iptables drops docker's rules, so restart docker and its containers afterwards, otherwise they will not work properly)
sudo systemctl restart docker
# make sure that docker related rules are properly set
sudo iptables -t nat -L -n -v
# ban individual ip
sudo iptables -A INPUT -s 101.126.11.251 -j DROP
sudo iptables -A INPUT -s 101.126.11.0/24 -j DROP
# ban all Chinese ips showing up in journalctl
journalctl | grep -oP '(?<=\b)(?:\d{1,3}\.){3}\d{1,3}(?=\b)' | sort | uniq | xargs -I{} sh -c 'geoiplookup {} | grep -q "China" && sudo iptables -A INPUT -s {} -j DROP'
sudo service iptables save
# view the list of banned ips
sudo iptables -L INPUT -v -n
sudo cat /etc/sysconfig/iptables
fail2ban
Use fail2ban.