我的服务器经常受到攻击,当并发连接过多时,我的防火墙会阻止它们的 IP。问题在于每次攻击之间的 IP 都会发生变化。
这是我从 WHM/cPANEL 内的 CSF FIREWALL 收到的两个示例:
Time: Thu Aug 22 16:10:01 2024 -0400
IP: 144.202.54.156 (US/United States/144.202.54.156.vultrusercontent.com)
Connections: 105
Blocked: Temporary Block for 14400 seconds [CT_LIMIT]
tcp: 144.202.54.156:17670 -> 192.99.xxx.xxx:80 (SYN_RECV)
tcp: 144.202.54.156:9409 -> 192.99.xxx.xxx:443 (SYN_RECV)
tcp: 144.202.54.156:16559 -> 192.99.xxx.xxx:80 (SYN_RECV)
tcp: 144.202.54.156:62481 -> 192.99.xxx.xxx:443 (SYN_RECV)
tcp: 144.202.54.156:37763 -> 192.99.xxx.xxx9:443 (SYN_RECV)
Time: Thu Aug 22 16:07:51 2024 -0400
IP: 95.179.150.178 (NL/Netherlands/95.179.150.178.vultrusercontent.com)
Connections: 99
Blocked: Temporary Block for 14400 seconds [CT_LIMIT]
Connections:
tcp: 95.179.150.178:7850 -> 192.99.xxx.xxx:443 (SYN_RECV)
tcp: 95.179.150.178:28736 -> 192.99.xxx.xxx:80 (SYN_RECV)
tcp: 95.179.150.178:58110 -> 192.99.xxx.xxx:80 (SYN_RECV)
tcp: 95.179.150.178:35048 -> 192.99.xxx.xxx:80 (SYN_RECV)
tcp: 95.179.150.178:3525 -> 192.99.xxx.xxx:80 (SYN_RECV)
一旦反向 DNS 返回 *.vultrusercontent.com,我想阻止该 IP 地址的所有流量。
我在 WHM 中使用 MODSECURITY,所以我尝试添加此规则:
SecRule REMOTE_HOST "\.vultrusercontent\.com$" "id:9990002,deny,status:403, \
msg:'Vulturuser FQDN detected by MODSECURITY.'"
但是我在点击列表中没有看到点击,并且我不断收到来自 CSF FIREWALL 的电子邮件,显示流量已通过。
我错过了什么?是 MODSECURITY 检测流量太慢,还是 CSF 太快阻止流量?
谢谢你:-)