What should I do if the website cannot be accessed normally due to a large number of malicious visits?

Today I suddenly found that a website I built N years ago (a corporate showcase site) would not open: the loading bar kept spinning, as if the server was under so much load that it could not respond in time.

This is a small site that few people visit, so something must have happened. Could the number of visits have spiked? To confirm, open the nginx log directory (the exact path is in the virtual host configuration file) and run tail -f xxx.log to watch the access records arrive in real time. If the file grows slowly, the current traffic is small; if new lines scroll past rapidly, be aware that your website may be under attack.

Steps:

Open the virtual host configuration file, find the access log path in its access_log directive, and copy it.

Run tail -f [log path], for example tail -f /data/log/XXX.log, and the terminal will show the site's access records as they arrive.

In each log line the first field is the IP address of the access source, and the number following the quoted request line is the status code. If one IP sends a large number of requests from an unknown source, or is obviously probing interfaces or pages with random parameters or paths, it is very likely the source of the attack. Copy the abnormal IP to Notepad and add it to the blacklist; from then on the web server answers that IP's requests directly with a 403 (Forbidden) status code, so they put no pressure on the database.

So how do you add the IP to the nginx blacklist? Create a new file in the /opt/nginx/conf directory; by convention it is called ip.black. Its content is one line per address in the format deny X.X.X.X; (nginx also accepts CIDR ranges, for example deny X.X.X.0/24;). Then add the line include ip.black; to nginx.conf. Put it inside the http { } block (or inside the server { } block of the affected site), because deny is only valid in the http, server, location and limit_except contexts and nginx -t will reject it at the top level of the file.
After making the changes, remember to run /opt/nginx/sbin/nginx -t first to check that the configuration has no errors. If it reports that the syntax is ok and the test is successful, execute /opt/nginx/sbin/nginx -s reload to apply it.

Under normal circumstances, when you open the log again you will find that the status codes of all responses to this IP have changed from 200 to 403, which means the configuration has taken effect: requests from that IP are now rejected at the nginx layer and never reach the application code. nginx still accepts the connection and parses the request, but these junk requests no longer put any pressure on your application server or database, and normal visitors are served again. Two caveats before you rely on this: if the site sits behind a CDN or reverse proxy, the IP in the access log may be the proxy's own address (look at the X-Forwarded-For header, or configure the realip module, before adding a deny rule, or you will block the proxy itself); and an attacker who rotates source addresses will outrun a hand-maintained blacklist, so treat this as first aid rather than a permanent defence.

The effect is this: requests from the offending IP get a 403 straight away, and the world is quiet again.
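As an added example (not part of the original post), the following POSIX shell script does the whole triage offline on constructed sample log lines: it counts requests per source IP in nginx's combined log format, picks out the address that exceeds a threshold, prints the deny lines for ip.black, and then checks the status breakdown for that IP on lines that look like the log after the reload. The IPs, paths, user agents, the threshold of 5 and the /opt/nginx paths are all assumed for illustration; on a real host you would pipe the actual access log into top_ips and choose a threshold that matches the site's normal traffic.

```shell
#!/bin/sh
# Added example for this post (not the author's own script): count requests
# per source IP in an nginx access log, pick out the abusive addresses, and
# emit the "deny IP;" lines that go into ip.black. The log lines, IPs, paths
# and user agents below are constructed sample data in nginx's default
# "combined" log format; nothing here was taken from a real server.

SAMPLE_LOG=$(cat <<'EOF'
203.0.113.7 - - [01/Nov/2021:10:00:01 +0800] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [01/Nov/2021:10:00:01 +0800] "GET /?p=a9f3k HTTP/1.1" 200 5120 "-" "python-requests/2.25.1"
198.51.100.23 - - [01/Nov/2021:10:00:01 +0800] "GET /?p=zq81x HTTP/1.1" 200 5120 "-" "python-requests/2.25.1"
192.0.2.44 - - [01/Nov/2021:10:00:02 +0800] "GET /about.html HTTP/1.1" 200 3210 "-" "Mozilla/5.0"
198.51.100.23 - - [01/Nov/2021:10:00:02 +0800] "GET /x7b2/ HTTP/1.1" 404 162 "-" "python-requests/2.25.1"
198.51.100.23 - - [01/Nov/2021:10:00:02 +0800] "GET /?p=m0c5r HTTP/1.1" 200 5120 "-" "python-requests/2.25.1"
203.0.113.7 - - [01/Nov/2021:10:00:03 +0800] "GET /style.css HTTP/1.1" 200 884 "-" "Mozilla/5.0"
198.51.100.23 - - [01/Nov/2021:10:00:03 +0800] "GET /?p=k2j9w HTTP/1.1" 200 5120 "-" "python-requests/2.25.1"
198.51.100.23 - - [01/Nov/2021:10:00:03 +0800] "GET /?p=t4h1e HTTP/1.1" 200 5120 "-" "python-requests/2.25.1"
EOF
)

# Constructed lines as they would look after the deny rule is reloaded:
# the same IP now gets 403 from nginx instead of 200 from the application.
AFTER_LOG=$(cat <<'EOF'
198.51.100.23 - - [01/Nov/2021:10:05:00 +0800] "GET /?p=q8d2n HTTP/1.1" 403 153 "-" "python-requests/2.25.1"
198.51.100.23 - - [01/Nov/2021:10:05:00 +0800] "GET /?p=v3x7c HTTP/1.1" 403 153 "-" "python-requests/2.25.1"
203.0.113.7 - - [01/Nov/2021:10:05:01 +0800] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [01/Nov/2021:10:05:01 +0800] "GET /?p=b5n9k HTTP/1.1" 403 153 "-" "python-requests/2.25.1"
EOF
)

# Read log lines on stdin; print "count ip", busiest first.
# In the combined format the source IP is the first whitespace-separated field.
top_ips() {
    awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Read "count ip" pairs on stdin; print only the IPs with count >= $1.
# The threshold is the operator's judgement of what is abnormal for the site.
over_threshold() {
    awk -v min="$1" '$1 >= min { print $2 }'
}

# Read IPs on stdin; print one nginx "deny" directive per IP.
# Redirect this to /opt/nginx/conf/ip.black on the server (assumed path).
format_deny() {
    awk '{ print "deny " $1 ";" }'
}

# Read log lines on stdin; print "count status" for the IP given in $1,
# most frequent status first. The status is the field after the quoted
# request line (field 9 in the combined format); after the reload it
# should be 403 for the blacklisted address.
status_counts() {
    awk -v ip="$1" '$1 == ip { s[$9]++ } END { for (c in s) print s[c], c }' | sort -rn
}

# In nginx.conf the include must sit inside the http { } block (or inside one
# server { } block), because "deny" is not valid in the main context:
#   http {
#       include ip.black;
#       ...
#   }
# Then: /opt/nginx/sbin/nginx -t && /opt/nginx/sbin/nginx -s reload

# Stand-alone run: busiest IPs, then deny lines for any IP with >= 5 requests
# in the sample, then the status breakdown for that IP after the reload.
printf '%s\n' "$SAMPLE_LOG" | top_ips
printf '%s\n' "$SAMPLE_LOG" | top_ips | over_threshold 5 | format_deny
printf '%s\n' "$AFTER_LOG" | status_counts 198.51.100.23
```

On a live server the only change is the input: replace the constructed SAMPLE_LOG with the real file (for example tail -n 5000 /data/log/XXX.log | top_ips) and pick the threshold by comparing against what the site normally sees per minute, so that a single busy but legitimate visitor is not blacklisted.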


Source: blog.csdn.net/one_and_only4711/article/details/121128546