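1. About LNMP anti-CC protection
The LNMP web stack is very popular these days, and Haicaoba (海草吧) also runs on LNMP. CC attacks (HTTP request floods) are familiar to everyone; on HOSTLOC people often post looking for DDoS/CC experts. Today Haicaoba shares a method for defending an LNMP server against CC attacks. Note that this method can probably only withstand small attacks; large ones still require hardware-level protection.
2. LNMP anti-CC recommendations
- Automatically add the IPs behind a CC attack to the data center's router firewall (if you have that option)
- Automatically add the IPs behind a CC attack to the iptables firewall
- Ban the IPs behind a CC attack for a configurable period, then release them automatically
- Cache the pages targeted by the CC attack to reduce load on the backend
- Redirect the IPs behind a CC attack to a custom page or a random page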
- ……
3. Implementing LNMP anti-CC protection
3.1 Stop the LNMP services
[php]
/root/lnmp stop
/etc/init.d/nginx stop
/etc/init.d/mysql stop
/etc/init.d/redis_6379 stop
/usr/local/php/sbin/php-fpm stop
killall nginx mysqld redis php-cgi
[/php]
3.2 Back up the LNMP configuration
[php]
mkdir -p ~/src && cd ~/src
cp -rf /usr/local/nginx/conf ~/src/conf.bak
cp -rf /etc/init.d/nginx ~/src/nginx.bak
[/php]
3.3 Recompile nginx with limit_req2_nginx_module
[php]
wget http://zlib.net/zlib-1.2.8.tar.gz -O -|tar xz
wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.32.tar.gz -O -|tar xz
wget http://www.openssl.org/source/openssl-1.0.1e.tar.gz -O -|tar xz
wget http://nginx.org/download/nginx-1.2.8.tar.gz -O -|tar xz
git clone https://github.com/monadbobo/limit_req2_nginx_module
rm -rf /usr/local/nginx
cd nginx-1.2.8/
./configure --prefix=/usr/local/nginx \
--user=www --group=www \
--with-zlib=../zlib-1.2.8 \
--with-pcre=../pcre-8.32 \
--with-openssl=../openssl-1.0.1e \
--with-http_gzip_static_module \
--with-http_stub_status_module \
--with-http_realip_module \
--with-http_ssl_module \
--with-ipv6 \
--add-module=../limit_req2_nginx_module \
--with-cc-opt='-O3'
make && make install
cd ../
chkconfig nginx on
rm -rf /usr/local/nginx/conf
cp -rf ~/src/conf.bak /usr/local/nginx/conf
cp -rf /usr/local/nginx/conf/nginx.conf /usr/local/nginx/conf/nginx.conf.bak
[/php]
3.4 Modify the Nginx configuration
[php]
log_format lazyzhu.com '$remote_addr - $remote_user [$time_local] $request '
                       '$status $body_bytes_sent $http_referer '
                       '$http_user_agent $http_x_forwarded_for';
# zone "one" is keyed on the request URI, zone "two" on the client IP
limit_req2_zone $request_uri zone=lazyzhu.com.one:2m rate=5r/s;
limit_req2_zone $binary_remote_addr zone=lazyzhu.com.two:2m rate=30r/s;
server {
    listen 80;
    server_name lazyzhu.com;
    root /home/wwwroot/lazyzhu.com;
    location / {
        index index.html index.htm index.php default.html default.htm default.php;
    }
    include none.conf;
    ## folder disable limit
    # NOTE: ^~ is a prefix modifier, so the string below is matched literally, not as a regex
    location ^~ /(wp-admin|admin)/ {
        limit_req2 off;
        try_files $uri =404;
        fastcgi_pass unix:/tmp/php-cgi.sock;
        fastcgi_index index.php;
        include fcgi.conf;
    }
    ## file disable limit
    location ~ .*(admin|p)\.(php|php5)?$ {
        limit_req2 off;
        try_files $uri =404;
        fastcgi_pass unix:/tmp/php-cgi.sock;
        fastcgi_index index.php;
        include fcgi.conf;
    }
    location ~ .*\.(php|php5)?$ {
        # requests over either limit are handed to the @444 location
        limit_req2 zone=lazyzhu.com.one forbid_action=@444 nodelay;
        limit_req2 zone=lazyzhu.com.two forbid_action=@444 nodelay;
        try_files $uri =404;
        fastcgi_pass unix:/tmp/php-cgi.sock;
        fastcgi_index index.php;
        include fcgi.conf;
    }
    location @444 {
        # 444 makes nginx close the connection without sending a response
        return 444;
    }
    location ~ .*\.(js|css)?$ {
        expires 12h;
    }
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
        expires 30d;
    }
    location /status {
        stub_status on;
        access_log off;
    }
    access_log /home/wwwlogs/lazyzhu.com.log lazyzhu.com;
}
[/php]
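The following is an added example, not part of the original post or of lazyzhu's method: it reads access-log lines in the log_format defined above, finds client IPs that nginx repeatedly answered with 444 inside a short window, and renders timed bans in the spirit of the recommendations in section 2. The thresholds, the allow list, the set name `cc_ban`, the use of ipset for the timed release and the sample log lines are all assumptions of this example.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Leading fields of the log_format above: addr, "-", user, [time], request, status
LINE_RE = re.compile(r"^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "
                     r"\S+ \S+ \S+ (?P<status>\d{3}) ")

def _line(ip, sec, status):
    # Constructed sample entry (documentation address ranges), not real traffic.
    return (f"{ip} - - [12/May/2013:10:00:{sec:02d} +0800] "
            f"GET /index.php HTTP/1.1 {status} 0 - curl/7.29.0 -")

SAMPLE_LOG = ([_line("203.0.113.7", s, 444) for s in range(6)]
              + [_line("198.51.100.9", s, 200) for s in (1, 30)]
              + [_line("192.0.2.1", s, 444) for s in (0, 20, 40)] + ["malformed line"])

def rejected_hits(lines):
    """Yield (ip, time) for every request nginx answered with 444."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["status"] != "444":
            continue
        try:
            ip = str(ipaddress.ip_address(m["ip"]))
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue  # unvalidated fields never reach a firewall command
        yield ip, ts

def find_offenders(lines, threshold=5, window=timedelta(seconds=10), allow=()):
    """Map each IP with >= threshold 444s inside `window` to the crossing time."""
    recent, offenders = defaultdict(deque), {}
    for ip, ts in rejected_hits(lines):
        if ip in allow:  # never ban monitoring or admin addresses
            continue
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:
            hits.popleft()
        if len(hits) >= threshold:
            offenders.setdefault(ip, ts)
    return offenders

def ban_commands(offenders, ban_seconds=600, set_name="cc_ban"):
    """Render timed bans; set_name and ipset itself are assumptions of this example."""
    return [f"ipset -exist add {set_name} {ip} timeout {ban_seconds}"
            for ip in sorted(offenders)]
```

The set would be created once with `ipset create cc_ban hash:ip timeout 600` and matched from an iptables rule (`-m set --match-set cc_ban src -j DROP`); entries then expire on their own, which gives the timed release.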
3.5 Start the LNMP services
[php]
/etc/init.d/nginx start
/etc/init.d/mysql start
/etc/init.d/php-fpm start
[/php]
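4. LNMP anti-CC notice
[warning]
Notice: this LNMP anti-CC method was provided by lazyzhu and is reposted and archived by Haicaoba. Do not test it against Haicaoba!
[/warning]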