
What is this regular (every 120 seconds) HTTP 1.1 POST?

My Apache 2.4 server has received this log entry from several IP addresses. For the 88.* address I saw 178 entries. The interval between them is 120 to 123 seconds, usually 122.

88.207.37.105 - - [20/May/2017:18:11:47 +0000] "POST / HTTP/1.1" 200 23110 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"
88.207.37.105 - - [20/May/2017:18:13:49 +0000] "POST / HTTP/1.1" 200 19641 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"
88.207.37.105 - - [20/May/2017:18:15:51 +0000] "POST / HTTP/1.1" 200 19629 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"
88.207.37.105 - - [20/May/2017:18:17:53 +0000] "POST / HTTP/1.1" 200 23136 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"
88.207.37.105 - - [20/May/2017:18:19:55 +0000] "POST / HTTP/1.1" 200 19661 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"
88.207.37.105 - - [20/May/2017:18:21:56 +0000] "POST / HTTP/1.1" 200 19639 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"
88.207.37.105 - - [20/May/2017:18:23:59 +0000] "POST / HTTP/1.1" 200 23136 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"
88.207.37.105 - - [20/May/2017:18:26:01 +0000] "POST / HTTP/1.1" 200 19628 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"

Addresses I have seen this from:

45.46.40.146
88.207.37.105
70.127.16.147
104.236.51.98
73.54.23.213
76.194.129.233
182.65.9.117

Is this an attempt at Slowloris? If so, why only 178 requests? Is it some kind of probe? How can I detect it with fail2ban?

Do I need more information to diagnose what is going on?

I assume there is no harmful effect, but it fills up my logs (I have very little legitimate traffic; it is almost exclusively hostile probes rather than real traffic, and I would rather see as few hostile probes as possible).

Update

I set up POST logging and added a fail2ban rule:

^.*"POST / HTTP/1.1" 200 \d+ "-".*

When I get a hit like this:

75.166.150.58 - - [26/May/2017:20:19:57 +0000] "POST / HTTP/1.1" 200 22730 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E)"
75.166.150.58 - - [26/May/2017:20:21:58 +0000] "POST / HTTP/1.1" 200 19730 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E)"

I see this in the POST log:

[Fri May 26 20:19:56.910629 2017] [dumpio:trace7] [pid 24686:tid 140320582878976] mod_dumpio.c(140): [client 75.166.150.58:57994] mod_dumpio: dumpio_in [init-blocking] 0 readbytes
[Fri May 26 20:19:56.910713 2017] [dumpio:trace7] [pid 24686:tid 140320582878976] mod_dumpio.c(151): [client 75.166.150.58:57994] mod_dumpio: dumpio_in - 20014
[Fri May 26 20:19:56.910726 2017] [dumpio:trace7] [pid 24686:tid 140320582878976] mod_dumpio.c(140): [client 75.166.150.58:57994] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Fri May 26 20:19:56.910729 2017] [dumpio:trace7] [pid 24686:tid 140320582878976] mod_dumpio.c(151): [client 75.166.150.58:57994] mod_dumpio: dumpio_in - 103
[Fri May 26 20:19:57.373663 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(140): [client 75.166.150.58:57995] mod_dumpio: dumpio_in [init-blocking] 0 readbytes
[Fri May 26 20:19:57.600659 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(140): [client 75.166.150.58:57995] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Fri May 26 20:19:57.830272 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(63): [client 75.166.150.58:57995] mod_dumpio:  dumpio_in (data-TRANSIENT): 17 bytes
[Fri May 26 20:19:57.830323 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(103): [client 75.166.150.58:57995] mod_dumpio:  dumpio_in (data-TRANSIENT): POST / HTTP/1.1\r\n
[Fri May 26 20:19:57.830340 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(140): [client 75.166.150.58:57995] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Fri May 26 20:19:57.830350 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(63): [client 75.166.150.58:57995] mod_dumpio:  dumpio_in (data-TRANSIENT): 49 bytes
[Fri May 26 20:19:57.830356 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(103): [client 75.166.150.58:57995] mod_dumpio:  dumpio_in (data-TRANSIENT): Content-Type: application/x-www-form-urlencoded\r\n
[Fri May 26 20:19:57.830364 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(140): [client 75.166.150.58:57995] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Fri May 26 20:19:57.830384 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(63): [client 75.166.150.58:57995] mod_dumpio:  dumpio_in (data-TRANSIENT): 105 bytes
[Fri May 26 20:19:57.830390 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(103): [client 75.166.150.58:57995] mod_dumpio:  dumpio_in (data-TRANSIENT): User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E)\r\n
[Fri May 26 20:19:57.830398 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(140): [client 75.166.150.58:57995] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Fri May 26 20:19:57.830404 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(63): [client 75.166.150.58:57995] mod_dumpio:  dumpio_in (data-TRANSIENT): 20 bytes
[Fri May 26 20:19:57.830409 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(103): [client 75.166.150.58:57995] mod_dumpio:  dumpio_in (data-TRANSIENT): Host: 13.55.51.221\r\n
[Fri May 26 20:19:57.830426 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(140): [client 75.166.150.58:57995] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Fri May 26 20:19:57.830428 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(63): [client 75.166.150.58:57995] mod_dumpio:  dumpio_in (data-TRANSIENT): 21 bytes
[Fri May 26 20:19:57.830430 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(103): [client 75.166.150.58:57995] mod_dumpio:  dumpio_in (data-TRANSIENT): Content-Length: 544\r\n
[Fri May 26 20:19:57.830432 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(140): [client 75.166.150.58:57995] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Fri May 26 20:19:57.830434 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(63): [client 75.166.150.58:57995] mod_dumpio:  dumpio_in (data-TRANSIENT): 25 bytes
[Fri May 26 20:19:57.830436 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(103): [client 75.166.150.58:57995] mod_dumpio:  dumpio_in (data-TRANSIENT): Cache-Control: no-cache\r\n
[Fri May 26 20:19:57.830438 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(140): [client 75.166.150.58:57995] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Fri May 26 20:19:57.830440 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(63): [client 75.166.150.58:57995] mod_dumpio:  dumpio_in (data-TRANSIENT): 2 bytes
[Fri May 26 20:19:57.830441 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(103): [client 75.166.150.58:57995] mod_dumpio:  dumpio_in (data-TRANSIENT): \r\n
[Fri May 26 20:19:57.830996 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(140): [client 75.166.150.58:57995] mod_dumpio: dumpio_in [readbytes-blocking] 544 readbytes
[Fri May 26 20:19:57.831005 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(63): [client 75.166.150.58:57995] mod_dumpio:  dumpio_in (data-TRANSIENT): 544 bytes
[Fri May 26 20:19:57.831008 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(103): [client 75.166.150.58:57995] mod_dumpio:  dumpio_in (data-TRANSIENT): 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
[Fri May 26 20:19:57.942403 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(140): [client 75.166.150.58:57995] mod_dumpio: dumpio_in [speculative-nonblocking] 1 readbytes
[Fri May 26 20:19:57.943753 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(151): [client 75.166.150.58:57995] mod_dumpio: dumpio_in - 11
[Fri May 26 20:21:58.710000 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(140): [client 75.166.150.58:58268] mod_dumpio: dumpio_in [init-blocking] 0 readbytes
[Fri May 26 20:21:58.933562 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(140): [client 75.166.150.58:58268] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Fri May 26 20:21:58.943419 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(63): [client 75.166.150.58:58268] mod_dumpio:  dumpio_in (data-TRANSIENT): 17 bytes
[Fri May 26 20:21:58.943436 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(103): [client 75.166.150.58:58268] mod_dumpio:  dumpio_in (data-TRANSIENT): POST / HTTP/1.1\r\n
[Fri May 26 20:21:58.943445 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(140): [client 75.166.150.58:58268] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Fri May 26 20:21:58.943448 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(63): [client 75.166.150.58:58268] mod_dumpio:  dumpio_in (data-TRANSIENT): 49 bytes
[Fri May 26 20:21:58.943451 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(103): [client 75.166.150.58:58268] mod_dumpio:  dumpio_in (data-TRANSIENT): Content-Type: application/x-www-form-urlencoded\r\n
[Fri May 26 20:21:58.943454 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(140): [client 75.166.150.58:58268] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Fri May 26 20:21:58.943456 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(63): [client 75.166.150.58:58268] mod_dumpio:  dumpio_in (data-TRANSIENT): 105 bytes
[Fri May 26 20:21:58.943459 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(103): [client 75.166.150.58:58268] mod_dumpio:  dumpio_in (data-TRANSIENT): User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E)\r\n
[Fri May 26 20:21:58.943462 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(140): [client 75.166.150.58:58268] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Fri May 26 20:21:58.943464 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(63): [client 75.166.150.58:58268] mod_dumpio:  dumpio_in (data-TRANSIENT): 20 bytes
[Fri May 26 20:21:58.943467 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(103): [client 75.166.150.58:58268] mod_dumpio:  dumpio_in (data-TRANSIENT): Host: 13.55.51.221\r\n
[Fri May 26 20:21:58.943469 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(140): [client 75.166.150.58:58268] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Fri May 26 20:21:58.943471 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(63): [client 75.166.150.58:58268] mod_dumpio:  dumpio_in (data-TRANSIENT): 21 bytes
[Fri May 26 20:21:58.943473 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(103): [client 75.166.150.58:58268] mod_dumpio:  dumpio_in (data-TRANSIENT): Content-Length: 588\r\n
[Fri May 26 20:21:58.943476 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(140): [client 75.166.150.58:58268] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Fri May 26 20:21:58.943478 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(63): [client 75.166.150.58:58268] mod_dumpio:  dumpio_in (data-TRANSIENT): 25 bytes
[Fri May 26 20:21:58.943480 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(103): [client 75.166.150.58:58268] mod_dumpio:  dumpio_in (data-TRANSIENT): Cache-Control: no-cache\r\n
[Fri May 26 20:21:58.943482 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(140): [client 75.166.150.58:58268] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Fri May 26 20:21:58.943484 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(63): [client 75.166.150.58:58268] mod_dumpio:  dumpio_in (data-TRANSIENT): 2 bytes
[Fri May 26 20:21:58.943492 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(103): [client 75.166.150.58:58268] mod_dumpio:  dumpio_in (data-TRANSIENT): \r\n
[Fri May 26 20:21:58.943625 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(140): [client 75.166.150.58:58268] mod_dumpio: dumpio_in [readbytes-blocking] 588 readbytes
[Fri May 26 20:21:58.943632 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(63): [client 75.166.150.58:58268] mod_dumpio:  dumpio_in (data-TRANSIENT): 588 bytes
[Fri May 26 20:21:58.943634 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(103): [client 75.166.150.58:58268] mod_dumpio:  dumpio_in (data-TRANSIENT): 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
[Fri May 26 20:21:59.054773 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(140): [client 75.166.150.58:58268] mod_dumpio: dumpio_in [speculative-nonblocking] 1 readbytes
[Fri May 26 20:21:59.056133 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(151): [client 75.166.150.58:58268] mod_dumpio: dumpio_in - 11

What is 75.166.150.58 trying to use my server for against 13.55.51.221 (an rDNS lookup returns nothing)? Did it succeed?

This looks like probing. If your web server and the applications on it are up to date, you have done almost everything you can. This is exactly the kind of thing you definitely want to log. Just get a log solution that lets you search the logs and build histograms.

Whether fail2ban is usable depends on your legitimate traffic. If legitimate traffic never exceeds 150 requests in 300 minutes, you can configure fail2ban without affecting it.
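As an added example (not code from the question or the answer), the following script applies the question's failregex idea to the access-log lines quoted above: it extracts the client address and timestamp of every `"POST / HTTP/1.1" 200 <bytes> "-"` line, reports the addresses whose POSTs recur at roughly the 120-second period the asker observed, and emits a matching fail2ban filter plus the jail arithmetic. The sample log is built from the question's own lines plus two constructed benign lines from 203.0.113.7; the filter file name `apache-post-probe.conf`, the thresholds (3 hits, 120 s ± 5 s) and the jail values are assumptions.

```python
"""Find periodic "POST / HTTP/1.1" probes in an Apache combined log and
produce a fail2ban filter for them. Added example; thresholds are assumed."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample: the first four lines come from the question; the two
# 203.0.113.7 lines are made up to show that a GET and a POST with a real
# Referer are ignored by the pattern.
SAMPLE_LOG = """\
88.207.37.105 - - [20/May/2017:18:11:47 +0000] "POST / HTTP/1.1" 200 23110 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"
88.207.37.105 - - [20/May/2017:18:13:49 +0000] "POST / HTTP/1.1" 200 19641 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"
88.207.37.105 - - [20/May/2017:18:15:51 +0000] "POST / HTTP/1.1" 200 19629 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"
88.207.37.105 - - [20/May/2017:18:17:53 +0000] "POST / HTTP/1.1" 200 23136 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"
203.0.113.7 - - [20/May/2017:18:12:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.52.1"
203.0.113.7 - - [20/May/2017:18:12:05 +0000] "POST / HTTP/1.1" 200 512 "http://example.com/" "Mozilla/5.0"
"""

# The question's regex with fail2ban's <HOST> spelled out as a named group and
# the bracketed date captured so the period can be measured. The empty
# Referer ("-") is part of the signature.
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "POST / HTTP/1\.1" 200 \d+ "-"'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_hits(log_text):
    """Return {client_ip: [datetime, ...]} for lines matching LINE_RE."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            hits[m["host"]].append(datetime.strptime(m["ts"], TS_FORMAT))
    return dict(hits)


def periodic_sources(log_text, min_hits=3, period=120, tolerance=5):
    """Addresses whose matching POSTs recur every ~`period` seconds.

    Returns {client_ip: (hit_count, median_gap_seconds)}. The median is used
    so a single missed beat does not hide an otherwise regular sender."""
    found = {}
    for ip, times in parse_hits(log_text).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median_gap = statistics.median(gaps)
        if abs(median_gap - period) <= tolerance:
            found[ip] = (len(times), median_gap)
    return found


def min_findtime(period, maxretry):
    """Smallest fail2ban findtime (seconds) in which `maxretry` hits spaced
    `period` seconds apart can all land, i.e. (maxretry - 1) * period."""
    return (maxretry - 1) * period


def fail2ban_filter():
    """Body of an assumed /etc/fail2ban/filter.d/apache-post-probe.conf.

    fail2ban strips the timestamp it recognises before applying failregex,
    so the date field is not pinned here; `.*` spans it instead."""
    return (
        "[Definition]\n"
        'failregex = ^<HOST> \\S+ \\S+ .*"POST / HTTP/1\\.1" 200 \\d+ "-"\n'
        "ignoreregex =\n"
    )


def jail_section(period=122, maxretry=3):
    """Assumed jail.local section; findtime is rounded up from min_findtime
    so the ban triggers after `maxretry` beats of the observed period."""
    findtime = min_findtime(period, maxretry) + 60
    return (
        "[apache-post-probe]\n"
        "enabled  = true\n"
        "port     = http,https\n"
        "filter   = apache-post-probe\n"
        "logpath  = /var/log/apache2/access.log\n"
        f"maxretry = {maxretry}\n"
        f"findtime = {findtime}\n"
        "bantime  = 86400\n"
    )


if __name__ == "__main__":
    for ip, (count, gap) in periodic_sources(SAMPLE_LOG).items():
        print(f"{ip}: {count} POSTs, median gap {gap:.0f}s")
    print(fail2ban_filter())
    print(jail_section())
```

Before enabling the jail, run the filter against the real log with `fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/apache-post-probe.conf` and confirm that only the probing addresses match; with the asker's near-zero legitimate POST traffic to `/` the low `maxretry` is safe, but on a site with real forms the `"-"` Referer check alone is not a reliable discriminator and the period test above is the safer signal.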