컴퓨터 / Computer

CentOS 7에서 firewall-cmd를 이용하여 ip 블럭하기

공유지기 0 68 06.08 12:02

 


갑작스레 웹 서버가 느려질때가 있는데 그때 잽싸게 httpd의 로그를 봐서 아래와 같은 내용이 있는지 확인해 보라. ( ip는 숨김 )


 X.X.XX.XX - - [04/May/2020:19:54:23 +0900] "GET /category.php?c=11917%20UNION%20ALL%20SELECT%20%28SELECT%20CONCAT%280x71716b6271%2CIFNULL%28CAST%28order_addpoint%20AS%20CHAR%29%2C0x20%29%2C0x626661766e77%2CIFNULL%28CAST%28order_amount%20AS%20CHAR%29%2C0x20%29%2C0x626661766e77%2CIFNULL%28CAST%28order_amount_point%20AS%20CHAR%29%2C0x20%29%2C0x626661766e77%2CIFNULL%28CAST%28order_amount_real%20AS%20CHAR%29%2C0x20%29%2C0x626661766e77%2CIFNULL%28CAST%28order_cart%20AS%20CHAR%29%2C0x20%29%2C0x626661766e77%2CIFNULL%28CAST%28order_dlvdate%20AS%20CHAR%29%2C0x20%29%2C0x626661766e77%2CIFNULL%28CAST%28order_id%20AS%20CHAR%29%2C0x20%29%2C0x626661766e77%2CIFNULL%28CAST%28order_method%20AS%20CHAR%29%2C0x20%29%2C0x626661766e77%2CIFNULL%28CAST%28order_quota%20AS%20CHAR%29%2C0x20%29%2C0x626661766e77%2CIFNULL%28CAST%28order_regdate%20AS%20CHAR%29%2C0x20%29%2C0x626661766e77%2CIFNULL%28CAST%28order_regip%20AS%20CHAR%29%2C0x20%29%2C0x626661766e77%2CIFNULL%28CAST%28order_request%20AS%20CHAR%29%2C0x20%29%2C0x626661766e77%2CIFNULL%28CAST%28order_shipping%20AS%20CHAR%29%2C0x20%29%2C0x626661766e77%2CIFNULL%28CAST%28order_shop%20AS%20CHAR%29%2C0x20%29%2C0x626661766e77%2CIFNULL%28CAST%28order_status%20AS%20CHAR%29%2C0x20%29%2C0x626661766e77%2CIFNULL%28CAST%28order_supplyprice%20AS%20CHAR%29%2C0x20%29%2C0x626661766e77%2CIFNULL%28CAST%28order_user%20AS%20CHAR%29%2C0x20%29%2C0x7171707671%29%20FROM%20checkbox.order_data%20LIMIT%2047860%2C1%29%2CNULL%2CNULL--%20pjNN HTTP/1.1" 200 89986 "-" "sqlmap/1.3#pip (http://sqlmap.org)"


저 로그들은 DB 인젝션 공격을 할때 생기는데, 실제 DB로 갈때는 아래와 같이 전달된다.


 select cnt from view_goods_cnt_w_status_lteq_2_by_cat1 where cat1 = '11917 UNION ALL SELECT (SELECT

 

select * from goods g join category c on g.category_id = c.category_id where c.cat1 = '11917 UNION



저런 스크립트는 DB 서버를 과부하로 이끌어 사망하게 만든다.


여러가지 방법이 있지만 이런 경우 저 위에  ip를 firewall-cmd를 이용하여 블럭 처리해 버리면 된다. 아래 명령어로.



 firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address=ip drop'



물론 저 명령어를 실행한 후에는 적용도 해 줘야 한다.


 firewall-cmd --reload




Comments

이글아이 방수 발수 코팅 필름 1P 80x80 김서림 빗물
칠성운영자
VIP 리무진엠보 가죽 QM6 대쉬보드 커버
칠성운영자
아슬란 자동차 바닥 카매트 매트 발매트 발판 카메트
칠성운영자
카렉스 블랙스CD바이져
칠성운영자