通过Nginx日志识别攻击可以帮助你及时发现并应对潜在的安全威胁。以下是一些常见的攻击类型及其在Nginx日志中的特征,以及如何识别它们:

192.168.1.1 - - [21/Jul/2023:10:00:01 +0000] "POST /login HTTP/1.1" 401 572 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3"192.168.1.1 - - [21/Jul/2023:10:00:02 +0000] "POST /login HTTP/1.1" 401 572 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3"...192.168.1.1 - - [21/Jul/2023:10:05:01 +0000] "GET /search?q=SELECT%20*%20FROM%20users HTTP/1.1" 404 572 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3"192.168.1.1 - - [21/Jul/2023:10:10:01 +0000] "GET /profile?ref=<script>alert('XSS')</script> HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3"192.168.1.1 - - [21/Jul/2023:10:15:01 +0000] "GET /index.html HTTP/1.1" 200 1234 "-"192.168.1.2 - - [21/Jul/2023:10:15:02 +0000] "GET /index.html HTTP/1.1" 200 1234 "-"...192.168.1.1 - - [21/Jul/2023:10:20:01 +0000] "GET /includes/config.php HTTP/1.1" 404 572 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3"使用日志分析工具:
设置警报:
定期检查日志:
使用正则表达式:
监控IP地址:
分析响应代码:
以下是一个简单的Python脚本示例,用于识别Nginx日志中的暴力破解攻击:
import refrom collections import defaultdict# 读取日志文件with open('nginx_access.log', 'r') as file:logs = file.readlines()# 正则表达式匹配失败的登录尝试login_pattern = re.compile(r'"POST /login HTTP/1.1" 401')# 记录每个IP的失败尝试次数failed_attempts = defaultdict(int)for log in logs:if login_pattern.search(log):ip = log.split()[0]failed_attempts[ip] += 1# 设置阈值threshold = 5# 检查并打印超过阈值的IPfor ip, count in failed_attempts.items():if count > threshold:print(f"Possible brute force attack detected from IP: {ip} with {count} failed attempts")通过上述方法和工具,你可以有效地识别和应对Nginx日志中的各种攻击。