![\"\"](\"https:\/\/cdn.manvscloud.com\/wp-content\/uploads\/2022\/08\/19100041\/image-5-1024x269.png\")
<\/figure>\n\n\n\n\n\n\n\n
Web Log<\/h3>\n\n\n\n
\uba3c\uc800 \uc2a4\ud338 \ub313\uae00\uc774 \uc4f0\uc5ec\uc9c4 \uc2dc\uac04<\/strong>\uacfc \uc791\uc131\uc790 IP<\/strong>\ub97c \ucc38\uace0\ud558\uc5ec \uc6f9 \ub85c\uadf8\uc640 \ube44\uad50\ud558\uc600\uc2b5\ub2c8\ub2e4.<\/p>\n\n\n\n \uc6f9 \ub85c\uadf8\ub97c \uc0b4\ud3b4\ubcf4\ub2c8 \ud574\ub2f9 \uc2a4\ud338 \ub313\uae00\uc740 request : POST, http_user_agent : python-requests\ub97c \uacf5\ud1b5\uc801\uc73c\ub85c \ub0a8\uae34\ub2e4\ub294 \uac83\uc744 \uc54c \uac8c \ub418\uc5c8\uc2b5\ub2c8\ub2e4. <\/p>\n\n\n\n (\uc815\uc0c1\uc801\uc778 \ub313\uae00\uc5d0\uc11c\ub294 user_agent\uac00 python-requests\uc778 \uacbd\uc6b0\ub294 \ubcf8 \uc801\uc774 \uc5c6\ub2e4. \uc8fc\ub85c \uc6f9 \ud06c\ub864\ub9c1\ud560 \ub54c \uc0ac\uc6a9\ub410\ub358\uac78\ub85c \uc548\ub2e4.)<\/p>\n\n\n\n \ub610\ud55c \ub370\uc774\ud130\ubca0\uc774\uc2a4\ub97c \ud655\uc778\ud574\ubcf4\uba74 \uc6cc\ub4dc\ud504\ub808\uc2a4\uc5d0\uc11c \ub313\uae00\uc774 \uad00\ub9ac\ub418\ub294 \ud14c\uc774\ube14\uc740 wp_comments \uc785\ub2c8\ub2e4.<\/p>\n\n\n\n \ud574\ub2f9 \ud14c\uc774\ube14\uc744 \uc870\ud68c\ud574\ubcf4\ub2c8 comment_agent \ud544\ub4dc\uc5d0\uc11c\ub3c4 python-requests \uac00 \ud655\uc778\ub410\uc2b5\ub2c8\ub2e4.<\/p>\n\n\n\n \uc790, \uc774\uc81c \uc6f9 \ub85c\uadf8\uc5d0\uc11c \ud655\uc778\ud55c \uc815\ubcf4\ub97c \uc774\uc6a9\ud574\uc11c \ud0d0\uc9c0\ud558\uace0 \ucc28\ub2e8 \uadf8\ub9ac\uace0 \ub313\uae00 \uc815\ub9ac\uae4c\uc9c0 \ud558\ub3c4\ub85d \ud560 \uac83\uc785\ub2c8\ub2e4.<\/p>\n\n\n\n \uba3c\uc800 \uc2a4\ud06c\ub9bd\ud2b8\ub97c \uad00\ub9ac\ud560 \ub514\ub809\ud1a0\ub9ac\ub97c \uba3c\uc800 \uc0dd\uc131\ud574\uc8fc\uc5c8\uc2b5\ub2c8\ub2e4.<\/p>\n\n\n\n mkdir -p \/usr\/local\/webdetector\/{bin,include,logs,tmp}<\/p>\n\n\n\n 1. env 2. start.sh <\/p>\n\n\n\n 1. log_detector.sh 2. deny.sh 3. db.sh <\/p>\n\n\n\n 1. drop.log <\/p>\n\n\n\n 1. detectCount <\/p>\n\n\n\n \ub9c8\uc9c0\ub9c9\uc73c\ub85c \/etc\/crontab\uc5d0 \uc544\ub798\uc640 \uac19\uc774 \uc2a4\ud06c\ub9bd\ud2b8\ub97c 5\ubd84\ub9c8\ub2e4 \uc2e4\ud589\ub418\ub3c4\ub85d \ud574\ub450\uc5c8\uc2b5\ub2c8\ub2e4. \ub610\ud55c \uc81c \uc6f9 \uc11c\ubc84\ub294 Logrotate\ub97c \uc774\uc6a9\ud558\uc5ec \ub85c\uadf8\uac00 \uad00\ub9ac\ub418\uace0 \uc788\uc2b5\ub2c8\ub2e4. \uadf8\ub807\uae30 \ub54c\ubb38\uc5d0 logrotate \uc124\uc815\uc5d0\uc11c Logrotate\uac00 \uc2e4\ud589\ub420 \ub54c detectCount\ub3c4 \ucd08\uae30\ud654\ub418\ub3c4\ub85d \uc124\uc815\ud558\uc600\uc2b5\ub2c8\ub2e4.<\/p>\n\n\n\n \uc774\uc81c \uc81c \ube14\ub85c\uadf8\ub294 user agent\uac00 python-requests\uc778 \uacbd\uc6b0\uc5d0\ub294 \ud0d0\uc9c0 \ud6c4 \ucc28\ub2e8\ud558\ub3c4\ub85d \uc124\uc815\ub418\uc5c8\uc2b5\ub2c8\ub2e4.<\/p>\n\n\n\n \ud558\uc9c0\ub9cc python-requests\uc5d0 \ub300\ud574\uc11c\ub9cc \ud0d0\uc9c0\ub418\uae30\ub54c\ubb38\uc5d0 \uc774\ud6c4\uc5d0 \ucd94\uac00\uc801\uc73c\ub85c \ubc1c\uacac\ub418\ub294 \uc774\uc0c1 \uc99d\uc0c1\uc740 \uc2a4\ud06c\ub9bd\ud2b8\uc5d0 \uacc4\uc18d \ucd94\uac00\uc801\uc73c\ub85c \uc5c5\ub370\uc774\ud2b8\ub418\uace0 \ub098\uc911\uc5d0\ub294 \ub530\ub85c \uc2a4\ud06c\ub9bd\ud2b8\uac00 \ubd84\ub9ac\ub420 \uc218\ub3c4 \uc788\uc744 \uac83\uc774\ub77c \uc608\uc0c1\ub429\ub2c8\ub2e4.<\/p>\n\n\n\n \uadf8\ub0e5 \ud50c\ub7ec\uadf8\uc778 \uc4f0\uba74 \uac04\ud3b8\ud569\ub2c8\ub2e4. \uc0ac\uc6a9\ud558\uba74 \uc88b\uc8e0. \uc2e4\uc81c \uae08\uc804\uc774 \uc624\uac00\ub294 \uc6b4\uc601 \ud658\uacbd\uc5d0\uc11c\ub294 \ub2f9\uc5f0\ud788 \uace0\ub824\ud574\uc57c\ud558\ub294 \ubd80\ubd84\uc774\uad6c\uc694.<\/p>\n\n\n\n \uadf8\ub7f0\ub370 \uc774\ub807\uac8c \ubc88\uac70\ub86d\uac8c \uc9c1\uc811 \ud655\uc778\ud558\uace0 \uc2a4\ud06c\ub9bd\ud2b8\ub97c \ub9cc\ub4e4\uc5b4\uac00\uba70 \ucc28\ub2e8\ud558\ub294 \uc774\uc720\ub294 \uc5b4\ub5a4 \uc720\ud615\uc73c\ub85c \uc2a4\ud338\ub313\uae00\uc774 \uc4f0\uc5ec\uc9c4\ub2e4\uac70\ub098 \uc5b4\ub5a4 \uacf5\uaca9\uc774 \uc874\uc7ac\ud558\ub294\uc9c0 \ub610 \ub313\uae00\uc740 \uc5b4\ub290 DB\uc5d0 \uc800\uc7a5\ub418\ub294\uc9c0 \uacf5\ubd80\ud560 \uc218 \uc788\uae30\ub54c\ubb38\uc785\ub2c8\ub2e4.<\/p>\n\n\n\n \uc5b4\ucc28\ud53c \uc81c \ube14\ub85c\uadf8\ub294 \uc8fc\uae30\uc801\uc73c\ub85c \ubc31\uc5c5\ub418\uace0 \uc788\uace0 \ub2e4\uc6b4\ub418\uc5b4\ub3c4 \ub3c8 \ubc1b\uace0 \uc6b4\uc601\ub418\ub294 \uc11c\ube44\uc2a4\uac00 \uc544\ub2c8\uae30\ub54c\ubb38\uc5d0 \uc81c \ub9c8\uc74c\ub300\ub85c \ud14c\uc2a4\ud2b8\ud560 \uc218 \uc788\ub294 \uc88b\uc740 \ud658\uacbd\uc785\ub2c8\ub2e4. <\/p>\n\n\n\n \uc6f9 \uc11c\ube44\uc2a4\ub294 \uac00\uc7a5 \uae30\ubcf8\uc785\ub2c8\ub2e4. free tier\uc5d0\uc11c \ucd5c\uace0 \ud6a8\uc728\uc744 \ub0bc \uc218 \uc788\ub294 \uad6c\uc131\uc744 \uc0dd\uac01\ud574\ubcf4\uace0 \uc778\uc2a4\ud134\uc2a4 \ud0c0\uc785\uc744 \ub192\uc774\uba74 \uacb0\uad6d \ube44\uc6a9\uc73c\ub85c \uc774\uc5b4\uc9c0\uae30\ub54c\ubb38\uc5d0 \uc11c\ubc84 \ub0b4\uc5d0\uc11c \ucd5c\uc801\ud654\ub97c \uace0\ubbfc\ud558\uac8c\ub418\uace0 \uc774\ud6c4\uc5d0 AWS\uc5d0\uc11c \ub124\uc774\ubc84 \ud074\ub77c\uc6b0\ub4dc\ub85c \uc774\uc804\ub3c4 \ud558\uace0 \uac01\uc885 \uacf5\uaca9\uc774 \uc0dd\uae30\uba74 \uc9c1\uc811 \uace0\ubbfc\ud558\uace0 \ud574\uacb0\ud558\uac8c \ub429\ub2c8\ub2e4.<\/p>\n\n\n45.134.225.36 - 10.0.33.10 - - [16\/Aug\/2022:17:39:48 +0900] \"POST \/?p=989 HTTP\/1.1\" 200 89 \"-\" \"python-requests\/2.27.1\"\n192.42.116.14 - 10.0.13.10 - - [16\/Aug\/2022:21:14:24 +0900] \"POST \/?p=989 HTTP\/1.1\" 200 89 \"-\" \"python-requests\/2.27.1\"\n185.243.218.41 - 10.0.13.10 - - [16\/Aug\/2022:23:58:19 +0900] \"POST \/?p=989 HTTP\/1.1\" 200 89 \"-\" \"python-requests\/2.27.1\"<\/pre>\n\n\n\n
\n\n\n\n WebDetector<\/h3>\n\n\n\n
: \ubaa8\ub4e0 \uc2a4\ud06c\ub9bd\ud2b8\uc5d0\uc11c \uacf5\ud1b5\uc801\uc73c\ub85c \uc0ac\uc6a9\ub420 \ud658\uacbd \uc124\uc815\uc774 \ub4e4\uc5b4\uac00\ub294 \ud30c\uc77c\uc785\ub2c8\ub2e4.<\/p>\n\n\n\n#!\/bin\/bash\n\n##########################################\nexport NOW=$(date +\"[%F %T]\")\nexport WD=\/usr\/local\/webdetector\nexport TEMP=$WD\/tmp\nexport LOG=$WD\/logs\nexport INCLUDE=$WD\/include\nexport WEBLOG=\/<\uc6f9\ub85c\uadf8 \uacbd\ub85c>\/manvscloud.access.log\nexport DBPWD=<DB \ud328\uc2a4\uc6cc\ub4dc>\n##########################################<\/pre>\n\n\n\n
: \uc2a4\ud06c\ub9bd\ud2b8 \uc2e4\ud589 \ud30c\uc77c\uc785\ub2c8\ub2e4.<\/p>\n\n\n\n#!\/bin\/bash\n\n#######################################################\nsource \/usr\/local\/webdetector\/bin\/env\n########################################################\n\nmain() {\n\n$INCLUDE\/log_detector.sh\n\n}\n\nmain\n<\/pre>\n\n\n\n
(include \ub514\ub809\ud1a0\ub9ac\uc5d0\ub294 \uac01\uc885 \uae30\ub2a5\ub4e4\uc744 \ucd94\uac00\ud558\uc5ec \uad00\ub9ac\ud558\uae30\ub85c \ud558\uc600\uc2b5\ub2c8\ub2e4.)<\/li><\/ul>\n\n\n\n
: \uc6f9 \ub85c\uadf8\uc5d0\uc11c \uc774\uc0c1 \ubc18\uc751\uc744 \ud0d0\uc9c0\ud569\ub2c8\ub2e4.
\uae30\uc874 detectCount\ubcf4\ub2e4 \uc218\uce58\uac00 \ub192\uc544\uc9c0\uba74 deny.sh\uc744 \uc2e4\ud589\uc2dc\ucf1c IP\ub97c \uc120\ucc28\ub2e8 \uc870\uce58\ud569\ub2c8\ub2e4.<\/p>\n\n\n\n#!\/bin\/bash\n\nCUR_LOG=`cat $WEBLOG | grep POST | grep \"python-requests\" | awk '{print $1}' | sort | uniq | wc -l`\nCOUNT=`cat $TEMP\/detectCount`\n\ndetector() {\n\nif [ $CUR_LOG -gt $COUNT ]; then\n\necho \"$NOW \uc774\uc0c1 \ub85c\uadf8\uac00 \uac10\uc9c0 \ub418\uc5c8\uc2b5\ub2c8\ub2e4.\" >> $LOG\/drop.log\n\n$INCLUDE\/deny.sh\n\nfi\n\n}\n\ndetector\n<\/pre>\n\n\n\n
: \uc6f9 \ub85c\uadf8\uc5d0\uc11c \ud574\ub2f9\ud558\ub294 \uc870\uac74\uc5d0 \ud0d0\uc9c0\ub41c IP\ub97c \ucc28\ub2e8\ud569\ub2c8\ub2e4.<\/p>\n\n\n\n#!\/bin\/bash\n\n############################################################################################################################\nATKIP=(`cat $WEBLOG | grep POST | grep \"python-requests\" | awk '{print $1}' | sort | uniq`)\niptables -nL | grep DROP | awk '{print $4}' | sort | uniq | grep -vE \"[a-Z]|0.0.0.0\/0\" > $TEMP\/drop_ip_list.txt\nOVLLIST=`cat $TEMP\/drop_ip_list.txt`\n############################################################################################################################\n\ndropIP() {\n\n for i in ${ATKIP[@]};\n\n do\n\n OVLIP=`echo $OVLLIST | grep $i | wc -l`\n\n if [ $OVLIP == 1 ]; then\n\n echo \"$NOW $i IP\ub294 \uc774\ubbf8 \ucc28\ub2e8\ub418\uc5b4 \uc788\uc2b5\ub2c8\ub2e4.\"\n\n else\n\n iptables -I INPUT -s $i -j DROP\n echo \"$NOW $i IP\uac00 \ucc28\ub2e8 \ub418\uc5c8\uc2b5\ub2c8\ub2e4.\" >> $LOG\/drop.log\n $INCLUDE\/db.sh\n fi\n\n done\n\n##############################################################################################################\ncat $WEBLOG | grep POST | grep \"python-requests\" | awk '{print $1}' | sort | uniq | wc -l > $TEMP\/detectCount\nrm $TEMP\/drop_ip_list.txt\n##############################################################################################################\n\n}\n\ndropIP<\/pre>\n\n\n\n
: DB\uc5d0\uc11c \uc870\uac74\uc5d0 \ud574\ub2f9\ud558\ub294 \ub313\uae00\uc744 \uc81c\uac70\ud569\ub2c8\ub2e4.<\/p>\n\n\n\n#!\/bin\/bash\n\n\ndelSPAM() {\n\nSPAMCOMMENT=(`mysql -uusername -p$DBPWD -D dbname -e \"select comment_ID from wp_comments where comment_agent like 'python-requests%';\" | awk '{print $1}' | grep -v [a-Z]`)\n\n for i in ${SPAMCOMMENT[@]};\n\n do\n\n mysql -uusername -p$DBPWD -D dbname -e \"delete from wp_comments where comment_ID=$i;\"\n\n done\n\n}\n\ndelSPAM<\/pre>\n\n\n\n
: \ucc28\ub2e8\ub41c IP\uc758 \ub85c\uadf8\uc785\ub2c8\ub2e4.<\/p>\n\n\n\n[2022-08-17 02:49:34] 185.220.100.241 IP\uac00 \ucc28\ub2e8 \ub418\uc5c8\uc2b5\ub2c8\ub2e4.\n[2022-08-17 02:52:55] 37.120.185.177 IP\uac00 \ucc28\ub2e8 \ub418\uc5c8\uc2b5\ub2c8\ub2e4.\n[2022-08-17 07:50:01] 185.7.33.146 IP\uac00 \ucc28\ub2e8 \ub418\uc5c8\uc2b5\ub2c8\ub2e4.<\/pre>\n\n\n\n
: \ud0d0\uc9c0 \uce74\uc6b4\ud2b8\uc785\ub2c8\ub2e4. \ud0d0\uc9c0\uac00 \ub420 \ub54c\ub9c8\ub2e4 \uc218\uce58\uac00 \ub2ec\ub77c\uc9d1\ub2c8\ub2e4.<\/p>\n\n\n\n0<\/pre>\n\n\n\n
5\ubd84\ub9c8\ub2e4 \uc774\uc0c1 \ub85c\uadf8\uac00 \uc788\ub294\uc9c0 \uc9c0\uc18d\uc801\uc73c\ub85c \ud0d0\uc9c0\ud558\uac8c \ub420 \uac83\uc785\ub2c8\ub2e4.<\/p>\n\n\n\n## webdetector\n*\/5 * * * * root \/usr\/local\/webdetector\/bin\/start.sh<\/pre>\n\n\n\n
\uc989, \ub85c\uadf8\uac00 \uc555\ucd95\ub418\uace0 \ubd84\ud560\ub420 \ub54c \uae30\uc874 detectCount\uc640 \uc218\uce58\uac00 \ub2ec\ub77c\uc9c0\uac8c \ub429\ub2c8\ub2e4.<\/p>\n\n\n\n\/var\/log\/nginx\/*.log {\n weekly\n rotate 5\n compress\n delaycompress\n missingok\n create 644 root root\n dateext\n postrotate\n if [ -f \/var\/run\/nginx.pid ]; then\n kill -USR1 `cat \/var\/run\/nginx.pid`\n echo \"0\" > \/usr\/local\/webdetector\/tmp\/detectCount\n fi\n endscript\n}<\/pre>\n\n\n\n
\n\n\n\n Personal Comments<\/h3>\n\n\n\n
\uc774\ubbf8 \uc874\uc7ac\ud558\ub294 \ud234\ub4e4\uc774\ub098 IPS, WAF \ub4f1\uc744 \uc0ac\uc6a9\ud558\uba74 \ub429\ub2c8\ub2e4.
\ub300\ubd80\ubd84 \uc774\ub7ec\ud55c \uc2a4\ud338 \ub313\uae00\ub4e4\uc740 \uc678\uad6d\uc5d0\uc11c \uc4f0\uc5ec\uc9c0\ub2c8 \uad6d\ub0b4\uc5d0\uc11c\ub9cc \ub313\uae00\uc744 \uc4f8 \uc218 \uc788\uac8c\ud558\uba74 \uad73\uc774 \uc2e0\uacbd\uc4f8 \uc77c\uc774 \uc904\uc5b4\ub4ed\ub2c8\ub2e4.<\/p>\n\n\n\n
\uc804 \uc9c1\uc7a5\uc5d0\uc11c \uc81c \uc0ac\uc218\uc600\ub358 Linuxer\ub2d8\uc774 WordPress\ub97c \uc774\uc6a9\ud574\uc11c \ube14\ub85c\uadf8 \uc6b4\uc601\uc744 \uc9c1\uc811\ud574\ubcf4\ub77c\uace0 \ud558\uc168\uc5c8\ub294\ub370 \uc774\uac8c \ub9ce\uc774 \ub3c4\uc6c0\uc774 \ub410\uc2b5\ub2c8\ub2e4.<\/p>\n\n\n\n
![](\"https:\/\/linuxer.name\/wp-content\/uploads\/2022\/08\/image-12-824x1024.png\")
<\/div><\/div>