背景
最近网站被疯狂CC,很不幸的源站IP被暴露。在使用了cloudflare防护盾的情况下,攻击者直接打IP:443端口导致明升m88资源被耗尽。
解决方案
配置UFW防火墙,只放行cloudflare的IP。其余的一律禁止。
使用下面的脚本可以方便的将cloudflare IP加入明升m88的防火墙白名单中。
github下载地址:http://raw.githubusercontent.com/okoklai/studes/master/cfip.sh
#!/bin/bash
if !command -v ufw >/dev/null 2>&1; then
echo "UFW not found! please install it from your package manager!"
echo "For RHEL/CentOS/Fedora, use yum install ufw."
echo "For Ubuntu/Debian/Proxmox VE, use apt install ufw."
echo "Don't forgot to allow your ssh port before enable UFW!"
echo "When you finished it, just use command ufw enable to enable it!"
exit 1
fi
for line in `curl http://www.cloudflare.com/ips-v4`
do
echo "Reading $line from CloudFlare's offical ip list."
ufw allow from $line to any port 80
ufw allow from $line to any port 443
done
for line in `curl http://www.cloudflare.com/ips-v6`
do
echo "Reading $line from CloudFlare's offical ip list."
ufw allow from $line to any port 80
ufw allow from $line to any port 443
done此脚本只会设置固定ip允许访问80、443端口,其他的ufw设置不会修改。
发表回复