LAMP/Apache: visitor statistics from access_log are incomplete, some entries are missing (for anti-DDoS use)
Hi 军哥! Thanks for your one-click install package; I set up a LAMP environment with it and have been running sites on it for a while now.
Now I have a question:
Logically, every access to the VPS should be recorded in access_log; that is, no matter how many sites are set up on the VPS, all of the records should appear in the overall access_log.
But my site AAA has logging enabled and writes to access_log_AAA, yet the overall access_log has nothing for it.
After I turned logging off for site AAA, the overall access_log still had nothing.
The records for sites BBB and CCC, however, do appear in access_log.
For example, the IP 58.58.68.68 visited site AAA; access_log_AAA has the record, but access_log does not.
Very confusing.
军哥, if I want the visitor records of every site on the VPS to go into access_log (rather than into the individual access_log_XXX files), how should I configure that?
Or is access_log supposed to record everything anyway, and some misconfiguration of mine is causing this problem?
Many thanks!
[ This post was last edited by ifrederick on 2018-5-26 08:29 ]
access_log is not the file used for recording the logs.
The default virtual host writes to the file IP_access_log, and the default virtual host records only its own requests, not those of the other virtual hosts.
If a domain you added has logging enabled, its log file is <domain or custom name>-access_log.
Reply to post #2
Thanks for the answer, 军哥. After testing, access_log can indeed record (even all of) the accesses to the VPS that are not made by IP, e.g. yourdomain.com/sample-url,
while IP_access_log records only accesses made directly via the IP, e.g. 123.123.123.123/sample-url.
As for why the records are incomplete, I seem to have found the cause: it appears to be related to enabling HTTPS access.
For domain AAA, ordinary HTTP access arriving on port 80 is not recorded in access_log, but its own access_log_AAA does record it.
After I enabled HTTPS (encrypted) access for AAA, the records showed up in access_log.
For comparison, I also checked domain BBB: ordinary HTTP access is not recorded in access_log, but it is recorded in its own access_log_BBB.
So I think the problem is very likely in the settings relating access_log to ports 80 and 443.
Does access_log have any port-related settings?
**********Background**********
I want to capture and analyse the access_log and ban the IP addresses that violate the rules, in order to mitigate/stop DDoS.
I tried DDoS-Deflate and found it a bit of a hassle; it did not achieve much once set up. So I wrote my own script that automatically blocks abnormal IPs, and it works fairly well.
The problem is that the access logs of all the encrypted HTTPS domains can be read directly from access_log, but those of the other, unencrypted HTTP domains cannot be captured, so the DDoS attacks continue.
Since opening this thread, after enabling HTTPS access on domain AAA, I have already blocked quite a few DDoS IP addresses (results below). But for domain BBB, which is accessed over HTTP, nothing is caught, because access_log simply has no record of it.
The solutions I can think of so far are three:
① Enable HTTPS access on every site (a bit troublesome; there are many sites and some do not need it for now);
② Have both encrypted HTTPS and unencrypted HTTP recorded in access_log (log ports 80 and 443 together);
③ Process both the overall access_log and the individual access_log_XXX logs (extra operations, more VPS resources);
#Anti-DDoS results (block time, attack count before blocking, attacking IP and ban reason):
2018-05-23 15:44:01 33 118.24.116.161 404
2018-05-23 16:34:01 64 180.76.134.115 404
2018-05-23 23:33:01 35 180.76.114.186 404
2018-05-24 07:37:01 86 183.78.180.97 404
2018-05-25 00:57:01 56 122.227.62.206 /wp-login.php
2018-05-25 00:57:01 56 122.227.62.206 302
2018-05-25 01:13:01 28 218.3.210.2 /wp-login.php
2018-05-25 01:13:01 28 218.3.210.2 302
2018-05-25 01:48:01 39 157.119.227.25 /wp-login.php
2018-05-25 01:48:01 39 157.119.227.25 302
2018-05-25 01:52:01 48 152.204.28.192 /wp-login.php
2018-05-25 01:52:01 48 152.204.28.192 302
2018-05-25 16:35:01 11 118.114.1.139 TCP(Dropped if >= 50)
2018-05-25 19:50:01 87 180.76.101.70 404
2018-05-25 22:01:01 38 180.76.232.106 404
2018-05-26 04:28:01 85 180.76.245.155 301
2018-05-26 04:28:01 83 180.76.245.155 404
2018-05-26 05:15:01 15 95.24.156.48 TCP(Dropped if >= 50)
2018-05-26 05:47:01 81 118.24.134.86 301
2018-05-26 05:47:01 61 118.24.134.86 404
#access_log_BBB records from non-HTTPS access:
I set up wp-login.php protection, but even so there were more than 8000 attacks in a little over an hour, and the large number of 302 redirects still kept CPU usage above 50%.
Because the records are not in access_log, that IP was not caught and banned.
54.36.168.175 - - "POST /wp-login.php HTTP/1.0" 302 3424 "-" "-"
54.36.168.175 - - "POST /wp-login.php HTTP/1.0" 302 3424 "-" "-"
54.36.168.175 - - "POST /wp-login.php HTTP/1.0" 302 3424 "-" "-"
……
[ This post was last edited by ifrederick on 2018-5-26 09:44 ]
Reply to post #3
Doing your own log analysis is too tiring. On nginx, once Lua is enabled there are plenty of WAFs to choose from; on Apache I have not looked into it yet.
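The thresholded ban logic this post describes, written out as an added example rather than the author's own script: it counts suspicious hits per IP across whichever log files it is given, so pointing it at access_log together with every access_log_* file implements option ③ without depending on which file Apache writes a given vhost to. The reason rules (POST to /wp-login.php, or a 301/302/404 response) and the threshold of 50 are assumptions modelled on the result table above; the sample log is constructed.

```shell
#!/bin/sh
# Added example, not the thread author's script. Assumed rules, modelled on the
# result table in the thread: a hit is "suspicious" if it is a POST to
# /wp-login.php or if it gets a 301/302/404 response; an IP whose count for one
# reason reaches the threshold is printed as "count ip reason".
# Works with or without the [timestamp] field, so both the stripped
# access_log_BBB excerpt above and a normal combined-format log are accepted.

ban_candidates() {
    threshold="$1"; shift
    cat "$@" | awk -F'"' -v limit="$threshold" '
    {
        split($1, head, " "); ip = head[1]          # client address
        split($2, req,  " "); method = req[1]; path = req[2]
        split($3, rest, " "); status = rest[1]      # first field after the request
        if (method == "POST" && path == "/wp-login.php") hits[ip SUBSEP "/wp-login.php"]++
        if (status == "404" || status == "302" || status == "301") hits[ip SUBSEP status]++
    }
    END {
        for (k in hits) if (hits[k] + 0 >= limit + 0) {
            split(k, parts, SUBSEP)
            print hits[k], parts[1], parts[2]
        }
    }' | LC_ALL=C sort -k2,2 -k3,3
}

# Constructed sample: 60 wp-login POSTs from the source seen in the excerpt,
# plus one ordinary visitor on a timestamped line (documentation address).
SAMPLE_LOG=$(mktemp)
i=0
while [ "$i" -lt 60 ]; do
    echo '54.36.168.175 - - "POST /wp-login.php HTTP/1.0" 302 3424 "-" "-"' >> "$SAMPLE_LOG"
    i=$((i + 1))
done
echo '203.0.113.9 - - [26/May/2018:09:00:00 +0800] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"' >> "$SAMPLE_LOG"

# On the VPS this would be: ban_candidates 50 /path/to/access_log /path/to/access_log_*
ban_candidates 50 "$SAMPLE_LOG"
rm -f "$SAMPLE_LOG"
```

The output lines have the same shape as the result table (count, IP, reason), so they can be fed to the same blocking step the existing cron script uses.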