LAMP/Apache下access_log统计访客日志不完全有遗漏（防DDoS用）

ifrederick · 发表于 2018-5-25 15:34:55

军哥你好！

感谢你的一键安装包，已经成功搭建的LAMP环境并建站多时。

现在有个疑问：

按理说VPS上的所有访问应该都在access_log里有记录，也就是说不管VPS上建了几个网站，所有的记录都应该提现在总日志access_log里。

但是，我的AAA网站开启了日志记录并记录在access_log_AAA里，但是总日志access_log里居然没有。

我把网站AAA的记录关掉后，总日志access_log里还是没有。

而BBB网站和CCC网站的记录在access_log里却有。

比如，58.58.68.68这个IP访问了AAA网站，access_log_AAA里有其记录，而access_log却没有。

非常困惑。

请问军哥：如果我想VPS上所有网站的访客记录全部记录到access_log里（而非单个access_log_XXX），那么干如何设置呢？

或者说，access_log本身就是记录全部的，是因为我的某些设置错误才导致了出现这种问题呢？

非常感谢！

[ 本帖最后由 ifrederick 于 2018-5-26 08:29 编辑 ]

licess · 发表于 2018-5-25 21:10:44

access_log 并不是用来记录日志的
默认虚拟主机的是IP_access_log 这个文件，默认虚拟主机就只记录默认虚拟主机的，其他虚拟主机的不记录
如果你添加的域名开启了日志功能，记录的文件是域名或自定义的名字-access_log

ifrederick · 发表于 2018-5-26 09:08:47

感谢军哥的解答。

经过测试，access_log里是可以记录（甚至全部）来自VPS非IP的访问的，比如 yourdomain.com/sample-url
而IP_access_log只记录直接通过IP访问的信息，比如 123.123.123.123/sample-url

而记录不完全的原因，貌似找到了，应该和开启HTTPS访问有关。

AAA域名，从80端口来的普通的HTTP访问在access_log里不记录，但是自身的access_log_AAA有记录。
我把AAA开启HTTPS加密访问后，access_log里就有记录了。

作为对比，我又验证了BBB域名，普通的HTTP访问在access_log里没有记录，但是在自身access_log_BBB里有记录。
所以，我觉得很可能是关于access_log和80、443端口设置方面出了问题。

请问，access_log有记录端口的相关设置吗？

**********背景**********

我是要抓取access_log的日志并分析，封掉违反规则的IP地址，达到缓解/阻止DDoS的目的。

试用了DDoS-Deflate，发现有点麻烦，设置起来效果并没有多大。所以自己写了一个脚本，自动屏蔽异常IP，效果还不错。

但问题是，所有加密的HTTPS域名访问日志可以直接在access_log里获取，但其他非加密的HTTP域名访问日志抓不到，DDos攻击依然存在。

开贴中，我把AAA域名开启HTTPS访问后，已经屏蔽了不少DDoS的IP地址（效果附下）。但针对HTTP访问的BBB域名，依然没有抓到，因为access_log里根本没记录到。

解决的办法目前能想到的有三个：

①全部开启HTTPS访问（略麻烦，网站较多，有的暂时也没必要）；
②加密的HTTPS和非加密的HTTP都能记录到access_log里（同时记录80和443端口）；
③同时统计总的access_log日志和单独的access_log_XXX日志（增加额外操作、占用VPS资源）；

#  防DDoS的效果（屏蔽时间、被封前攻击次数、攻击IP和被封原因）：

2018-05-23 15:44:01       33       118.24.116.161             404
2018-05-23 16:34:01       64       180.76.134.115             404
2018-05-23 23:33:01       35       180.76.114.186             404
2018-05-24 07:37:01       86       183.78.180.97                404
2018-05-25 00:57:01       56       122.227.62.206             /wp-login.php
2018-05-25 00:57:01       56       122.227.62.206             302
2018-05-25 01:13:01       28       218.3.210.2                /wp-login.php
2018-05-25 01:13:01       28       218.3.210.2                302
2018-05-25 01:48:01       39       157.119.227.25             /wp-login.php
2018-05-25 01:48:01       39       157.119.227.25             302
2018-05-25 01:52:01       48       152.204.28.192             /wp-login.php
2018-05-25 01:52:01       48       152.204.28.192             302
2018-05-25 16:35:01       11       118.114.1.139                TCP(Dropped if >= 50)
2018-05-25 19:50:01       87       180.76.101.70                404
2018-05-25 22:01:01       38       180.76.232.106             404
2018-05-26 04:28:01       85       180.76.245.155             301
2018-05-26 04:28:01       83       180.76.245.155             404
2018-05-26 05:15:01       15       95.24.156.48                TCP(Dropped if >= 50)
2018-05-26 05:47:01       81       118.24.134.86                301
2018-05-26 05:47:01       61       118.24.134.86                404

#  非HTTPS访问的access_log_BBB日志记录：
设置了wp-login.php保护，即便如此，一个多小时攻击了8000多次，大量的302转向还是导致CPU占用一直50%以上。
因为记录不在access_log日志里，所以没有抓住该IP并封掉。

54.36.168.175 - - [26/May/2018:06:05:17 +0800] "POST /wp-login.php HTTP/1.0" 302 3424 "-" "-"
54.36.168.175 - - [26/May/2018:06:05:18 +0800] "POST /wp-login.php HTTP/1.0" 302 3424 "-" "-"
54.36.168.175 - - [26/May/2018:06:05:19 +0800] "POST /wp-login.php HTTP/1.0" 302 3424 "-" "-"
54.36.168.175 - - [26/May/2018:06:05:19 +0800] "POST /wp-login.php HTTP/1.0" 302 3424 "-" "-"
54.36.168.175 - - [26/May/2018:06:05:20 +0800] "POST /wp-login.php HTTP/1.0" 302 3424 "-" "-"
54.36.168.175 - - [26/May/2018:06:05:20 +0800] "POST /wp-login.php HTTP/1.0" 302 3424 "-" "-"
54.36.168.175 - - [26/May/2018:06:05:21 +0800] "POST /wp-login.php HTTP/1.0" 302 3424 "-" "-"
54.36.168.175 - - [26/May/2018:06:05:22 +0800] "POST /wp-login.php HTTP/1.0" 302 3424 "-" "-"
54.36.168.175 - - [26/May/2018:06:05:22 +0800] "POST /wp-login.php HTTP/1.0" 302 3424 "-" "-"
54.36.168.175 - - [26/May/2018:06:05:23 +0800] "POST /wp-login.php HTTP/1.0" 302 3424 "-" "-"
54.36.168.175 - - [26/May/2018:06:05:23 +0800] "POST /wp-login.php HTTP/1.0" 302 3424 "-" "-"
54.36.168.175 - - [26/May/2018:06:05:24 +0800] "POST /wp-login.php HTTP/1.0" 302 3424 "-" "-"
54.36.168.175 - - [26/May/2018:06:05:24 +0800] "POST /wp-login.php HTTP/1.0" 302 3424 "-" "-"
54.36.168.175 - - [26/May/2018:06:05:25 +0800] "POST /wp-login.php HTTP/1.0" 302 3424 "-" "-"
54.36.168.175 - - [26/May/2018:06:05:26 +0800] "POST /wp-login.php HTTP/1.0" 302 3424 "-" "-"
54.36.168.175 - - [26/May/2018:06:05:26 +0800] "POST /wp-login.php HTTP/1.0" 302 3424 "-" "-"
54.36.168.175 - - [26/May/2018:06:05:27 +0800] "POST /wp-login.php HTTP/1.0" 302 3424 "-" "-"
54.36.168.175 - - [26/May/2018:06:05:27 +0800] "POST /wp-login.php HTTP/1.0" 302 3424 "-" "-"
54.36.168.175 - - [26/May/2018:06:05:28 +0800] "POST /wp-login.php HTTP/1.0" 302 3424 "-" "-"
54.36.168.175 - - [26/May/2018:06:05:28 +0800] "POST /wp-login.php HTTP/1.0" 302 3424 "-" "-"
54.36.168.175 - - [26/May/2018:06:05:29 +0800] "POST /wp-login.php HTTP/1.0" 302 3424 "-" "-"
54.36.168.175 - - [26/May/2018:06:05:30 +0800] "POST /wp-login.php HTTP/1.0" 302 3424 "-" "-"
54.36.168.175 - - [26/May/2018:06:05:30 +0800] "POST /wp-login.php HTTP/1.0" 302 3424 "-" "-"
54.36.168.175 - - [26/May/2018:06:05:31 +0800] "POST /wp-login.php HTTP/1.0" 302 3424 "-" "-"
54.36.168.175 - - [26/May/2018:06:05:31 +0800] "POST /wp-login.php HTTP/1.0" 302 3424 "-" "-"
54.36.168.175 - - [26/May/2018:06:05:32 +0800] "POST /wp-login.php HTTP/1.0" 302 3424 "-" "-"
54.36.168.175 - - [26/May/2018:06:05:32 +0800] "POST /wp-login.php HTTP/1.0" 302 3424 "-" "-"
54.36.168.175 - - [26/May/2018:06:05:33 +0800] "POST /wp-login.php HTTP/1.0" 302 3424 "-" "-"
54.36.168.175 - - [26/May/2018:06:05:34 +0800] "POST /wp-login.php HTTP/1.0" 302 3424 "-" "-"
54.36.168.175 - - [26/May/2018:06:05:34 +0800] "POST /wp-login.php HTTP/1.0" 302 3424 "-" "-"
54.36.168.175 - - [26/May/2018:06:05:35 +0800] "POST /wp-login.php HTTP/1.0" 302 3424 "-" "-"
54.36.168.175 - - [26/May/2018:06:05:35 +0800] "POST /wp-login.php HTTP/1.0" 302 3424 "-" "-"
54.36.168.175 - - [26/May/2018:06:05:36 +0800] "POST /wp-login.php HTTP/1.0" 302 3424 "-" "-"
54.36.168.175 - - [26/May/2018:06:05:37 +0800] "POST /wp-login.php HTTP/1.0" 302 3424 "-" "-"
54.36.168.175 - - [26/May/2018:06:05:37 +0800] "POST /wp-login.php HTTP/1.0" 302 3424 "-" "-"
54.36.168.175 - - [26/May/2018:06:05:38 +0800] "POST /wp-login.php HTTP/1.0" 302 3424 "-" "-"
54.36.168.175 - - [26/May/2018:06:05:38 +0800] "POST /wp-login.php HTTP/1.0" 302 3424 "-" "-"
54.36.168.175 - - [26/May/2018:06:05:39 +0800] "POST /wp-login.php HTTP/1.0" 302 3424 "-" "-"
54.36.168.175 - - [26/May/2018:06:05:40 +0800] "POST /wp-login.php HTTP/1.0" 302 3424 "-" "-"
54.36.168.175 - - [26/May/2018:06:05:40 +0800] "POST /wp-login.php HTTP/1.0" 302 3424 "-" "-"
54.36.168.175 - - [26/May/2018:06:05:41 +0800] "POST /wp-login.php HTTP/1.0" 302 3424 "-" "-"
54.36.168.175 - - [26/May/2018:06:05:41 +0800] "POST /wp-login.php HTTP/1.0" 302 3424 "-" "-"
54.36.168.175 - - [26/May/2018:06:05:42 +0800] "POST /wp-login.php HTTP/1.0" 302 3424 "-" "-"
54.36.168.175 - - [26/May/2018:06:05:42 +0800] "POST /wp-login.php HTTP/1.0" 302 3424 "-" "-"
54.36.168.175 - - [26/May/2018:06:05:43 +0800] "POST /wp-login.php HTTP/1.0" 302 3424 "-" "-"
54.36.168.175 - - [26/May/2018:06:05:44 +0800] "POST /wp-login.php HTTP/1.0" 302 3424 "-" "-"
54.36.168.175 - - [26/May/2018:06:05:44 +0800] "POST /wp-login.php HTTP/1.0" 302 3424 "-" "-"
54.36.168.175 - - [26/May/2018:06:05:45 +0800] "POST /wp-login.php HTTP/1.0" 302 3424 "-" "-"
……
……

[ 本帖最后由 ifrederick 于 2018-5-26 09:44 编辑 ]

licess · 发表于 2018-5-26 11:08:07

自己通过日志分析的话太累，nginx上的话开启lua后有很多waf可以选择，apache上的话暂时还没了解

		自动登录	找回密码
密码			注册

LAMP/Apache下access_log统计访客日志不完全有遗漏（防DDoS用）

回复 2# 的帖子

回复 3# 的帖子