```
nginx.service - nginx - high performance web server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled)
   Active: active (running) since Mon 2015-08-03 06:07:44 UTC; 2s ago
     Docs: http://nginx.org/en/docs/
  Process: 12642 ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf (code=exited, status=0/SUCCESS)
  Process: 12641 ExecStartPre=/usr/sbin/nginx -t -c /etc/nginx/nginx.conf (code=exited, status=0/SUCCESS)
 Main PID: 12645 (nginx)
   CGroup: /system.slice/nginx.service
           ├─12645 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx....
           └─12646 nginx: worker process

Aug 03 06:07:44 ip-172-31-19-253 systemd[1]: Starting nginx - high performan....
Aug 03 06:07:44 ip-172-31-19-253 nginx[12641]: nginx: the configuration file...k
Aug 03 06:07:44 ip-172-31-19-253 nginx[12641]: nginx: configuration file /et...l
Aug 03 06:07:44 ip-172-31-19-253 systemd[1]: Failed to read PID from file /r...t
Aug 03 06:07:44 ip-172-31-19-253 systemd[1]: Started nginx - high performanc....
Hint: Some lines were ellipsized, use -l to show in full.
```
Editing the Nginx configuration file
```
# vim /etc/nginx/conf.d/default.conf
```
```
server {
    listen 80;
    server_name ec2-xx-xx-xx-xxx.ap-northeast-1.compute.amazonaws.com;
```
```
$ gdb --version
GNU gdb (GDB) 7.9
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-apple-darwin14.1.0".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word".
```
Creating the certificate
Applying the gdb-cert signature to gdb
```
$ codesign -s gdb-cert /usr/local/Cellar/gdb/7.9/bin/gdb
gdb-cert: ambiguous (matches "gdb-cert" and "gdb-cert" in /Library/Keychains/System.keychain)
```
(Boot2Docker architecture diagram: the Docker Server runs inside a Linux VM under VirtualBox; the Docker Client runs alongside VirtualBox on Mac OSX or Windows.)
Installation steps
From the Boot2Docker official site, click the "Mac OSX" button
Install the Boot2Docker package
Run the installer
Run the following in Terminal or a similar shell
Create the Linux VM
```
$ boot2docker init
```
Start the Linux VM
```
$ boot2docker start
Waiting for VM and Docker daemon to start...
...........................ooooooooooooooooo
Started.
Writing /Users/kenzo/.boot2docker/certs/boot2docker-vm/ca.pem
Writing /Users/kenzo/.boot2docker/certs/boot2docker-vm/cert.pem
Writing /Users/kenzo/.boot2docker/certs/boot2docker-vm/key.pem

To connect the Docker client to the Docker daemon, please set:
    export DOCKER_HOST=tcp://192.168.59.103:2376
    export DOCKER_CERT_PATH=/Users/kenzo/.boot2docker/certs/boot2docker-vm
    export DOCKER_TLS_VERIFY=1
```
```
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
```
Allow the local loopback interface
```
iptables -A INPUT -i lo -j ACCEPT
```
Allow ICMP
```
iptables -A INPUT -p icmp -j ACCEPT
```
Drop private IP address ranges
```
iptables -A INPUT -s 10.0.0.0/8 -j DROP
iptables -A INPUT -d 10.0.0.0/8 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -j DROP
iptables -A INPUT -d 172.16.0.0/12 -j DROP
iptables -A INPUT -s 192.168.0.0/16 -j DROP
iptables -A INPUT -d 192.168.0.0/16 -j DROP
```
Drop broadcast addresses
```
iptables -A INPUT -d 0.0.0.0/8 -j DROP
iptables -A INPUT -d 255.255.255.255 -j DROP
```
Countermeasure against fragmented-packet attacks
```
iptables -A INPUT -f -j DROP
```
Block stealth scans
```
iptables -A INPUT -p tcp -m state --state NEW ! --syn -j DROP
```
Set the default chain policies
```
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
```
Check the configuration
```
iptables -L --line-numbers -n
```
Save and apply the configuration
```
service iptables save
service iptables restart
```
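As an added check, not part of the original post: a POSIX shell function that audits a host's INPUT chain (read from the listing that `iptables -S INPUT` prints) for the rules installed above, the DROP policy, and rule order. The sample listing it runs against is constructed here to mimic that output.

```shell
# Added example, not from the original post: audit a host's INPUT chain
# against the rule set built above, reading the listing `iptables -S INPUT`
# prints (on a real host: iptables -S INPUT | check_input_chain).
# Reads stdin, prints one line per finding, returns 0 when the chain is clean.
check_input_chain() {
    listing=$(cat)
    fails=0
    say() { echo "FINDING: $1"; fails=$((fails + 1)); }
    # Default-deny: anything not explicitly accepted must hit the DROP policy.
    printf '%s\n' "$listing" | grep -q '^-P INPUT DROP$' || say "INPUT policy is not DROP"
    # Each rule from the post must be present. Patterns are loose because
    # iptables rewrites rules on listing (RELATED,ESTABLISHED, -m tcp, /32 ...).
    for pat in \
        '(ESTABLISHED,RELATED|RELATED,ESTABLISHED) -j ACCEPT' \
        '-i lo -j ACCEPT' \
        '-s 10\.0\.0\.0/8 -j DROP' \
        '-s 172\.16\.0\.0/12 -j DROP' \
        '-s 192\.168\.0\.0/16 -j DROP' \
        '-d 255\.255\.255\.255(/32)? -j DROP' \
        '-f -j DROP' \
        '-p tcp -m state --state NEW .*-j DROP'
    do
        printf '%s\n' "$listing" | grep -Eq -- "$pat" || say "missing rule: $pat"
    done
    # Rules are evaluated top to bottom: the stateful ACCEPT must precede every
    # DROP, or return traffic of existing sessions is judged by new-connection rules.
    est=$(printf '%s\n' "$listing" | grep -n ESTABLISHED | head -n 1 | cut -d: -f1)
    drop=$(printf '%s\n' "$listing" | grep -n -- '^-A INPUT .*-j DROP' | head -n 1 | cut -d: -f1)
    if [ -n "$est" ] && [ -n "$drop" ] && [ "$est" -gt "$drop" ]; then
        say "stateful ACCEPT (rule line $est) comes after a DROP (rule line $drop)"
    fi
    [ "$fails" -eq 0 ]
}
# CONSTRUCTED sample of what `iptables -S INPUT` shows after applying the post's rules.
GOOD_LISTING='-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT -d 10.0.0.0/8 -j DROP
-A INPUT -s 172.16.0.0/12 -j DROP
-A INPUT -d 172.16.0.0/12 -j DROP
-A INPUT -s 192.168.0.0/16 -j DROP
-A INPUT -d 192.168.0.0/16 -j DROP
-A INPUT -d 0.0.0.0/8 -j DROP
-A INPUT -d 255.255.255.255/32 -j DROP
-A INPUT -f -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP'
printf '%s\n' "$GOOD_LISTING" | check_input_chain && echo "INPUT chain matches the intended rule set"
```

Order also matters when applying the rules: the `-P INPUT DROP` policy is set only after the ESTABLISHED,RELATED ACCEPT exists, since with no such rule the SSH session used to type the commands would itself be dropped.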
Summary
Since putting this configuration in place, I have not suffered any particular damage.
A friend's Sakura VPS was being hit by the same kind of attack, and after I told him about this the damage stopped,
so I believe it is effective to some degree.
## Command summary
```
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -s 10.0.0.0/8 -j DROP
iptables -A INPUT -d 10.0.0.0/8 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -j DROP
iptables -A INPUT -d 172.16.0.0/12 -j DROP
iptables -A INPUT -s 192.168.0.0/16 -j DROP
iptables -A INPUT -d 192.168.0.0/16 -j DROP
iptables -A INPUT -d 0.0.0.0/8 -j DROP
iptables -A INPUT -d 255.255.255.255 -j DROP
iptables -A INPUT -f -j DROP
iptables -A INPUT -p tcp -m state --state NEW ! --syn -j DROP
iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p icmp --icmp-type echo-request -m hashlimit --hashlimit 1/s --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-name input_icmp --hashlimit-htable-expire 300000 -j DROP
```