I have been seeing my nginx error log filled with messages like these:
(*date*) [info] 69487#0: *1064573 peer closed connection in SSL handshake while SSL handshaking, client: 95.64.*.*, server: 0.0.0.0:443
(*date*) [info] 69487#0: *1064574 peer closed connection in SSL handshake (104: Connection reset by peer) while SSL handshaking, client: 95.162.*.*, server: 0.0.0.0:443
(*date*) [info] 69487#0: *1064572 peer closed connection in SSL handshake while SSL handshaking, client: 5.112.*.*, server: 0.0.0.0:443
(*date*) [info] 69487#0: *1064576 peer closed connection in SSL handshake (104: Connection reset by peer) while SSL handshaking, client: 188.211.*.*, server: 0.0.0.0:443
(*date*) [info] 69487#0: *1064578 peer closed connection in SSL handshake while SSL handshaking, client: 185.120.*.*, server: 0.0.0.0:443
(*date*) [info] 69487#0: *1064577 peer closed connection in SSL handshake while SSL handshaking, client: 5.126.*.*, server: 0.0.0.0:443
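Note: I have anonymized the dates and IPs.
The server log contains many similar log lines. I created a fail2ban rule to filter them, and after one day it had blacklisted more than 6000 IPs. A quick look at some of those blacklisted entries shows that nearly all of them come from Iran, but they do not appear in https://www.abuseipdb.com.
Is this an attack? Or could I have misconfigured my nginx server? If it is an attack, what type of attack is it? If the IP addresses are malicious, I need to know that in order to report them.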
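
Added example, not part of the original post: a Python script for triaging log lines of the kind quoted above. It counts handshake aborts per client and per /16 and separates plain closes from resets (errno 104), which shows whether the events come from a few repeating sources or from many addresses seen once each. The sample lines, the `summarize` function and the `burst_threshold` value are assumptions made for illustration.

```python
import re
from collections import Counter

# Matches the nginx error-log message quoted in the post, with a full IPv4
# address in place of the masked "95.64.*.*" form.
LINE_RE = re.compile(
    r"peer closed connection in SSL handshake"
    r"(?: \((?P<errno>\d+): (?P<reason>[^)]*)\))?"
    r" while SSL handshaking, client: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}),"
)

# Constructed sample input (documentation address ranges), not data from the post.
SAMPLE_LOG = """\
2024/01/01 10:00:01 [info] 69487#0: *1 peer closed connection in SSL handshake while SSL handshaking, client: 192.0.2.10, server: 0.0.0.0:443
2024/01/01 10:00:02 [info] 69487#0: *2 peer closed connection in SSL handshake (104: Connection reset by peer) while SSL handshaking, client: 192.0.2.10, server: 0.0.0.0:443
2024/01/01 10:00:03 [info] 69487#0: *3 peer closed connection in SSL handshake while SSL handshaking, client: 192.0.2.10, server: 0.0.0.0:443
2024/01/01 10:00:04 [info] 69487#0: *4 peer closed connection in SSL handshake (104: Connection reset by peer) while SSL handshaking, client: 198.51.100.7, server: 0.0.0.0:443
2024/01/01 10:00:05 [info] 69487#0: *5 peer closed connection in SSL handshake while SSL handshaking, client: 198.51.100.8, server: 0.0.0.0:443
2024/01/01 10:00:06 [error] 69487#0: *6 open() "/var/www/favicon.ico" failed (2: No such file or directory), client: 203.0.113.9, server: example.test
2024/01/01 10:00:07 [info] 69487#0: *7 peer closed connection in SSL handshake while SSL handshaking, client: 203.0.113.5, server: 0.0.0.0:443
"""

def summarize(log_text, burst_threshold=3):
    """Aggregate handshake-abort events; burst_threshold is an illustrative cutoff."""
    per_ip, per_net = Counter(), Counter()
    events = resets = 0
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated log line
        events += 1
        ip = m.group("ip")
        per_ip[ip] += 1
        # Group by /16 to see whether sources cluster in a few networks.
        per_net[".".join(ip.split(".")[:2]) + ".0.0/16"] += 1
        if m.group("errno") == "104":
            resets += 1  # TCP reset rather than an orderly close
    return {
        "events": events,
        "distinct_ips": len(per_ip),
        "resets": resets,
        "repeat_sources": sorted(ip for ip, n in per_ip.items() if n >= burst_threshold),
        "top_networks": per_net.most_common(3),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```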