2017-08-01 36 views
0

Hi, I would like to ask for help with an Elastic Beanstalk error:

Environment health has transitioned from Ok to Severe. 81.8% of the requests are failing with HTTP 4xx errors.

I read some posts here and followed the WAF solution: I created an ACL, assigned it to our CloudFront distribution, and then created a rule that blocks all requests whose HTTP method header contains HEAD. When I try to send a HEAD request with Postman it works as I want (I get a 403 error), but unfortunately the error is still there, and every day I see many HEAD requests in the Apache log.

Request list:

[01/Aug/2017:07:42:09 +0000] "HEAD /mysql/dbadmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:11 +0000] "HEAD /mysql/mysqlmanager/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:11 +0000] "HEAD /phpMyadmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:11 +0000] "HEAD /phpmyAdmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:12 +0000] "HEAD /phpmyadmin3/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:13 +0000] "HEAD /2phpmyadmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:13 +0000] "HEAD /phppma/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:14 +0000] "HEAD /shopdb/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:15 +0000] "HEAD /program/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:15 +0000] "HEAD /dbadmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:16 +0000] "HEAD /db/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:16 +0000] "HEAD /mysql/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:17 +0000] "HEAD /db/phpmyadmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:17 +0000] "HEAD /sqlmanager/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:18 +0000] "HEAD /php-myadmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:19 +0000] "HEAD /mysqladmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:19 +0000] "HEAD /admin/phpmyadmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:20 +0000] "HEAD /admin/sysadmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:20 +0000] "HEAD /admin/db/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:21 +0000] "HEAD /admin/pMA/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:22 +0000] "HEAD /mysql/db/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:23 +0000] "HEAD /mysql/pMA/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:24 +0000] "HEAD /sql/php-myadmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:24 +0000] "HEAD /sql/sql/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:25 +0000] "HEAD /sql/webadmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:26 +0000] "HEAD /sql/websql/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:30 +0000] "HEAD /sql/sqladmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:30 +0000] "HEAD /sql/phpmyadmin2/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:31 +0000] "HEAD /sql/phpMyAdmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:38 +0000] "HEAD /db/webadmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:43 +0000] "HEAD /db/websql/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:49 +0000] "HEAD /db/dbadmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:49 +0000] "HEAD /db/phpmyadmin3/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:51 +0000] "HEAD /db/phpMyAdmin-3/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:52 +0000] "HEAD /administrator/phpMyAdmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:52 +0000] "HEAD /administrator/web/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:54 +0000] "HEAD /administrator/PMA/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:54 +0000] "HEAD /phpMyAdmin2/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:55 +0000] "HEAD /phpMyAdmin4/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:55 +0000] "HEAD /php-my-admin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:56 +0000] "HEAD /PMA2012/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:56 +0000] "HEAD /PMA2014/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:57 +0000] "HEAD /PMA2016/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:57 +0000] "HEAD /PMA2018/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:58 +0000] "HEAD /pma2012/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:59 +0000] "HEAD /pma2014/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:43:00 +0000] "HEAD /pma2016/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:43:01 +0000] "HEAD /pma2018/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:43:01 +0000] "HEAD /phpmyadmin2012/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:43:02 +0000] "HEAD /phpmyadmin2014/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:43:02 +0000] "HEAD /phpmyadmin2016/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:43:04 +0000] "HEAD /phpmyadmin2018/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"

Thank you for your help.

Answer

0

I contacted AWS Support directly, and this is the solution they provided me:

I looked at the logs that you posted in the case and found that the agent is Jorgee, which is a common malware agent. I came across a blog post about this agent [1]; though it is not an official one, it gave me some insight into it.

A daemon named "healthd" on Elastic Beanstalk environment instances monitors health by watching special log files. If the agent finds lots of 4xx in this file, the environment goes to the Severe state.

$ sudo tail /var/log/nginx/healthd/application.log.2017-08-21-07
1503299631.249"/asdf"404"0.075"0.075"-
1503299631.379"/asdf"404"0.002"0.002"-

I see you have environments launched with the solution stack "64bit Amazon Linux 2017.03 v2.7.2 running Docker 17.03.1-ce", so I would like to provide a workaround for this issue for this solution stack.

In the solution stack "64bit Amazon Linux 2017.03 v2.7.2 running Docker 17.03.1-ce", the log format above is defined in "/etc/nginx/nginx.conf" and enabled in "/etc/nginx/sites-enabled/elasticbeanstalk-nginx-docker-proxy.conf".

Therefore, you could configure nginx in your environments to ignore requests whose HTTP status is 404 or 403. Please try adding the following config file under the .ebextensions directory of your application source code bundle.

.ebextensions/healthd_ignore_4xx.config

files:
  "/etc/nginx/sites-enabled/elasticbeanstalk-nginx-docker-proxy.conf":
    mode: "000644"
    owner: root
    group: root
    content: |
      # modification No.1: 404 and 403 responses get $logflag = 0, everything else 1
      map $status $logflag {
        404 0;
        403 0;
        default 1;
      }

      map $http_upgrade $connection_upgrade {
        default "upgrade";
        ""      "";
      }

      server {
        listen 80;

        gzip on;
        gzip_comp_level 4;
        gzip_types text/html text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

        if ($time_iso8601 ~ "^(\d{4})-(\d{2})-(\d{2})T(\d{2})") {
          set $year $1;
          set $month $2;
          set $day $3;
          set $hour $4;
        }

        # modification No.2: only write to the healthd log when $logflag is 1
        # access_log /var/log/nginx/healthd/application.log.$year-$month-$day-$hour healthd;
        access_log /var/log/nginx/healthd/application.log.$year-$month-$day-$hour healthd if=$logflag;

        # the regular access log still records every request, including 404/403
        access_log /var/log/nginx/access.log;

        location / {
          proxy_pass http://docker;
          proxy_http_version 1.1;

          proxy_set_header Connection $connection_upgrade;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
      }

This config will replace the default /etc/nginx/sites-enabled/elasticbeanstalk-nginx-docker-proxy.conf file with the content you defined. The modifications I made are:

  • No.1: added a map directive which maps $status to $logflag: when the response status is 404 or 403, $logflag is set to 0; it is set to 1 for any other status.
  • No.2: added if=$logflag to the access_log [2] directive, so nginx writes to the healthd monitoring log only when the HTTP status is not 404 or 403.

After you deploy the new application version with the ebextensions config above, your environment status will no longer be affected by invalid 404 or 403 requests.

References
[1]: http://www.skepticism.us/2015/05/new-malware-user-agent-value-jorgee/
[2]: http://nginx.org/en/docs/stream/ngx_stream_log_module.html#access_log
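As an added example, not part of the question or of AWS Support's reply: a small Python script that parses healthd-style lines (a constructed sample in the double-quote-separated format shown in the tail output above) and reports the status-class mix healthd would see with and without the 404/403 map filter from the answer. It also makes the trade-off visible: the filter hides every 404 and 403, legitimate ones included, while 5xx responses still count toward the health verdict.

```python
"""Added example, not from the question or AWS Support's reply: replays
healthd-style log lines through the 404/403 filter the answer's nginx map
applies, so its effect on the 4xx ratio can be seen before deploying it."""
from collections import Counter

# Constructed sample lines in the healthd format shown in the answer:
# "$msec"$uri"$status"$request_time"$upstream_response_time"$http_x_forwarded_for
HEALTHD_LINES = [
    '1503299631.249"/asdf"404"0.075"0.075"-',
    '1503299631.379"/phpMyAdmin/"404"0.002"0.002"-',
    '1503299632.001"/"200"0.031"0.030"-',
    '1503299632.120"/api/items"200"0.044"0.041"-',
    '1503299632.500"/db/"404"0.001"0.001"-',
    '1503299633.010"/admin/pMA/"404"0.001"0.001"-',
    '1503299633.300"/login"403"0.010"0.009"-',
    '1503299633.900"/api/items/7"200"0.052"0.050"-',
    '1503299634.200"/api/items"500"0.900"0.898"-',
]

# Mirrors the answer's: map $status $logflag { 404 0; 403 0; default 1; }
IGNORED_STATUSES = frozenset({"404", "403"})


def parse_healthd_line(line):
    """Split one healthd line on its double-quote separators into a dict."""
    msec, uri, status, req_time, upstream_time, xff = line.split('"')
    return {"msec": float(msec), "uri": uri, "status": status,
            "request_time": float(req_time),
            "upstream_time": float(upstream_time), "xff": xff}


def logflag(status):
    """nginx's $logflag for a status: 0 = drop from healthd log, 1 = keep."""
    return 0 if status in IGNORED_STATUSES else 1


def status_class_percentages(lines, apply_filter=False):
    """Percent of counted lines per status class (2xx/4xx/5xx), one decimal.
    With apply_filter=True only lines with $logflag == 1 are counted,
    which is what healthd sees after the .ebextensions change."""
    records = [parse_healthd_line(l) for l in lines]
    if apply_filter:
        records = [r for r in records if logflag(r["status"])]
    counts = Counter(r["status"][0] + "xx" for r in records)
    total = len(records)
    return {cls: round(100.0 * n / total, 1) for cls, n in sorted(counts.items())}


if __name__ == "__main__":
    print("as logged today:", status_class_percentages(HEALTHD_LINES))
    print("with map filter:", status_class_percentages(HEALTHD_LINES, True))
```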