最近网站被疯狂CC（HTTP 洪水攻击），而很不幸的是源站 IP 也被暴露了。在已经使用 Cloudflare 防护的情况下，攻击者绕过 Cloudflare 直接打源站 IP 的 443 端口，导致 VPS 资源被耗尽。
解决方案是配置 UFW 防火墙，80/443 端口只放行 Cloudflare 公布的回源 IP 段，其余来源一律禁止（前提是 UFW 的入站默认策略为 deny，并且已经 `ufw enable`）。需要注意：IP 白名单只能挡住直连源站的流量，攻击者仍然可以把自己的 Cloudflare 站点指向你的源站 IP、借 Cloudflare 中转攻击，所以最好再配合 Authenticated Origin Pulls（mTLS）校验回源请求；既然源站 IP 已经泄露，有条件的话也应顺手更换 IP。
使用下面的脚本可以方便地将 Cloudflare 的 IP 段加入 VPS 防火墙白名单。脚本只负责添加放行规则，不会自动启用 UFW；启用前务必先放行自己的 SSH 端口，否则会把自己锁在外面。另外 Cloudflare 的 IP 段会不定期变动，建议定期（例如用 cron）重新执行一次。
github下载地址:https://raw.githubusercontent.com/okoklai/studes/master/cfip.sh
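#!/usr/bin/env bash
#
# cfip.sh - allowlist Cloudflare's published edge IP ranges in UFW so that
# only Cloudflare can reach this origin's web ports.
#
# Usage:   sudo ./cfip.sh
# Env:     CF_PORTS  space-separated TCP ports to open (default: "80 443")
#
# What it does: downloads https://www.cloudflare.com/ips-v4 and .../ips-v6,
# checks that every line looks like a CIDR, and adds
# `ufw allow from <cidr> to any port <p> proto tcp` for each port in CF_PORTS.
# Rules are tagged with the comment "cloudflare" (ufw >= 0.35) so stale
# ranges can be found later with `ufw status numbered`.
#
# What it does NOT do: it never changes the default policy and never runs
# `ufw enable`. The allowlist only blocks direct-to-origin traffic once UFW
# is active with `default deny incoming` (the package default) - allow your
# SSH port first or you will lock yourself out. Cloudflare updates its ranges
# from time to time, so re-run this periodically; ufw skips rules that
# already exist, so repeated runs do not duplicate them.
#
# Caveat: an IP allowlist does not stop traffic relayed through someone
# else's Cloudflare zone pointed at this IP; pair it with Cloudflare's
# Authenticated Origin Pulls (mTLS) if that matters to you.
set -euo pipefail

readonly CF_IPV4_URL='https://www.cloudflare.com/ips-v4'
readonly CF_IPV6_URL='https://www.cloudflare.com/ips-v6'
readonly RULE_COMMENT='cloudflare'

# Print an error to stderr and abort.
die() {
  printf 'cfip: %s\n' "$*" >&2
  exit 1
}

#######################################
# Loose sanity check that a line looks like an IPv4 or IPv6 CIDR, so an HTML
# error page or captive-portal response can never be fed to `ufw allow`.
# Arguments: $1 - candidate string
# Returns:   0 if it looks like a CIDR, 1 otherwise
#######################################
is_cidr() {
  local candidate=$1
  local v4='^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$'
  local v6='^[0-9A-Fa-f:]+/[0-9]{1,3}$'
  [[ "$candidate" =~ $v4 ]] && return 0
  [[ "$candidate" =~ $v6 ]] && return 0
  return 1
}

#######################################
# Download one of Cloudflare's IP list files and print it to stdout.
# Arguments: $1 - URL
# Outputs:   the list body on stdout
# Returns:   dies on network/HTTP failure or an empty body
#######################################
fetch_list() {
  local url=$1 body
  # -f turns HTTP errors into a non-zero exit so an error page is never
  # treated as data; --proto '=https' refuses anything but HTTPS.
  body=$(curl -fsS --proto '=https' --retry 3 --max-time 30 "$url") ||
    die "could not download $url"
  [[ -n "$body" ]] || die "empty response from $url"
  printf '%s\n' "$body"
}

#######################################
# Add allow rules for one CIDR on each given port.
# Globals:   RULE_COMMENT (read)
# Arguments: $1 - CIDR; $2... - TCP ports
#######################################
allow_cidr() {
  local cidr=$1 port
  shift
  for port in "$@"; do
    # Cloudflare reaches the origin over TCP only; without `proto tcp` ufw
    # would open UDP on these ports as well.
    ufw allow from "$cidr" to any port "$port" proto tcp comment "$RULE_COMMENT"
  done
}

#######################################
# Entry point: validate environment, fetch both lists, add the rules.
# Globals:   CF_IPV4_URL, CF_IPV6_URL (read), CF_PORTS (read, optional)
# Returns:   0 on success; exits 1 on any failure
#######################################
main() {
  # `!` must be a separate word: `!command` is looked up as a command name,
  # which made the original check a no-op.
  if ! command -v ufw >/dev/null 2>&1; then
    echo "UFW not found! please install it from your package manager!"
    echo "For RHEL/CentOS/Fedora, use yum install ufw."
    echo "For Ubuntu/Debian/Proxmox VE, use apt install ufw."
    echo "Don't forgot to allow your ssh port before enable UFW!"
    echo "When you finished it, just use command ufw enable to enable it!"
    exit 1
  fi
  # ufw refuses to run unprivileged; fail early with a clear message.
  (( EUID == 0 )) || die "run as root (ufw needs it)"

  local -a ports
  read -r -a ports <<<"${CF_PORTS:-80 443}"
  (( ${#ports[@]} > 0 )) || die "CF_PORTS is empty"
  local port
  for port in "${ports[@]}"; do
    [[ "$port" =~ ^[0-9]+$ ]] || die "invalid port in CF_PORTS: $port"
  done

  local url body line total=0
  local -a lines
  for url in "$CF_IPV4_URL" "$CF_IPV6_URL"; do
    # Fetch into a variable first: a failure inside `< <(...)` would only
    # end the loop quietly and leave the allowlist silently incomplete.
    body=$(fetch_list "$url") || exit 1
    mapfile -t lines <<<"$body"
    local added=0
    for line in "${lines[@]}"; do
      line=${line%$'\r'}            # tolerate CRLF line endings
      [[ -n "$line" ]] || continue
      if ! is_cidr "$line"; then
        printf 'cfip: ignoring unexpected line from %s: %q\n' "$url" "$line" >&2
        continue
      fi
      echo "Reading $line from CloudFlare's offical ip list."
      allow_cidr "$line" "${ports[@]}"
      added=$((added + 1))
    done
    # A list that parsed to nothing means the download was not what we
    # expected; refuse to call that a success.
    (( added > 0 )) || die "no valid ranges found in $url"
    total=$((total + added))
  done

  printf 'cfip: %d Cloudflare ranges allowed on TCP port(s) %s.\n' "$total" "${ports[*]}"
  printf 'cfip: rules take effect only while UFW is active with default deny incoming'
  printf ' (allow your SSH port first, then: ufw enable).\n'
}

# Run main only when executed, not when sourced (so helpers can be reused).
if [[ "${BASH_SOURCE[0]:-$0}" == "$0" ]]; then
  main "$@"
fi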