{"id":40,"date":"2012-07-13T07:26:20","date_gmt":"2014-07-13T04:26:20","guid":{"rendered":"https:\/\/furkansandal.com\/?p=40"},"modified":"2014-07-13T07:26:20","modified_gmt":"2014-07-13T04:26:20","slug":"botnet-saldirisindan-nasil-korunulur","status":"publish","type":"post","link":"https:\/\/furkansandal.com\/botnet-saldirisindan-nasil-korunulur\/","title":{"rendered":"How to Protect Against a Botnet Attack"},"content":{"rendered":"

A botnet attack is the hardest type of attack to deal with. Computers that have been infected with the botnet's trojan all request your site at the same time, in an attempt to bring the server down. Most of the time the owners of the participating machines (called zombies) have no idea that their infected computers are taking part. For example, if a chat server has infected thousands of its visitors with a trojan, those zombie machines can easily be directed at any target just by issuing the appropriate commands.<\/p>\n

To the server, a botnet attack looks like a surge of users: an individual request from a zombie is indistinguishable from one made by a normal visitor. What hurts is the volume: a large number of machines, each requesting again and again, exhausts the server's capacity and the site becomes unreachable.<\/p>\n

Seohocasi.com received its first botnet attack on 1–2 December. With no prior experience of this, the site stayed down for 2 days, and because Google's crawlers could not reach it either, the site was dropped from the search engines for 3 days. The day after the attack was mitigated it began to appear in search results again. The longer and more frequent the attacks, the harder it becomes for search engines to make up for the outage, so a prolonged attack can cost you ranking losses that are never recovered.<\/p>\n

First of all, there are 2 important factors to consider when choosing a server.<\/p>\n

1. LiteSpeed: LiteSpeed is not a plugin but a web server that replaces Apache; it reads Apache's configuration and .htaccess files, and its event-driven design handles a large number of simultaneous connections far more efficiently than Apache's default process-per-connection model. If you buy hosting on a server that runs LiteSpeed, the chance of the server locking up under a flood of requests is much lower.<\/p>\n

2. Firewall: A firewall filters traffic before it reaches the web server, so connections from blocked addresses and networks are dropped without ever costing Apache a worker. As a customer it is hard to know whether a given server runs one, so the second thing to ask before buying is whether the server is protected by a firewall. Note that a firewall on the server itself can only drop traffic that has already reached the machine; an attack large enough to saturate the network link has to be absorbed upstream, in the hosting provider's network.<\/p>\n

Ways to prevent botnet attacks, that is, the DDoS (distributed denial of service) traffic a botnet generates:<\/p>\n

1. Diverting the target: Botnet attacks are usually aimed at the index file in the site's root directory, because that gives the most effective attack: every hit runs PHP and database queries. So index.php (especially on WordPress sites) has to stop being the target. We do this by having the site serve an index file with a different extension. Copy the complete source code of the site's homepage into a new file named index.html and upload it to the server root. Once that is done, the attack keeps hitting index.php while the homepage is served from index.html. Because HTML is a static page that needs no PHP or database work, you will see the site open faster even though the attack continues. This relies on the web server's DirectoryIndex listing index.html before index.php, which is the usual default on cPanel hosts; check it if the homepage still opens from index.php. Bots that request / rather than /index.php also receive the cheap static file, which still lightens the load.<\/p>\n

If, after creating index.html, you also rename index.php, you will get errors saying that the subpages cannot be reached. That is because every other page of the site is produced by queries that go through index.php. So the homepage runs from index.html while the subpages continue to open through index.php.<\/p>\n

In a botnet attack you can never predict when the attack will end. Keeping the homepage as static HTML is hard to maintain, because you would have to update the file by hand every time the site changes, so sooner or later you have to go back to the dynamic structure. Using index.html is therefore only a temporary solution. It should be the first thing you do, so that search engines and their crawlers can keep reaching the site. After that you need more permanent solutions, and for those you should apply the tactics below.<\/p>\n

2. IP and browser blocking: What distinguishes the zombie machines taking part in a botnet attack from normal users is that they request the site tens or hundreds of times. Where a normal visitor opens the site at most 3–5 times a day, a zombie can request it dozens of times a minute. So you need to identify the IPs and browsers (User-Agent strings) that generate this heavy traffic and block them with .htaccess.<\/p>\n

2.a. Detecting heavy IP and browser traffic: After logging into your site's cPanel, click the Raw Access Logs link. From there we can list the IPs and browsers that have recently visited the site. The file grows with the number of visitors and with the size of the botnet attack. Once you have downloaded the file, at roughly 15–20 MB, open it in any text editor. A file that size can be too much for Notepad, so I recommend Notepad2.<\/p>\n

[image: excerpts of the raw access log from the attack days]<\/p>\n

The list above shows the IPs of the visitors, or zombies, that hit the site on the attack days. Looking at it, you can see that some IPs make a very large number of requests. Of course the image is only a cross-section; the report I received contained a list of roughly 2 million IPs, and that was for a 2-day report. I recommend always going through this report starting from the end, where the newest entries are.<\/p>\n

As the image shows, the address 111.160.70.130 repeats several times, but alongside it an address such as 111.160.70.226 repeats as well. When you write the restriction, if you match on all 4 octets you block only 1 zombie; if you block on the first octet alone you block the millions of addresses that begin with 111. Of course normal visitors in that range are affected too, but for a while you have to accept cutting off some of those visitors. A middle ground is the /24, the first three octets (111.160.70.0/24), which covers both zombies seen here while cutting off far fewer legitimate users than a whole /8. Like this, I found the repeating IPs and blocked their first octets. After that you still need to find out whether the load continues. To do that I renamed index.html to index1.html. The site then runs from index.php again, and if it is slow to open, requests are still coming in from other IPs. You can find and block those too. Beyond that, blocking requests whose User-Agent contains MSIE 6.0; Windows NT 5.1 will also bring great relief, with the caveat that the User-Agent is set by the client and is trivially spoofed, so a User-Agent block only stops bots that do not bother to change it.<\/p>\n

2.b. Blocking heavy IP and browser traffic: Once you have identified the IPs and browsers making heavy requests, add the following lines to your .htaccess file to block them.<\/p>\n

Blocking IP access with .htaccess<\/p>\n

# Apache 2.2 access control (also accepted by Apache 2.4 through mod_access_compat); deny from takes a CIDR range or a partial address such as 111.160, not *.*.* wildcards
\norder allow,deny
\ndeny from 111.0.0.0/8
\ndeny from 95.0.0.0/8
\nallow from all
\n# Apache 2.4 native equivalent: <RequireAll> Require all granted / Require not ip 111.0.0.0/8 95.0.0.0/8 <\/RequireAll><\/p>\n

Blocking browser access with .htaccess<\/p>\n

RewriteEngine On
\n# refuse (403) any request whose User-Agent carries the string seen on the attacking zombies; a RewriteCond only takes effect through the RewriteRule that follows it
\nRewriteCond %{HTTP_USER_AGENT} \"MSIE 6\\.0; Windows NT 5\\.1\" [NC]
\nRewriteRule ^ - [F,L]<\/p>\n
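The detection in 2.a and the blocking in 2.b, as an added example that is not part of the original post: a Python script that reads Apache combined-format log lines (the format cPanel's Raw Access Logs use), finds the addresses whose per-minute request count exceeds a limit, summarises the User-Agents those addresses send, and prints the .htaccess deny lines at /24 granularity. The log lines inside it are constructed for the example (the 111.160.70.x addresses are the ones quoted in the post, the rest are made up), and the per-minute limit of 3 is chosen to suit that tiny sample; on a real log a value in the tens is more realistic.

```python
# Added example, not code from the original post. Scans Apache combined-format
# access log lines for addresses that hammer the site, summarises the
# User-Agents they send, and emits .htaccess deny lines at /24 granularity.
# The log lines below are constructed for the example; apart from the
# 111.160.70.x pair quoted in the post, the addresses are made up.
from collections import Counter
from ipaddress import ip_network

SAMPLE_LOG = '''
111.160.70.130 - - [01/Dec/2013:10:15:02 +0200] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
111.160.70.130 - - [01/Dec/2013:10:15:03 +0200] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
111.160.70.130 - - [01/Dec/2013:10:15:05 +0200] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
111.160.70.130 - - [01/Dec/2013:10:15:07 +0200] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
111.160.70.226 - - [01/Dec/2013:10:15:02 +0200] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
111.160.70.226 - - [01/Dec/2013:10:15:04 +0200] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
111.160.70.226 - - [01/Dec/2013:10:15:06 +0200] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
111.160.70.226 - - [01/Dec/2013:10:15:08 +0200] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
95.24.18.77 - - [01/Dec/2013:10:16:01 +0200] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
95.24.18.77 - - [01/Dec/2013:10:16:02 +0200] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
95.24.18.77 - - [01/Dec/2013:10:16:03 +0200] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
95.24.18.77 - - [01/Dec/2013:10:16:04 +0200] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.5 - - [01/Dec/2013:10:15:10 +0200] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 6.1; rv:25.0) Gecko/20100101 Firefox/25.0"
203.0.113.5 - - [01/Dec/2013:10:15:41 +0200] "GET /about HTTP/1.1" 200 3810 "http://seohocasi.com/" "Mozilla/5.0 (Windows NT 6.1; rv:25.0) Gecko/20100101 Firefox/25.0"
66.249.66.1 - - [01/Dec/2013:10:15:55 +0200] "GET /robots.txt HTTP/1.1" 200 62 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
'''


def parse_line(line):
    '''Split one combined-format line into the fields we need.
    Format: ip ident user [time] "request" status size "referer" "user-agent"'''
    head, _, rest = line.partition(' [')
    timestamp, _, rest = rest.partition('] ')
    quoted = rest.split('"')          # request is quoted[1], user-agent is quoted[5]
    request = quoted[1].split()
    return {
        'ip': head.split()[0],
        'minute': timestamp[:17],     # dd/Mon/yyyy:HH:MM, the bucket we count in
        'path': request[1] if len(request) > 1 else quoted[1],
        'status': quoted[2].split()[0],
        'ua': quoted[5],
    }


def sample_records():
    return [parse_line(l) for l in SAMPLE_LOG.strip().splitlines()]


def find_offenders(records, per_minute_limit):
    '''Return {ip: peak requests in any one minute} for IPs above the limit.
    A normal visitor makes a handful of requests a day; a zombie makes
    dozens a minute, so the per-minute peak is the discriminating signal.'''
    per_minute = Counter((r['ip'], r['minute']) for r in records)
    peak = {}
    for (ip, _), n in per_minute.items():
        peak[ip] = max(peak.get(ip, 0), n)
    return {ip: n for ip, n in peak.items() if n > per_minute_limit}


def user_agent_summary(records, offenders):
    '''Count the User-Agents sent by the offending IPs only, so a genuine
    crawler that happens to be in the log is not swept up with them.'''
    return Counter(r['ua'] for r in records if r['ip'] in offenders)


def deny_networks(offenders, prefix_len=24):
    '''Collapse the offending addresses into /24 networks: wide enough to
    catch the neighbouring zombies, far narrower than a whole first octet.'''
    nets = {str(ip_network(ip + '/' + str(prefix_len), strict=False)) for ip in offenders}
    return sorted(nets)


def htaccess_lines(networks):
    '''Apache 2.2-style access block (accepted by 2.4 via mod_access_compat).'''
    return ['order allow,deny'] + ['deny from ' + n for n in networks] + ['allow from all']


if __name__ == '__main__':
    recs = sample_records()
    bad = find_offenders(recs, per_minute_limit=3)
    for ip, n in sorted(bad.items(), key=lambda kv: -kv[1]):
        print(ip, 'peak', n, 'requests/minute')
    for ua, n in user_agent_summary(recs, bad).most_common(3):
        print(n, ua)
    for line in htaccess_lines(deny_networks(bad)):
        print(line)
```

Run it as-is to see the output on the sample, or replace SAMPLE_LOG with the contents of the downloaded raw access log. Before adding a network to the deny list, check that none of its addresses belong to a search engine crawler (reverse DNS on the address, not the User-Agent, which is spoofable), since blocking Googlebot repeats exactly the ranking damage described at the start of the post.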

Extra .htaccess hardening<\/p>\n

# deny direct access to the .htaccess file itself
\n<files .htaccess>
\norder allow,deny
\ndeny from all
\n<\/files><\/p>\n

# remove the server version footer from error pages
\nServerSignature Off<\/p>\n

# cap the request body (uploads) at 10240000 bytes, roughly 10 MB
\nLimitRequestBody 10240000<\/p>\n

# deny direct HTTP access to wp-config.php (PHP still reads it through include, which does not go through Apache)
\n<files wp-config.php>
\norder allow,deny
\ndeny from all
\n<\/files><\/p>\n

# deny direct HTTP access to wp-load.php; WordPress itself includes it, but some plugins request it over HTTP, so test the site after enabling this
\n<files wp-load.php>
\norder allow,deny
\ndeny from all
\n<\/files><\/p>\n

# disable directory listing (mixing the absolute All with a relative -Indexes in one Options directive is invalid syntax in Apache 2.4)
\nOptions -Indexes<\/p>\n

# refuse known site-copier and download-manager User-Agents; these tools identify themselves honestly, while a DDoS bot usually sends a browser's User-Agent
\nRewriteEngine On
\nRewriteCond %{HTTP_USER_AGENT} ^BlackWidow [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^Bot\\ mailto:craftbot@yahoo.com [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^ChinaClaw [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^Custo [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^DISCo [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^Download\\ Demon [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^eCatch [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^EirGrabber [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^EmailSiphon [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^EmailWolf [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^Express\\ WebPictures [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^ExtractorPro [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^EyeNetIE [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^FlashGet [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^GetRight [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^GetWeb! [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^Go!Zilla [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^Go-Ahead-Got-It [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^GrabNet [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^Grafula [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^HMView [OR]
\nRewriteCond %{HTTP_USER_AGENT} HTTrack [NC,OR]
\nRewriteCond %{HTTP_USER_AGENT} ^Image\\ Stripper [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^Image\\ Sucker [OR]
\nRewriteCond %{HTTP_USER_AGENT} Indy\\ Library [NC,OR]
\nRewriteCond %{HTTP_USER_AGENT} ^InterGET [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^Internet\\ Ninja [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^JetCar [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^JOC\\ Web\\ Spider [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^larbin [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^LeechFTP [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^Mass\\ Downloader [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^MIDown\\ tool [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^Mister\\ PiX [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^Navroad [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^NearSite [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^NetAnts [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^NetSpider [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^Net\\ Vampire [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^NetZIP [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^Octopus [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^Offline\\ Explorer [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^Offline\\ Navigator [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^PageGrabber [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^Papa\\ Foto [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^pavuk [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^pcBrowser [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^RealDownload [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^ReGet [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^SiteSnagger [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^SmartDownload [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^SuperBot [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^SuperHTTP [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^Surfbot [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^tAkeOut [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^Teleport\\ Pro [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^VoidEYE [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^Web\\ Image\\ Collector [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^Web\\ Sucker [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^WebAuto [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^WebCopier [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^WebFetch [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^WebGo\\ IS [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^WebLeacher [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^WebReaper [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^WebSauger [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^Website\\ eXtractor [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^Website\\ Quester [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^WebStripper [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^WebWhacker [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^WebZIP [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^Widow [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^WWWOFFLE [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^Xaldon\\ WebSpider [OR]
\nRewriteCond %{HTTP_USER_AGENT} ^Zeus
\n# the conditions above are OR-ed together; this rule turns any match into a 403
\nRewriteRule ^ - [F,L]<\/p>\n

This way we have reduced the impact of botnet attacks by a good margin. Keep in mind that every rule above runs inside the web server: a blocked request is refused cheaply before PHP and the database are involved, but it still costs Apache a connection, and User-Agent rules only stop clients that do not change their User-Agent. Traffic that saturates the server's bandwidth cannot be filtered in .htaccess at all and has to be dropped upstream by the hosting provider.<\/p>\n","protected":false},"excerpt":{"rendered":"

A botnet attack is the hardest type of attack to deal with. Computers that have been infected with the botnet's trojan all request your site at the same time,…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_mi_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","footnotes":""},"categories":[6,9,7,4],"tags":[],"aioseo_notices":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p6BM7I-E","amp_enabled":true,"_links":{"self":[{"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/posts\/40"}],"collection":[{"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/comments?post=40"}],"version-history":[{"count":0,"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/posts\/40\/revisions"}],"wp:attachment":[{"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/media?parent=40"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/categories?post=40"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/tags?post=40"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}