The logs you’ve provided indicate several serious issues, including potential security threats and upstream application problems. Let’s break down the issues:
1. Potential Exploit Attempts:
- The requests involving paths like
/vendor/phpunit/phpunit/...andcall_user_func_arrayare known exploit attempts targeting vulnerabilities in PHP frameworks and libraries (like PHPUnit, ThinkPHP). Attackers often scan for such vulnerabilities to execute malicious code. - These requests are clear indicators that your site is being targeted, and you should take steps to secure the environment immediately.
2. Upstream Connection Issues:
The errors
upstream prematurely closed connection while reading response header from upstreamindicate that the server on
192.168.1.30:7777is closing the connection before sending a full response to NGINX. This might be due to:
- The upstream application crashing.
- Misconfiguration of the application.
- Overload or insufficient resources on the upstream server.
Recommendations:
Immediate Security Measures:
Block Suspicious IPs:
Block the suspicious IPs, such as
45.114.124.70, which are trying to exploit vulnerabilities:
sudo ufw deny from 45.114.124.70You may also want to consider setting up rate limiting in NGINX to prevent brute-force or scanning attacks:
http { limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s; server { location / { limit_req zone=one burst=5; } } }
Ensure Sensitive Files and Directories Are Secured:
Make sure directories like
/panel,
/vendor,
/public,
/appsare not publicly accessible. Update your NGINX configuration to deny access:
location ~* /(panel|vendor|public|apps) { deny all; return 403; }
Check for Vulnerable Libraries:
- If you're using PHPUnit or ThinkPHP on this server, make sure they are not exposed in a production environment. PHPUnit should never be installed on a production server. Remove or secure these libraries immediately.
Harden PHP Settings:
If you are running PHP, harden your PHP settings by disabling dangerous functions like
eval(),
exec(),
shell_exec(), etc. Edit your
php.ini:
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
Fixing Upstream Issues:
Check the Application on 192.168.1.30:7777:
Ensure that the application on
192.168.1.30:7777is running properly. Check for any application crashes or errors in the logs of that server.Ensure that the application is listening on the correct port (
7777) and is accepting connections. Test it locally on
192.168.1.30by running:
curl http://localhost:7777If the application is misconfigured or crashing, fix those issues and restart the service.
Increase Proxy Timeout in NGINX:
If the application on
192.168.1.30:7777is slow to respond, you can try increasing the timeout settings in NGINX:
location / { proxy_pass http://192.168.1.30:7777; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_connect_timeout 60s; proxy_send_timeout 60s; proxy_read_timeout 60s; send_timeout 60s; }
Monitor Resource Usage:
Check the resource usage (CPU, memory) on
192.168.1.30. If the server is under heavy load or is running out of memory, the application may crash or be unable to respond in time. Use
topor
htopto monitor the system:
top htop
Final Steps:
Log Monitoring: Keep monitoring the NGINX logs (
/var/log/nginx/error.log) and upstream application logs for any errors or further exploit attempts.SSL Configuration: Make sure your SSL certificates are correctly set up and not expired:
sudo certbot certificatesIf needed, renew them with:
sudo certbot renew
After implementing these changes, restart NGINX to apply the updated configurations:
sudo systemctl restart nginx
Let me know if you need more help with any of these steps!