1. Request rate per IP

# The rules below read and write the IP persistent collection, so it must be
# initialised first (once per request, early). This line is implied by the
# original and added here; SecDataDir must also be set for persistent
# collections. ModSecurity 2.7 and later additionally require an id: action
# on every rule.
SecAction phase:1,nolog,pass,initcol:IP=%{REMOTE_ADDR}
# Touch the record on every request
SecAction phase:1,nolog,pass,setvar:IP.counter=+1
# UPDATE_RATE is a built-in field of every persistent collection: the average
# number of updates per minute since the record was created (so a burst after
# a long idle period is under-counted until the record expires).
# Block addresses that update the record more than 10 times a minute.
SecRule IP:UPDATE_RATE "@gt 10" \
"phase:1,block,msg:'Request rate too high for IP address: %{IP.UPDATE_RATE}'"

Refinement: do not count requests for static resources, otherwise a single page
view with its images, scripts and stylesheets counts as many requests and the
threshold of 10 per minute is reached by normal browsing.

# Only increment the counter if the
# request is for a non-static resource
# (no operator given, so @rx is implied; the leading ! negates the match)
SecRule REQUEST_FILENAME "!\.(jpg|png|gif|js|css|ico)$" \
"phase:1,nolog,pass,setvar:IP.counter=+1"

2. The DURATION variable (ModSecurity 2.6 and later)

DURATION tells a rule how long the current transaction has been running. The
idea is to keep track of how much web-server time is consumed per IP address,
session or user, and to block a source whose accumulated "load" is too high.
The check runs in phase 1 against the value stored by previous requests; the
accounting runs in phase 5, where DURATION covers the whole transaction.

# Block the IP addresses that use too
# much of the web server's time
# (the IP collection must already be initialised with initcol:IP=%{REMOTE_ADDR};
# a collection member is written IP:load as a rule target and IP.load inside
# setvar/deprecatevar)
SecRule IP:load "@gt 10000" \
"phase:1,t:none,block,\
msg:'IP address load too high: %{IP.load}'"
# Keep track of how much web server
# time is consumed by each IP address.
# deprecatevar:VAR=N/S lowers the value by N for every S seconds elapsed since
# the record was last updated, so the load decays when the client backs off.
# The rate 1000/60 is an assumed value; the numbers on this line did not
# survive in the original post.
SecAction "phase:5,nolog,pass,\
setvar:IP.load=+%{DURATION},\
deprecatevar:IP.load=1000/60"
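The two rules above check the stored load in phase 1 and only add DURATION and apply the decay in phase 5, which has consequences that are easy to miss. The following is an added Python model of that accounting run over constructed traffic, not code from the original post or from ModSecurity: the threshold 10000 is the page's, while the decay rate 1000/60, the 5 ms DURATION of a request denied in phase 1, and the two request lists are assumptions.

```python
# Added example (not from the original post): model of the IP.load rules.
THRESHOLD = 10000          # SecRule IP:load "@gt 10000"
DECAY_AMOUNT = 1000        # deprecatevar:IP.load=DECAY_AMOUNT/DECAY_PERIOD (assumed)
DECAY_PERIOD = 60
BLOCKED_COST_MS = 5        # assumed DURATION of a request denied in phase 1


def deprecate(value, last_update, now, amount=DECAY_AMOUNT, period=DECAY_PERIOD):
    """deprecatevar semantics as modelled here: subtract `amount` for every
    whole `period` seconds since the record was last persisted, floor at 0.
    Whole periods only, so a client that updates the record more often than
    once per period never earns any decay."""
    steps = int((now - last_update) // period)
    return max(0, value - steps * amount)


def simulate(requests):
    """requests: (timestamp_s, duration_ms) pairs for ONE client IP, in order.
    Returns a list of (timestamp_s, load_seen_in_phase1, blocked).

    Phase 1 sees the value stored after the previous request. Phase 5 runs
    even for a denied transaction: it adds DURATION, applies the decay and
    persists the record with LAST_UPDATE_TIME = now.
    """
    load, last_update, trace = 0, None, []
    for ts, duration in requests:
        blocked = load > THRESHOLD                     # phase 1 check
        trace.append((ts, load, blocked))
        load += BLOCKED_COST_MS if blocked else duration   # setvar:IP.load=+%{DURATION}
        if last_update is not None:
            load = deprecate(load, last_update, ts)    # deprecatevar:IP.load=1000/60
        last_update = ts
    return trace


# Constructed traffic: a heavy client sending a 600 ms request every 2 s,
# and a light client sending a 600 ms request every 2 minutes.
HEAVY = [(2 * i, 600) for i in range(30)]
LIGHT = [(120 * i, 600) for i in range(30)]


def first_block(requests):
    """Index of the first request denied in phase 1, or None."""
    for i, (_, _, blocked) in enumerate(simulate(requests)):
        if blocked:
            return i
    return None


def backoff_outcome():
    """The heavy client gets blocked, stays silent for 120 s, then sends two
    requests 2 s apart. Returns the blocked flags of those two requests: the
    first is still denied because the decay is only credited in phase 5 of a
    request, after the phase 1 check has already run."""
    last_ts = HEAVY[17][0]
    reqs = HEAVY[:18] + [(last_ts + 120, 600), (last_ts + 122, 600)]
    return [blocked for _, _, blocked in simulate(reqs)[-2:]]
```

Running `first_block(HEAVY)` gives 17 (the stored load passes 10000 after seventeen 600 ms requests) and `first_block(LIGHT)` gives None, since every two-minute gap erases more load than one request adds. The heavy client stays blocked for as long as it keeps hammering: its updates are never a full period apart, so the load never decays, and once it does back off it still eats one more denial before the decay is applied.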

3. Detection based on application behaviour, for example brute-force logins
(password guessing, which can also look like a DoS): a successful login
redirects to index.php and a failed one redirects back to login.php, so the
rate at which one client is sent back to login.php reveals a potential attack.

<Location /login.php>
# Enforce an existing IP address block
# (the IP collection must already be initialised with initcol:IP=%{REMOTE_ADDR})
SecRule IP:bf_block "@eq 1" "phase:2,block,\
msg:'IP address blocked because of suspected brute-force attack'"
# Check for authentication failure: the application answers a failed login
# with a redirect back to login.php. Adjust the pattern if the application
# emits an absolute URL in the Location header.
SecRule RESPONSE_HEADERS:Location ^/login.php \
"phase:5,chain,t:none,nolog,pass,\
msg:'Multiple authentication failures from IP address',\
setvar:IP.bf_counter=+1"
# After more than 25 failures set the block flag, reset the counter and let
# the flag expire. The variable expired must be the one that was set
# (bf_block, not block), otherwise the block never lifts. The lifetime 3600 s
# is an assumed value; the number on this line did not survive in the
# original post.
SecRule IP:bf_counter "@gt 25" "t:none,\
setvar:IP.bf_block,\
setvar:!IP.bf_counter,\
expirevar:IP.bf_block=3600"
</Location>

4. Counting failures per IP and per username

A per-IP counter misses an attacker who spreads guesses over many addresses; a
per-username counter catches that, at the cost that anyone can lock a known
username out by failing on purpose. The two are combined here.

<Location /login.php>
# Enforce an existing IP address block
SecRule IP:bf_block "@eq 1" \
"phase:2,deny,\
msg:'IP address blocked because of suspected brute-force attack'"
# Retrieve the per-username record (phase 2, because the username arrives in
# the request body and ARGS is only complete from phase 2 onwards)
SecAction phase:2,nolog,pass,initcol:USER=%{ARGS.username}
# Enforce an existing username block
SecRule USER:bf_block "@eq 1" \
"phase:2,deny,\
msg:'Username blocked because of suspected brute-force attack'"
# Check for authentication failure and increment counters
SecRule RESPONSE_HEADERS:Location ^/login.php \
"phase:5,t:none,nolog,pass,\
setvar:IP.bf_counter=+1,\
setvar:USER.bf_counter=+1"
# Check for too many failures from a single IP address
# (the block lifetime 3600 s is an assumed value; the numbers in the two
# expirevar lines did not survive in the original post, and the variable
# expired must be the bf_block flag that was set)
SecRule IP:bf_counter "@gt 25" \
"phase:5,pass,t:none,\
setvar:IP.bf_block,\
setvar:!IP.bf_counter,\
expirevar:IP.bf_block=3600"
# Check for too many failures for a single username
SecRule USER:bf_counter "@gt 25" \
"phase:5,t:none,pass,\
setvar:USER.bf_block,\
setvar:!USER.bf_counter,\
expirevar:USER.bf_block=3600"
</Location>
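To see what the rule sets in sections 3 and 4 actually do over time, here is an added Python model of them, run over constructed login attempts. It is not code from the original post or from ModSecurity; it mimics the persistent-collection actions the rules rely on (setvar:X=+1 increments, setvar:X sets a flag to 1, setvar:!X removes it, expirevar:X=N drops the flag after N seconds). The threshold of 25 is the page's; the block lifetime of 3600 s, the IP addresses and the username are assumptions.

```python
# Added example (not from the original post): the login.php rule sets as a
# state machine over two persistent collections, IP and USER.
from collections import defaultdict

FAILURE_THRESHOLD = 25   # "@gt 25"
BLOCK_SECONDS = 3600     # assumed expirevar value


class Collection:
    """One ModSecurity persistent collection (IP or USER), one record per key."""

    def __init__(self):
        self.vars = defaultdict(dict)      # key -> {name: value}
        self.expires = defaultdict(dict)   # key -> {name: expiry timestamp}

    def get(self, key, name, now):
        exp = self.expires[key].get(name)
        if exp is not None and now >= exp:          # expirevar has lapsed
            self.unset(key, name)
        return self.vars[key].get(name, 0)

    def incr(self, key, name):                      # setvar:COL.name=+1
        self.vars[key][name] = self.vars[key].get(name, 0) + 1

    def set_flag(self, key, name, now, ttl):        # setvar:COL.name + expirevar
        self.vars[key][name] = 1
        self.expires[key][name] = now + ttl

    def unset(self, key, name):                     # setvar:!COL.name
        self.vars[key].pop(name, None)
        self.expires[key].pop(name, None)


class LoginGuard:
    """The <Location /login.php> rules of section 4 (IP and USER combined)."""

    def __init__(self):
        self.ip, self.user = Collection(), Collection()

    def request(self, ip, username, now, auth_failed):
        """One POST to /login.php. Returns 'deny-ip', 'deny-user' or 'pass'.
        auth_failed models the application answering Location: /login.php."""
        # phase 2: enforce existing blocks, IP first, then username
        if self.ip.get(ip, "bf_block", now) == 1:
            return "deny-ip"
        if self.user.get(username, "bf_block", now) == 1:
            return "deny-user"
        # phase 5: a denied request never reached the application, so it
        # produced no Location header and is not counted; real failures are
        if auth_failed:
            for col, key in ((self.ip, ip), (self.user, username)):
                col.incr(key, "bf_counter")
                if col.get(key, "bf_counter", now) > FAILURE_THRESHOLD:
                    col.set_flag(key, "bf_block", now, BLOCK_SECONDS)
                    col.unset(key, "bf_counter")   # counter restarts from 0
        return "pass"


def single_source_attack():
    """One IP (constructed) guessing one account once per second. Returns the
    1-based number of the first denied attempt."""
    guard = LoginGuard()
    for n in range(1, 100):
        if guard.request("203.0.113.7", "admin", now=n, auth_failed=True) != "pass":
            return n
    return None


def distributed_attack():
    """A different (constructed) IP for every guess against 'admin': no IP
    counter ever exceeds 1, but the USER record accumulates. Returns the
    verdict of the 27th attempt and of a retry one hour later."""
    guard = LoginGuard()
    verdicts = [guard.request(f"198.51.100.{n}", "admin", now=n, auth_failed=True)
                for n in range(1, 28)]
    later = guard.request("198.51.100.250", "admin",
                          now=27 + BLOCK_SECONDS, auth_failed=True)
    return verdicts[-1], later
```

`single_source_attack()` returns 27: the 26th failure pushes the counter past 25 and sets the flag, and the 27th attempt is the first one denied, by the IP rule. `distributed_attack()` returns ('deny-user', 'pass'): only the USER collection catches guesses spread over 27 addresses, and because the rules clear bf_counter when they set bf_block, the attacker gets a fresh 25 free guesses once the hour is up. Two practical caveats follow from the model: behind a reverse proxy REMOTE_ADDR is the proxy, so the IP collection blocks everyone at once, and the username block is itself a lockout vector, since anyone can fail 26 times against a victim's account.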