
ModSecurity rule study (5): DDoS attack detection

Posted: 2018-03-22 15:02:35


1. IP request rate

# The IP collection has to be initialised before IP.* variables can be used
SecAction "phase:1,nolog,pass,initcol:IP=%{REMOTE_ADDR}"
# Every update of the collection feeds the built-in IP:UPDATE_RATE variable
SecAction "phase:1,nolog,pass,setvar:IP.counter=+1"
SecRule IP:UPDATE_RATE "@gt 10" "phase:1,block,msg:'Request rate too high for IP address: %{IP.UPDATE_RATE}'"

An optimisation: leave static resources out of the count, so that only requests for dynamic content drive the rate.

# Only increment the counter if the
# request is for a non-static resource
SecRule REQUEST_FILENAME "!@rx \.(jpg|png|gif|js|css|ico)$" "phase:1,nolog,pass,setvar:IP.counter=+1"

2. The DURATION variable (ModSecurity 2.6 and later)

DURATION reports how long the current transaction has been running. The idea is to keep track of how much time the web server is spending per IP address, session, or user, and to block the clients that consume too much of it.

# Block the IP addresses that use too
# much of the web server's time
SecRule IP:load "@gt 10000" "phase:1,t:none,block,\
msg:'IP address load too high: %{IP.load}'"
# Keep track of how much web server
# time is consumed by each IP address;
# the load decays by 250 every second
SecAction "phase:5,nolog,pass,\
setvar:IP.load=+%{DURATION},deprecatevar:IP.load=250/1"

3. Use application behaviour. Take a brute-force login flood as an example: a successful login redirects to index.php and a failed one redirects back to login.php, so the rate at which login.php is hit reveals a potential attack.


<Location /login.php>
# Enforce an existing IP address block
SecRule IP:bf_block "@eq 1" "phase:2,block,\
msg:'IP address blocked because of suspected brute-force attack'"
# Check for authentication failure: the application redirects
# failed logins back to /login.php, so count each such response
SecRule RESPONSE_HEADERS:Location "^/login.php" "phase:5,chain,t:none,nolog,pass,\
msg:'Multiple authentication failures from IP address',setvar:IP.bf_counter=+1"
# Too many failures: set the block flag, reset the counter and let the block lapse after an hour
SecRule IP:bf_counter "@gt 25" "t:none,setvar:IP.bf_block,setvar:!IP.bf_counter,expirevar:IP.bf_block=3600"
</Location>

4. Count failures per IP address and per username

<Location /login.php>
# Enforce an existing IP address block
SecRule IP:bf_block "@eq 1" "phase:2,deny,\
msg:'IP address blocked because of suspected brute-force attack'"
# Retrieve the per-username record
SecAction "phase:2,nolog,pass,initcol:USER=%{ARGS.username}"
# Enforce an existing username block
SecRule USER:bf_block "@eq 1" "phase:2,deny,\
msg:'Username blocked because of suspected brute-force attack'"
# Check for authentication failure and increment counters
SecRule RESPONSE_HEADERS:Location "^/login.php" "phase:5,t:none,nolog,pass,\
setvar:IP.bf_counter=+1,setvar:USER.bf_counter=+1"
# Check for too many failures from a single IP address
SecRule IP:bf_counter "@gt 25" "phase:5,pass,t:none,\
setvar:IP.bf_block,setvar:!IP.bf_counter,expirevar:IP.bf_block=1800"
# Check for too many failures for a single username
SecRule USER:bf_counter "@gt 25" "phase:5,t:none,pass,\
setvar:USER.bf_block,setvar:!USER.bf_counter,expirevar:USER.bf_block=1800"
</Location>
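To make the counter arithmetic of sections 2 and 4 concrete, here is an added Python model (not code from the original post, nor from ModSecurity itself) of the collection actions the rules depend on: setvar, deprecatevar, expirevar and the write-back of the record at the end of the transaction. The Record class and the two simulation functions are the model's own simplification; the thresholds (10000 ms of load, 25 failures, 1800 s of block) and the 250/1 decay are the page's; the request timelines, the username and the addresses are constructed. It shows that a client spending 3 s of server time every second crosses IP:load=10000 on its fifth request while a client fetching the same page every 20 s never does, and that after 26 failures the block lands on both the attacker's address and the targeted username until it expires.

```python
"""Added model of the persistent-collection semantics behind sections 2 and 4
(illustration code, not ModSecurity's engine; thresholds are the page's)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Record:
    """One persistent record, e.g. the IP record for a client address or the
    USER record for a username (what initcol selects for the transaction)."""
    vars: dict = field(default_factory=dict)    # variable name -> integer value
    expiry: dict = field(default_factory=dict)  # variable name -> time it disappears
    last_update: Optional[int] = None           # when the record was last written back

    def get(self, name, now):
        """Read COL:name as a SecRule target does; an expired variable reads as absent."""
        for var, deadline in list(self.expiry.items()):
            if now >= deadline:
                self.vars.pop(var, None)
                del self.expiry[var]
        return self.vars.get(name)

    def setvar(self, name, delta=None):
        """setvar:COL.name=+delta; a bare setvar:COL.name sets the variable to 1."""
        self.vars[name] = 1 if delta is None else self.vars.get(name, 0) + delta

    def unsetvar(self, name):
        """setvar:!COL.name"""
        self.vars.pop(name, None)
        self.expiry.pop(name, None)

    def deprecatevar(self, name, amount, interval, now):
        """deprecatevar:COL.name=amount/interval: subtract `amount` for every full
        `interval` seconds since the record was last written back, floored at 0."""
        if name in self.vars and self.last_update is not None:
            periods = (now - self.last_update) // interval
            self.vars[name] = max(0, self.vars[name] - amount * periods)

    def expirevar(self, name, seconds, now):
        """expirevar:COL.name=seconds"""
        self.expiry[name] = now + seconds

    def persist(self, now):
        """End of the transaction: the record is written back (LAST_UPDATE_TIME)."""
        self.last_update = now


LOAD_THRESHOLD = 10000  # ms, from: SecRule IP:load "@gt 10000"
LOAD_DECAY = (250, 1)   # from: deprecatevar:IP.load=250/1


def first_load_block(requests):
    """Section 2's rules over (time_s, duration_ms) pairs from one client.
    Returns the time of the first request blocked in phase 1, or None."""
    ip = Record()
    for now, duration_ms in requests:
        load = ip.get("load", now)                  # phase 1 check
        if load is not None and load > LOAD_THRESHOLD:
            return now
        ip.setvar("load", duration_ms)              # phase 5: +%{DURATION}
        ip.deprecatevar("load", *LOAD_DECAY, now)
        ip.persist(now)
    return None


BF_THRESHOLD = 25    # failures, from: "@gt 25"
BF_BLOCK_TTL = 1800  # seconds, from: expirevar:...=1800


def simulate_logins(events):
    """Section 4's rules over (time_s, client_ip, username, success) events.
    Returns one outcome per event: denied-ip, denied-user, failed or ok."""
    ips, users, outcomes = {}, {}, []
    for now, addr, username, success in events:
        ip = ips.setdefault(addr, Record())           # initcol:IP=%{REMOTE_ADDR}
        user = users.setdefault(username, Record())   # initcol:USER=%{ARGS.username}
        if ip.get("bf_block", now) == 1:              # phase 2 checks, before the app
            outcomes.append("denied-ip")
        elif user.get("bf_block", now) == 1:
            outcomes.append("denied-user")
        elif success:
            outcomes.append("ok")                     # no Location: /login.php, no count
        else:
            outcomes.append("failed")
            for rec in (ip, user):                    # phase 5: redirect back = failure
                rec.setvar("bf_counter", 1)
                if rec.get("bf_counter", now) > BF_THRESHOLD:
                    rec.setvar("bf_block")
                    rec.unsetvar("bf_counter")
                    rec.expirevar("bf_block", BF_BLOCK_TTL, now)
                rec.persist(now)
    return outcomes


# Constructed sample input: a client fetching a 3000 ms page every second versus
# every 20 s, and a 26-guess password run against "alice" from a documentation address.
HEAVY_CLIENT = [(t, 3000) for t in range(10)]
LIGHT_CLIENT = [(t, 3000) for t in range(0, 200, 20)]
ATTACKER, ALICE_HOME = "198.51.100.7", "203.0.113.5"
LOGIN_EVENTS = (
    [(t, ATTACKER, "alice", False) for t in range(26)]  # guesses 1..26, one per second
    + [(26, ATTACKER, "alice", False),                  # guess 27: the IP is now blocked
       (100, ALICE_HOME, "alice", True),                # the real user is locked out too
       (1900, ATTACKER, "alice", False),                # both blocks lapsed at t = 1825
       (1901, ALICE_HOME, "alice", True)]
)

if __name__ == "__main__":
    print("heavy client first blocked at t =", first_load_block(HEAVY_CLIENT))
    print("light client first blocked at t =", first_load_block(LIGHT_CLIENT))
    print(simulate_logins(LOGIN_EVENTS)[24:])
```

Two things the model makes visible. The decay in deprecatevar is measured against the time the record was last written back, which is why the 250/1 rate only bites between transactions and a steady 3 s-per-second client still climbs by 2750 per request. And the per-username counter of section 4 cuts both ways: it stops password guessing spread over many addresses, but the 26 failures also lock the legitimate user out until the expirevar deadline, so the expiry should stay short and the rule should be watched for that side effect in the audit log.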

 

 

 


Original source: https://www.cnblogs.com/wuweidong/p/8623794.html
