搜索

[17192] 2021-08-25_通过ModSecurity防御一个C段IP发起的CC、扫描、采集等恶意行为

文档创建者:s7ckTeam
浏览次数:1
最后更新:2025-01-18
2021-08-25_通过ModSecurity防御一个C段IP发起的CC、扫描、采集等恶意行为 M o d S e c u r i t y C I P C C   w a n g z i 2 0 4 9   F r e e B u f   2 0 2 1 - 0 8 - 2 5 W E B I P C C N g i n x H t t p L i m i t R e q M o d u l e A p a c h e m o d _ e v a s i v e O W A S P I P D O S I P 1 C I P 使 C I P I P 访 C I P 1 M o d S e c u r i t y 1 访 C I P O W A S P c r s - s e t u p . c o n f I D 9 0 0 2 6 0 9 0 0 7 0 0 O W A S P I P D O S C I P I P O W A S P I P D O S R E Q U E S T - 9 1 2 - D O S - P R O T E C T I O N . c o n f . b a k I D 9 0 0 2 6 0 C C 访 I D 9 0 0 7 0 0 6 0 t x . d o s _ b u r s t _ t i m e _ s l i c e I P 访 1 0 0 t x . d o s _ c o u n t e r _ t h r e s h o l d I P 6 0 0 t x . d o s _ b l o c k _ t i m e o u t 1 . a I P C b C C I P 访 访 t x . d o s _ b u r s t _ t i m e _ s l i c e c 访 W E B C 访 访 C 访 + 1 访 t x . d o s _ b l o c k _ t i m e o u t C I P W E B 访 2 . 3 . a b M o d S e c u r i t y M o d S e c u r i t y % { } M o d S e c u r i t y S e c A c t i o n   " i d : 9 0 0 2 6 0 , p h a s e : 1 , n o l o g , p a s s , t : n o n e , s e t v a r : ' t x . s t a t i c _ e x t e n s i o n s = / . j p g /   / . j p e g /   / . p n g /   / . g i f /   / . j s /   / . c s s /   / . i c o /   / . s v g /   / . w e b p / ' " S e c A c t i o n   " i d : 9 0 0 7 0 0 , p h a s e : 1 , n o l o g , p a s s , t : n o n e , s e t v a r : ' t x . d o s _ b u r s t _ t i m e _ s l i c e = 3 0 ' , s e t v a r : ' t x . d o s _ c o u n t e r _ t h r e s h o l d = 5 ' , s e t v a r : ' t x . d o s _ b l o c k _ t i m e o u t = 6 0 0 ' " # I P C i p i p _ c _ m s g I P C I P 1 9 2 . 1 6 8 . 1 1 . 2 i p _ c _ m s g " 1 9 2 . 1 6 8 . 1 1 . " S e c R u l e   R E M O T E _ A D D R   " ^ ( ( 2 5 [ 0 - 5 ] " 2 [ 0 - 4 ] d " [ 0 1 ] ? d d ? ) . ) { 3 } "   " i d : 1 0 0 0 0 , n o l o g , p a s s , p h a s e : 1 , c a p t u r e , s e t v a r : i p . i p _ c _ m s g = % { T X . 0 } " # I P C 访 # 访 S e c R u l e   G L O B A L : % { i p . i p _ c _ m s g }   " @ g e   % { t x . d o s _ c o u n t e r _ t h r e s h o l d } "   " i d : 1 0 0 0 1 , d r o p , l o g , p h a s e : 1 , e x p i r e v a r : g l o b a l . % { i p . i p _ c _ m s g } = % { t x . d o s _ b l o c k _ t i m e o u t } " # 访 I P C 访 + 1 % { t x . d o s _ b u r s t _ t i m e _ s l i c e } I P 1 9 2 . 1 6 8 . 1 1 . 2 g l o b a l S e c R u l e   R E Q U E S T _ B A S E N A M E   " . * ? ( . [ a - z 0 - 9 ] { 1 , 1 0 } ) ? $ "   " i d : 1 0 0 0 2 , p h a s e : 5 , t : n o n e , t : l o w e r c a s e , n o l o g , p a s s , c a p t u r e , s e t v a r : t x . e x t e n s i o n = / % { T X . 1 } / , c h a i n " S e c R u l e   T X : E X T E N S I O N   " ! @ w i t h i n   % { t x . s t a t i c _ e x t e n s i o n s } "   " s e t v a r : g l o b a l . % { i p . i p _ c _ m s g } = + 1 , e x p i r e v a r : g l o b a l . % { i p . i p _ c _ m s g } = % { t x . d o s _ b u r s t _ t i m e _ s l i c e } "
C I P 访 G L O B A L : % { i p . i p _ c _ m s g } M o d S e c u r i t y % { } i p . i p _ c _ m s g 1 9 2 . 1 6 8 . 1 1 . G L O B A L 1 9 2 . 1 6 8 . 1 1 . % { } M o d S e c u r i t y G L O B A L % { i p . i p _ c _ m s g } I P G L O B A L : % { i p . i p _ c _ m s g } s e t v a r : i p . i p _ c _ c o u n t = % { g l o b a l . % { i p . i p _ c _ m s g } } % { } M o d S e c u r i t y i p . i p _ c _ m s g 1 9 2 . 1 6 8 . 1 1 . G L O B A L 1 9 2 . 1 6 8 . 1 1 . % { g l o b a l . % { i p . i p _ c _ m s g } } } M o d S e c u r i t y % { } % { g l o b a l . % { i p . i p _ c _ m s g } } M o d S e c u r i t y % { } g l o b a l . % { i p . i p _ c _ m s g } i p . i p _ c _ c o u n t } C 1 1 . 1 M o d S e c u r i t y I P C 2 . 3 . M o d S e c u r i t y a 访 p h a s e 5 b C C I P 访 1 9 2 . 1 6 8 . 1 1 . 2 1 9 2 . 1 6 8 . 1 1 I P 1 9 2 . 1 6 8 . 1 1 . 3 访 访 访 访 C 访 I P 1 0 0 0 3 p h a s e 1 访 便 1 9 2 . 1 6 8 . 1 1 . 3 I P 访 访 i p i p I P + I P 使 访 i p i p 访 1 . M o d S e c u r i t y + L u a + i p s e t + i p t a b l e s C I P i p s e t C I P S e c R u l e   G L O B A L : % { i p . i p _ c _ m s g } " @ g e   % { t x . d o s _ c o u n t e r _ t h r e s h o l d } "   " i d : 1 0 0 0 1 , d r o p , l o g , p h a s e : 1 , e x p i r e v a r : g l o b a l . % { i p . i p _ c _ m s g } = % { t x . d o s _ b l o c k _ t i m e o u t } " # I P C i p i p _ c _ m s g I P C I P 1 9 2 . 1 6 8 . 1 1 . 2 i p _ c _ m s g " 1 9 2 . 1 6 8 . 1 1 . "   S e c R u l e   R E M O T E _ A D D R   " ^ ( ( 2 5 [ 0 - 5 ] | 2 [ 0 - 4 ] d | [ 0 1 ] ? d d ? ) . ) { 3 } "   " i d : 1 0 0 0 0 , n o l o g , p a s s , p h a s e : 1 , c a p t u r e , s e t v a r : i p . i p _ c _ m s g = % { T X . 0 } " # I P D O S _ B L O C K _ C 1 , I P C # 1 I P 访 i d 1 0 0 0 3 # D O S _ B L O C K _ C _ F L A G # 0 1 % { t x . d o s _ b l o c k _ t i m e o u t } # I P S e c R u l e   I P : D O S _ B L O C K _ C   " @ e q   1 "   " i d : 1 0 0 0 1 , p h a s e : 1 , d r o p , l o g , c h a i n , m s g : ' D e t e c t   D o s   A t t a c k   f r o m   % { i p . i p _ c _ m s g } 0 / 2 4 ' " S e c R u l e   & I P : D O S _ B L O C K _ C _ F L A G   " @ e q   0 "   " s e t v a r : i p . d o s _ b l o c k _ c _ f l a g = 1 , e x p i r e v a r : i p . d o s _ b l o c k _ c _ f l a g = % { t x . d o s _ b l o c k _ t i m e o u t } " # I P D O S _ B L O C K _ C 1 , I P C # 1 I P 访 i d 1 0 0 0 3 # 1 0 0 0 1 S e c R u l e   I P : D O S _ B L O C K _ C   " @ e q   1 "   " i d : 1 0 0 0 4 , p h a s e : 1 , d r o p , n o l o g " # 访 # I P C 访 + 1 # % { t x . d o s _ b u r s t _ t i m e _ s l i c e } # I P 1 9 2 . 1 6 8 . 1 1 . 2 g l o b a l " i p _ c _ 1 9 2 . 1 6 8 . 1 1 . " # + 1 S e c R u l e   R E Q U E S T _ B A S E N A M E   " . * ? ( . [ a - z 0 - 9 ] { 1 , 1 0 } ) ? $ "   " p h a s e : 5 , i d : 1 0 0 0 2 , t : n o n e , t : l o w e r c a s e , n o l o g , p a s s , c a p t u r e , s e t v a r : t x . e x t e n s i o n = / % { T X . 1 } / , c h a i n " S e c R u l e   T X : E X T E N S I O N   " ! @ w i t h i n   % { t x . s t a t i c _ e x t e n s i o n s } "   " s e t v a r : ' g l o b a l . i p _ c _ % { i p . i p _ c _ m s g } = + 1 ' , e x p i r e v a r : g l o b a l . i p _ c _ % { i p . i p _ c _ m s g } = % { t x . d o s _ b u r s t _ t i m e _ s l i c e } " # G L O B A L i p _ c # C , i p _ c % { t x . d o s _ b l o c k _ t i m e o u t } # C I P i p . d o s _ b l o c k _ c 1 # i p . d o s _ b l o c k _ c % { t x . d o s _ b l o c k _ t i m e o u t }   S e c R u l e   G L O B A L : / ^ i p _ c /   " @ g e   % { t x . d o s _ c o u n t e r _ t h r e s h o l d } "   " p h a s e : 5 , i d : 1 0 0 0 3 , p a s s , n o l o g , c h a i n " S e c R u l e   M A T C H E D _ V A R _ N A M E   " ( ( 2 5 [ 0 - 5 ] | 2 [ 0 - 4 ] d | [ 0 1 ] ? d d ? ) . ) { 3 } "   " c a p t u r e , s e t v a r : t x . e x t e n s i o n = % { T X . 0 } , c h a i n , e x p i r e v a r : g l o b a l . i p _ c _ % { T X . 0 } = % { t x . d o s _ b l o c k _ t i m e o u t } "   S e c R u l e   T X : E X T E N S I O N   " @ s t r e q   % { i p . i p _ c _ m s g } "   " s e t v a r : i p . d o s _ b l o c k _ c = 1 , e x p i r e v a r : i p . d o s _ b l o c k _ c = % { t x . d o s _ b l o c k _ t i m e o u t } "
2 . L u a 使 i p s e t - s e r v i c e 4 i p s e t i p s e t r o o t W E B w w w d a e m o n w w w 3 . a i p s e t - s e r v i c e b i p s e t 1 . i p s e t H T T P i p s e t 访 + 2 . # I P C i p i p _ c _ m s g I P C I P 1 9 2 . 1 6 8 . 1 1 . 2 i p _ c _ m s g " 1 9 2 . 1 6 8 . 1 1 . "   S e c R u l e   R E M O T E _ A D D R   " ^ ( ( 2 5 [ 0 - 5 ] | 2 [ 0 - 4 ] d | [ 0 1 ] ? d d ? ) . ) { 3 } "   " i d : 1 0 0 0 0 , n o l o g , p a s s , p h a s e : 1 , c a p t u r e , s e t v a r : i p . i p _ c _ m s g = % { T X . 0 } " # 访 # I P C 访 + 1 # % { t x . d o s _ b u r s t _ t i m e _ s l i c e } # I P 1 9 2 . 1 6 8 . 1 1 . 2 g l o b a l " i p _ c _ 1 9 2 . 1 6 8 . 1 1 . " # + 1 S e c R u l e   R E Q U E S T _ B A S E N A M E   " . * ? ( . [ a - z 0 - 9 ] { 1 , 1 0 } ) ? $ "   " p h a s e : 5 , i d : 1 0 0 0 2 , t : n o n e , t : l o w e r c a s e , n o l o g , p a s s , c a p t u r e , s e t v a r : t x . e x t e n s i o n = / % { T X . 1 } / , c h a i n " S e c R u l e   T X : E X T E N S I O N   " ! @ w i t h i n   % { t x . s t a t i c _ e x t e n s i o n s } "   " s e t v a r : ' g l o b a l . i p _ c _ % { i p . i p _ c _ m s g } = + 1 ' , e x p i r e v a r : g l o b a l . i p _ c _ % { i p . i p _ c _ m s g } = % { t x . d o s _ b u r s t _ t i m e _ s l i c e } " # G L O B A L i p _ c # C , # L u a i p s e t C I P i p t a b l e s   S e c R u l e   G L O B A L : / ^ i p _ c /   " @ g e   % { t x . d o s _ c o u n t e r _ t h r e s h o l d } "   " p h a s e : 5 , i d : 1 0 0 0 3 , p a s s , l o g , c a p t u r e , m s g : ' D e t e c t   D o s   A t t a c k   f r o m   % { T X . 0 } 0 / 2 4 ' , c h a i n "   S e c R u l e   M A T C H E D _ V A R _ N A M E   " ( ( 2 5 [ 0 - 5 ] | 2 [ 0 - 4 ] d | [ 0 1 ] ? d d ? ) . ) { 3 } "   " c a p t u r e , s e t v a r : ! g l o b a l . i p _ c _ % { T X . 0 } , e x e c : / t m p / m s _ c _ d o s . l u a " f u n c t i o n   m a i n ( ) l o c a l   i p   =   m . g e t v a r ( " R E M O T E _ A D D R " ) ;   l o c a l   r t =   { } ;   l o c a l   p = ' % . ' ;   s t r i n g . g s u b ( i p ,   ' [ ^ ' . . p . . ' ] + ' ,   f u n c t i o n ( w )   t a b l e . i n s e r t ( r t ,   w )   e n d   ) ;   i f   # r t   = =   4   t h e n   l o c a l   i p _ c = r t [ 1 ] . . " . " . . r t [ 2 ] . . " . " . . r t [ 3 ] . . " . 0 / 2 4 " ;   o s . e x e c u t e ( " s u d o   i p s e t   a d d   l i s t _ c _ d o s   " . . i p _ c ) ;   e n d   r e t u r n   n i l ;   e n d # / e t c / s u d o e r s c h m o d   6 4 0   / e t c / s u d o e r s # v i v i   / e t c / s u d o e r s # r o o t   A L L = ( A L L )   A L L d a e m o n         A L L = ( A L L )               N O P A S S W D :   / u s r / s b i n / i p s e t # / e t c / s u d o e r s c h m o d   4 4 0   / e t c / s u d o e r s # I P C i p i p _ c _ m s g I P C I P 1 9 2 . 1 6 8 . 1 1 . 2 i p _ c _ m s g " 1 9 2 . 1 6 8 . 1 1 . "   S e c R u l e   R E M O T E _ A D D R   " ^ ( ( 2 5 [ 0 - 5 ] | 2 [ 0 - 4 ] d | [ 0 1 ] ? d d ? ) . ) { 3 } "   " i d : 1 0 0 0 0 , n o l o g , p a s s , p h a s e : 1 , c a p t u r e , s e t v a r : i p . i p _ c _ m s g = % { T X . 0 } " # 访 # I P C 访 + 1 # % { t x . d o s _ b u r s t _ t i m e _ s l i c e } # I P 1 9 2 . 1 6 8 . 1 1 . 2 g l o b a l " i p _ c _ 1 9 2 . 1 6 8 . 1 1 . " # + 1 S e c R u l e   R E Q U E S T _ B A S E N A M E   " . * ? ( . [ a - z 0 - 9 ] { 1 , 1 0 } ) ? $ "   " p h a s e : 5 , i d : 1 0 0 0 2 , t : n o n e , t : l o w e r c a s e , n o l o g , p a s s , c a p t u r e , s e t v a r : t x . e x t e n s i o n = / % { T X . 1 } / , c h a i n " S e c R u l e   T X : E X T E N S I O N   " ! @ w i t h i n   % { t x . s t a t i c _ e x t e n s i o n s } "   " s e t v a r : ' g l o b a l . i p _ c _ % { i p . i p _ c _ m s g } = + 1 ' , e x p i r e v a r : g l o b a l . i p _ c _ % { i p . i p _ c _ m s g } = % { t x . d o s _ b u r s t _ t i m e _ s l i c e } " # G L O B A L i p _ c # C ,
L u a 使 i p s e t - s e r v i c e 4 3 . a b H T T P 便 H T T P I P H T T P 1 . O W A S P R E Q U E S T - 9 0 1 - I N I T I A L I Z A T I O N . c o n f 2 . I D I D 3 . c r s - s e t u p . c o n f S e c C o l l e c t i o n T i m e o u t t x . d o s _ b l o c k _ t i m e o u t ; 4 . i p s e t - s e r v i c e 5 . M o d S e c u r i t y   V 3 M o d S e c u r i t y 使 M o d S e c u r i t y   V 3 e x p i r e v a r 6 0 访 1 0 0 C I P 6 0 e x p i r e v a r V 3 I P 访 访 1 0 0 I P I P W E B # C , # L u a 访 H T T P i p s e t C I P i p t a b l e s   S e c R u l e   G L O B A L : / ^ i p _ c /   " @ g e   % { t x . d o s _ c o u n t e r _ t h r e s h o l d } "   " p h a s e : 5 , i d : 1 0 0 0 3 , p a s s , l o g , c a p t u r e , m s g : ' D e t e c t   D o s   A t t a c k   f r o m   % { T X . 0 } 0 / 2 4 ' , c h a i n "   S e c R u l e   M A T C H E D _ V A R _ N A M E   " ( ( 2 5 [ 0 - 5 ] | 2 [ 0 - 4 ] d | [ 0 1 ] ? d d ? ) . ) { 3 } "   " c a p t u r e , s e t v a r : ! g l o b a l . i p _ c _ % { T X . 0 } , e x e c : / t m p / m s _ c _ d o s . l u a " f u n c t i o n   m a i n ( ) l o c a l   i p   =   m . g e t v a r ( " R E M O T E _ A D D R " ) ;   l o c a l   r t =   { } ;   l o c a l   p = ' % . ' ;   s t r i n g . g s u b ( i p ,   ' [ ^ ' . . p . . ' ] + ' ,   f u n c t i o n ( w )   t a b l e . i n s e r t ( r t ,   w )   e n d   ) ;   i f   # r t   = =   4   t h e n   l o c a l   i p _ c = r t [ 1 ] . . " . " . . r t [ 2 ] . . " . " . . r t [ 3 ] . . " . 0 / 2 4 " ;   o s . e x e c u t e ( " c u r l   h t t p : / / l o c a l h o s t : / f o r b i d d e n . p h p ? i p _ c = " . . i p _ c . . " & a u t h = 1 2 3 4 5 6 " ) ;   e n d   r e t u r n   n i l ;   e n d # i p s e t y u m   i n s t a l l   i p s e t - s e r v i c e # s y s t e m c t l   e n a b l e   i p s e t # l i s t _ c _ d o s I P 3 6 0 0 , i p s e t   c r e a t e   l i s t _ c _ d o s   h a s h : i p   t i m e o u t   3 6 0 0 # i p s e t l i s t _ c _ d o s i p s e t s e r v i c e   i p s e t   s a v e # / e t c / s y s c o n f i g / i p t a b l e s I P 访 8 0   - A   I N P U T   - m   s e t   - - m a t c h - s e t   l i s t _ c _ d o s   s r c   - p   t c p   - - d p o r t   8 0   - j   D R O P # i p t a b l e s s e r v i c e   i p t a b l e s   r e s t a r t # l i s t _ c _ d o s I P d e m o # i p s e t   a d d   l i s t _ c _ d o s   1 9 2 . 1 6 8 . 1 4 2 . 0 / 2 4

回复

举报

高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

使用Markdown编辑器编辑 使用富文本编辑器编辑

Archiver| 手机版| 小黑屋|
Powered by Discuz! X3.4 Copyright © 2001-2020, Tencent Cloud. 商业源码建议获取授权,如侵犯您的权益,请联系客服处理