1、IP访问频率
SecAction phase:1,nolog,pass,setvar:IP.counter=+1 SecRule IP:UPDATE_RATE "@gt 10" "phase:1,block,msg:‘Request rate too high for IP address: %{IP.UPDATE_RATE}‘"
优化下,去掉静态资源的
# Only increment the counter if the # request is for a non-static resource SecRule REQUEST_FILENAME "!\.(jpg|png|gif|js|css|ico)$" phase:1,nolog,pass,setvar:IP.counter=+1
2、DURATION variable (2.6以后)
discover how long a transaction has been running. The idea is to keep track of how much
time the web server is spending, per IP address, session, or user.
# Block the IP addresses that use too # much of the web server‘s time SecRule IP.load "@gt 10000" "phase:1,t:none,block,\ msg:‘IP address load too high: %{IP.load}‘" # Keep track of how much web server # time is consumed by each IP address SecAction "phase:5,nolog,pass,\ setvar:IP.load=+%{DURATION},deprecatevar:IP.load=250/1"
3、根据业务请求,比如有暴力登录的ddos,成功跳转index,php,失败跳回login.php,通过访问login.php的频率判断潜在的ddos
<Location /login.php> # Enforce an existing IP address block SecRule IP:bf_block "@eq 1" "phase:2,block,\ msg:‘IP address blocked because of suspected brute-force attack‘" # Check for authentication failure SecRule RESPONSE_HEADERS:Location ^/login.php "phase:5,chain,t:none,nolog,pass, \ msg:‘Multiple authentication failures from IP address‘,setvar:IP.bf_counter=+1" SecRule IP:bf_counter "@gt 25" t:none,setvar:IP.bf_block,setvar:!IP.bf_counter,expirevar:IP.block=3600 </Location>
4、按IP||用户失败频率统计
<Location /login.php> # Enforce an existing IP address block SecRule IP:bf_block "@eq 1" "phase:2,deny,\ msg:‘IP address blocked because of suspected brute-force attack‘" # Retrieve the per-username record SecAction phase:2,nolog,pass,initcol:USER=%{ARGS.username} # Enforce an existing username block SecRule USER:bf_block "@eq 1" "phase:2,deny,\ msg:‘Username blocked because of suspected brute-force attack‘" # Check for authentication failure and increment counters SecRule RESPONSE_HEADERS:Location ^/login.php "phase:5,t:none,nolog,pass,\ setvar:IP.bf_counter=+1,setvar:USER.bf_counter=+1" # Check for too many failures from a single IP address SecRule IP:bf_counter "@gt 25" "phase:5,pass,t:none,\ setvar:IP.bf_block,setvar:!IP.bf_counter,expirevar:IP.block=1800" # Check for too many failures for a single username SecRule USER:bf_counter "@gt 25" "phase:5,t:none,pass,\ setvar:USER.bf_block,setvar:!USER.bf_counter,expirevar:USER.block=1800" </Location>