Mod-Security

Joomla 的 mod_security 規則集!行政

  • June 23, 2016

我執行了幾個託管伺服器,最近我經歷了很多針對基於 joomla 的網站的暴力攻擊。攻擊者似乎試圖對administrator/index.php頁面進行暴力破解。

當他們嘗試使用以下規則集暴力破解 Wordpress 登錄時,我通常會鎖定 IP:

SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},id:5000134
<Locationmatch "/wp-login.php">
SecRule ip:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes.'"
SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"
SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137"
SecRule ip:bf_counter "@gt 10" "t:none,setvar:ip.bf_block=1,expirevar:ip.bf_block=300,setvar:ip.bf_counter=0"
</Locationmatch>

但我找不到 Joomla! 的類似規則,因為響應狀態是“303 查看其他”,密碼有效,密碼無效。

有什麼幫助嗎?提前致謝!

所以,這是我的答案。

通過檢查返回標頭,我注意到 Joomla! 登錄正確時後端返回一些 HTTP 標頭,登錄無效時不返回它們。

例如,成功登錄後返回P3P標頭,所以我只查找它的長度> 0

SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},id:5000144
<Locationmatch "/administrator/index.php">
   SecRule ip:bf_block "@gt 0" "deny,status:401,log,id:5000145,msg:'ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes.'"
   SecRule RESPONSE_HEADERS:P3P "streq 0" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000146"
   SecRule RESPONSE_HEADERS:P3P "!streq 0" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000147"
   SecRule ip:bf_counter "@gt 10" "t:none,setvar:ip.bf_block=1,expirevar:ip.bf_block=300,setvar:ip.bf_counter=0"
</locationmatch>

引用自:https://serverfault.com/questions/646590