Mod-Security
Joomla! mod_security ruleset for administrator
I run a few hosting servers, and recently I have seen a lot of brute-force attacks against Joomla!-based sites. The attackers seem to be trying to brute-force the administrator/index.php page. When they try to brute-force a WordPress login, I usually lock out the IP with the following ruleset:
# Start an IP-keyed persistent collection for every request.
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},id:5000134

<LocationMatch "/wp-login.php">
    # An IP that is currently blocked gets a 401 for 5 minutes.
    SecRule ip:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes.'"
    # Successful login: WordPress answers with a 302 redirect, so reset the counter.
    SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"
    # Failed login: the login form is rendered again with 200, so count the attempt
    # (the counter decays by 1 every 180 s) and block once it exceeds 10.
    SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137"
        SecRule ip:bf_counter "@gt 10" "t:none,setvar:ip.bf_block=1,expirevar:ip.bf_block=300,setvar:ip.bf_counter=0"
</LocationMatch>
But I can't find a similar rule for Joomla!, because the response status is "303 See Other" whether the password is valid or invalid.
Any help? Thanks in advance!
So, here is my answer.
By inspecting the returned headers, I noticed that the Joomla! back end returns some HTTP headers when the login is correct and does not return them when the login is invalid.
For example, after a successful login the P3P header is returned, so I just look for its length > 0:

# Start an IP-keyed persistent collection for every request.
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},id:5000144

<LocationMatch "/administrator/index.php">
    # An IP that is currently blocked gets a 401 for 5 minutes.
    SecRule ip:bf_block "@gt 0" "deny,status:401,log,id:5000145,msg:'ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes.'"
    # Successful login: Joomla! sends a P3P header. The "&" prefix counts how many
    # P3P headers are in the response, so "@gt 0" means the header is present: reset the counter.
    SecRule &RESPONSE_HEADERS:P3P "@gt 0" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000146"
    # Failed login: no P3P header, so count the attempt (decaying by 1 every 180 s)
    # and block once it exceeds 10.
    SecRule &RESPONSE_HEADERS:P3P "@eq 0" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000147"
        SecRule ip:bf_counter "@gt 10" "t:none,setvar:ip.bf_block=1,expirevar:ip.bf_block=300,setvar:ip.bf_counter=0"
</LocationMatch>
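As an added example (not part of the answer above, and not Joomla! or ModSecurity code), here is a small Python script that pulls the hits of the two "deny" rules (ids 5000135 and 5000145) out of the Apache error log and reports which blocked IPs kept retrying. The log lines are constructed samples in the ModSecurity 2.x error-log format; the IPs, PIDs, hostname and timestamps are made up.

```python
import re
from collections import Counter

# Constructed sample lines in the Apache 2.4 / ModSecurity 2.x error-log format;
# the IPs, PIDs, hostname and timestamps are made up for this example.
SAMPLE_LOG = """\
[Tue Mar 04 12:00:01.100000 2014] [:error] [pid 1234] [client 203.0.113.5:51000] ModSecurity: Access denied with code 401 (phase 1). Operator GT matched 0 at IP:bf_block. [id "5000145"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."] [hostname "www.example.com"] [uri "/administrator/index.php"]
[Tue Mar 04 12:00:02.300000 2014] [:error] [pid 1234] [client 203.0.113.5:51002] ModSecurity: Access denied with code 401 (phase 1). Operator GT matched 0 at IP:bf_block. [id "5000145"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."] [hostname "www.example.com"] [uri "/administrator/index.php"]
[Tue Mar 04 12:05:30.000000 2014] [:error] [pid 1235] [client 198.51.100.7:40211] ModSecurity: Access denied with code 401 (phase 1). Operator GT matched 0 at IP:bf_block. [id "5000135"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."] [hostname "www.example.com"] [uri "/wp-login.php"]
[Tue Mar 04 12:06:00.000000 2014] [:error] [pid 1235] [client 192.0.2.9:33001] ModSecurity: Warning. Pattern match "foo" at ARGS:q. [id "999999"] [msg "unrelated rule"] [hostname "www.example.com"] [uri "/index.php"]
"""

# One regex per field, so the order of the [key "value"] pairs does not matter.
# The client field is "[client ip]" on Apache 2.2 and "[client ip:port]" on 2.4.
CLIENT_RE = re.compile(r'\[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\]')
ID_RE = re.compile(r'\[id "(?P<id>\d+)"\]')
MSG_RE = re.compile(r'\[msg "(?P<msg>[^"]*)"\]')
URI_RE = re.compile(r'\[uri "(?P<uri>[^"]*)"\]')
TS_RE = re.compile(r'^\[(?P<ts>[^\]]+)\]')

# The "deny" rules from the rulesets above: 5000135 (wp-login.php), 5000145 (administrator/index.php).
BLOCK_RULE_IDS = frozenset({"5000135", "5000145"})

def parse_denials(log_text, rule_ids=BLOCK_RULE_IDS):
    """One dict per error-log line written by a brute-force block rule."""
    hits = []
    for line in log_text.splitlines():
        m_id, m_ip = ID_RE.search(line), CLIENT_RE.search(line)
        if not (m_id and m_ip) or m_id.group("id") not in rule_ids:
            continue  # not a denial from one of the block rules
        m_ts, m_uri, m_msg = TS_RE.search(line), URI_RE.search(line), MSG_RE.search(line)
        hits.append({
            "ts": m_ts.group("ts") if m_ts else "",
            "ip": m_ip.group("ip"),
            "rule_id": m_id.group("id"),
            "uri": m_uri.group("uri") if m_uri else "",
            "msg": m_msg.group("msg") if m_msg else "",
        })
    return hits

def denials_per_ip(hits):
    """How many requests each IP had refused while it was blocked."""
    return Counter(h["ip"] for h in hits)

def repeat_offenders(hits, min_denials=2):
    """IPs that kept hitting the login page after being blocked, most active first."""
    return [(ip, n) for ip, n in denials_per_ip(hits).most_common() if n >= min_denials]

if __name__ == "__main__":
    for ip, n in repeat_offenders(parse_denials(SAMPLE_LOG)):
        print(f"{ip}: {n} requests denied while blocked")
```

Point it at the real error log (or the output of `grep ModSecurity /var/log/apache2/error.log`) to see which sources keep retrying after the 5-minute block, which is a useful signal for a longer firewall-level ban.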