Question

我正在尝试构建一条规则，将xmlrpc.php身份验证失败次数限制为每分钟5次。我到目前为止的ModSecurity规则是：

SecAction phase:1,nolog,pass,initcol:IP=%{REMOTE_ADDR},id:690010
<LocationMatch "/xmlrpc.php">
SecRule IP:COUNTXYZ "@gt 5" "phase:1,deny,status:403,log,msg:'WAF Rules : IP address blocked - more than 5 xmlrpc errors in 60 seconds',id:690011"
SecRule RESPONSE_BODY "faultCode" "phase:4,pass,nolog,setvar:ip.countxyz=+1,deprecatevar:ip.countxyz=1/60,id:690012"
</LocationMatch>

尽管使用以下方法反复调用此服务器上的站点：

curl -d '<?xml version="1.0"?> <methodCall> <methodName>wp.getUsersBlogs</methodName> <params> <param> <value>username</value> </param> <param> <value>password</value> </param> </params> </methodCall>' http://victimsite/xmlrpc.php

在每种情况下发回一个包含文本＆＃39; faultCode＆＃39; - 但它永远不会阻止请求，即使每个请求来自固定的IP地址。我的规则语法中是否存在问题，或者我是否可以调试此方法？

Answer 1

您不需要在Locationmatch＆＃34; /xmlrpc.php"
您可能需要＆＃39; SecResponseBodyAccess On＆＃39;位置块或链中的等效块在尝试检查RESPONSE_BODY之前

Answer 2

正确的解决方案原来是：

SecAction phase:1,nolog,pass,initcol:IP=%{REMOTE_ADDR},id:690010     
<LocationMatch "/xmlrpc(\.php)?$">
SecAction phase:2,nolog,pass,deprecatevar:ip.count_a=1/20,id:690010
SecRule IP:COUNT_A "@gt 5" "phase:2,deny,status:403,log,msg:'WAF Rules : XMLRPC - Ratelimited to one call in 20 seconds',id:690012"
SecRule RESPONSE_BODY "fault(Code|String)" "phase:4,pass,nolog,setvar:ip.count_a=+1,id:690013"
</LocationMatch>

ModSecurity速率限制登录失败

2 个答案: