机架攻击不会将任何IP列入黑名单

时间:2016-01-31 16:14:10

标签: ruby-on-rails security rack-middleware rackattack

这是我与rack-attack的第一次互动,所以请随时指出我在代码中可能遇到的任何错误。 我正在尝试的是将那些试图访问ip之类的路由的"/azenv.php", "/setup.php" etc..列入黑名单。由于这些人经常使用一些随机的.php网址,并且可能试图取下服务器,我认为开始阻止他们可能是一个好主意,但显然机架攻击并没有阻止试图访问上述网址的任何ip

我试图运行的代码块是:

class Rack::Attack

  Rack::Attack.whitelist('allow from localhost') do |req|
  # Requests are allowed if the return value is truthy
  '127.0.0.1' == req.ip || '::1' == req.ip || '122.166.130.230' == req.ip
  end

  Rack::Attack.blacklist("Block Referrer Analytics Spam") do |request|
    spammerList = ENV.has_key?("spammerList") ? ENV["spammerList"].split(',') : []
    spammerList.find { |spammer| request.referer =~ %r{#{spammer}} }
  end

  Rack::Attack.blacklist('bad_login_ip') do |req|
   (req.post? && req.path == "/users/sign_in" && IPCat.datacenter?(req.ip))
  end

  Rack::Attack.blacklist('Stupid IP for PHP') do |req|
    if req.path == "/azenv.php" || req.path == "/testproxy.php" || req.path == "//web/scripts/setup.php"
      req.ip
    end
    # req.path.include?(".php")
  end

  Rack::Attack.throttle('req/ip', limit: 300, period: 5.minutes) do |req|
    req.remote_ip if ['/assets', '/check'].any? {|path| req.path.starts_with? path }
  end

  Rack::Attack.throttle('req/ip', :limit => 5, :period => 20.seconds) do |req|
    if req.path == '/users/sign_in' && req.post?
      req.ip
    end
  end

  Rack::Attack.throttle("logins/email", :limit => 5, :period => 20.seconds) do |req|
    if req.path == '/users/sign_in' && req.post?
      # return the email if present, nil otherwise
      req.params['email'].presence
    end
  end
end

很少有人来自他们的维基。如果这里有任何问题,请更正。

更新

这是我在给定示例中尝试的一段代码:

Rack::Attack.blacklist('fail2ban pentesters') do |req|
  # `filter` returns truthy value if request fails, or if it's from a previously banned IP
  # so the request is blocked
    Rack::Attack::Fail2Ban.filter("pentesters-#{req.ip}", :maxretry => 1, :findtime => 10.minutes, :bantime => 5.minutes) do
      # The count for the IP is incremented if the return value is truthy
      req.path.include?('/testproxy.php') ||
      req.path.include?('azenv.php') 

    end
  end

2 个答案:

答案 0 :(得分:0)

@abhinay您能否澄清一下您希望被阻止哪些请求成功?

如果你想阻止来自已经提供一些PHP请求的IP地址的所有请求,你需要一个Fail2Ban,比如@frederickcheung建议。

自述文件和维基有例子。

答案 1 :(得分:0)

您是否尝试将环境变量移出块,

例如:

  spammerList = ENV.has_key?("spammerList") ? ENV["spammerList"].split(',') : []

  Rack::Attack.blacklist("Block Referrer Analytics Spam") do |request|
    spammerList.find { |spammer| request.referer =~ %r{#{spammer}} }
  end
相关问题
最新问题