Update: I edited this and added the fail2ban tag. Perhaps that may be another way to handle this.
I am running phpbb 3.0.13-PL1 and I want to protect the login page against brute force. I was wondering if someone could tell me which php page I should put under LocationMatch. It looks like ucp.php?mode=login is the login page, but that is also the user control panel, and I don't want to accidentally lock people out of core forum functionality. Does anyone know the correct php page for LocationMatch? Also, is the RESPONSE_STATUS correct for PHPBB? The code below should ban a user if there are 10 failed PHPBB login attempts within 3 minutes.
/etc/modsecurity/modsecurity_custom_rules.conf:
# PHPBB Bruteforce Protection
SecDataDir /tmp
SecAuditLogType Concurrent
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:5000134
<LocationMatch "ucp.php?mode=login">
# Setup brute force detection.
# React if block flag has been set.
SecRule user:bf_block "@gt 0" "deny,status:401,log,auditlog,msg:'10 PHPBB failed login attempts in 3 minutes.',severity:'2',id:5000135,tag:'PHPBB/BRUTEFORCE'"
# Setup Tracking. On a successful login, a 302 redirect is performed, a 200 indicates login failed.
SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"
SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137"
SecRule ip:bf_counter "@gt 10" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
</LocationMatch>
In case it helps, here is my mod_security version info:
[notice] ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/) configured.
[notice] ModSecurity: APR compiled version="1.4.6"; loaded version="1.4.6"
[notice] ModSecurity: PCRE compiled version="8.30"; loaded version="8.30 2012-02-04"
[notice] ModSecurity: LUA compiled version="Lua 5.1"
[notice] ModSecurity: LIBXML compiled version="2.8.0"
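As an added illustration (not part of the question and not ModSecurity code), the following Python model shows how the ip.bf_counter and user.bf_block variables in the rules above evolve under the assumed semantics of deprecatevar (counter drops by 1 per full 180 s of inactivity) and expirevar (block flag lapses after 300 s). It makes the threshold visible: with "@gt 10", the flag is set on the 11th failed attempt inside the decay window, not the 10th.

```python
"""Constructed model of the counter/decay/expiry logic in the ModSecurity rules.
Assumptions (not verified against ModSecurity source): deprecatevar lowers the
variable by `decay_step` for every full `decay_period` seconds since its last
update; expirevar removes the block flag `block_ttl` seconds after it is set."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class BruteForceTracker:
    threshold: int = 10        # "@gt 10": the 11th failure sets the flag
    decay_step: int = 1        # deprecatevar:ip.bf_counter=1/180 -> 1 ...
    decay_period: int = 180    # ... per 180 seconds
    block_ttl: int = 300       # expirevar:user.bf_block=300
    counter: int = 0           # ip.bf_counter
    last_update: float = 0.0   # time of the last counter change
    block_until: Optional[float] = None  # user.bf_block expiry, None = unset

    def _apply_decay(self, now: float) -> None:
        steps = int((now - self.last_update) // self.decay_period)
        if steps > 0:
            self.counter = max(0, self.counter - steps * self.decay_step)

    def is_blocked(self, now: float) -> bool:
        """Request-phase check: user:bf_block "@gt 0" -> deny,status:401."""
        if self.block_until is not None and now < self.block_until:
            return True
        self.block_until = None  # expirevar: the flag has lapsed
        return False

    def record_response(self, status: int, now: float) -> bool:
        """Phase-5 tracking: 302 = login succeeded (reset), 200 = login form
        redisplayed (failure). Returns True when this response sets the flag."""
        if status == 302:
            self.counter = 0
            self.last_update = now
            return False
        if status != 200:
            return False  # other statuses are not matched by either rule
        self._apply_decay(now)
        self.counter += 1
        self.last_update = now
        if self.counter > self.threshold:       # chained rule: ip:bf_counter "@gt 10"
            self.block_until = now + self.block_ttl
            self.counter = 0
            return True
        return False
```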