Question
Someone has been trying to crawl our site with random malicious URLs (for about 12 hours so far).
Here is the log file
2016-06-29 08:17:02 10.X.X.X GET /assets/plugins/lightbox/Images/url - 443 - 10.X.X.X Mozilla/5.0+(X11;+Ubuntu;+Linux+x86_64;+rv:47.0)+Gecko/20100101+Firefox/47.0 - 302 0 2 0 212.83.40.238
2016-06-29 08:17:02 10.X.X.X GET /assets/plugins/lightbox/Images/urlrewriter - 443 - 10.X.X.X Mozilla/5.0+(X11;+Ubuntu;+Linux+x86_64;+rv:47.0)+Gecko/20100101+Firefox/47.0 - 302 0 2 15 212.83.40.238
2016-06-29 08:17:02 10.X.X.X GET /assets/plugins/lightbox/Images/urls - 443 - 10.X.X.X Mozilla/5.0+(X11;+Ubuntu;+Linux+x86_64;+rv:47.0)+Gecko/20100101+Firefox/47.0 - 302 0 2 0 212.83.40.238
2016-06-29 08:17:03 10.X.X.X GET /assets/plugins/lightbox/Images/US - 443 - 10.X.X.X Mozilla/5.0+(X11;+Ubuntu;+Linux+x86_64;+rv:47.0)+Gecko/20100101+Firefox/47.0 - 302 0 2 0 212.83.40.238
2016-06-29 08:17:03 10.X.X.X GET /assets/plugins/lightbox/Images/usa - 443 - 10.X.X.X Mozilla/5.0+(X11;+Ubuntu;+Linux+x86_64;+rv:47.0)+Gecko/20100101+Firefox/47.0 - 302 0 2 0 212.83.40.238
2016-06-29 08:17:03 10.X.X.X GET /assets/plugins/lightbox/Images/us - 443 - 10.X.X.X Mozilla/5.0+(X11;+Ubuntu;+Linux+x86_64;+rv:47.0)+Gecko/20100101+Firefox/47.0 - 302 0 2 0 212.83.40.238
2016-06-29 08:17:04 10.X.X.X GET /assets/plugins/lightbox/Images/user - 443 - 10.X.X.X Mozilla/5.0+(X11;+Ubuntu;+Linux+x86_64;+rv:47.0)+Gecko/20100101+Firefox/47.0 - 302 0 2 0 212.83.40.238
2016-06-29 08:17:04 10.X.X.X GET /assets/plugins/lightbox/Images/usage - 443 - 10.X.X.X Mozilla/5.0+(X11;+Ubuntu;+Linux+x86_64;+rv:47.0)+Gecko/20100101+Firefox/47.0 - 302 0 2 15 212.83.40.238
2016-06-29 08:17:04 10.X.X.X GET /assets/plugins/lightbox/Images/user_upload - 443 - 10.X.X.X Mozilla/5.0+(X11;+Ubuntu;+Linux+x86_64;+rv:47.0)+Gecko/20100101+Firefox/47.0 - 302 0 2 0 212.83.40.238
So I installed ModSecurity and started with the experimental_rules\modsecurity_crs_11_proxy_abuse.conf file, since it seemed closest to what I need.
The problem is that the "@geoLookup" is performed on REMOTE_ADDR, which is always the same as my AWS Elastic Load Balancer (internal 10.x.x.x). How can I perform the "@geoLookup" on the X-Forwarded-For IP instead (which is always present behind an AWS Elastic Load Balancer)?
Here is what I have so far
SecGeoLookupDb GeoLiteCity.dat
SecRule REQUEST_HEADERS:X-Forwarded-For "^\b\d{1,3}(?<!192|127|10)\.\d{1,3}\.\d{1,3}\.\d{1,3}\b" "chain,phase:1,id:'992210',t:none,capture,block,rev:'2.2.9',msg:'Potential Open Proxy Abuse - GeoIP Country Code Mismatch of X-Forwarded-For Request Header and Client REMOTE_ADDR',logdata:'IP Country is: %{geo.country_code} and X-Forwarded-For is: %{tx.geo_x-forwarded-for}'"
SecRule TX:0 "@geoLookup" "chain,setvar:tx.geo_x-forwarded-for=%{geo.country_code},setvar:tx."
SecRule REMOTE_ADDR "@geoLookup" "chain,t:none"
SecRule GEO:COUNTRY_CODE "!@streq %{tx.geo_x-forwarded-for}" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}"
SecRule GEO:COUNTRY_CODE3 "!@streq USA" "id:'992211',phase:1,t:none,log,deny,msg:'Client IP not from USA'"
But I feel I don't yet have a good enough grasp of this odd language, since I was working on this from midnight until 4 a.m. last night and my brain hurts.
Answer 1
They are right that nothing good happens after midnight.
In case anyone else needs it, here is the solution:
SecGeoLookupDb GeoLiteCity.dat
SecRule REQUEST_HEADERS:X-FORWARDED-FOR "@geoLookup" "id:'992210',phase:1,t:none,pass,nolog"
SecRule GEO:COUNTRY_CODE3 "!@streq USA" "id:'992211',phase:1,t:none,log,deny,msg:'Client IP not from USA'"
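As an added example (not part of the question or the answer, and not ModSecurity code), the following Python shows the two checks a defender wants around the accepted solution: which entry of X-Forwarded-For can actually be trusted, and how the scanning pattern in the question's log can be picked out per client once that entry is known. The parser assumes the IIS W3C field layout visible in the question's log (the last field being X-Forwarded-For as logged by IIS, with spaces inside a field written as '+'); the log lines are constructed, and the addresses come from documentation ranges. The helper names (`client_ip`, `find_scanners`, `trusted_hops`) are this example's own.

```python
"""Trusting X-Forwarded-For behind an AWS ELB, and counting probed paths per client.

Each proxy appends the peer address it saw to X-Forwarded-For, so the rightmost
entry was written by the ELB and everything to its left is client-supplied. A
geo or block rule that reads the header from the left can be steered by the
client; reading from the right cannot.
"""
import ipaddress
from collections import defaultdict

# Constructed sample in the IIS W3C layout of the question's log. Line 5 carries
# a client-supplied loopback entry in front of the address the ELB appended.
SAMPLE_LOG = """\
2016-06-29 08:17:02 10.0.0.5 GET /assets/plugins/lightbox/Images/url - 443 - 10.0.0.9 Mozilla/5.0+(X11) - 302 0 2 0 203.0.113.7
2016-06-29 08:17:02 10.0.0.5 GET /assets/plugins/lightbox/Images/urls - 443 - 10.0.0.9 Mozilla/5.0+(X11) - 302 0 2 0 203.0.113.7
2016-06-29 08:17:03 10.0.0.5 GET /assets/plugins/lightbox/Images/user - 443 - 10.0.0.9 Mozilla/5.0+(X11) - 302 0 2 0 203.0.113.7
2016-06-29 08:17:03 10.0.0.5 GET /index.html - 443 - 10.0.0.9 Mozilla/5.0+(X11) - 200 0 0 4 198.51.100.20
2016-06-29 08:17:04 10.0.0.5 GET /login - 443 - 10.0.0.9 Mozilla/5.0+(X11) - 200 0 0 4 127.0.0.1,+198.51.100.21
"""

# Field order of the IIS W3C lines above (assumed from the question's log).
FIELDS = ("date", "time", "s_ip", "method", "path", "query", "port", "user",
          "c_ip", "ua", "referer", "status", "substatus", "win32", "took", "xff")

# Address ranges that can never be an Internet client; anything here at the
# trusted position means the header is malformed or the hop count is wrong.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def parse_line(line):
    """Split one IIS W3C log line into a dict keyed by FIELDS, or None if malformed."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def client_ip(xff, trusted_hops=0):
    """Return the client address the load balancer recorded in X-Forwarded-For.

    trusted_hops is the number of trusted proxies between the ELB and the web
    server whose own entries sit to the right of the client's (0 when the ELB
    talks to the web server directly, as in the question). Returns None when
    no routable address is found at that position.
    """
    hops = [h.strip(" +") for h in xff.split(",") if h.strip(" +")]
    if len(hops) <= trusted_hops:
        return None
    candidate = hops[-1 - trusted_hops]  # read from the right, never the left
    try:
        addr = ipaddress.ip_address(candidate)
    except ValueError:
        return None
    if addr.is_multicast or any(addr in net for net in NON_ROUTABLE):
        return None
    return str(addr)


def find_scanners(log_text, threshold=3, statuses=("302", "404")):
    """Map client -> number of distinct paths it probed that were answered with
    one of `statuses`, keeping only clients at or above `threshold` paths.

    The question's site redirects unknown paths (302), so a run of distinct
    redirected paths from one client is the scanning signature to count.
    """
    probed = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] not in statuses:
            continue
        client = client_ip(rec["xff"])
        if client is None:
            continue
        probed[client].add(rec["path"])
    return {ip: len(paths) for ip, paths in probed.items() if len(paths) >= threshold}


if __name__ == "__main__":
    for ip, count in find_scanners(SAMPLE_LOG).items():
        print(f"{ip} probed {count} distinct redirected paths")
    print("trusted client of spoofed header:",
          client_ip("127.0.0.1,+198.51.100.21"))
```

The regex in the question tries to reject private addresses at the front of the header with a negative lookbehind; reading the header from the right makes that unnecessary, because the entry the ELB appended is the only one the client did not control. The same rule applies to the accepted ModSecurity answer: if a client sends its own X-Forwarded-For, the header reaching the server holds two entries, and only the last one is the address the ELB saw.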