fail2ban configuration to block attacks on the Magento Payflow endpoint


Here is the report on blocking DDoS attacks against the Magento payment gateway: https://support.magento.com/hc/en-us/articles/360025515991-PayPal-Payflow-Pro-active-carding-activity

I am trying to create a Fail2Ban rule to rate-limit access to the "/paypal/transparent/requestSecureToken/" URL.

Here are some rules I have tried that do not work:

fail2ban-regex /etc/fail2ban/test.log '<HOST> - - \[.*?\] "GET /paypal/transparent/requestSecureToken/ HTTP/1.1" 200' |grep ^Lines
fail2ban-regex /etc/fail2ban/test.log '<HOST>.* "(GET|POST) \/paypal\/transparent\/requestSecureToken\/ HTTP\/.\..".*$' |grep ^Lines
fail2ban-regex /etc/fail2ban/test.log '<HOST> - - \[(\d{2})/\w{3}/\d{4}:\1:\1:\1 -\d{4}\] "GET /paypal/transparent/requestSecureToken/ HTTP/1.1".*$' |grep ^Lines
fail2ban-regex /etc/fail2ban/test.log '^<HOST> -.*"(GET|POST) \/paypal\/transparent\/requestSecureToken\/ HTTP\/.\..".*$' |grep ^Lines
fail2ban-regex /etc/fail2ban/test.log '^<HOST> -.*"(GET|POST|HEAD).*HTTP.*"(?:%(badbots)s|%(badbotscustom)s)"$' |grep ^Lines
fail2ban-regex /etc/fail2ban/test.log '<HOST>.*"(GET|POST) \/paypal\/transparent\/requestSecureToken\/ HTTP\/.\..".*$' |grep ^Lines
fail2ban-regex /etc/fail2ban/test.log '^<HOST>.* "(GET|POST) \/paypal\/transparent\/requestSecureToken\/ HTTP\/.\..".*$' |grep ^Lines
fail2ban-regex /etc/fail2ban/test.log '<HOST> - - \[.*?\] "GET \/paypal\/transparent\/requestSecureToken\/ HTTP\/" 200' |grep ^Lines
fail2ban-regex /etc/fail2ban/test.log '<HOST> - - \[(\d{2})/\w{3}/\d{4}:\1:\1:\1 -\d{4}\] "GET \/paypal\/transparent\/requestSecureToken\/ HTTP\/".*$' |grep ^Lines

Here are a few lines from my Apache access log:

104.200.152.54 - - [23/Mar/2019:00:02:20 -0700] "GET / HTTP/1.1" 200 31417 "-" "Mozilla/5.0 (compatible; monitis - premium monitoring service; http://www.monitis.com)"
70.35.205.208 - - [23/Mar/2019:00:02:22 -0700] "GET /paypal/transparent/requestSecureToken/ HTTP/1.1" 302 917 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36"
70.35.205.208 - - [23/Mar/2019:00:02:22 -0700] "GET /paypal/transparent/requestSecureToken/ HTTP/1.1" 302 917 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36"
70.35.205.208 - - [23/Mar/2019:00:02:22 -0700] "GET /paypal/transparent/requestSecureToken/ HTTP/1.1" 200 4164 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36"
157.55.39.150 - - [23/Mar/2019:00:02:21 -0700] "GET /products/diagnostic-kits/elisa/cow-elisa/cow-probable-atp-dependent-rna-helicase-dhx36-dhx36-elisa-kit.html HTTP/1.1" 200 37613 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

Can someone suggest the correct regex? This will help thousands of websites prevent being hacked.
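As an added example (not part of the question and not fail2ban's own code), the script below emulates what fail2ban-regex followed by a maxretry/findtime window would do against the posted log lines, so a candidate failregex can be checked offline. It assumes the `<HOST>` tag expands the way fail2ban 0.9's filter.py does (newer releases expand it differently, so confirm with fail2ban-regex before deploying), and the user-agent strings from the sample are shortened. The candidate regex deliberately does not pin the status code, because the sample shows the endpoint answering 302 as well as 200.

```python
import re
from collections import defaultdict
from datetime import datetime

# The access-log lines from the question, embedded (user agents shortened) so this runs offline.
LOG_LINES = [
    '104.200.152.54 - - [23/Mar/2019:00:02:20 -0700] "GET / HTTP/1.1" 200 31417 "-" "Mozilla/5.0 (compatible; monitis)"',
    '70.35.205.208 - - [23/Mar/2019:00:02:22 -0700] "GET /paypal/transparent/requestSecureToken/ HTTP/1.1" 302 917 "-" "Mozilla/5.0"',
    '70.35.205.208 - - [23/Mar/2019:00:02:22 -0700] "GET /paypal/transparent/requestSecureToken/ HTTP/1.1" 302 917 "-" "Mozilla/5.0"',
    '70.35.205.208 - - [23/Mar/2019:00:02:22 -0700] "GET /paypal/transparent/requestSecureToken/ HTTP/1.1" 200 4164 "-" "Mozilla/5.0"',
    '157.55.39.150 - - [23/Mar/2019:00:02:21 -0700] "GET /products/diagnostic-kits/elisa/cow-elisa/x.html HTTP/1.1" 200 37613 "-" "Mozilla/5.0 (compatible; bingbot/2.0)"',
]

# Candidate failregex in fail2ban syntax: any GET or POST for the token endpoint, whatever
# the status code (a regex that requires " 200" would miss two of the three hits above).
FAILREGEX = r'^<HOST> .*"(?:GET|POST) /paypal/transparent/requestSecureToken/ HTTP/[\d.]+" \d{3} '

# Assumption: the <HOST> expansion used by fail2ban 0.9's filter.py.
HOST_TAG = r'(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)'

# Apache combined-log timestamp, e.g. [23/Mar/2019:00:02:22 -0700]
APACHE_TIME = re.compile(r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]')


def compile_failregex(failregex):
    """Turn a fail2ban-style failregex (with <HOST>) into a Python pattern."""
    return re.compile(failregex.replace('<HOST>', HOST_TAG))


def match_hits(lines, failregex):
    """Return (host, epoch_seconds) for every line the failregex matches."""
    pattern = compile_failregex(failregex)
    hits = []
    for line in lines:
        m = pattern.search(line)
        t = APACHE_TIME.search(line)
        if m and t:
            ts = datetime.strptime(t.group(1), '%d/%b/%Y:%H:%M:%S %z').timestamp()
            hits.append((m.group('host'), ts))
    return hits


def hosts_to_ban(lines, failregex, maxretry, findtime):
    """Emulate fail2ban's window: a host is banned once it has maxretry hits within findtime seconds."""
    per_host = defaultdict(list)
    for host, ts in match_hits(lines, failregex):
        per_host[host].append(ts)
    banned = set()
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > findtime:   # slide the window forward
                start += 1
            if end - start + 1 >= maxretry:
                banned.add(host)
                break
    return banned
```

Run with the question's own candidates as the failregex argument to see which ones match the sample lines and which hosts would trip a given maxretry/findtime.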
