App-waf,一个简单的 waf 模块。
用来实时探测 web 非法访问,统计非法访问的 ip,web状态,访问 url,来源 web url。结合 iptables 可以实现实现实时封禁。
实例说明见 example 目录(包括日志)
use App::Waf; my $filename = "example.acess";#日志文件 my $numlines = 50000; #要处理的行数,从后读。 my $line=tail($filename,$$numlines); ($log,$zcount,$zip,$zrequrl,$zstatus,$siteurl)=initCount($line); print "==============Attack Summary ==================\n"; print "\nThe total attack count: $zcount \n"; print "\nThe count from source IP: \n\n"; print "$_\=> $zip->{$_} \n" for(sort keys %{$zip}); print "The count From request Url: \n\n"; print "$_\=> $zrequrl->{$_} \n" for(sort keys %{$zrequrl}); print "\n\nThe count From Http Status: \n\n"; print "$_\=> $zstatus->{$_} \n" for(sort keys %{$zstatus}); print "\n\nThe count From Site Url: \n\n"; print "$_\=> $siteurl->{$_} \n" for(sort keys %{$siteurl});
结合 nginx 和 iptables 进行实时 banip 的实例(example/banip.pl)
加入crontab 每 5 分钟执行一次。
echo "*/5 * * * * perl $dir/banip.pl >> bianip.logs 2>&1 " >> /var/spool/cron/root
结果展示
==============Attack Summary ==================
The total attack count: 131 The count from source IP: 103.248.223.116=> 19 103.37.3.202=> 2 106.39.200.46=> 3 107.151.213.123=> 1 115.148.98.127=> 2 180.76.6.51=> 99 59.42.147.17=> 4 64.16.214.100=> 1
The count From request Url:
/?cat=%0acat%20/etc/passwd%0a&paged=3=> 1 /?cat=%22%26cat%20/etc/passwd%26%22&paged=3=> 1 /?cat=%22;print(md5(acunetix_wvs_security_test));%24a%3d%22&paged=2=> 1 /?cat=%22;print(md5(acunetix_wvs_security_test));%24a%3d%22&paged=3=> 1 /?cat=%24%7b%40print(md5(acunetix_wvs_security_test))%7d%5c&paged=2=> 1 /?cat=%24%7b%40print(md5(acunetix_wvs_security_test))%7d%5c&paged=3=> 1 /?cat=%24%7b%40print(md5(acunetix_wvs_security_test))%7d&paged=2=> 1 /?cat=%24%7b%40print(md5(acunetix_wvs_security_test))%7d&paged=3=> 1 /?cat=%26cat%20/etc/passwd%26&paged=3=> 1 /?cat=%60cat%20/etc/passwd%60&paged=3=> 1 /?cat=%7ccat%20/etc/passwd%23&paged=3=> 1 /?cat='%26cat%20/etc/passwd%26'&paged=3=> 1 /?cat=';print(md5(acunetix_wvs_security_test));%24a%3d'&paged=2=> 1 /?cat=';print(md5(acunetix_wvs_security_test));%24a%3d'&paged=3=> 1 /?cat=(select(0)from(select(sleep(15)))v)/*'%2b(select(0)from(select(sleep(15)))v)%2b'%22%2b(select(0)from(select(sleep(15)))v)%2b%22* /&paged=3=> 4 /?cat=.%5c%5c./.%5c%5c./.%5c%5c./.%5c%5c./.%5c%5c./.%5c%5c./etc/passwd&paged=3=> 1 /?cat=..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afetc/passwd&paged=3=> 1
