Nginx 的 WAF 规则 LuaJIT 低危险版

防CC攻击规则

过滤阶段:请求阶段

规则描述:当一分钟访问/api/路径频率超过360次,则在5分钟内拦截该ip访问

规则内容:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
if not waf.startWith(waf.toLower(waf.uri), "/api/") then
return false
end

local sh = ngx.shared.ipCache
local ccIp = 'cc-' .. waf.ip
local c, f = sh:get(ccIp)
if not c then
sh:set(ccIp, 1, 60, 1) -- 设置1分钟也就是60秒访问计数时间
else
if f == 2 then
return waf.block(true) -- 重置TCP连接,不记录日志
end
sh:incr(ccIp, 1)
if c + 1 >= 360 then
sh:set(ccIp, c + 1, 300, 2) -- 设置5分钟也就是300秒拦截时间
return true, ccIp, true
end
end

return false

IIS报错检测

过滤阶段:返回页面

规则描述:IIS返回页面的报错可能会泄露服务器敏感信息

规则内容:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
local rgx = waf.rgxMatch
local rb = waf.respBody

local m = rgx(rb, "[a-z]:\\x5cinetpub\\b", "jo")
if m then
return m, rb, true
end

if waf.status == 500 then
local m = rgx(rb, "Microsoft OLE DB Provider for SQL Server(?:</font>.{1,20}?error '800(?:04005|40e31)'.{1,40}?Timeout expired| \\(0x80040e31\\)<br>Timeout expired<br>)|<h1>internal server error</h1>.*?<h2>part of the server has crashed or it has a configuration error\\.</h2>|cannot connect to the server: timed out", "jo")
if m then
return m, rb, true
end
local m = rgx(rb, "\\b(?:A(?:DODB\\.Command\\b.{0,100}?\\b(?:Application uses a value of the wrong type for the current operation\\b|error')| trappable error occurred in an external object\\. The script cannot continue running\\b)|Microsoft VBScript (?:compilation (?:\\(0x8|error)|runtime (?:Error|\\(0x8))\\b|Object required: '|error '800)|<b>Version Information:</b>(?:&nbsp;|\\s)(?:Microsoft \\.NET Framework|ASP\\.NET) Version:|>error 'ASP\\b|An Error Has Occurred|>Syntax error in string in query expression|/[Ee]rror[Mm]essage\\.aspx?\\?[Ee]rror\\b", "jo")
if m then
return m, rb, true
end
end

if waf.status == 404 then
local m = rgx(rb, "\\bServer Error in.{0,50}?\\bApplication\\b", "jo")
if m then
return m, rb, true
end
end

return false

php报错检测

过滤阶段:返回页面

规则描述:返回页面的php报错可能会泄露服务器敏感信息

规则内容:

1
2
3
4
5
6
7
8
9
10
11
local check = waf.plugins.phpErrorDetection.check
local rb = waf.respBody

if waf.status == 500 then
local m, d = check(rb)
if m then
return m, "php error: " .. d, true
end
end

return false

Java报错检测

过滤阶段:返回页面

规则描述:返回页面的java报错可能会泄露服务器敏感信息

规则内容:

1
2
3
4
5
6
7
8
9
10
11
local check = waf.plugins.javaErrorDetection.check
local rb = waf.respBody

if waf.status == 500 then
local m,d = check(rb)
if m then
return m, "Java error: " .. d, true
end
end

return false

请求方法加强

过滤阶段:请求阶段

规则描述:不常用的http请求方法会出现一些安全漏洞,如:历史上Apache平台TRACE请求方法出现过XSS相关漏洞

规则内容:

1
2
3
if not waf.rgxMatch(waf.method, "^(?:GET|HEAD|POST|PUT|DELETE|OPTIONS)$") then
return true, waf.method, true
end

本文链接:https://my.lmcjl.com/post/15861.html

展开阅读全文

4 评论

留下您的评论.