App-waf,一个简单的waf模块。
用来实时探测web非法访问,统计非法访问的ip,web状态,访问url,来源weburl。结合iptables可以实现实现实时封禁。
实例说明见example目录(包括日志)
use App::Waf;my $filename = "example.acess";#日志文件my $numlines = 50000; #要处理的行数,从后读。my $line=tail($filename,$$numlines); ($log,$zcount,$zip,$zrequrl,$zstatus,$siteurl)=initCount($line);print "==============Attack Summary ==================\n";print "\nThe total attack count: $zcount \n";print "\nThe count from source IP: \n\n";print "$_\=> $zip->{$_} \n" for(sort keys %{$zip});print "The count From request Url: \n\n";print "$_\=> $zrequrl->{$_} \n" for(sort keys %{$zrequrl});print "\n\nThe count From Http Status: \n\n";print "$_\=> $zstatus->{$_} \n" for(sort keys %{$zstatus});print "\n\nThe count From Site Url: \n\n";print "$_\=> $siteurl->{$_} \n" for(sort keys %{$siteurl});结合nginx和iptables进行实时banip的实例(example/banip.pl)
加入crontab每5分钟执行一次。
echo "*/5 * * * * perl $dir/banip.pl >> bianip.logs 2>&1 " >> /var/spool/cron/root结果展示
==============AttackSummary==================
The total attack count: 131The count from source IP:103.248.223.116=> 19103.37.3.202=> 2106.39.200.46=> 3107.151.213.123=> 1115.148.98.127=> 2180.76.6.51=> 9959.42.147.17=> 464.16.214.100=> 1ThecountFromrequestUrl:
/?cat=%0acat%20/etc/passwd%0a&paged=3=> 1/?cat=%22%26cat%20/etc/passwd%26%22&paged=3=> 1/?cat=%22;print(md5(acunetix_wvs_security_test));%24a%3d%22&paged=2=> 1/?cat=%22;print(md5(acunetix_wvs_security_test));%24a%3d%22&paged=3=> 1/?cat=%24%7b%40print(md5(acunetix_wvs_security_test))%7d%5c&paged=2=> 1/?cat=%24%7b%40print(md5(acunetix_wvs_security_test))%7d%5c&paged=3=> 1/?cat=%24%7b%40print(md5(acunetix_wvs_security_test))%7d&paged=2=> 1/?cat=%24%7b%40print(md5(acunetix_wvs_security_test))%7d&paged=3=> 1/?cat=%26cat%20/etc/passwd%26&paged=3=> 1/?cat=%60cat%20/etc/passwd%60&paged=3=> 1/?cat=%7ccat%20/etc/passwd%23&paged=3=> 1/?cat='%26cat%20/etc/passwd%26'&paged=3=> 1/?cat=';print(md5(acunetix_wvs_security_test));%24a%3d'&paged=2=> 1/?cat=';print(md5(acunetix_wvs_security_test));%24a%3d'&paged=3=> 1/?cat=(select(0)from(select(sleep(15)))v)/*'%2b(select(0)from(select(sleep(15)))v)%2b'%22%2b(select(0)from(select(sleep(15)))v)%2b%22*/&paged=3=> 4/?cat=.%5c%5c./.%5c%5c./.%5c%5c./.%5c%5c./.%5c%5c./.%5c%5c./etc/passwd&paged=3=> 1/?cat=..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afetc/passwd&paged=3=> 1
评论