From 0fd966ca6581a5f3eb122c9509752f737ca9f76d Mon Sep 17 00:00:00 2001
From: midoks
Date: Mon, 10 Oct 2022 02:14:31 +0800
Subject: [PATCH] up
---
 plugins/op_waf/conf/luawaf.conf | 4 ++--
 plugins/op_waf/index.py | 2 +-
 plugins/op_waf/t/cc.py | 7 ------
 plugins/op_waf/t/index.py | 24 +++++++++++++++++++++----
 plugins/op_waf/waf/config.json | 2 +-
 plugins/op_waf/waf/lua/common.lua | 4 +++-
 plugins/op_waf/waf/lua/init.lua | 40 +++++++++++++++++++++++++----------
 7 files changed, 54 insertions(+), 29 deletions(-)
 delete mode 100644 plugins/op_waf/t/cc.py
diff --git a/plugins/op_waf/conf/luawaf.conf b/plugins/op_waf/conf/luawaf.conf
index 985cfca01..336df56a1 100755
--- a/plugins/op_waf/conf/luawaf.conf
+++ b/plugins/op_waf/conf/luawaf.conf
@@ -1,6 +1,6 @@
 lua_shared_dict limit 30m;
-lua_shared_dict drop_ip 30m;
-lua_shared_dict drop_sum 30m;
+lua_shared_dict drop_ip 10m;
+lua_shared_dict drop_sum 10m;
 lua_package_path "{$WAF_PATH}/lua/?.lua;{$ROOT_PATH}/openresty/lualib/?.lua;;";
 access_by_lua_file {$WAF_PATH}/lua/init.lua;
diff --git a/plugins/op_waf/index.py b/plugins/op_waf/index.py
index 15b83859a..eb816be3b 100755
--- a/plugins/op_waf/index.py
+++ b/plugins/op_waf/index.py
@@ -111,7 +111,7 @@ def initSiteInfo():
 tmp['log'] = True
 tmp['get'] = True
 tmp['post'] = True
- tmp['open'] = False
+ tmp['open'] = True
 tmp['cc'] = config_contents['cc']
 tmp['retry'] = config_contents['retry']
diff --git a/plugins/op_waf/t/cc.py b/plugins/op_waf/t/cc.py
deleted file mode 100644
index 3ad1ef97d..000000000
--- a/plugins/op_waf/t/cc.py
+++ /dev/null
@@ -1,7 +0,0 @@
-# coding:utf-8
-
-import sys
-import io
-import os
-import time
-import json
diff --git a/plugins/op_waf/t/index.py b/plugins/op_waf/t/index.py
index 59654236b..b2c43bb12 100644
--- a/plugins/op_waf/t/index.py
+++ b/plugins/op_waf/t/index.py
@@ -20,6 +20,7 @@ from random import Random
 TEST_URL = "http://t1.cn/"
+# TEST_URL = "https://www.zzzvps.com/"
 def httpGet(url, timeout=10):
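Review bot: Shrinking `drop_ip` and `drop_sum` to 10m changes what happens when the zones fill: `ngx.shared.DICT:set` evicts least-recently-used entries when it cannot allocate, so once enough distinct addresses are banned the oldest bans are silently dropped rather than the write failing. If the reduction is deliberate, add a comment on the two directives recording the entry count they were sized for, and consider `safe_set` (which returns a "no memory" error instead of evicting) for the ban writes in init.lua so capacity exhaustion shows up in the error log instead of as a lost ban.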
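Review bot: `tmp['open'] = True` flips the default WAF state for a site record built by initSiteInfo() from off to on, and neither the hunk nor the commit message ("up") says why; a default that presumably turns enforcement on for every site the function initialises deserves a comment, e.g. `tmp['open'] = True  # WAF on by default for sites initialised here`. initSiteInfo's body starts and ends outside the hunk, so I cannot tell whether a stored per-site setting is merged over this default afterwards; if it is, say so on the same line.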
@@ -131,11 +132,26 @@ def test_scan():
 print("scan test end")
+def test_CC():
+ '''
+ 目录保存
+ '''
+ url = TEST_URL + 'ok.txt'
+ print("CC test start")
+
+ for x in range(122):
+ url_val = httpGet(url, 10)
+ print(url_val)
+
+ print("CC test end")
+
+
 def test_start():
- test_Dir()
- test_UA()
- test_POST()
- test_scan()
+ # test_Dir()
+ # test_UA()
+ # test_POST()
+ # test_scan()
+ test_CC()
 if __name__ == "__main__":
diff --git a/plugins/op_waf/waf/config.json b/plugins/op_waf/waf/config.json
index 92bbed594..c9835d484 100755
--- a/plugins/op_waf/waf/config.json
+++ b/plugins/op_waf/waf/config.json
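Review bot: `test_start()` now has every existing call commented out and runs only `test_CC()`, so the committed entry point no longer exercises the Dir/UA/POST/scan checks; keep the original calls and append `test_CC()`, or gate the CC run behind an argument, instead of committing the debugging state. The docstring of test_CC, `目录保存` ("directory save"), does not describe the function; `'''Send 122 GET requests to TEST_URL + 'ok.txt' and print each response, enough to exceed the configured cc limit.'''` does. The loop only prints responses and asserts nothing, so it can never fail; at minimum compare the responses received after the limit with the earlier ones. The unused loop variable `x` should be `_`, and the 122 appears chosen to exceed the `"limit": 120` in waf/config.json, a relation worth stating in a comment (or deriving from the config) so the two do not drift apart.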
@@ -1 +1 @@ -{"reqfile_path": "{$WAF_PATH}/html", "retry": {"retry_time": 180, "is_open_global": 0, "retry": 6, "retry_cycle": 60}, "log": true, "scan": {"status": 444, "ps": "\u8fc7\u6ee4\u5e38\u89c1\u626b\u63cf\u6d4b\u8bd5\u5de5\u5177\u7684\u6e17\u900f\u6d4b\u8bd5", "open": true, "reqfile": ""}, "cc": {"status": 444, "ps": "\u8fc7\u8651CC\u653b\u51fb", "limit": 120, "endtime": 300, "open": true, "reqfile": "", "cycle": 60}, "get": {"status": 403, "ps": "\u8fc7\u6ee4uri\u3001uri\u53c2\u6570\u4e2d\u5e38\u89c1sql\u6ce8\u5165\u3001xss\u7b49\u653b\u51fb", "open": true, "reqfile": "get.html"}, "log_save": 30, "user-agent": {"status": 403, "ps": "\u901a\u5e38\u7528\u4e8e\u8fc7\u6ee4\u6d4f\u89c8\u5668\u3001\u8718\u86db\u53ca\u4e00\u4e9b\u81ea\u52a8\u626b\u63cf\u5668", "open": true, "reqfile": "user_agent.html"}, "other": {"status": 403, "ps": "\u5176\u5b83\u975e\u901a\u7528\u8fc7\u6ee4", "reqfile": "other.html"}, "cookie": {"status": 403, "ps": "\u8fc7\u6ee4\u5229\u7528Cookie\u53d1\u8d77\u7684\u6e17\u900f\u653b\u51fb", "open": true, "reqfile": "cookie.html"}, "logs_path": "/www/wwwlogs/btwaf", "post": {"status": 403, "ps": "\u8fc7\u6ee4POST\u53c2\u6570\u4e2d\u5e38\u89c1sql\u6ce8\u5165\u3001xss\u7b49\u653b\u51fb", "open": true, "reqfile": "post.html"}, "open": true} \ No newline at end of file +{"reqfile_path": "{$WAF_PATH}/html", "retry": {"retry_time": 180, "is_open_global": 0, "retry": 6, "retry_cycle": 60}, "log": true, "scan": {"status": 444, "ps": "\u8fc7\u6ee4\u5e38\u89c1\u626b\u63cf\u6d4b\u8bd5\u5de5\u5177\u7684\u6e17\u900f\u6d4b\u8bd5", "open": true, "reqfile": ""}, "cc": {"status": 444, "ps": "\u8fc7\u8651CC\u653b\u51fb", "limit": 120, "endtime": 300, "open": true, "reqfile": "", "cycle": 60}, "get": {"status": 403, "ps": "\u8fc7\u6ee4uri\u3001uri\u53c2\u6570\u4e2d\u5e38\u89c1sql\u6ce8\u5165\u3001xss\u7b49\u653b\u51fb", "open": true, "reqfile": "get.html"}, "log_save": 30, "user-agent": {"status": 403, "ps": 
"\u901a\u5e38\u7528\u4e8e\u8fc7\u6ee4\u6d4f\u89c8\u5668\u3001\u8718\u86db\u53ca\u4e00\u4e9b\u81ea\u52a8\u626b\u63cf\u5668", "open": true, "reqfile": "user_agent.html"}, "other": {"status": 403, "ps": "\u5176\u5b83\u975e\u901a\u7528\u8fc7\u6ee4", "reqfile": "other.html"}, "cookie": {"status": 403, "ps": "\u8fc7\u6ee4\u5229\u7528Cookie\u53d1\u8d77\u7684\u6e17\u900f\u653b\u51fb", "open": true, "reqfile": "cookie.html"}, "logs_path": "/www/wwwlogs/waf", "post": {"status": 403, "ps": "\u8fc7\u6ee4POST\u53c2\u6570\u4e2d\u5e38\u89c1sql\u6ce8\u5165\u3001xss\u7b49\u653b\u51fb", "open": true, "reqfile": "post.html"}, "open": true} \ No newline at end of file diff --git a/plugins/op_waf/waf/lua/common.lua b/plugins/op_waf/waf/lua/common.lua index 22c6838ef..ac091aa5f 100644 --- a/plugins/op_waf/waf/lua/common.lua +++ b/plugins/op_waf/waf/lua/common.lua @@ -208,7 +208,8 @@ end function _M.write_drop_ip(self, is_drop, drop_time) - local filename = self.cpath .. 'drop_ip.log' + local filename = self.logdir .. 'drop_ip.log' + local fp = io.open(filename,'ab') local server_name = self.params["server_name"] local ip = self.params["server_name"] @@ -378,6 +379,7 @@ end function _M.ngx_match_string(self, rules, content,sign) + local t = self:is_ngx_match_orgin(rules, content, sign) if t then return true diff --git a/plugins/op_waf/waf/lua/init.lua b/plugins/op_waf/waf/lua/init.lua index f9784891a..2ebdc8bf7 100644 --- a/plugins/op_waf/waf/lua/init.lua +++ b/plugins/op_waf/waf/lua/init.lua 
@@ -191,17 +191,31 @@ function waf_user_agent()
 return false
 end
-function cc()
+function waf_cc()
 local ip = params['ip']
 local request_uri = params['request_uri']
 local endtime = config['cc']['endtime']
- if not config['cc']['open'] or not site_cc then return false end
+ if not config['cc']['open'] or not C:is_site_config('cc') then return false end
+
+ local ip_lock = ngx.shared.drop_ip:get(ip)
+ if ip_lock then
+ if ip_lock > 0 then
+ ngx.exit(config['cc']['status'])
+ return true
+ end
+ end
+
 local token = ngx.md5(ip .. '_' .. request_uri)
- local count,_ = ngx.shared.limit:get(token)
+ local count = ngx.shared.limit:get(token)
+
+ local limit = config['cc']['limit']
+ local cycle = config['cc']['cycle']
+
 if count then
- if count > limit then
- local safe_count,_ = ngx.shared.drop_sum:get(ip)
+ if count > limit then
+
+ local safe_count, _ = ngx.shared.drop_sum:get(ip)
 if not safe_count then
 ngx.shared.drop_sum:set(ip,1,86400)
 safe_count = 1
@@ -210,22 +224,19 @@ function cc()
 end
 local lock_time = (endtime * safe_count)
 if lock_time > 86400 then lock_time = 86400 end
- ngx.shared.drop_ip:set(ip,retry+1,lock_time)
+
+ ngx.shared.drop_ip:set(ip,1,lock_time)
+
 C:write_log('cc',cycle..'秒内累计超过'..limit..'次请求,封锁' .. lock_time .. '秒')
 C:write_drop_ip('cc',lock_time)
- if not server_name then
- insert_ip_list(ip,lock_time,os.time(),'1111')
- else
- insert_ip_list(ip,lock_time,os.time(),server_name)
- end
-
+
 ngx.exit(config['cc']['status'])
 return true
 else
 ngx.shared.limit:incr(token,1)
 end
 else
- ngx.shared.limit:set(token,1,cycle)
+ ngx.shared.limit:set(token, 1, cycle)
 end
 end
@@ -575,6 +586,9 @@ function waf()
 -- black ip
 waf_ip_black()
+ -- cc setting
+ waf_cc()
+
 waf_drop()
 waf_user_agent()
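Review bot: The rate counter in waf_cc is keyed on `ngx.md5(ip .. '_' .. request_uri)`, so `count` only grows for repeated requests to the identical request_uri (query string included) and the per-cycle limit is effectively per URI rather than per client; if the intent is to cap a client's request rate, key the token on `ip` alone, or on the path without query arguments (`ngx.var.uri`), and state which in a comment above the `local token` line. The new early exit `ngx.exit(config['cc']['status'])` is followed by `return true`, but `ngx.exit` with a status of 200 or above does not return to the caller, so that `return true` is unreachable; `return ngx.exit(config['cc']['status'])` makes the termination explicit. The `ip_lock > 0` test is always true when the key exists, because the only writer in the next hunk stores 1, so `if ip_lock then` alone would do. waf_cc continues into the following hunk.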
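Review bot: The first request in a cycle still takes the `get` then `set(token, 1, cycle)` path and later ones `incr(token,1)`, so two requests that race on an unset key both observe nil and both store 1, undercounting the window; the ban write is atomic but the limit counter is not. lua-nginx-module's `ngx.shared.DICT:incr(key, value, init, init_ttl)` can replace both branches with `local count = ngx.shared.limit:incr(token, 1, 0, cycle)` if the bundled OpenResty is recent enough to support `init_ttl`; confirm the version before relying on it. Replacing `retry+1` with 1 in `ngx.shared.drop_ip:set(ip,1,lock_time)` also drops the `insert_ip_list(...)` record the old code wrote, so the ban now exists only in the shared dict and the drop_ip.log line; if anything else consumed that list (not visible here), it needs updating. waf_cc starts in the previous hunk.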
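Review bot: The comment `-- cc setting` above the new `waf_cc()` call describes a check, not a setting; `-- cc (request-rate) check` matches the neighbouring `-- black ip` better. waf() ignores waf_cc's boolean result, which is acceptable only because waf_cc terminates the request with ngx.exit itself; if that ever changes, waf_drop() and the later checks would run for a banned client, so `if waf_cc() then return end` is the safer shape. waf()'s body continues outside the hunk.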