
I am trying to build a set of rules for ModSecurity to block bad bots.

SecRule REQUEST_HEADERS:User-Agent "@pmFromFile /etc/apache2/conf.d/badbots.txt" "id:'444444',phase:2,t:none,deny,status:406,log,msg:'BAD BOT - Detected and Blocked. '"

But this approach is not good, because ModSecurity matches with "contains" rather than "begins with".

360Spider
80legs
AIBOT
Aboundex
....

I think the best approach is to use one rule per group:

^(black.?hole|blackwidow|blowfish|botalot|buddy|builtbottough|bullseye)
^(cheesebot|cherrypicker|chinaclaw|collector|copier|copyrightcheck)
^(cosmos|crescent|curl|custo|da|diibot|disco|dittospyder|dragonfly)
^(drip|easydl|ebingbong|ecatch|eirgrabber|emailcollector|emailsiphon)
^(emailwolf|erocrawler|exabot|eyenetie|filehound|flashget|flunky)
^(frontpage|getright|getweb|go.?zilla|go-ahead-got-it|gotit|grabnet)
^(grafula|harvest|hloader|hmview|httplib|httrack|humanlinks|ilsebot)
^(infonavirobot|infotekies|intelliseek|interget|iria|jennybot|jetcar)
^(joc|justview|jyxobot|kenjin|keyword|larbin|leechftp|lexibot|lftp|libweb)
^(likse|linkscan|linkwalker|lnspiderguy|lwp|magnet|mag-net|markwatch)
^(mata.?hari|memo|microsoft.?url|midown.?tool|miixpc|mirror|missigua)
^(mister.?pix|moget|mozilla.?newt|nameprotect|navroad|backdoorbot|nearsite)
^(net.?vampire|netants|netcraft|netmechanic|netspider|nextgensearchbot)
^(attach|nicerspro|nimblecrawler|npbot|octopus|offline.?explorer)
^(offline.?navigator|openfind|outfoxbot|pagegrabber|papa|pavuk)
^(pcbrowser|php.?version.?tracker|pockey|propowerbot|prowebwalker)
^(psbot|pump|queryn|recorder|realdownload|reaper|reget|true_robot)
^(repomonkey|rma|internetseer|sitesnagger|siphon|slysearch|smartdownload)
^(snake|snapbot|snoopy|sogou|spacebison|spankbot|spanner|sqworm|superbot)
^(superhttp|surfbot|asterias|suzuran|szukacz|takeout|teleport)
^(telesoft|the.?intraformant|thenomad|tighttwatbot|titan|urldispatcher)
^(turingos|turnitinbot|urly.?warning|vacuum|vci|voideye|whacker)
^(libwww-perl|widow|wisenutbot|wwwoffle|xaldon|xenu|zeus|zyborg|anonymouse)
^web(zip|emaile|enhancer|fetch|go.?is|auto|bandit|clip|copier|master|reaper|sauger|site.?quester|whack)
^.*(craftbot|download|extract|stripper|sucker|ninja|clshttp|webspider|leacher|collector|grabber|webpictures).*$

Trying:

SecRule REQUEST_HEADERS:User-Agent "@beginswith (black.?hole|blackwidow|blowfish|botalot|buddy|builtbottough|bullseye)" "id:'444440',phase:2,t:none,deny,status:406,log,msg:'BAD BOT - Detected and Blocked. '"
SecRule REQUEST_HEADERS:User-Agent "@beginswith (cheesebot|cherrypicker|chinaclaw|collector|copier|copyrightcheck)" "id:'444441',phase:2,t:none,deny,status:406,log,msg:'BAD BOT - Detected and Blocked. '"
SecRule REQUEST_HEADERS:User-Agent "@beginswith (cosmos|crescent|curl|custo|da|diibot|disco|dittospyder|dragonfly)" "id:'444442',phase:2,t:none,deny,status:406,log,msg:'BAD BOT - Detected and Blocked. '"
SecRule REQUEST_HEADERS:User-Agent "@beginswith (drip|easydl|ebingbong|ecatch|eirgrabber|emailcollector|emailsiphon)" "id:'444443',phase:2,t:none,deny,status:406,log,msg:'BAD BOT - Detected and Blocked. '"
SecRule REQUEST_HEADERS:User-Agent "@beginswith (emailwolf|erocrawler|exabot|eyenetie|filehound|flashget|flunky)" "id:'444444',phase:2,t:none,deny,status:406,log,msg:'BAD BOT - Detected and Blocked. '"
SecRule REQUEST_HEADERS:User-Agent "@beginswith (frontpage|getright|getweb|go.?zilla|go-ahead-got-it|gotit|grabnet)" "id:'444444',phase:2,t:none,deny,status:406,log,msg:'BAD BOT - Detected and Blocked. '"
SecRule REQUEST_HEADERS:User-Agent "@beginswith (grafula|harvest|hloader|hmview|httplib|httrack|humanlinks|ilsebot)" "id:'444445',phase:2,t:none,deny,status:406,log,msg:'BAD BOT - Detected and Blocked. '"
SecRule REQUEST_HEADERS:User-Agent "@beginswith (infonavirobot|infotekies|intelliseek|interget|iria|jennybot|jetcar)" "id:'444446',phase:2,t:none,deny,status:406,log,msg:'BAD BOT - Detected and Blocked. '"
SecRule REQUEST_HEADERS:User-Agent "@beginswith (joc|justview|jyxobot|kenjin|keyword|larbin|leechftp|lexibot|lftp|libweb)" "id:'444447',phase:2,t:none,deny,status:406,log,msg:'BAD BOT - Detected and Blocked. '"

But this does not work.


1 Answer


Let's start from the bottom. The @beginsWith operator does not accept a regular expression. For that you need to do the default regular-expression match and start with the regex syntax for "beginning of input" (^):

SecRule REQUEST_HEADERS:User-Agent "^(black.?hole|blackwidow|blowfish|botalot|buddy|builtbottough|bullseye)" "id:'444440',phase:2,t:none,deny,status:406,log,msg:'BAD BOT - Detected and Blocked. '"
SecRule REQUEST_HEADERS:User-Agent "^(cheesebot|cherrypicker|chinaclaw|collector|copier|copyrightcheck)" "id:'444441',phase:2,t:none,deny,status:406,log,msg:'BAD BOT - Detected and Blocked. '"
...etc.

However, rather than creating a large number of rules like this, you should just use @pmFromFile. You are right that you cannot use regular expressions with @pmFromFile, but you can add boundary matching by using a variable, as in the example given in the reference manual, so for you it would look like this:

# Prepare custom UA variable: copy the User-Agent into TX:UA with a leading "/"
SecAction "phase:1,id:444444,nolog,pass,setvar:tx.ua=/%{REQUEST_HEADERS.User-Agent}"

# Check if UA is blacklisted (phrases in the file also start with "/", so they only match at the boundary)
SecRule TX:UA "@pmFromFile /etc/apache2/conf.d/badbots.txt" "id:'444445',phase:1,t:none,deny,status:406,log,msg:'BAD BOT - Detected and Blocked. '"

Then just edit your badbots.txt file so that every line begins with /, like this:

 /360Spider
 /80legs
 /AIBOT
 /Aboundex
 /...etc.
Answered on 2018-01-27T13:52:12.997
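The following is an added example, not code from the question or the answer above; it simulates in Python the three operator behaviours the thread discusses (a literal @beginsWith, the default @rx operator with a ^ anchor, and @pmFromFile with the "/"-prefix boundary trick) so that a rule author can check a candidate User-Agent list offline before loading it into ModSecurity. The sample User-Agent strings and the four-entry badbots list are constructed for the example; the regex groups are two of the ones posted in the question. It assumes the ModSecurity semantics as documented: @pm/@pmFromFile is a case-insensitive substring match, and @rx with t:none is case-sensitive.

```python
import re

# Two of the question's regex groups, used as they would be under the default @rx operator.
BEGINS_WITH_GROUPS = [
    r"^(black.?hole|blackwidow|blowfish|botalot|buddy|builtbottough|bullseye)",
    r"^(cosmos|crescent|curl|custo|da|diibot|disco|dittospyder|dragonfly)",
]

# Constructed badbots.txt in the answer's "/"-prefixed form (a small subset for illustration).
BADBOTS_FILE = """/360Spider
/80legs
/AIBOT
/Aboundex
"""


def load_phrases(text):
    """Parse a @pmFromFile phrase file: one phrase per line, blank lines and # comments ignored."""
    return [line.strip().lower()
            for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def begins_with_literal(ua, prefix):
    """@beginsWith: plain literal prefix test, so a regex alternation is taken at face value."""
    return ua.startswith(prefix)


def rx_begins_with(ua, patterns=BEGINS_WITH_GROUPS, lowercase=False):
    """Default @rx operator with a ^ anchor. With t:none the match is case-sensitive;
    lowercase=True models adding t:lowercase to the rule."""
    subject = ua.lower() if lowercase else ua
    return any(re.search(p, subject) for p in patterns)


def pm_contains(ua, phrases):
    """@pm / @pmFromFile: case-insensitive substring match anywhere in the input."""
    subject = ua.lower()
    return any(phrase in subject for phrase in phrases)


def pm_prefixed(ua, phrases):
    """The answer's trick: TX:UA = "/" + User-Agent, then @pmFromFile with "/"-prefixed phrases.
    Note the boundary is any "/" in the string, not only the very start of the header."""
    return pm_contains("/" + ua, phrases)


def evaluate(ua):
    """Run one User-Agent through every variant and report which ones would deny it."""
    phrases = load_phrases(BADBOTS_FILE)
    bare_phrases = [p.lstrip("/") for p in phrases]   # what the question's original rule used
    return {
        "beginswith_literal": begins_with_literal(ua, "(cosmos|crescent|curl|custo|da|diibot|disco|dittospyder|dragonfly)"),
        "rx_t_none": rx_begins_with(ua),
        "rx_t_lowercase": rx_begins_with(ua, lowercase=True),
        "pm_plain": pm_contains(ua, bare_phrases),
        "pm_prefixed": pm_prefixed(ua, phrases),
    }


if __name__ == "__main__":
    # Constructed sample User-Agents exercising the edge cases discussed in the thread.
    for sample in ["curl/7.68.0", "Curl/7.68.0",
                   "Mozilla/5.0 (compatible; 360Spider)", "360Spider/1.0",
                   "Wget/80legs", "Dalvik/2.1.0 (Linux; U; Android 10)"]:
        print(f"{sample!r}: {evaluate(sample)}")
```

Two findings from running it are worth checking against your own list: with `t:none` the anchored regex blocks `curl/...` but not `Curl/...`, so decide deliberately whether you want `t:lowercase`; and because the "/"-prefix trick treats every slash as a boundary, a phrase like `/80legs` also fires on `Wget/80legs`, while `Mozilla/5.0 (compatible; 360Spider)` is no longer caught at all, which is exactly the "begins with" behaviour the question asked for. Short tokens such as `da` in the posted groups deserve a second look as well, since with `t:lowercase` they match the stock Android `Dalvik/...` User-Agent.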