在閱讀本文前，先簡(jiǎn)單了解下什么是ModSecurity，ModSecurity是一個(gè)入侵探測(cè)與阻止的引擎。它主要是用于Web應(yīng)用程序所以也可以叫做Web應(yīng)用程序防火墻，相信不少商業(yè)WAF的簽名開(kāi)發(fā)同學(xué)也參考了ModSecurity的規(guī)則吧。

背景：

上周Wordpress網(wǎng)站遭受了大規(guī)模的暴力破解攻擊，攻擊者首先掃描互聯(lián)網(wǎng)上的Wordpress網(wǎng)站，然后利用Web服務(wù)器組建的僵尸網(wǎng)絡(luò)不斷嘗試用戶名和密碼試圖登錄管理界面。攻擊者使用了超過(guò)9萬(wàn)臺(tái)Web服務(wù)器來(lái)進(jìn)行暴力破解。

本文借用此例，來(lái)介紹下如何利用ModSecurity防御Wordpress的暴力破解。常規(guī)的緩解暴力破解方法如下：

1：更改admin默認(rèn)賬戶名稱，或直接刪除admin，添加一個(gè)新的管理員帳戶。

2：使用雙因素認(rèn)證

3：使用插件限制登錄

4：使用.htpasswd對(duì)訪問(wèn)特定頁(yè)面實(shí)現(xiàn)用戶名和密碼驗(yàn)證。

這些都有現(xiàn)成的方法去實(shí)現(xiàn)了，這里就介紹一下用ModSecurity V2.7.3來(lái)保護(hù)Wordpress，防止暴力破解。

1：Wordpress的登錄過(guò)程分析

下圖為Wordpress的登錄頁(yè)面：

用戶登錄之后，發(fā)送請(qǐng)求到WP-loing.php頁(yè)面，HTTP請(qǐng)求包內(nèi)容如下：

POST /wordpress/wp-login.php HTTP/1.1 
Host: mywordpress.com 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:12.0) Gecko/20100101 Firefox/12.0 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*; q=0.8 
Accept-Language: en-us,en;q=0.5 
DNT: 1 
Referer: http://freebuf.com/wordpress/wp-login.php 
Content-Type: application/x-www-form-urlencoded
Via: 1.1 owaspbwa.localdomain 
Connection: Keep-Alive 
Content-Length: 73
log=administrator&pwd=freebuf&submit=Login+%C2%BB&redirect_to=wp-admin%2F

payload部分包含了用戶名和密碼，以及登錄成功后轉(zhuǎn)向的頁(yè)面。OK，了解數(shù)據(jù)包結(jié)構(gòu)之后，我們可以創(chuàng)建規(guī)則，防止未經(jīng)授權(quán)的訪問(wèn)。#p#

2：檢查Rerfer

正常的用戶登錄Wordpress，在數(shù)據(jù)包頭部會(huì)包含一個(gè)Referer字段，但是通過(guò)人工編寫(xiě)的程序，很多不會(huì)包含Referer字段，直接發(fā)送登錄請(qǐng)求到wp-login.php頁(yè)面，所以，我們可以根據(jù)此創(chuàng)建一個(gè)ModSecurity規(guī)則來(lái)檢查Rerfer字段信息：

SecRule REQUEST_METHOD "@streq POST" "chain,id:'1',phase:2,t:none,block,log,msg:'Warning: Direct Login Missing Referer.'"
SecRule REQUEST_FILENAME "@pm /wp-login.php /wp-admin/" "chain"
ecRule &REQUEST_HEADERS:Referer "@eq 0"

當(dāng)然通過(guò)腳本，很容易實(shí)現(xiàn)Rerfer偽造，所以還需要接下來(lái)的規(guī)則一起配合。

3：限制訪問(wèn)的IP

如果你不想修改默認(rèn)管理員帳號(hào)，可以添加一個(gè)規(guī)則只允許特定的IP訪問(wèn)管理頁(yè)面，如下：

SecRule REQUEST_METHOD "@streq POST" "chain,id:'1',phase:2,t:none,block,log,msg:'Warning: Direct Login Missing Referer.'"
SecRule REQUEST_FILENAME "@pm /wp-login.php /wp-admin/" "chain"
SecRule ARGS:log "@streq freebuf" "chain"
SecRule REMOTE_ADDR !@ipMatch 72.192.214.223

在這個(gè)例子里，只允許名稱為freebuf的管理員帳戶通過(guò)72.192.214.223的IP地址來(lái)訪問(wèn)。#p#

4：跟蹤管理員帳戶的登錄嘗試

我們可以通過(guò)ModSecurity的規(guī)則來(lái)block掉惡意IP，以下為登錄失敗的返回包：

HTTP/1.1 200 OK 
Date: Fri, 11 May 2012 03:24:53 GMT 
Server: Apache 
Expires: Wed, 11 Jan 1984 05:00:00 GMT 
Last-Modified: Fri, 11 May 2012 03:24:54 GMT 
Cache-Control: no-cache, must-revalidate, max-age=0 
Pragma: no-cache 
Vary: Accept-Encoding 
Content-Length: 1697 
Connection: close 
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"> <head><title>WordPress &rsaquo; Login</title><meta http-equiv="Content-Type" content="text/html; c harset=UTF-8" /><link rel="stylesheet" href="http://192.168.1.113/wordpress/wp-admin
/wp-admin.css" type="text/css" />
 <script type="text/javascript"> 
function focusit() 
{
document.getElementById('log').focus();} window.onload = focusit; </script></head> <body><div id="login"> <h1><a href="http://wordpress.org/">WordPress</a></h1> <div id='login_error'><strong>Error</strong>: Incorrect password. </div> 
... 
</body> 
</html>

可以看到狀態(tài)碼為200，而且返回的數(shù)據(jù)包中包含了Incorrect password，據(jù)此可以創(chuàng)建以下規(guī)則：

SecRule REQUEST_FILENAME "@streq /wordpress/wp-login.php" 
"chain, phase:4,id:999323,t:none,block,msg:'Authentication Failure Violation .',
logdata:'Number of Authentication Failures: %{ip.failed_auth_ attempt}'"
SecRule REQUEST_METHOD "@streq POST" "chain" 
SecRule ARGS:log "@streq admin" "chain"
SecRule RESPONSE_STATUS "200" "chain" 
SecRule RESPONSE_BODY "@contains <strong>Error</strong>:Incorrect password." 
"chain,setvar:ip.failed_auth_attempt=+1,expirevar:ip.failed_auth_attempt=60"
SecRule IP:FAILED_AUTH_ATTEMPT "@gt 5"

#p#

5：設(shè)置驗(yàn)證請(qǐng)求的次數(shù)

ModSecurity可以在指定的時(shí)間內(nèi)跟蹤請(qǐng)求的數(shù)量，設(shè)置閥值來(lái)進(jìn)行阻斷攻擊，在它的規(guī)則集里已經(jīng)個(gè)包含了該規(guī)則，modsecurity_crs_10_setup.conf

如下：

#
# -- [[ Brute Force Protection ]] ---------------------------------------------------------
#
# If you are using the Brute Force Protection rule set, then uncomment the following
# lines and set the following variables:
# - Protected URLs: resources to protect (e.g. login pages) - set to your login page
# - Burst Time Slice Interval: time interval window to monitor for bursts
# - Request Threshold: request # threshold to trigger a burst
# - Block Period: temporary block timeout
#
SecAction \
  "id:'900014', \
  phase:1, \
  t:none, \
  setvar:'tx.brute_force_protected_urls=/wp-login.php', \
  setvar:'tx.brute_force_burst_time_slice=60', \
  setvar:'tx.brute_force_counter_threshold=10', \
  setvar:'tx.brute_force_block_timeout=300', \
  nolog, \
  pass"

注意修改 setvar:’tx.brute_force_protected_urls=/wp-login.php‘,

設(shè)置完畢后，激活modsecurity_crs_11_brute_force.conf

#
# Anti-Automation Rule for specific Pages (Brute Force Protection)
# This is a rate-limiting rule set and does not directly correlate whether the
# authentication attempt was successful or not.
#
#
# Enforce an existing IP address block and log only 1-time/minute
# We don't want to get flooded by alerts during an attack or scan so
# we are only triggering an alert once/minute.  You can adjust how often
# you want to receive status alerts by changing the expirevar setting below.
#
SecRule IP:BRUTE_FORCE_BLOCK "@eq 1" "chain,phase:1,id:'981036',block,msg:
'Brute Force Attack Identified from %{tx.real_ip}
 (%{tx.brute_force_block_counter} hits since last alert)',
setvar:ip.brute_force_block_counter=+1"
SecRule &IP:BRUTE_FORCE_BLOCK_FLAG "@eq 0" "setvar:ip.brute_force_block_flag=1,
expirevar:ip.brute_force_block_flag=60,
setvar:tx.brute_force_block_counter=%{ip.brute_force_block_counter},
setvar:ip.brute_force_block_counter=0"
#
# Block and track # of requests but don't log
SecRule IP:BRUTE_FORCE_BLOCK "@eq 1" "phase:1,id:'981037',block,nolog,
setvar:ip.brute_force_block_counter=+1"
#
# skipAfter Checks
# There are different scenarios where we don't want to do checks -
# 1. If the user has not defined any URLs for Brute Force Protection in the 10 config file
# 2. If the current URL is not listed as a protected URL
# 3. If the current IP address has already been blocked due to high requests
# In these cases, we skip doing the request counts.
#
SecRule &TX:BRUTE_FORCE_PROTECTED_URLS "@eq 0" "phase:5,id:'981038',
t:none,nolog,pass,skipAfter:END_BRUTE_FORCE_PROTECTION_CHECKS"
SecRule REQUEST_FILENAME "!@within %{tx.brute_force_protected_urls}" 
"phase:5,id:'981039',t:none,nolog,pass,skipAfter:END_BRUTE_FORCE_PROTECTION_CHECKS"
SecRule IP:BRUTE_FORCE_BLOCK "@eq 1" "phase:5,id:'981040',
t:none,nolog,pass,skipAfter:END_BRUTE_FORCE_PROTECTION_CHECKS"
#
# Brute Force Counter
# Count the number of requests to these resoures
# 
SecAction "phase:5,id:'981041',t:none,nolog,pass,setvar:ip.brute_force_counter=+1"
#
# Check Brute Force Counter
# If the request count is greater than or equal to 50 within 5 mins,
# we then set the burst counter
# 
SecRule IP:BRUTE_FORCE_COUNTER "@gt %{tx.brute_force_counter_threshold}"
 "phase:5,id:'981042',t:none,nolog,pass,t:none,setvar:ip.brute_force_burst_counter=+1,
expirevar:ip.brute_force_burst_counter=%{tx.brute_force_burst_time_slice},
setvar:!ip.brute_force_counter"
#
# Check Brute Force Burst Counter and set Block
# Check the burst counter - if greater than or equal to 2, then we set the IP
# block variable for 5 mins and issue an alert.
#
SecRule IP:BRUTE_FORCE_BURST_COUNTER "@ge 2" "phase:5,id:'981043',
t:none,log,pass,msg:'Potential Brute Force Attack from %{tx.real_ip}
 - # of Request Bursts: %{ip.brute_force_burst_counter}',
setvar:ip.brute_force_block=1,expirevar:ip.brute_force_block=%{tx.brute_force_block_timeout}"
SecMarker END_BRUTE_FORCE_PROTECTION_CHECKS

#p#

6：使用SecGuardianLog

從 1.9版本后，ModSecurity 支持一個(gè)新的指令，SecGuardianLog，設(shè)計(jì)此指令用于把所有允許數(shù)據(jù)通過(guò)管理日志功能發(fā)送到另一個(gè)程序。自從 apache部署成典型的多進(jìn)程方式，信息共享變得困難了，這一想法就是部署一個(gè)獨(dú)立的外部進(jìn)程使用狀態(tài)機(jī)的方式去觀察所有的請(qǐng)求，提供額外的保護(hù)。使用方法如下：

語(yǔ)法: SecGuardianLog |/path/to/httpd-guardian

示例: SecGuardianLog |/usr/local/apache/bin/httpd-guardian

范圍: Main

版本: 2.0.0

而且SecGuardianLog也可以和 SnortSam協(xié)同工作（http://www.snortsam.net）。如果已經(jīng)配置過(guò) httpd-guardian(具體介紹請(qǐng)查看源代碼)你只需要在 apache配置中添加一行就可以部署它：

SecGuardianLog |/path/to/httpd-guardian

規(guī)則如下：

# If defined, execute this command when a threshold is reached
# block the IP address for one hour.
# $PROTECT_EXEC = "/sbin/blacklist block %s 3600";
# $PROTECT_EXEC = "/sbin/samtool -block -ip %s -dur 3600 www.freebuf.com";
my $PROTECT_EXEC;
# For testing only:
# $PROTECT_EXEC = "/sbin/blacklist-webclient %s 3600";
# Max. speed allowed, in requests per
# second, measured over an 1-minute period
my $THRESHOLD_1MIN = 2; # 120 requests in a minute

跟蹤httpd守護(hù)進(jìn)程數(shù)量，如果超過(guò)了限制，可以執(zhí)行一些操作，如封鎖IP一小時(shí)。

原文地址：http://blog.spiderlabs.com/2013/04/defending-wordpress-logins-from-brute-force-attacks.html