內容簡介
這個模組為 WordPress 提供針對 (HTTP) 洪水攻擊和暴力攻擊的安全增強功能。
大量的掃描工具(例如弱點掃描器)、HTTP 洪水攻擊工具可以透過這個模組被封鎖或偵測到。
這個模組可以透過「banlist」檔案的整合運用於 htaccess、任何防火牆、iptables 等等。
想要快速瀏覽測試頁面嗎?請參閱:http://www.iosec.org/test.php。
觀看概念證明的影片:http://youtu.be/LzLY_SKLq9w。
注意:請在啟用外掛程式之前更改預設配置值。
配置說明
優點
您可以透過標頭資訊封鎖代理。
您可以偵測洪水攻擊的 IP 位址。
您可以限制自動化工具(例如 HTTP DoS 工具、洪水攻擊工具、暴力攻擊工具、弱點掃描器等)的存取速度或存取權限。
在遭到攻擊時,您可以保護您的伺服器資源(資料庫、CPU、RAM 等)。
您可以在「banlist」檔案中永久或臨時限制特定 IP 位址的存取權限。
當攻擊發生時,您可以透過電子郵件警示收到通知。
缺點
您必須調整配置檔案,並且甚至必須調整腳本本身來避免偽警報。
您必須限制有世界寫入權限的檔案的存取權限,並對文件屬性運用最小特權權限。
檔案功能:
/wp-content/iosec_admin/
banlist(偵測到的 IP 位址在此列出。您可以從 iptables、具備 Bash 腳本的 htaccess 中使用此檔案。)
banlisttemp(只是系統檔案。其中在 IP 和時間之間的關聯會列出)
ips(只是系統檔案。每個要求都會被列在其中。)
whitelist(透過換行符號分隔的允許存取的 IP 清單)
excluded(透過換行符號分隔的排除的檔案清單。例如,若要為 http://YOUR_SITE/wordpress/index.php 檔案新增排除檔案,請在「excluded」檔案中加入此行:/wordpress/index.php)
您應該透過編輯 iosec.php 檔案來設置這個外掛程式。
連線間隔:這是以秒為基礎的間隔,用於接受另一個連線。
例如,若您選擇數值為 1 秒,那麼在 1 秒內的另一個請求會被模組暫停。您可以輸入如 0.1、0.001 等數值。
最大連線數:這是以間隔為基礎的最大連線數限制,用於接受另一個連線。
例如,若您選擇數值為 10,而您的連線間隔為 1 秒,這意味著在 1 秒內只允許 10 個連線。
已暫停的處理逾時:當連線間隔規則發現一個連線未被禁止時,將啟用此逾時值。
例如,若連線間隔為 1,而此數值為 30,那麼在 1 秒中的第二個連線將會被暫停 30 秒。
頁面重新導向:在逾時頁面消失後,您可以重新導向偵測到的使用者到另一個頁面。
寄送電子郵件給我:模組可以在偵測到 IP 位址時向您寄送電子郵件。
封鎖代理:透過標頭可以識別並封鎖代理。
顯示偵錯資訊:當啟用此選項時,暫停頁面將顯示時間和 IP 資訊。
使用累進性封鎖:若仍然發生攻擊,那麼這個選項將會增加暫停時間。
例如,若 CI 為 1,而在 1 秒中發生第二個連線,則在啟用此選項時,它將被暫停 30 秒(以上舉例)。
如果在 10 秒中只有一個連線,當啟用此選項時,它將增加暫停時間。
外掛標籤
開發者團隊
② 後台搜尋「IOSEC HTTP Anti Flood/DoS Security Gateway Module」→ 直接安裝(推薦)
原文外掛簡介
This module provides security enhancements against (HTTP) Flood & Brute Force Attacks for WordPress.
Massive scanning tools (like vulnerability scanners), HTTP Flood tools can be blocked or detected by this module.
This module can be integrated with htaccess, any firewall, iptables or etc. via “banlist” file.
To see a quick test page follow this link: http://www.iosec.org/test.php for proof of concept.
Watch the proof of concept video: http://youtu.be/LzLY_SKLq9w
Note: Change the default configuration values before activating the plugin.
CONFIGURATION DESCRIPTIONS
BENEFITS
You can block proxies (via header information)
You can detect flooding IP addresses.
You can slow down or restrict access for automated tools (HTTP DoS tools & Flood tools, Brute force tools, Vulnerability scanners, etc.)
You can save your server resources (database, cpu, ram, etc.) under an attack.
You can restrict access permanently or temporarily for listed IP addresses in “banlist” file.
You can notify yourself via email alerts when attacks begin.
CONS
You have to tweak configuration file and even script’s itself to avoid false positives.
You have to restrict access for world writeable files and apply least privilige permissions to file properties.
Functions of files:
/wp-content/iosec_admin/
banlist (Detected IP addresses listed here. You can use this file with iptables, htaccess with bash scripts.)
banlisttemp (Just a system file. IP and Time correlations listed in it.)
ips (Just a system file. Every request is listed in it.)
whitelist (Excluded IP List seperated by new lines.)
excluded (Excluded File List seperated by new lines. E.g. for http://YOUR_SITE/wordpress/index.php file add this line to excluded file: /wordpress/index.php)
You should configure plugin by editing iosec.php file.
Connection Interval: This is second based interval for accepting another connection.
If you choose value 1 (1 second), another request in 1 second will be suspended by module. You can enter values like 0.1, 0.001, etc.
Max. Connection Count: This is the interval based maximum connection limit count for accepting another connection.
If you choose value 10 and your connection interval is 1 second. This means only 10 connections permitted in 1 second.
Suspended Process Timeout: When a connection interval rule finds a connection is not prohibited, this timeout value will be activated.
For example, if connection interval is 1 and this value is 30 then, second connection in 1 second will be suspended for 30 seconds.
Page Redirection: You redirect your detected users to another page after timeout page disappears.
Send Me Mail: Module can send you a mail when an IP address detected.
Block Proxies: You can identify and block proxies via http header.
Show Debug Info: Time and IP information will be displayed on suspension page when this option is activated.
Use Incremental Blocking: This option will increase time of suspension if attack is still happening.
For example, if C.I. is 1 and a second connection happens in 1 second this will be suspended for 30 seconds (above ex.).
If one connection in 10 seconds happens, this will increase suspension time when this option is activated.
Implicit Deny Timeout: If you want to block every request as default for a timeout period (seconds), set this value to greater than “0”. This is an emergency option for DDoS attacks etc.
Cached Requests: Monitoring data window size for last requests (for “ips” file size) (default is “150”).
Implicit Deny for banlist Timeout: If you want to block every recorded IP that is listed in the banlist as default and let the human users to view page for a timeout period (seconds), set this value to greater than “0” (default is “0”).
CHANGES v.1.8.1 – v.1.8.2
Improved Implicit Deny for Banned IP Addresses (Deny without detection)
Minor Performance Tweaks
CHANGES v.1.5 – v.1.8
Added Implicit Deny for the Banned IP Addresses
Added Request Cache Size Option
Added Excluded Files Support
Added/Improved Implicit Deny Mode (with detection)
CHANGES v.1.3 – v.1.4
Added Connection Limit Support
CHANGES v.1.2
Added Whitelist Support
CHANGES v.1.1
Added Reverse Proxy Support
Added reCAPTCHA Support
Now Blocks Brute Force More Efficiently
Minor Security Fixes
Gökhan Muharremoğlu
Information Security Specialist
You can reach me @
Twitter: https://twitter.com/iosec_org
[email protected]
[email protected]
https://sourceforge.net/projects/iosec/
http://www.iosec.org
http://www.linkedin.com/in/gokhanmuharremoglu
