#app-waf

##ä¸€ä¸ªç®€å•çš„wafæ¨¡å—ã€‚

ç”¨æ¥å®žæ—¶æŽ¢æµ‹web éžæ³•è®¿é—®ï¼Œç»Ÿè®¡éžæ³•è®¿é—®çš„ip ï¼ŒwebçŠ¶æ€ï¼Œè®¿é—®urlï¼Œæ¥æºweb urlã€‚ç»“åˆiptableså¯ä»¥å®žçŽ°å®žçŽ°å®žæ—¶å°ç¦ã€‚

## å®žä¾‹è¯´æ˜Ž è§exampleç›®å½•ï¼ˆåŒ…æ‹¬æ—¥å¿—ï¼‰

    use App::Waf;
    my $filename = "example.acess";#æ—¥å¿—æ–‡ä»¶
    my $numlines  = 50000; #è¦å¤„ç†çš„è¡Œæ•°,ä»ŽåŽè¯»ã€‚
    my $line=tail($filename,$$numlines);
    my ($log,$zcount,$zip,$zrequrl,$zstatus,$siteurl)=initCount($line);
    print "==============Attack Summary ==================\n";
    print "\nThe total attack count: $zcount \n";
    print "\nThe count from source IP:  \n\n";
    print "$_\=> $zip->{$_} \n" for(sort  keys %{$zip});
    print "The count From request Url:  \n\n";
    print "$_\=> $zrequrl->{$_} \n" for(sort keys %{$zrequrl});
    print "\n\nThe count From Http Status:  \n\n";
    print "$_\=> $zstatus->{$_} \n" for(sort keys %{$zstatus});
    print "\n\nThe count From Site Url:  \n\n";
    print "$_\=> $siteurl->{$_} \n" for(sort keys %{$siteurl});

## ç»“åˆnginx å’Œ iptables è¿›è¡Œå®žæ—¶banipçš„å®žä¾‹ï¼ˆexample/banip.plï¼‰
   
åŠ å…¥crontab æ¯5åˆ†é’Ÿæ‰§è¡Œä¸€æ¬¡ã€‚

    echo "*/5 * * * * perl $dir/example/ngixban.pl >> bianip.logs 2>&1 " >> /var/spool/cron/root
    echo "*/5 * * * * perl $dir/example/synban.pl >> bianip.logs 2>&1 " >> /var/spool/cron/root

## ç»“æžœå±•ç¤º

+++++++++++++++++++++++++ban for SYN attact+++++++++++++++++++++

    Fri Jul 14 15:46:02 2017 Ban The IP ï¼š173.173.199.246
    Fri Jul 14 15:46:02 2017 :band 173.173.199.246
    Fri Jul 14 15:46:02 2017 73.6.1.122 SYNæ”»å‡»æ¬¡æ•°: 6
    Fri Jul 14 15:46:02 2017 103.56.116.150 SYNæ”»å‡»æ¬¡æ•°: 2
    Fri Jul 14 15:47:01 2017 173.173.199.246 SYNæ”»å‡»æ¬¡æ•°: 19
    Fri Jul 14 15:47:01 2017 Ban The IP ï¼š173.173.199.246
    Fri Jul 14 15:47:01 2017 baned 173.173.199.246
    Fri Jul 14 15:47:01 2017 103.56.116.150 SYNæ”»å‡»æ¬¡æ•°: 1
    Fri Jul 14 15:48:01 2017 173.173.199.246 SYNæ”»å‡»æ¬¡æ•°: 19
    Fri Jul 14 15:48:01 2017 Ban The IP ï¼š173.173.199.246
    Fri Jul 14 15:48:01 2017 baned 173.173.199.246
    Fri Jul 14 15:48:01 2017 103.56.116.150 SYNæ”»å‡»æ¬¡æ•°: 1
    Fri Jul 14 15:49:01 2017 173.173.199.246 SYNæ”»å‡»æ¬¡æ•°: 17
    Fri Jul 14 15:49:01 2017 Ban The IP ï¼š173.173.199.246
    Fri Jul 14 15:49:01 2017 band alread!

==============Attack Summary ==================

    The total attack count: 131
    
    The count from source IP:
    
    103.248.223.116=> 19
    103.37.3.202=> 2
    106.39.200.46=> 3
    107.151.213.123=> 1
    115.148.98.127=> 2
    180.76.6.51=> 99
    59.42.147.17=> 4
    64.16.214.100=> 1

The count From request Url:

    /?cat=%0acat%20/etc/passwd%0a&paged=3=> 1
    /?cat=%22%26cat%20/etc/passwd%26%22&paged=3=> 1
    /?cat=%22;print(md5(acunetix_wvs_security_test));%24a%3d%22&paged=2=> 1
    /?cat=%22;print(md5(acunetix_wvs_security_test));%24a%3d%22&paged=3=> 1
    /?cat=%24%7b%40print(md5(acunetix_wvs_security_test))%7d%5c&paged=2=> 1
    /?cat=%24%7b%40print(md5(acunetix_wvs_security_test))%7d%5c&paged=3=> 1
    /?cat=%24%7b%40print(md5(acunetix_wvs_security_test))%7d&paged=2=> 1
    /?cat=%24%7b%40print(md5(acunetix_wvs_security_test))%7d&paged=3=> 1
    /?cat=%26cat%20/etc/passwd%26&paged=3=> 1
    /?cat=%60cat%20/etc/passwd%60&paged=3=> 1
    /?cat=%7ccat%20/etc/passwd%23&paged=3=> 1
    /?cat='%26cat%20/etc/passwd%26'&paged=3=> 1
    /?cat=';print(md5(acunetix_wvs_security_test));%24a%3d'&paged=2=> 1
    /?cat=';print(md5(acunetix_wvs_security_test));%24a%3d'&paged=3=> 1
    /?cat=(select(0)from(select(sleep(15)))v)/*'%2b(select(0)from(select(sleep(15)))v)%2b'%22%2b(select(0)from(select(sleep(15)))v)%2b%22*
    /&paged=3=> 4
    /?cat=.%5c%5c./.%5c%5c./.%5c%5c./.%5c%5c./.%5c%5c./.%5c%5c./etc/passwd&paged=3=> 1
    /?cat=..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afetc/passwd&paged=3=> 1