filtron: log suspiciously frequent queries (WIP)

Signed-off-by: Markus Heiser <markus.heiser@darmarit.de>
This commit is contained in:
Markus Heiser 2020-01-13 18:37:05 +01:00
parent 39feb141bc
commit b5449ec47c

View file

@ -1,42 +1,63 @@
[{ [{
"name":"suspiciously frequent queries",
"filters":[
"Param:q",
"Path=^(/|/search)$"
],
"interval":120,
"limit":9,
"actions":[
{"name":"log"}
]
},
{
"name":"search request", "name":"search request",
"filters":[ "filters":[
"Param:q", "Param:q",
"Path=^(/|/search)$" "Path=^(/|/search)$"
], ],
"interval":60, "interval":120,
"limit":15, "limit":19,
"actions":[
{
"name":"block",
"params":{
"message":"common rate limit exceeded"
}
}
],
"subrules":[ "subrules":[
{ {
"name":"roboagent limit", "name":"roboagent limit",
"interval":60, "interval":60,
"limit":15, "limit":3,
"filters":[ "filters":[
"Header:User-Agent=(curl|cURL|Wget|python-requests|Scrapy|FeedFetcher|Go-http-client)" "Header:User-Agent=(curl|cURL|Wget|python-requests|Scrapy|FeedFetcher|Go-http-client|Ruby)"
], ],
"actions":[ "actions":[
{"name": "log"}, {"name":"log"},
{ {
"name":"block", "name":"block",
"params":{ "params":{
"message":"Rate limit exceeded" "message":"rate limit exceeded"
} }
} }
] ]
}, },
{ {
"name":"botlimit", "name":"botlimit",
"interval":60,
"limit":0, "limit":0,
"stop":true, "stop":true,
"filters":[ "filters":[
"Header:User-Agent=(Googlebot|bingbot|Baiduspider|yacybot|YandexMobileBot|YandexBot|Yahoo! Slurp|MJ12bot|AhrefsBot|archive.org_bot|msnbot|MJ12bot|SeznamBot|linkdexbot|Netvibes|SMTBot|zgrab|James BOT)" "Header:User-Agent=(Googlebot|bingbot|Baiduspider|yacybot|YandexMobileBot|YandexBot|Yahoo! Slurp|MJ12bot|AhrefsBot|archive.org_bot|msnbot|MJ12bot|SeznamBot|linkdexbot|Netvibes|SMTBot|zgrab|James BOT)"
], ],
"actions":[ "actions":[
{"name": "log"}, {"name":"log"},
{ {
"name":"block", "name":"block",
"params":{ "params":{
"message":"Rate limit exceeded" "message":"rate limit exceeded"
} }
} }
] ]
@ -44,17 +65,17 @@
{ {
"name":"IP limit", "name":"IP limit",
"interval":60, "interval":60,
"limit":15, "limit":13,
"stop":true, "stop":true,
"aggregations":[ "aggregations":[
"Header:X-Forwarded-For" "Header:X-Forwarded-For"
], ],
"actions":[ "actions":[
{"name": "log"}, {"name":"log"},
{ {
"name":"block", "name":"block",
"params":{ "params":{
"message":"Rate limit exceeded" "message":"rate limit exceeded"
} }
} }
] ]
@ -62,17 +83,17 @@
{ {
"name":"rss/json limit", "name":"rss/json limit",
"interval":60, "interval":60,
"limit":15, "limit":13,
"stop":true, "stop":true,
"filters":[ "filters":[
"Param:format=(csv|json|rss)" "Param:format=(csv|json|rss)"
], ],
"actions":[ "actions":[
{"name": "log"}, {"name":"log"},
{ {
"name":"block", "name":"block",
"params":{ "params":{
"message":"Rate limit exceeded" "message":"rate limit exceeded"
} }
} }
] ]
@ -80,16 +101,16 @@
{ {
"name":"useragent limit", "name":"useragent limit",
"interval":60, "interval":60,
"limit":15, "limit":13,
"aggregations":[ "aggregations":[
"Header:User-Agent" "Header:User-Agent"
], ],
"actions":[ "actions":[
{"name": "log"}, {"name":"log"},
{ {
"name":"block", "name":"block",
"params":{ "params":{
"message":"Rate limit exceeded" "message":"rate limit exceeded"
} }
} }
] ]