Hi,
Thanks Willy, and in part Baptiste (original author of the blog entry too?).
On 3.9.2013 8:42, Willy Tarreau wrote:
> You could also decide that you use the same table for everything,
> so that a source address sending many POST requests to different
> sites will be detected as well
To benefit people who might stumble into the same thing, here are the relevant
config parts that make this puzzle work.
So it matches POST requests whose path begins (path_beg) with /wp-login.php and
tracks their rate:
defaults
    mode http        # assumed here: path_beg ACLs and http-request rules need HTTP mode
    option httpclose

# one table keyed by source address: gpc0 marks an abuser, http_req_rate counts requests per 120s
backend per-ip
    stick-table type ip size 50k expire 120m store gpc0,http_req_rate(120s)

frontend http-in
    bind *:80
    # track the source of every connection in the table as sc1
    tcp-request connection track-sc1 src table per-ip
    acl wp_login path_beg -i /wp-login.php
    # gpc0 > 0 means this source was flagged earlier by the backend
    acl flagged_as_abuser sc1_get_gpc0 gt 0
    # flagged sources that POST to the login page go to the tarpit backend
    use_backend bk_login_abusers if METH_POST wp_login flagged_as_abuser
    default_backend web29

backend web29
    acl wp_login path_beg -i /wp-login.php
    # track login POSTs as sc2 (same table and same key as sc1, so the same entry)
    tcp-request content track-sc2 src table per-ip if METH_POST wp_login
    acl bruteforce_detection sc2_http_req_rate gt 5
    # sc1_inc_gpc0 increments gpc0 and returns the new value, so this flags the source
    acl block sc1_inc_gpc0 gt 0
    # order matters: block (and its increment) is only evaluated when the rate test matched
    http-request deny if bruteforce_detection block
    server web29 x.x.x.x:80 check

backend bk_login_abusers
    mode http
    timeout tarpit 1s
    # hold the request for the tarpit timeout, then answer with the 500 error page (the fake login form)
    http-request tarpit
    errorfile 500 /etc/haproxy/pages/wp_fake_login.http
    errorfile 503 /etc/haproxy/pages/wp_fake_login.http
Best Regards,
Toni
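To see what the config above actually decides per request, here is an added offline model of the per-ip stick table and the rule order (frontend use_backend, then backend track-sc2 / deny). It is example code written for this page, not HAProxy code and not part of Toni's message. Assumptions: the rate counter is approximated as HAProxy's two-window sliding counter (current window count plus the previous window scaled by its remaining overlap), the addresses and timings are constructed, and the model deliberately reproduces one property of the posted config that is easy to miss: sc1 and sc2 point at the same entry, so every request from the source (including GETs) counts toward sc2_http_req_rate, not only login POSTs.

```python
"""Offline model of the per-ip stick table and the decision the HAProxy
config above makes for each request. Added example; not HAProxy code."""
from dataclasses import dataclass

PERIOD = 120        # http_req_rate(120s)
EXPIRE = 120 * 60   # expire 120m, refreshed on every access to the entry
RATE_LIMIT = 5      # acl bruteforce_detection sc2_http_req_rate gt 5


@dataclass
class Entry:
    """One stick-table row: gpc0 plus the two-bucket counter behind http_req_rate."""
    gpc0: int = 0
    curr_tick: int = 0   # start of the current 120s window
    curr_ctr: int = 0    # requests seen in the current window
    prev_ctr: int = 0    # requests seen in the previous window
    last_seen: int = 0


class PerIpTable:
    def __init__(self):
        self.entries = {}

    def track(self, ip, now):
        """Lookup-or-create for the source address, dropping an idle entry first (expire 120m)."""
        e = self.entries.get(ip)
        if e is not None and now - e.last_seen > EXPIRE:
            del self.entries[ip]
            e = None
        if e is None:
            e = Entry(curr_tick=now)
            self.entries[ip] = e
        e.last_seen = now
        return e

    @staticmethod
    def _rotate(e, now):
        # Approximation of HAProxy's sliding window: once the current window is over,
        # it becomes the previous one (or is forgotten if two or more windows passed).
        elapsed = now - e.curr_tick
        if elapsed >= PERIOD:
            e.prev_ctr = 0 if elapsed >= 2 * PERIOD else e.curr_ctr
            e.curr_ctr = 0
            e.curr_tick = now - (elapsed % PERIOD)

    def inc_http_req(self, e, now):
        self._rotate(e, now)
        e.curr_ctr += 1

    def http_req_rate(self, e, now):
        """Current count plus the previous window's count scaled by how much of it still overlaps."""
        self._rotate(e, now)
        remaining = PERIOD - (now - e.curr_tick)
        return e.curr_ctr + e.prev_ctr * remaining // PERIOD


def decide(table, ip, method, path, now):
    """Return 'forward', 'deny' or 'tarpit' for one request, following the config's rule order."""
    e = table.track(ip, now)       # frontend: tcp-request connection track-sc1 src table per-ip
    table.inc_http_req(e, now)     # every request from the source lands in this one shared entry
    login_post = method == "POST" and path.lower().startswith("/wp-login.php")  # METH_POST wp_login
    if login_post and e.gpc0 > 0:  # use_backend bk_login_abusers if ... flagged_as_abuser
        return "tarpit"
    if login_post:                 # backend web29: track-sc2 src ... if METH_POST wp_login
        if table.http_req_rate(e, now) > RATE_LIMIT:  # acl bruteforce_detection
            e.gpc0 += 1            # acl block: sc1_inc_gpc0 gt 0 flags the source
            return "deny"          # http-request deny
    return "forward"


def run(requests):
    """Replay (seconds, ip, method, path) tuples through one table; return the decisions."""
    table = PerIpTable()
    return [decide(table, ip, method, path, t) for t, ip, method, path in requests]


# Constructed traffic, not a real log. 203.0.113.7 hammers the login page.
SAMPLE_REQUESTS = [
    (0, "203.0.113.7", "GET", "/wp-login.php"),    # counts toward the rate although it is not a POST
    (1, "203.0.113.7", "POST", "/wp-login.php"),
    (2, "203.0.113.7", "POST", "/wp-login.php"),
    (3, "203.0.113.7", "POST", "/wp-login.php"),
    (4, "203.0.113.7", "POST", "/wp-login.php"),   # 5 requests in 120s: still forwarded
    (5, "203.0.113.7", "POST", "/wp-login.php"),   # 6th: rate > 5, denied and gpc0 set
    (6, "203.0.113.7", "POST", "/wp-login.php"),   # flagged: tarpitted by the frontend
    (7, "203.0.113.7", "GET", "/"),                # not a login POST: forwarded normally
    (9, "198.51.100.2", "POST", "/wp-login.php"),  # another source is unaffected
    (600, "203.0.113.7", "POST", "/wp-login.php"), # rate long gone, but gpc0 persists: tarpit
    (600 + EXPIRE + 1, "203.0.113.7", "POST", "/wp-login.php"),  # entry expired: starts clean
]

if __name__ == "__main__":
    for req, verdict in zip(SAMPLE_REQUESTS, run(SAMPLE_REQUESTS)):
        print(f"t={req[0]:>5}s {req[1]:<13} {req[2]:<4} {req[3]:<14} -> {verdict}")
```

Two things the replay makes visible: the flag outlives the burst (the source is tarpitted ten minutes later with a rate of zero, and only a fully idle 120m clears it, since every access refreshes the expire), and the shared entry means the first GET of the login form already spends one of the five allowed requests. If that is not wanted, a second stick table used only by track-sc2 would keep the login-POST rate separate from general browsing.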