filtron: log suspiciously frequent queries (WIP)

Signed-off-by: Markus Heiser <markus.heiser@darmarit.de>
2020-01-13 18:37:05 +01:00 · 2020-01-13 18:37:05 +01:00 · b5449ec47c
parent 39feb141bc
commit b5449ec47c
1 changed files with 40 additions and 19 deletions
--- a/utils/templates/etc/filtron/rules.json
+++ b/utils/templates/etc/filtron/rules.json
@ -1,31 +1,52 @@
 [{
+  "name":"suspiciously frequent queries",
+  "filters":[
+    "Param:q",
+    "Path=^(/|/search)$"
+  ],
+  "interval":120,
+  "limit":9,
+  "actions":[
+    {"name":"log"}
+  ]
+ },
+ {
  "name":"search request",
  "filters":[
    "Param:q",
    "Path=^(/|/search)$"
  ],
-  "interval":60,
-  "limit":15,
+  "interval":120,
+  "limit":19,
+  "actions":[
+    {
+      "name":"block",
+      "params":{
+        "message":"common rate limit exceeded"
+      }
+    }
+  ],
  "subrules":[
    {
      "name":"roboagent limit",
      "interval":60,
-      "limit":15,
+      "limit":3,
      "filters":[
-        "Header:User-Agent=(curl|cURL|Wget|python-requests|Scrapy|FeedFetcher|Go-http-client)"
+        "Header:User-Agent=(curl|cURL|Wget|python-requests|Scrapy|FeedFetcher|Go-http-client|Ruby)"
      ],
      "actions":[
        {"name":"log"},
        {
          "name":"block",
          "params":{
-            "message":"Rate limit exceeded"
+            "message":"rate limit exceeded"
          }
        }
      ]
    },
    {
      "name":"botlimit",
+      "interval":60,
      "limit":0,
      "stop":true,
      "filters":[
@ -36,7 +57,7 @@
        {
          "name":"block",
          "params":{
-            "message":"Rate limit exceeded"
+            "message":"rate limit exceeded"
          }
        }
      ]
@ -44,7 +65,7 @@
    {
      "name":"IP limit",
      "interval":60,
-      "limit":15,
+      "limit":13,
      "stop":true,
      "aggregations":[
        "Header:X-Forwarded-For"
@ -54,7 +75,7 @@
        {
          "name":"block",
          "params":{
-            "message":"Rate limit exceeded"
+            "message":"rate limit exceeded"
          }
        }
      ]
@ -62,7 +83,7 @@
    {
      "name":"rss/json limit",
      "interval":60,
-      "limit":15,
+      "limit":13,
      "stop":true,
      "filters":[
        "Param:format=(csv|json|rss)"
@ -72,7 +93,7 @@
        {
          "name":"block",
          "params":{
-            "message":"Rate limit exceeded"
+            "message":"rate limit exceeded"
          }
        }
      ]
@ -80,7 +101,7 @@
    {
      "name":"useragent limit",
      "interval":60,
-      "limit":15,
+      "limit":13,
      "aggregations":[
        "Header:User-Agent"
      ],
@ -89,7 +110,7 @@
        {
          "name":"block",
          "params":{
-            "message":"Rate limit exceeded"
+            "message":"rate limit exceeded"
          }
        }
      ]