This repository has been archived by the owner on Jul 12, 2023. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathconfig.php.example
112 lines (99 loc) · 4.47 KB
/
config.php.example
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
<?php
/**
* Blocklister configuration. Used by both update_list.php and get_list.php
*
* @package blocklister
*
* @copyright Copyright © 2014, Middlebury College
* @license http://www.gnu.org/copyleft/gpl.html GNU General Public License (GPL)
*/
/*********************************************************
* Blocklist database
*********************************************************/
$blocklist->setBlocklistDatabase(new PDO('sqlite:'.dirname(__FILE__).'/data/blocklist.sq3'));
# $blocklist->setBlocklistDatabase(new PDO('mysql:host=127.0.0.1;dbname=afranco_blocklist', 'testuser', 'testpassword'));
/*********************************************************
* Add a regular expressions that will match IP ranges
* that we should never add to the blocklist.
* This will prevent accidentally blocklisting certain
* clients that are trusted.
*********************************************************/
$blocklist->addWhitelistPattern('/^140\.233\./');
$blocklist->addWhitelistPattern('/^172\.16\./');
// Automatic IPs for Jetpack.
$blocklist->addWhitelistCidr('76.74.255.0/25');
$blocklist->addWhitelistCidr('76.74.248.128/25');
$blocklist->addWhitelistCidr('198.181.116.0/22');
$blocklist->addWhitelistCidr('192.0.64.0/18');
$blocklist->addWhitelistCidr('64.34.206.0/24');
$blocklist->addWhitelistCidr('66.155.105.128/26');
$blocklist->addWhitelistCidr('69.90.253.0/24');
/*********************************************************
* Add a static list of IP addresses that will be included
* in every list. This is useful to prevent the IPS/firewall
* from thinking the list is empty.
*********************************************************/
$static_list_members = array(
"192.0.2.0/24",
);
/*********************************************************
* Configure the Elasticsearch data source that will be
* shared by the following signatures.
*********************************************************/
$web_es = new ElasticsearchDataSource('http://logs.example.com:9200/', 'logstash');
/*********************************************************
* Configure a threshold and list of emails to alert on.
*
* If this number of IPs are matched in a single execution,
* an email alert will be sent to administrators (listed)
* to notify them.
*
* $blocklist->setAlertThreshold(20);
* $blocklist->addAlertEmailAddress('[email protected]');
*
* You can also set the From address if you need to have it
* properly match a valid address. By default it uses the
* username executing the script at the current hostname.
*
* $blocklist->setAlertFromEmailAddress('[email protected]');
*
*********************************************************/
#$blocklist->setAlertThreshold(20);
#$blocklist->addAlertEmailAddress('[email protected]');
#$blocklist->addAlertEmailAddress('[email protected]');
/*********************************************************
* Signatures to match
*********************************************************/
// Match POST requests that result in 403 responses.
//
// Real people can get these if they leave a form open
// overnight and their session expires. Let them refresh
// the page a few times before logging in. If they get
// more than a few of these, they are *very* likely malicious.
$signature = new ElasticsearchSignature($web_es);
$signature->setQuery("cluster:drupal AND type:varnishncsa AND verb:post AND response:403");
$signature->setWindow('5m');
$signature->setThreshold(15);
$signature->setIPField('orig_clientip');
$blocklist->addSignature('POST with 403', $signature, '12h');
// Match form submissions that include a honeypot field.
//
// These are almost never submitted by real people and are
// a very good indication of malicious behavior.
$signature = new ElasticsearchSignature($web_es);
$signature->setQuery("cluster:drupal AND type:drupal_watchdog AND drupal_action:uncaptchalous_hp");
$signature->setWindow('5m');
$signature->setThreshold(2);
$signature->setIPField('orig_clientip');
$blocklist->addSignature('form honeypot', $signature, '6h');
// Match form submissions that do not have javascript enabled.
//
// This is more common for valid clients, so allow clients
// to try a few submissions before getting around to turning
// on Javascript.
$signature = new ElasticsearchSignature($web_es);
$signature->setQuery("cluster:drupal AND type:drupal_watchdog AND drupal_action:uncaptchalous_js_val");
$signature->setWindow('5m');
$signature->setThreshold(10);
$signature->setIPField('orig_clientip');
$blocklist->addSignature('form missing js', $signature, '1h');