add attack

2016-08-13 09:41:41 +03:00 · 2016-08-13 09:41:41 +03:00 · 1a6d8ce18a
parent d7158f57a2
commit 1a6d8ce18a
4 changed files with 47 additions and 0 deletions
--- a/1
+++ b/1
@ -16,6 +16,7 @@ gem 'pundit'
 gem 'simple_form'
 gem 'animate-scss' , :github => "ejholmes/animate.scss"
 gem "best_in_place"
+gem 'rack-attack'

 #asynchronous sending
 gem 'sucker_punch'
--- a/Gemfile.lock
+++ b/Gemfile.lock
@ -241,6 +241,8 @@ GEM
    quiet_assets (1.1.0)
      railties (>= 3.1, < 5.0)
    rack (1.6.4)
+    rack-attack (4.4.1)
+      rack
    rack-test (0.6.3)
      rack (>= 1.0)
    rails (4.2.6)
@ -404,6 +406,7 @@ DEPENDENCIES
  puma
  pundit
  quiet_assets
+  rack-attack
  rails (= 4.2.6)
  rails_layout
  rb-fchange
--- a/config/application.rb
+++ b/config/application.rb
@ -20,6 +20,8 @@ module WebDevSite
      g.fixture_replacement :factory_girl, dir: "spec/factories"
    end

+    config.middleware.use Rack::Attack
+
    # Settings in config/environments/* take precedence over those specified here.
    # Application configuration should go into files in config/initializers
    # -- all .rb files in that directory are automatically loaded.
--- a/config/initializers/attack.rb
+++ b/config/initializers/attack.rb
@ -0,0 +1,41 @@
+# Block requests for php or cgi, jps and what else the people throw at us
+Rack::Attack.blacklist('block admin probes') do |req|
+  # Request are blocked if the return value is truthy
+  reject = false
+  ["php" , "jsp" , "cgi", "asp", "cfm," "proxy.txt", "soapCaller", "Win32" , "HNAP1" , "w00tw00t",
+    "pma" , "mysql" ,"msd" , "MySQL" , "jmx-console" , "ervlet" , "xml" ,"install",
+    "webdav"].each do |no|
+    if req.path.include?(no)
+      reject = true
+      break
+    end
+  end
+  reject
+end
+
+# Block requests from people clearly out to break servers
+Rack::Attack.blacklist('block admin ips') do |req|
+  [ "79.143.82.69" , "85.76.99.50" ].include? req.ip
+end
+
+# Throttle requests to 5 requests per second per ip
+Rack::Attack.throttle('req/ip', :limit => 5, :period => 1.second) do |req|
+  # If the return value is truthy, the cache key for the return value
+  # is incremented and compared with the limit. In this case:
+  #   "rack::attack:#{Time.now.to_i/1.second}:req/ip:#{req.ip}"
+  #
+  # If falsy, the cache key is neither incremented nor checked.
+
+  req.ip
+end
+
+# Always allow requests from shop
+# (blacklist & throttles are skipped)
+Rack::Attack.whitelist('allow from known or dev') do |req|
+  # Requests are allowed if the return value is truthy
+  if Rails.env.production?
+    [ "85.76.112.161" , "85.76.99.50"].include? req.ip
+  else
+    true
+  end
+end