Looking for a Modsecurity Rule that Would Block the IP After a Certain Amount of 403 Errors
Maybe this is too redundant, but I am trying to figure out how to write a ModSecurity rule that would block the IP from the server for a period of time when that IP is generating a certain amount of 403 errors, and I am struggling with writing the rule. Does anyone have any ideas of what this rule would look like?
-
Hello :) You may want to review some existing rules from some of the rule lists out there to get a better idea of how to write a rule. You may find this thread helpful for finding a good rule set: Atomicorp no longer provides a free delayed version of its ModSecurity Rule set Thank you. 0 -
I actually wouldn't use ModSecurity for this unless I had to. The rule would have to make use of collections similar to the WP brute force rule, which is a bit overly complex for a simple problem. It would be much easier to just set the variable LF_APACHE_403 in CSF. It works like any other brute force detection does in CSF. If you set these for csf in /etc/csf/csf.conf, you would block any IP with 10 or more 403's in a short time for an hour: LF_APACHE_403 = "10" LF_APACHE_403_PERM = "3600" Also if you're already using modsecurity, the LF_MODSEC setting will block IPs for repeat modsec hits anyway. 0
Please sign in to leave a comment.
Comments
2 comments