Skip to main content

Looking for a Modsecurity Rule that Would Block the IP After a Certain Amount of 403 Errors

Comments

2 comments

  • cPanelMichael
    Hello :) You may want to review some existing rules from some of the rule lists out there to get a better idea of how to write a rule. You may find this thread helpful for finding a good rule set: Atomicorp no longer provides a free delayed version of its ModSecurity Rule set Thank you.
    0
  • quizknows
    I actually wouldn't use ModSecurity for this unless I had to. The rule would have to make use of collections similar to the WP brute force rule, which is a bit overly complex for a simple problem. It would be much easier to just set the variable LF_APACHE_403 in CSF. It works like any other brute force detection does in CSF. If you set these for csf in /etc/csf/csf.conf, you would block any IP with 10 or more 403's in a short time for an hour: LF_APACHE_403 = "10" LF_APACHE_403_PERM = "3600" Also if you're already using modsecurity, the LF_MODSEC setting will block IPs for repeat modsec hits anyway.
    0

Please sign in to leave a comment.