Maybe this is too redundant, but I am trying to figure out how to write a ModSecurity rule that would block the IP from the server for a period of time when that IP is generating a certain amount of 403 errors, and I am struggling with writing the rule. Does anyone have any ideas of what this rule would look like?
Hello 
You may want to review some existing rules from some of the rule lists out there to get a better idea of how to write a rule. You may find this thread helpful for finding a good rule set:
Atomicorp no longer provides a free delayed version of its ModSecurity Rule set
Thank you.
You may want to review some existing rules from some of the rule lists out there to get a better idea of how to write a rule. You may find this thread helpful for finding a good rule set:
Atomicorp no longer provides a free delayed version of its ModSecurity Rule set
Thank you.
I actually wouldn't use ModSecurity for this unless I had to. The rule would have to make use of collections similar to the WP brute force rule, which is a bit overly complex for a simple problem.
It would be much easier to just set the variable LF_APACHE_403 in CSF. It works like any other brute force detection does in CSF. If you set these for csf in /etc/csf/csf.conf, you would block any IP with 10 or more 403's in a short time for an hour:
LF_APACHE_403 = "10"
LF_APACHE_403_PERM = "3600"
Also if you're already using modsecurity, the LF_MODSEC setting will block IPs for repeat modsec hits anyway.
It would be much easier to just set the variable LF_APACHE_403 in CSF. It works like any other brute force detection does in CSF. If you set these for csf in /etc/csf/csf.conf, you would block any IP with 10 or more 403's in a short time for an hour:
LF_APACHE_403 = "10"
LF_APACHE_403_PERM = "3600"
Also if you're already using modsecurity, the LF_MODSEC setting will block IPs for repeat modsec hits anyway.
| Thread starter | Similar threads | Forum | Replies | Date |
|---|---|---|---|---|
|
SOLVED looking in /opt I see ai-bolit - but I cannot access that directory via root access of my server? | Security | 7 | |
| A | Looking for Suspicious Files Question | Security | 5 | |
| R | Looking for an exploited site | Security | 2 | |
| R | Looking for Security Hardening Service | Security | 3 | |
| T | looking to secure up my server | Security | 4 |