
Looking for a Modsecurity Rule that Would Block the IP After a Certain Amount of 403 Errors

Discussion in 'Security' started by rodeoman, Dec 11, 2014.

  1. rodeoman

    Maybe this is too redundant, but I am trying to figure out how to write a ModSecurity rule that would block the IP from the server for a period of time when that IP is generating a certain amount of 403 errors, and I am struggling with writing the rule. Does anyone have any ideas of what this rule would look like?
     
  2. cPanelMichael

  3. quizknows

    I actually wouldn't use ModSecurity for this unless I had to. The rule would have to make use of collections similar to the WP brute force rule, which is a bit overly complex for a simple problem.

    It would be much easier to just set the variable LF_APACHE_403 in CSF. It works like any other brute force detection does in CSF. If you set these for csf in /etc/csf/csf.conf, you would block any IP with 10 or more 403's in a short time for an hour:

    LF_APACHE_403 = "10"
    LF_APACHE_403_PERM = "3600"

    Also if you're already using modsecurity, the LF_MODSEC setting will block IPs for repeat modsec hits anyway.
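
A dry run of the thresholds quoted above against an Apache access log, added here as an example; it is not part of the thread and is not how CSF/lfd is implemented. It shows which IPs would be blocked, so the threshold can be checked for false positives before it is enabled. The 300-second window, the function names and the sample log lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds mirror the csf.conf values quoted in the thread.
LF_APACHE_403 = 10         # 403 responses that trigger a block
LF_APACHE_403_PERM = 3600  # block duration in seconds
WINDOW = timedelta(seconds=300)  # assumption: stand-in for "a short time"

# Apache common/combined log format: client IP, timestamp, request, status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) ')

def find_blocks(lines, threshold=LF_APACHE_403, window=WINDOW,
                block_for=LF_APACHE_403_PERM):
    """Return {ip: (blocked_at, unblocked_at)} for IPs that reach `threshold`
    403 responses inside any sliding `window`."""
    recent = defaultdict(deque)   # ip -> timestamps of recent 403s
    blocks = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group(3) != "403":
            continue              # unparsable line or not a 403
        ip = m.group(1)
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        if ip in blocks and ts < blocks[ip][1]:
            continue              # still blocked; a firewall would drop this
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:
            hits.popleft()        # forget 403s older than the window
        if len(hits) >= threshold:
            blocks[ip] = (ts, ts + timedelta(seconds=block_for))
            hits.clear()
    return blocks

def sample_log():
    """Constructed sample: one noisy client, one client with slow 403s."""
    fmt = '{ip} - - [11/Dec/2014:10:{m:02d}:{s:02d} +0000] "GET {p} HTTP/1.1" {st} 199'
    noisy = [fmt.format(ip="203.0.113.7", m=0, s=i * 2, p="/wp-login.php", st=403) for i in range(12)]
    slow = [fmt.format(ip="198.51.100.4", m=i * 6, s=0, p="/private/", st=403) for i in range(9)]
    ok = [fmt.format(ip="192.0.2.10", m=1, s=0, p="/", st=200)]
    return noisy + slow + ok

if __name__ == "__main__":
    for ip, (start, end) in find_blocks(sample_log()).items():
        print(f"{ip} blocked {start:%H:%M:%S} until {end:%H:%M:%S}")
```

To check a real log, pass an open file object for the Apache access log to `find_blocks` in place of `sample_log()`.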
     