Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

Looking for a Modsecurity Rule that Would Block the IP After a Certain Amount of 403 Errors

Discussion in 'Security' started by rodeoman, Dec 11, 2014.

  1. rodeoman

    rodeoman Registered

    Joined:
    Dec 10, 2014
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    United States
    cPanel Access Level:
    Root Administrator
    Maybe this is too redundant, but I am trying to figure out how to write a ModSecurity rule that would block the IP from the server for a period of time when that IP is generating a certain amount of 403 errors, and I am struggling with writing the rule. Does anyone have any ideas of what this rule would look like?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,367
    Likes Received:
    1,855
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  3. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    1,010
    Likes Received:
    87
    Trophy Points:
    78
    cPanel Access Level:
    DataCenter Provider
    I actually wouldn't use ModSecurity for this unless I had to. The rule would have to make use of collections similar to the WP brute force rule, which is a bit overly complex for a simple problem.

    It would be much easier to just set the variable LF_APACHE_403 in CSF. It works like any other brute force detection does in CSF. If you set these for csf in /etc/csf/csf.conf, you would block any IP with 10 or more 403's in a short time for an hour:

    LF_APACHE_403 = "10"
    LF_APACHE_403_PERM = "3600"

    Also if you're already using modsecurity, the LF_MODSEC setting will block IPs for repeat modsec hits anyway.
     
Loading...

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice