Looking for a Modsecurity Rule that Would Block the IP After a Certain Amount of 403 Errors

rodeoman

Registered
Dec 10, 2014
1
0
1
United States
cPanel Access Level
Root Administrator
Maybe this is too redundant, but I am trying to figure out how to write a ModSecurity rule that would block the IP from the server for a period of time when that IP is generating a certain amount of 403 errors, and I am struggling with writing the rule. Does anyone have any ideas of what this rule would look like?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,227
463

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
I actually wouldn't use ModSecurity for this unless I had to. The rule would have to make use of collections similar to the WP brute force rule, which is a bit overly complex for a simple problem.

It would be much easier to just set the variable LF_APACHE_403 in CSF. It works like any other brute force detection does in CSF. If you set these for csf in /etc/csf/csf.conf, you would block any IP with 10 or more 403's in a short time for an hour:

LF_APACHE_403 = "10"
LF_APACHE_403_PERM = "3600"

Also if you're already using modsecurity, the LF_MODSEC setting will block IPs for repeat modsec hits anyway.