Home / server / Questions / 374880
Accepted
JMW
Asked: 2012-03-30 07:09:02 +0800 CST

modsecurity: block IP address that visited 404 pages more than 10 times in a minute

  • 772

We're using mod_security and we have currently issues with some bots.

I would like to block IP Address that visited 404 pages more than 10 times in a minute.

How can this be done? How can I poll the 404 return codes?

How can I count the error 404 return codes in phase 3?

RESPONSE_STATUS may not work as expected in embedded mode, as Apache sometimes handles certain requests differently, and without invoking ModSecurity (all other modules).

How can I get the RESPONSE_STATUS every time for sure? phase 5?

apache-2.2 mod-security

2 Answers

  1. Best Answer

    Mod_security should already come with some scripts, provided by the OWASP project, which block robots. Have you checked them out? You will have to enable modsecurity_crs_35_bad_robots.conf. You can download the file from the OWASP project site:

    https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project

    Instructions can be found there as well.

    From README:

    == base_rules/modsecurity_crs_35_bad_robots.conf ==  Detection of Malicious Robots
    - Unique request attributes: User-Agent header, URL, Headers
    - RBL Check of IP addresses
    - Detection of security scanners
    - Blocking can confuse security testing software (WAFW00f)
    • 2

  2. The hint to the core rule set is good, but the actual rule you should use is 

    modsecurity_crs_11_brute_force.conf

    This rule is especially for your case: protect certain url from being brute forced and block the IP that initiates this brute force attack. You can configure this rule in the setup file

    modsecurity_crs_10_setup.conf

    In this setup file modify the variable tx.brute_force_protected_urls in rule 900014 with the urls you want to protect:

    SecAction \
  "id:'900014', \
  phase:1, \
  t:none, \
  setvar:'tx.brute_force_protected_urls=#/error/404.html#, #/error/403.html#', \
  setvar:'tx.brute_force_burst_time_slice=60', \
  setvar:'tx.brute_force_counter_threshold=2', \
  setvar:'tx.brute_force_block_timeout=300', \
  nolog, \
  pass"

    The variable tx.brute_force_burst_time_slice specifies the amount of time in seconds within this a certain threshold has to be exceeded. As I understand your question right, use 60. The variable tx.brute_force_block_timeout defines the time the IP of the brute forcer is blocked. The variable tx.brute_force_counter_threshold is a bit tricky. It defines how often you can access an url before you get blocked. It is not the exact number, but with the value 2 or 3 you should get a quite good result for your block-after-10-request-rule.

    • 0