I am trying to figure out how to write a ModSecurity rule that would block the IP from the server for a period of time when that IP is generating a certain amount of 403 errors, and I am struggling with writing the rule. Does anyone have any ideas of what this rule would look like?
Viewed 694 times
0
I recommend you take a look at the OWASP ModSecurity Core Rule Set (CRS) to get an idea for how rules are written. Combined with the ModSecurity documentation, you should be able to figure out how to create variables, how to increment the variable per 403 response, and how to block the IP once that variable hits your desired threshold. – slightly_toasted Jan 10 '23 at 23:50
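The approach sketched in the comment above (a per-IP collection, a counter incremented on each 403 response, and a temporary block once it passes a threshold), written out as an added example that is not from the question, the comment or the CRS. It assumes ModSecurity 2.x with SecRuleEngine On and a writable SecDataDir (persistent collections need it); the rule ids 1000-1003, the threshold of 10, the 10-minute counting window and the 15-minute block are placeholder values to adjust locally.

```apache
# Persistent per-client collection, keyed by the client IP.
# Requires SecDataDir to be set so the IP collection survives between requests.
SecAction "id:1000,phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR}"

# Logging phase: count every 403 this client received. The counter expires
# 10 minutes after the last increment, so only a burst of 403s reaches the
# threshold. The chained rule skips counting while the client is already
# blocked, otherwise the deny below (itself a 403) would keep refreshing the
# counter and the block would never expire for a client that keeps retrying.
SecRule RESPONSE_STATUS "@streq 403" \
    "id:1001,phase:5,nolog,pass,chain"
    SecRule &IP:BLOCKED "@eq 0" \
        "setvar:ip.forbidden_count=+1,expirevar:ip.forbidden_count=600"

# Once the counter reaches 10, set a block flag that expires after 15 minutes.
SecRule IP:FORBIDDEN_COUNT "@ge 10" \
    "id:1002,phase:5,nolog,pass,setvar:ip.blocked=1,expirevar:ip.blocked=900"

# Early in every request: deny while the block flag is set, and log it so the
# temporary ban is visible in the audit log.
SecRule IP:BLOCKED "@eq 1" \
    "id:1003,phase:1,deny,status:403,log,msg:'Client temporarily blocked after repeated 403 responses'"
```

Pick rule ids that do not collide with the CRS range if you load it alongside, and remember that the IP collection is per ModSecurity instance, so a multi-server setup needs a shared Fail2Ban-style mechanism rather than these rules alone.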
1 Answer
0
Fail2Ban is the correct tool for this. It can read ModSecurity logs and ban IP addresses based on them. It comes with a filter for ModSecurity 2 that can be enabled in, e.g., /etc/fail2ban/jail.d/apache.conf:

    [apache-modsecurity]
    enabled = true

You might want to adjust the maxretry as it defaults to 2 which seems pretty aggressive.

Esa Jokinen