4

We're using mod_security and we have currently issues with some bots.

I would like to block IP Address that visited 404 pages more than 10 times in a minute.

How can this be done? How can I poll the 404 return codes?


How can I count the error 404 return codes in phase 3?


RESPONSE_STATUS may not work as expected in embedded mode, as Apache sometimes handles certain requests differently, and without invoking ModSecurity (all other modules).

How can I get the RESPONSE_STATUS every time for sure? phase 5?

masegaloeh
JMW

2 Answers

2

Mod_security should already come with some scripts, provided by the OWASP project, which block robots. Have you checked them out? You will have to enable modsecurity_crs_35_bad_robots.conf. You can download the file from the OWASP project site:

https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project

Instructions can be found there as well.

From README:

== base_rules/modsecurity_crs_35_bad_robots.conf ==  Detection of Malicious Robots
    - Unique request attributes: User-Agent header, URL, Headers
    - RBL Check of IP addresses
    - Detection of security scanners
    - Blocking can confuse security testing software (WAFW00f)
Jason Huntley
  • Thank you, we're already using CRS. The problem is that the bots are visiting from different IPs at 10 req/sec and cause a lot of error 404s. How can I count the error 404 return codes in phase 3? – JMW Mar 30 '12 at 07:07
  • Thanks for answering. Your answer didn't solve my problem, but since you were the only one that answered, I'll accept it. :-) – JMW May 11 '12 at 08:55
0

The hint to the core rule set is good, but the actual rule you should use is

modsecurity_crs_11_brute_force.conf

This rule is especially for your case: protect certain URLs from being brute forced and block the IP that initiates this brute force attack. You can configure this rule in the setup file

modsecurity_crs_10_setup.conf

In this setup file modify the variable tx.brute_force_protected_urls in rule 900014 with the urls you want to protect:

# Rule 900014 in modsecurity_crs_10_setup.conf (CRS 2.x). Each protected URL is
# delimited with '#'; multiple URLs are separated by commas. Thresholds below
# are the values suggested in this answer.
SecAction \
  "id:'900014', \
  phase:1, \
  t:none, \
  setvar:'tx.brute_force_protected_urls=#/error/404.html#, #/error/403.html#', \
  setvar:'tx.brute_force_burst_time_slice=60', \
  setvar:'tx.brute_force_counter_threshold=2', \
  setvar:'tx.brute_force_block_timeout=300', \
  nolog, \
  pass"

The variable tx.brute_force_burst_time_slice specifies the amount of time in seconds within which a certain threshold has to be exceeded. If I understand your question right, use 60. The variable tx.brute_force_block_timeout defines the time the IP of the brute forcer is blocked. The variable tx.brute_force_counter_threshold is a bit tricky. It defines how often you can access a URL before you get blocked. It is not the exact number, but with the value 2 or 3 you should get a quite good result for your block-after-10-request rule.

Lukas
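The per-IP 404 counting the question asks about, written directly as ModSecurity 2.x rules rather than through the CRS brute-force setup; this is an added example, not part of the question or either answer. It assumes SecDataDir is configured (persistent collections need it) and that rule ids 100001-100004 are free in your configuration; the counter is kept in phase 5 because that phase runs for every transaction ModSecurity sees, which is the point raised in the question.

```apache
# Added example (not from the question or either answer): count 404 responses
# per client IP and block clients that produce more than 10 within 60 seconds.
# Assumes ModSecurity 2.x with SecDataDir set; rule ids are placeholders.

# Initialise the per-IP collection early so later phases can update it.
SecAction "id:'100001',phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR}"

# Deny the request up front if this IP is currently flagged as blocked.
SecRule IP:BLOCKED "@eq 1" \
  "id:'100002',phase:1,deny,status:403,log,msg:'IP blocked: too many 404s'"

# Phase 5 (logging) runs for every transaction Apache hands to ModSecurity,
# even when the body phases are skipped, so RESPONSE_STATUS is reliable here.
SecRule RESPONSE_STATUS "@streq 404" \
  "id:'100003',phase:5,nolog,pass, \
   setvar:ip.err404_counter=+1, \
   expirevar:ip.err404_counter=60"

# Once more than 10 404s are seen within the window, flag the IP for 300
# seconds and reset the counter so the block is not re-armed immediately.
SecRule IP:ERR404_COUNTER "@gt 10" \
  "id:'100004',phase:5,nolog,pass, \
   setvar:ip.blocked=1, \
   expirevar:ip.blocked=300, \
   setvar:ip.err404_counter=0"
```

Note that expirevar refreshes the 60-second timer on every 404, so the window slides rather than resetting each minute; if you need a strict per-minute count, the CRS burst-time-slice logic in the brute-force rules is the better fit.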