> -----Original Message-----
> From: mod-security-users-bounces@... [mailto:mod-
> security-users-bounces@...] On Behalf Of howard chen
> Sent: Thursday, February 14, 2008 11:04 AM
> To: mod-security-users@...
> Subject: [mod-security-users] Newbie questions
> Hello, I am researching mod_security to see if it fits our needs;
> features such as bot detection/preventing SQL injection are all nice
> features for modern web apps.
> But I still have a few questions.
> 1. Is it possible to limit requests to a particular URL by rule?
> E.g. prevent a client from a unique IP from accessing register.php at a
> rate exceeding 1 request per second.
[Ryan Barnett] Yes. ModSecurity 2 introduced custom variables and
persistent collections which allow rule writers to correlate multiple
requests together. This means that you could put a threshold on the
number of requests per unit of time.
Take a look at Ivan Ristic's SecurityFocus interview where he talks
about these features - http://www.securityfocus.com/columnists/418/2
Also, if you want some examples, you can look at the "Cool Rules"
archived webcast that I gave on BSN -
https://bsn.breach.com/account/login.php. You will need to setup an
account (it is free).
> 2. Is it possible to develop an anti-bot system like Google's based on
> mod_security? E.g. if a suspected bot requests a page, a Captcha page
> will be loaded to ask a question; if it succeeds, access rights will be
> granted.
[Ryan Barnett] Yeah, there isn't much technical detail about Google's
anti-bot implementation (I mean the actual secret sauce ;) but you could
do something similar with Mod. Once your rules that identify a bot
fire, you could use the redirect action to send them to a custom
CAPTCHA page. The CAPTCHA page would then need to redirect them back to
the originally requested page if they passed the check.
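An added example of both answers above in ModSecurity 2.x rule syntax. This is not from the thread and is not a ruleset shipped by the ModSecurity project; the SecDataDir path, the rule ids, the collection variable names (ip.register_hits, ip.suspect), the /captcha.php page and the captcha_ok cookie are assumptions for illustration. It implements the per-IP limit of one request per second on register.php with a persistent IP collection, and then uses the same "suspected bot" flag to redirect to a CAPTCHA page until the client presents the cookie that page is assumed to set on success.

```apache
# Added example, not from the original thread or the ModSecurity project.
# ModSecurity 2.x directives for Apache httpd. Paths, ids, variable names,
# the /captcha.php page and the captcha_ok cookie are assumptions.

# Persistent collections are written to disk; the directory must exist and
# be writable by the httpd worker user (assumed path).
SecDataDir /var/cache/modsecurity

# Load or create a per-client collection keyed on the remote address.
# Caveat: behind a reverse proxy REMOTE_ADDR is the proxy, not the client.
SecAction "phase:1,id:100,nolog,pass,initcol:ip=%{REMOTE_ADDR}"

# Count hits to register.php. expirevar resets the counter 1 second after
# the last increment, so a second request inside that window trips rule 102.
SecRule REQUEST_FILENAME "@streq /register.php" \
    "phase:1,id:101,nolog,pass,setvar:ip.register_hits=+1,expirevar:ip.register_hits=1"

# Question 1: more than one request per second to register.php from one
# address is denied, and the address is flagged as a suspected bot for
# 10 minutes (the flag is what the CAPTCHA rules below key on).
SecRule IP:REGISTER_HITS "@gt 1" \
    "phase:1,id:102,deny,status:403,log,msg:'register.php rate limit exceeded',setvar:ip.suspect=1,expirevar:ip.suspect=600"

# Question 2: a flagged address requesting anything other than the CAPTCHA
# page, without the cookie the CAPTCHA page sets on success, is redirected
# to the CAPTCHA page. The disruptive redirect sits on the first rule of the
# chain; the chained rules only narrow the match. /captcha.php is assumed to
# set the cookie and send the client back to the originally requested URL.
SecRule IP:SUSPECT "@eq 1" \
    "chain,phase:1,id:103,redirect:/captcha.php,log,msg:'suspected bot, CAPTCHA challenge'"
    SecRule REQUEST_FILENAME "!@streq /captcha.php" "chain"
    SecRule &REQUEST_COOKIES:captcha_ok "@eq 0"
```

Two things to check before relying on this. First, rule 103 only tests that the captcha_ok cookie is present, so the CAPTCHA page must issue a value the client cannot mint itself (for example a signed, expiring token) and verify it on later requests; ModSecurity is only the gate here. Second, because expirevar is refreshed on every increment, a client that keeps hammering register.php while blocked keeps its counter alive, which is the intended behaviour for a rate limit but worth knowing when reading the audit log.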