Do you know where I could find a ModSecurity rule that could do the following:
- Collect 403 Forbidden
- Count them
- If the count is over a predefined value, then blacklist the attacker for a while + run exec (for sending an email, for example)
I thought about something like this (it is part of some rules I found to block WordPress login attempts, which I tried to implement without success):
# React if block flag has been set.
SecRule user:bf_block "@gt 0" "deny,redirect:https://mydomain.com/blocked.html,log,id:5000135,msg:'ip address blocked for 5 minutes (more than 10 forbidden request).'"
SecRule RESPONSE_STATUS "^403"
SecRule ip:bf_counter "@gt 5"
Are the previous rules correct in your opinion?
Should I add exec: to rule 5000135?
I would also like to log all requests and their GET/POST content. After watching my logs for a hacker, I discovered that not all POSTs are logged...
I don't understand why some are logged and some are not :(
I have this in my config file...
Thank you for your help
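
One way to wire up the count-then-block behaviour asked about above, as an added example that is not part of the original post. It assumes ModSecurity 2.x on Apache with SecDataDir configured for persistent collections; the rule ids 5000140-5000143, the variable names, the thresholds (10 responses, 180 s, 300 s) and the script path are placeholders.

```apache
# Added example (constructed). Ids, thresholds and the script path are placeholders.

# Open a persistent per-client collection keyed on the source address.
SecAction "id:5000140,phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR}"

# While the block flag is set, refuse the request before anything else runs.
SecRule ip:block "@gt 0" \
    "id:5000141,phase:1,deny,status:403,log,\
    msg:'Client blocked for 5 minutes after repeated 403 responses'"

# Count 403 responses in the logging phase, where the final status is known.
# The chained test skips clients that are already blocked, so the 403s sent
# by rule 5000141 do not keep extending the block. setvar sits on the last
# rule of the chain so it only fires when both conditions match.
# The counter expires 180 s after the most recent 403.
SecRule RESPONSE_STATUS "@streq 403" \
    "id:5000142,phase:5,t:none,nolog,pass,chain"
    SecRule &ip:block "@eq 0" \
        "setvar:ip.forbidden_counter=+1,expirevar:ip.forbidden_counter=180"

# Threshold crossed: set the block flag for 300 s, reset the counter so this
# rule (and the script) fires once per block, and run the notification script.
# Phase 5 cannot deny, so the block takes effect from the next request.
SecRule ip:forbidden_counter "@gt 10" \
    "id:5000143,phase:5,t:none,log,pass,\
    msg:'More than 10 forbidden responses, blocking client for 5 minutes',\
    setvar:ip.block=1,expirevar:ip.block=300,\
    setvar:ip.forbidden_counter=0,\
    exec:/usr/local/bin/notify-block.sh"
```

The script named in exec is called without arguments and has to be executable by the web server user; it reads transaction details such as the client address from its environment.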