Hi everyone,
I am using mod_qos for my website and I have understood its basic use. However, I still cannot accomplish some complicated demands. There is a task: allow an IP to access a webpage or an AJAX handler no more than 20 times per second; if that IP violates this rule three times (within an hour?), permanently block that IP, or block that IP for one day.
Step1: allow an IP to access a webpage or an AJAX handler no more than 20 times per second
I have successfully set up this rule:
SetEnvIf Request_URI ^(.*)$ LimitAccess
SetEnvIf Request_URI .*\.(jpg)|(jpeg)|(gif)|(png)|(js)|(css)$ !LimitAccess
QS_ClientEventLimitCount 20 60 LimitAccess
Step2: if that IP violates this rule three times (within an hour?)
I cannot set up this rule for now.
Step3: permanently block that IP, or block that IP for one day.
I cannot set up this rule for now.
I have checked the mod_qos docs but still cannot solve this problem, so I have to seek help. Any comments would be greatly appreciated.
Thanks,
Zepe
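An added example (not part of the thread or of mod_qos) that emulates the SetEnvIf pair from the post above in Python: because the exemption pattern's alternatives sit at the top level, it also unsets LimitAccess for any URI that merely contains `js`, `png` and so on, so those requests are never counted. The posted pattern is taken as `.*\.(jpg)|(jpeg)|(gif)|(png)|(js)|(css)$`, assuming the `*` and `\` were lost in page rendering; the tightened pattern, the sample URIs and the function names are assumptions.

```python
import re

# Exemption pattern as posted, assuming '*' and '\' were lost in page rendering.
EXEMPT_POSTED = re.compile(r".*\.(jpg)|(jpeg)|(gif)|(png)|(js)|(css)$")
# Hypothetical tightening (not from the thread): one group, dot and '$' apply to all.
EXEMPT_TIGHT = re.compile(r"\.(jpg|jpeg|gif|png|js|css)$")

# Constructed request paths (Request_URI carries no query string).
SAMPLE_URIS = [
    "/index.php",
    "/static/logo.png",
    "/app.js",
    "/ajax/json_handler.php",
    "/api/pngtools/convert",
    "/photo.jpg.php",
]


def is_limited(uri, exempt):
    """Emulate the SetEnvIf pair: mark every request, then unset on a match."""
    limit_access = True              # first SetEnvIf is meant to match any URI
    if exempt.search(uri):           # SetEnvIf performs an unanchored search
        limit_access = False         # "!LimitAccess" removes the variable
    return limit_access


def compare(uris):
    """Return {uri: (counted with posted pattern, counted with tight pattern)}."""
    return {u: (is_limited(u, EXEMPT_POSTED), is_limited(u, EXEMPT_TIGHT))
            for u in uris}


def uncounted_by_mistake(uris):
    """URIs exempted by the posted pattern but not by the tight one."""
    return [u for u, (posted, tight) in compare(uris).items()
            if tight and not posted]


if __name__ == "__main__":
    for uri, (posted, tight) in compare(SAMPLE_URIS).items():
        print(f"{uri:28} posted={posted!s:5} tight={tight}")
    print("exempted unintentionally:", uncounted_by_mistake(SAMPLE_URIS))
```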
You can configure multiple QS_ClientEventLimitCount rules which might be triggered by the values of their counters. An example is shown here.
Hi Pascal,
Thank you so much for your reply. I now know how to configure the directives to meet the above demand. I did not notice that there is another doc (http://mod-qos.sourceforge.net/dos.html) in addition to the index page of mod_qos (http://mod-qos.sourceforge.net/index.html).
May I ask three more questions regarding QS_Block, QS_Srv* directives and logs?
Question 1:
There is an example on the page you provided:
# block clients violating some basic rules frequently (don't allow more than 20
# violations within 5 minutes):
QS_ClientEventBlockCount 20 300
QS_SetEnvIfStatus 400 QS_Block
QS_SetEnvIfStatus 405 QS_Block
QS_SetEnvIfStatus 406 QS_Block
QS_SetEnvIfStatus 408 QS_Block
QS_SetEnvIfStatus 413 QS_Block
QS_SetEnvIfStatus 414 QS_Block
QS_SetEnvIfStatus 500 QS_Block
QS_SetEnvIfStatus QS_SrvMinDataRate QS_Block
QS_SetEnvIfStatus QS_SrvMaxConnPerIP QS_Block
QS_SetEnvIfStatus BrokenConnection QS_Block
As far as I know, if an IP generates 20 QS_Block events at the end of a minute (right at the 60th second), that IP will violate the above rule and will be blocked for 5-1=4 minutes. The question is, how can I block that IP for a longer time?
I tried to set the following rules (set a counter "block" for unusual statuses; if the "block" counter reaches 5 in one minute, set QS_Block=1, then block for one day):
QS_ClientEventBlockCount 1 86400
QS_SetEnvIfStatus 400 block
QS_SetEnvIfStatus 401 block
QS_SetEnvIfStatus 403 block
QS_SetEnvIfStatus 404 block
QS_SetEnvIfStatus 405 block
QS_SetEnvIfStatus 406 block
QS_SetEnvIfStatus 408 block
QS_SetEnvIfStatus 411 block
QS_SetEnvIfStatus 413 block
QS_SetEnvIfStatus 414 block
QS_SetEnvIfStatus 417 block
QS_SetEnvIfStatus 500 block
QS_SetEnvIfStatus 503 block
QS_SetEnvIfStatus 505 block
QS_ClientEventLimitCount 5 60 block
QS_SetEnvIf block_Counter=5 QS_Block=1
However, the above directives do not generate the expected result. Could you help check whether there are any mistakes in them?
Question 2:
I read a message in the discussion section of the mod-qos project website. It is as follows:
mod_qos 10.5 compiles with Apache 2.4 BUT:
1) be careful when using QS_Srv* directives (they probably do not work as expected because connection records are cleared after a quite long time)
2) QS_SrvMinDataRate is not available (use http://httpd.apache.org/docs/2.4/mod/mod_reqtimeout.html instead)
I am wondering whether all the QS_Srv directives in the latest version of mod_qos are now available in Apache 2.4.
Question 3:
Does the default setup automatically write logs to the Apache access_log file or error_log file? I checked the access_log and error_log files, but cannot find any log entries tagged mod_qos. Do I need to manually set up logs for mod_qos?
I am sorry there are so many questions, and thank you so much for providing this powerful tool.
Thanks,
Zepe