Hi again. 

After some time researching, I found someone who asked the same question about iptables, the string option and hitcount: http://www.governmentsecurity.org/forum/topic/32728-iptables-throttle-by-string-matching/

iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --string '/csp/handshake?ct=application%2Fjavascript' --set
iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --string '/csp/handshake?ct=application%2Fjavascript' --update --seconds 5 --hitcount 20 -j DROP

server:/home/user# iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --string '/csp/handshake?ct=application%2Fjavascript' --set
iptables v1.4.2: Unknown arg `(null)'
Try `iptables -h' or 'iptables --help' for more information.

As you can see, he had problems when he tried to apply those rules, so I kept looking for similar rules and found them in an article on preventing DNS amplification attacks here: http://blog.rootshell.ir/

Going straight to the iptables snippet from that link, I see these lines:
iptables -A INPUT -p udp -m udp --dport 53 -m string --hex-string "|0000ff0001|" --algo bm --from 48 --to 65535 -m recent --set --name dnsanyquery --rsource
iptables -A INPUT -p udp -m udp --dport 53 -m string --hex-string "|0000ff0001|" --algo bm --from 48 --to 65535 -m recent --rcheck --seconds 60 --hitcount 5 --name dnsanyquery --rsource -j DROP

So finally, from those rules, I guess someone could modify them in order to block brute-force attacks, not only with mod_security rules :) :

# record every TCP/80 packet whose payload contains the string, keyed by source address
iptables -A INPUT -p tcp -m tcp --dport 80 -m string --string "wp-admin.php" --algo bm -m recent --set --name blockwordpress --rsource
# drop matching packets once a source has 5 hits within 60 seconds (the 5th hit is the first one dropped)
iptables -A INPUT -p tcp -m tcp --dport 80 -m string --string "wp-admin.php" --algo bm -m recent --rcheck --seconds 60 --hitcount 5 --name blockwordpress --rsource -j DROP

I haven't tested it, but if someone could try it in a development environment I would be thankful to hear that it works!!

Kind regards,

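To make the throttling behaviour of a "string match + recent" rule pair concrete, here is an added example of my own (not code from this thread, from the governmentsecurity forum or from the rootshell blog) that models the --set / --rcheck --seconds --hitcount semantics of xt_recent in Python and pushes a constructed burst of requests through the two-rule chain. Assumptions: the pattern is wp-login.php (WordPress's login endpoint; the rules in the mail use "wp-admin.php"), the INPUT chain policy is ACCEPT, xt_recent's default of 20 remembered timestamps per source, and the addresses, payloads and timings are made up.

```python
"""Model of the iptables 'string match + recent' throttle (added example, not kernel code).

Assumed: xt_recent --set / --rcheck --seconds --hitcount semantics as documented in
iptables-extensions(8); INPUT policy ACCEPT; pattern wp-login.php; traffic is constructed.
"""
from collections import defaultdict, deque

IP_PKT_LIST_TOT = 20  # xt_recent module default: timestamps remembered per source (assumed default)


class RecentList:
    """One named xt_recent list (--name NAME), keyed by source address (--rsource)."""

    def __init__(self, name, pkt_list_tot=IP_PKT_LIST_TOT):
        self.name = name
        self.hits = defaultdict(lambda: deque(maxlen=pkt_list_tot))  # src -> timestamps

    def set(self, src, now):
        """--set: add src to the list, or record one more hit for an existing entry."""
        self.hits[src].append(now)

    def rcheck(self, src, now, seconds, hitcount):
        """--rcheck --seconds S --hitcount N: match when src is listed and at least
        N of its remembered hits are no older than S seconds."""
        if src not in self.hits:
            return False
        recent = sum(1 for t in self.hits[src] if now - t <= seconds)
        return recent >= hitcount


def string_match(payload, pattern):
    """-m string --string PATTERN --algo bm: substring search over this packet's payload only."""
    return pattern.encode() in payload


def build_chain(pattern, seconds=60, hitcount=5, list_name="blockwordpress"):
    """Return verdict(pkt) modelling the two-rule INPUT chain:
       -A INPUT -p tcp --dport 80 -m string --string PATTERN --algo bm \
          -m recent --set --name NAME --rsource
       -A INPUT -p tcp --dport 80 -m string --string PATTERN --algo bm \
          -m recent --rcheck --seconds S --hitcount N --name NAME --rsource -j DROP
    """
    recent = RecentList(list_name)

    def verdict(pkt):
        selected = (pkt["proto"] == "tcp" and pkt["dport"] == 80
                    and string_match(pkt["payload"], pattern))
        if not selected:
            return "ACCEPT"          # neither rule matches; chain policy applies
        recent.set(pkt["src"], pkt["t"])            # rule 1 fires on every selected packet
        if recent.rcheck(pkt["src"], pkt["t"], seconds, hitcount):
            return "DROP"            # rule 2: the N-th hit inside the window is already dropped
        return "ACCEPT"

    return verdict


def pkt(t, src, payload, proto="tcp", dport=80):
    return {"t": t, "src": src, "proto": proto, "dport": dport, "payload": payload}


# Constructed traffic: RFC 5737 test addresses and made-up HTTP payloads.
LOGIN = b"POST /wp-login.php HTTP/1.1\r\nHost: blog.example\r\n\r\nlog=admin&pwd=guess"
INDEX = b"GET /index.php HTTP/1.1\r\nHost: blog.example\r\n\r\n"
ATTACKER, VISITOR = "203.0.113.7", "198.51.100.5"
TRAFFIC = (
    [pkt(t, ATTACKER, LOGIN) for t in range(7)]   # one login attempt per second, t = 0..6
    + [pkt(3, VISITOR, INDEX), pkt(4, VISITOR, LOGIN)]
    + [pkt(8, ATTACKER, INDEX)]                   # attacker fetching a non-throttled URL
    + [pkt(70, ATTACKER, LOGIN)]                  # retry 64 s after the last attempt
)


def run(traffic, pattern="wp-login.php", seconds=60, hitcount=5):
    """Push packets through the chain in arrival order; return (t, src, verdict) per packet."""
    verdict = build_chain(pattern, seconds, hitcount)
    return [(p["t"], p["src"], verdict(p)) for p in sorted(traffic, key=lambda p: p["t"])]


if __name__ == "__main__":
    for t, src, v in run(TRAFFIC):
        print(f"t={t:3d}s  {src:<14} {v}")
```

Running it shows that the attacker's fifth matching packet, not the sixth, is the first one dropped, because the --set rule records the hit before --rcheck counts it; the visitor's single login and the attacker's request for a different URL pass, and the attacker is admitted again once none of its hits falls inside the 60 s window. Two caveats the model makes visible: the kernel counts packets, so every TCP retransmission of a dropped request is another hit that extends the block, and the string match only sees the payload of one packet, so it cannot match TLS traffic or a request whose URL straddles two segments.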



2013/9/18 Jose Pablo Valcárcel Lázaro <pablo.valcarcel1980@gmail.com>

Thanks Reindl :).

Kind Regards

On 18/09/2013 19:44, "Reindl Harald" <h.reindl@thelounge.net> wrote:
On 18.09.2013 19:07, Jose Pablo Valcárcel Lázaro wrote:
> First of all, sorry to post here, but I believe that mod_security with iptables makes it harder for hackers to gain
> access to resources.
>
> I was wondering if someone could tell me if he/she has been able to use the iptables string module with the hitcount
> module. Why? Easy to answer. You could limit access to PHP forms using string (although for performance, Deep
> Packet Inspection is not the best approach) together with the hit count.
>
> You could block after more than 5 attempts to gain access to example_form.php.
>
> Is it a bad idea? Does mod_security have brute-force rules?
>
> I know that you can develop new rules to approach this solution or use other alternatives such as captchas or
> honeypot fields.

generally, whatever can be done in the earliest possible layer should be done there;
security is always a layered thing (network, firewall, application firewall, application)

things like rate control and limiting concurrent connections from a source IP
should be done in iptables or, if possible, even in a device before the server

it *can* be done with modsec, but wherever you can catch attacks a layer before, do so




_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/