On Fri, Aug 16, 2013 at 5:33 AM, rewt rewt <rewt@linux-elite.org> wrote:
Hello All,

I am trying to implement a counter that will check the number of 403s from an IP address and, if it exceeds a fixed number per minute, redirect that IP to a custom page...

I thought I could use the config to protect the WordPress login, but no success.

Below is what I have tried; any comment will be appreciated.

Hi Rewt,

It's always a good idea when writing rules to be very specific, i.e. don't assume ModSecurity will make the right assumptions when executing your rules. In this case, try being specific with what phase the rules should run in. Move rules 5000502 and 5000503 to phase 3 and specify phase 2 (or 3) for rule 5000501.

 - Josh

I tried an attack that generated 403 errors; I tried it 15 times with ZAP, but it was still not redirected/blocked.

I don't think that the part containing the 302 is required... Please let me know.

SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:5000500
# Setup brute force detection.
# React if block flag has been set.
SecRule user:bf_block "@gt 0" "deny,redirect:https://OBFUSCATED/blocked.html,log,id:5000501,msg:'ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes.'"
SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000502"
SecRule RESPONSE_STATUS "^403" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000503"
    SecRule ip:bf_counter "@gt 3" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
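As an added example (not the rules posted in this thread, and not from the ModSecurity project), here is the same rule set with the phases made explicit the way Josh suggests: the block check runs in phase 2, and the two RESPONSE_STATUS rules run in phase 3, which is the first phase in which the response status is available. The redirect URL is a placeholder, and the message text is adjusted to match the actual threshold in the chained rule.

```apacheconf
# Initialise the per-client collections as early as possible (phase 1).
SecAction "phase:1,nolog,pass,id:5000500,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR}"

# Check the block flag on every request. phase:2 is stated explicitly so the
# rule does not depend on a default inherited from the surrounding configuration.
# redirect is a disruptive action on its own, so deny is not combined with it.
SecRule user:bf_block "@gt 0" \
    "phase:2,id:5000501,log,redirect:https://PLACEHOLDER.example/blocked.html,\
    msg:'IP blocked for 5 minutes: more than 3 403 responses within 3 minutes'"

# RESPONSE_STATUS is populated once the response headers exist (phase 3).
# A successful login (302 redirect) resets the counter.
SecRule RESPONSE_STATUS "^302" "phase:3,id:5000502,t:none,nolog,pass,setvar:ip.bf_counter=0"

# Each 403 increments the counter; deprecatevar decays it by 1 every 180 s.
# Once the counter exceeds 3, the chained rule sets the block flag for 300 s
# and resets the counter so the next window starts clean.
SecRule RESPONSE_STATUS "^403" \
    "phase:3,id:5000503,chain,t:none,nolog,pass,\
    setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180"
    SecRule ip:bf_counter "@gt 3" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
```

Because the flag is checked in phase 2 and set in phase 3, the request that trips the threshold is still served its 403 and only the following request from that address is redirected; watch the audit log for id 5000501 to confirm the block fires.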
