Re: [mod-security-users] mod_security

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Hi Jessy,

let's see what we have here... Some comments on Ryan's rules from the  
post referred to by Brian:

     #
     # we initialize the IP collection, i.e. we create associate the  
IP collection with
     # the client's IP, i.e. we now have a collection associated with  
the remote address.
     #
     SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR}, \
                   setvar:request_count=+1,  
expirevar:request_count=86400

     #
     # we make sure that the client can access the  
"limit_exceeded_page.html" by
     # any means, even if he is blocked
     #
     SecRule REQUEST_URI "/limit_exceeded_page\.html"  
"log,allow,ctl:ruleEngine=off"

     #
     # we check if the REQUEST_COUNT variable in the IP collection is  
above the threshold
     # of 2000 requests per IP address and take further actions, by  
setting the "blocked"
     # variable
     #
     SecRule IP:REQUEST_COUNT "@ge 2000" "phase: 
1,pass,nolog,setvar:ip.blocked=1,expirevar:ip.blocked=3600"

     #
     # we need to add another check for the existence of the "blocked"  
variable in the
     # current context (i.e. in the IP collection)
     #
     SecRule IP:BLOCKED "@eq 1" "phase:1,deny,log,redirect:http://www.site.com/limit_exceeded_page.html 
"

All these rules check for a request count variable being available in  
the IP collection. At
each request, the collection is filled with values (from memory/disk),  
depending on the remote_address
value it is associated with.
(You can think of collections as a hash-of-hashes in perl. Using  
initcol:ip=... you select a specific
hash to be associated with the IP reference, i.e. after that action,  
the IP contains values previously
put into exactly the collection referenced by "REMOTE_ADDRESS").

In your case, you need to initialize the collection with the value of  
the "x-forwarded-for"
value, more exactly, with the ip address contained within that header.  
So the first thing to
do is to extract the ip address from that header.
(The following rules are not tested due to missing time, but they  
somehow show the principle.
  Rule IDs below are for clarity only.)

     #
     # this rule looks for an IPv4 address in the x-forwarded-for  
header and saves it
     # into the TX:1 variable (due to the "capture" action)
     # we also do set the "fwd_ip_found" variable for this transaction  
to indicate to the
     # following rule that the "TX:1" variable is the one to choose  
for loading the IP collection
     #
     SecRule REQUEST_HEADERS:x-forwarded-for "(\d{1,3}\.\d{1,3}\. 
\d{1,3}\.\d{1,3})" \
                  "phase: 
1,t:none,capture,setvar:tx.fwd_header_found=1,id:'1'"

     #
     # Now we need to initialize the IP collection depending on the
     #
     SecRule TX:FWD_IP_FOUND "@eq 1" "phase:1,initcol:ip=%{TX: 
1},nolog,id:'2'"

     #
     # if now FWD is found, we use the REMOTE_ADDRESS as client ip
     #
     SecAction &TX:FWD_IP_FOUND "@eq 0" "phase:1,initcol:ip=% 
{REMOTE_ADDRESS},id:'3'"

This setup includes a "fail-safe" solution, as it will use the x- 
forwarded-for header
if one exists AND contains an IPv4 address (rule (2)) and otherwise  
uses the remote client
address for request-counting (rule (3)).

The above 3 rules are intended to replace the very first "SecAction"  
line of Ryan's original
post, you need to include the other rules from that post after rules  
(1),(2),(3).
As said before this is not tested.

Best regards,
       Chris

Am 01.04.2009 um 17:29 schrieb <jm...@up...> <jm...@up...>:

> Thank you for your guidance Brian, Could you please let me know how  
> to incorporate the X-forwarded field in the Rule and use the "if"  
> condition.
>
> Thanks again...
> Regards,
> Jessy
>
> -----Original Message-----
> From: Brian Rectanus [mailto:Bri...@br...]
> Sent: Tuesday, March 31, 2009 6:50 PM
> To: Mathew Jessy (HCC1MJM)
> Cc: mod...@li...
> Subject: Re: [mod-security-users] mod_security
>
>
>
> Jessy Mathew wrote:
>> Hello,
>>
>> Could you please let me know if there is way in mod_security to
>> throttle requests based on IP with in a defined period of time.
>> eg.  if the no. of requests from a particular ip address exceeds 90
>> requests in a 5 minute interval, flag the ip address and blocks it  
>> for
>> 60 minutes. By default, the requests should be throttled based on
>> X-forwarded field Ip addresses. If x-forwarded field is not present,
>> throttle requests based on real client IP.
>>
>> Thanks in advance,
>> Jessy
>
> The archives are a good place to look for things like this...
>
> http://article.gmane.org/gmane.comp.apache.mod-security.user/3027
>
> Watch out on the x-forwarded-for.  Anyone can put any IP in there  
> and could cause an arbitrary IP to be throttled.
>
> -B
>
> --
> Brian Rectanus
> Breach Security
>
> ------------------------------------------------------------------------------
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Appliances, Rule Sets and Support:
> http://www.modsecurity.org/breach/index.html