Re: [mod-security-users] mod_security
From: Christian B. <ch...@jw...> - 2009-04-01 19:59:26
Hi Jessy,

let's see what we have here... Some comments on Ryan's rules from the post referred to by Brian:

#
# we initialize the IP collection, i.e. we associate the IP collection with
# the client's IP, i.e. we now have a collection associated with the remote address.
# (the counter lives in the IP collection, so it is set and expired as ip.request_count)
#
SecAction "phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},setvar:ip.request_count=+1,expirevar:ip.request_count=86400"
#
# we make sure that the client can access the "limit_exceeded_page.html" by
# any means, even if he is blocked (phase:1 so that it runs before the
# blocking rule below; otherwise the redirect would loop)
#
SecRule REQUEST_URI "/limit_exceeded_page\.html" "phase:1,log,allow,ctl:ruleEngine=off"
#
# we check if the REQUEST_COUNT variable in the IP collection is above the threshold
# of 2000 requests per IP address and take further actions, by setting the "blocked"
# variable
#
SecRule IP:REQUEST_COUNT "@ge 2000" "phase:1,pass,nolog,setvar:ip.blocked=1,expirevar:ip.blocked=3600"
#
# we need to add another check for the existence of the "blocked" variable in the
# current context (i.e. in the IP collection)
#
SecRule IP:BLOCKED "@eq 1" "phase:1,deny,log,redirect:http://www.site.com/limit_exceeded_page.html"

All these rules check for a request count variable being available in the IP collection. At each request, the collection is filled with values (from memory/disk), depending on the remote_address value it is associated with. (You can think of collections as a hash-of-hashes in perl. Using initcol:ip=... you select a specific hash to be associated with the IP reference, i.e. after that action, the IP contains values previously put into exactly the collection referenced by "REMOTE_ADDRESS").

In your case, you need to initialize the collection with the value of the "x-forwarded-for" value, more exactly, with the ip address contained within that header. So the first thing to do is to extract the ip address from that header. (The following rules are not tested due to missing time, but they somehow show the principle. Rule IDs below are for clarity only.)

#
# this rule looks for an IPv4 address in the x-forwarded-for header and saves it
# into the TX:1 variable (due to the "capture" action)
# we also set the "fwd_ip_found" variable for this transaction to indicate to the
# following rule that the "TX:1" variable is the one to choose for loading the IP collection
#
SecRule REQUEST_HEADERS:x-forwarded-for "(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" \
  "phase:1,t:none,capture,pass,nolog,setvar:tx.fwd_ip_found=1,id:'1'"
#
# Now we need to initialize the IP collection depending on the result of rule (1)
# (the request counter is incremented here because rules (1)-(3) replace the
# SecAction that used to do it)
#
SecRule TX:FWD_IP_FOUND "@eq 1" \
  "phase:1,pass,nolog,initcol:ip=%{TX.1},setvar:ip.request_count=+1,expirevar:ip.request_count=86400,id:'2'"
#
# if no FWD is found, we use the REMOTE_ADDR as client ip
#
SecRule &TX:FWD_IP_FOUND "@eq 0" \
  "phase:1,pass,nolog,initcol:ip=%{REMOTE_ADDR},setvar:ip.request_count=+1,expirevar:ip.request_count=86400,id:'3'"

This setup includes a "fail-safe" solution, as it will use the x-forwarded-for header if one exists AND contains an IPv4 address (rule (2)) and otherwise uses the remote client address for request-counting (rule (3)).

The above 3 rules are intended to replace the very first "SecAction" line of Ryan's original post, you need to include the other rules from that post after rules (1),(2),(3).

As said before this is not tested.

Best regards,
Chris

On 01.04.2009 at 17:29, <jm...@up...> <jm...@up...> wrote:

> Thank you for your guidance Brian, Could you please let me know how
> to incorporate the X-forwarded field in the Rule and use the "if"
> condition.
>
> Thanks again...
> Regards,
> Jessy
>
> -----Original Message-----
> From: Brian Rectanus [mailto:Bri...@br...]
> Sent: Tuesday, March 31, 2009 6:50 PM
> To: Mathew Jessy (HCC1MJM)
> Cc: mod...@li...
> Subject: Re: [mod-security-users] mod_security
>
> Jessy Mathew wrote:
>> Hello,
>>
>> Could you please let me know if there is a way in mod_security to
>> throttle requests based on IP within a defined period of time.
>> eg. if the no. of requests from a particular ip address exceeds 90
>> requests in a 5 minute interval, flag the ip address and block it
>> for 60 minutes. By default, the requests should be throttled based on
>> X-forwarded field Ip addresses. If x-forwarded field is not present,
>> throttle requests based on real client IP.
>>
>> Thanks in advance,
>> Jessy
>
> The archives are a good place to look for things like this...
>
> http://article.gmane.org/gmane.comp.apache.mod-security.user/3027
>
> Watch out on the x-forwarded-for. Anyone can put any IP in there
> and could cause an arbitrary IP to be throttled.
>
> -B
>
> --
> Brian Rectanus
> Breach Security
>
> ------------------------------------------------------------------------------
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Appliances, Rule Sets and Support:
> http://www.modsecurity.org/breach/index.html
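As an added illustration that is not part of this thread or of ModSecurity, the following Python model replays the collection-key selection of rules (1)-(3) together with Ryan's counting, expiry and blocking rules, and folds in Brian's warning by honouring X-Forwarded-For only when the request arrives from an assumed trusted proxy. The proxy address, the client addresses and the request sequence are constructed for the example.

```python
import re
from collections import defaultdict

# Same IPv4 pattern as rule (1); the first match is what "capture" puts in TX:1.
IPV4_RE = re.compile(r"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})")

REQUEST_LIMIT = 2000   # "@ge 2000" threshold from Ryan's rules
COUNT_WINDOW = 86400   # expirevar:ip.request_count=86400
BLOCK_SECONDS = 3600   # expirevar:ip.blocked=3600
LIMIT_PAGE = "/limit_exceeded_page.html"
TRUSTED_PROXIES = {"10.0.0.5"}  # assumed: only these hosts' X-Forwarded-For is believed


def client_key(remote_addr, headers, trusted_proxies=TRUSTED_PROXIES):
    """Pick the IP-collection key like rules (1)-(3): first IPv4 address in
    X-Forwarded-For, else REMOTE_ADDR. Unlike those rules, the header is only
    used when the connecting peer is a trusted proxy (Brian's spoofing caveat)."""
    if remote_addr in trusted_proxies:
        m = IPV4_RE.search(headers.get("x-forwarded-for", ""))
        if m:
            return m.group(1)
    return remote_addr


class IpCollection:
    """In-memory stand-in for the persistent per-IP collection."""

    def __init__(self):
        self.count = defaultdict(int)  # ip.request_count
        self.count_expiry = {}         # TTL refreshed by expirevar on every request
        self.blocked_until = {}        # ip.blocked plus its TTL

    def check(self, remote_addr, headers, path, now):
        """Return the disruptive outcome for one request: allow, redirect or pass."""
        if path == LIMIT_PAGE:
            return "allow"  # must be decided before the block check or the redirect loops
        key = client_key(remote_addr, headers)
        if now >= self.count_expiry.get(key, 0):
            self.count[key] = 0  # counter lapsed (expirevar)
        self.count[key] += 1
        self.count_expiry[key] = now + COUNT_WINDOW  # TTL restarts at each request
        if self.count[key] >= REQUEST_LIMIT:
            self.blocked_until[key] = now + BLOCK_SECONDS
        if now < self.blocked_until.get(key, 0):
            return "redirect"
        return "pass"
```

Because expirevar restarts the counter's TTL on every request, a client that keeps retrying stays over the threshold and is re-blocked each hour until it goes quiet for the full 86400 s.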