Re: [mod-security-users] issue with IP rate-limiting
Brought to you by:
victorhora,
zimmerletw
From: Christian F. <chr...@ne...> - 2016-08-05 11:27:56
|
Hello, On Fri, Aug 05, 2016 at 03:58:50PM +0530, Gaurav Agarwal wrote: > So how do I make sure that counter is expired in 60 seconds after the first > request (not after the last request) ? That's a different functionality, which you can construct by moving the expirevar to a separate rule, which you apply under the condition, that it's a new entry in the IP collection via the IS_NEW flag. See https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Persistent_Storage Please submit the final rule snippet if you get it working that way. Ahoj, Christian > > Thanks, > Gaurav > > On Fri, Aug 5, 2016 at 3:54 PM, Christian Folini < > chr...@ne...> wrote: > > > Hey Gaurav, > > > > On Fri, Aug 05, 2016 at 03:40:26PM +0530, Gaurav Agarwal wrote: > > > SecAction > > > "initcol:IP=%{REMOTE_ADDR},setvar:IP.pagecount=+1, > > expirevar:IP.pagecount=60,chain" > > > > You are telling ModSec to _reset_ the counter to 60 seconds. So > > if you keep sending a request every 60 seconds, it is likely you slip > > in right before the reset. > > > > Set expirevar to 65 and you should be fine. > > > > Not tested, though. Maybe I overlooked something else as well. > > > > Ahoj, > > > > Christian > > > > > > > SecRule IP:PAGECOUNT "@gt 5" > > > > > > I thought that this rule will block the client when it sends more than 5 > > > requests *over the period of 60 seconds.* > > > > > > However, it seems that every-time a request is received, the variable > > > *__expire_pagecount* is being incremented by 60 seconds. So even if I am > > > sending 1 request every minute, mod-security is blocking the client in > > *6th > > > minute.* > > > > > > I know I am missing something fundamental ? > > > > > > Thanks, > > > Gaurav > > > > > ------------------------------------------------------------ > > ------------------ > > > > > _______________________________________________ > > > mod-security-users mailing list > > > mod...@li... > > > https://lists.sourceforge.net/lists/listinfo/mod-security-users > > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > > > http://www.modsecurity.org/projects/commercial/rules/ > > > http://www.modsecurity.org/projects/commercial/support/ > > > > > > -- > > https://www.feistyduck.com/training/modsecurity-training-course > > mailto:chr...@ne... > > twitter: @ChrFolini > > > > ------------------------------------------------------------ > > ------------------ > > _______________________________________________ > > mod-security-users mailing list > > mod...@li... > > https://lists.sourceforge.net/lists/listinfo/mod-security-users > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > > http://www.modsecurity.org/projects/commercial/rules/ > > http://www.modsecurity.org/projects/commercial/support/ > > > ------------------------------------------------------------------------------ > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ -- https://www.feistyduck.com/training/modsecurity-training-course mailto:chr...@ne... twitter: @ChrFolini |