Re: [mod-security-users] How to restrict hits per uri per unit of time
From: Christian F. <chr...@ne...> - 2017-06-12 04:20:11
Sébastian,
The counter is part of the URI collection in your example. But there is
no URI collection in ModSecurity. There are only the documented and
pre-defined collections. In your case, the RESOURCE or GLOBAL collection
would probably be the one to choose.
But whatever you do, I think mod_qos is better suited to tasks like this
than ModSecurity. But I second that you can make this work in ModSec,
it's just a bit of an act while it's quite straightforward with
mod_qos.
Cheers,
Christian
On Sun, Jun 11, 2017 at 12:18:48PM +0200, Piller Sébastien wrote:
>
> Hi everybody
> I'm trying to configure modsecurity for Apache to limit the number of hits a given resource can be accessed per unit of time (let's say, 10 hits per minute per resource, no matter which IP address makes the request). The resources have a URL pattern of the form "https://myhost/my-resource/my-resource-id"
>
> I have the following configuration in my vhost configuration (adapted from a blog found on the web):
> # Limit the requests count by unit of time.
> SecRuleEngine On
>
>
>   # SecAction initcol:ip=%{REMOTE_ADDR},pass,nolog,id:132
>   SecAction initcol:uri=%{REQUEST_URI},pass,nolog,id:232
>   SecAction "phase:5,deprecatevar:uri.counter=10/60,pass,nolog,id:332"
>   SecRule URI:COUNTER "@ge 10" "phase:2,pause:10,deny,status:429,setenv:RATELIMITED,skip:1,nolog,id:432"
>   SecAction "phase:2,pass,setvar:uri.counter=+1,nolog,id:532"
>   Header always set Retry-After "60" env=RATELIMITED
>
>
> ErrorDocument 429 "Too Many Requests"
>
> As I understand this snippet, it tells modsecurity "create a variable named uri for each request_uri and associate a counter with each, then decrement it by 10 every 60 seconds. If the current URI's counter reaches the value of 10, fail with an error code 429, else increment it", which is what I need.
>
> This configuration leads to a "uri variable not found" error, and I don't understand why.
>
> If I uncomment the 1st SecAction and change the remaining configuration to reference it, it works (returns a 429 after 10 quick calls), but obviously does not take the URI into account (it fails for any resource, e.g. /my-resource/123 and /my-resource/456).
>
> Could anybody give some help with this? All my attempts fail miserably and I'm not very familiar with Apache's config in general, so I guess I'm missing some important notion here.
>
> PS: Apache is v2.4, mod-security is v2.9
>
> Thank you!
> Thanks!
>
--
https://www.feistyduck.com/training/modsecurity-training-course
mailto:chr...@ne...
twitter: @ChrFolini
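The per-resource limit from the question, rewritten on the pre-defined RESOURCE collection that Christian points to, as an added example that is not part of either message and not the ModSecurity project's own configuration. It assumes ModSecurity 2.9 with a writable SecDataDir (path and rule ids are placeholders); persistent collections opened with initcol are stored there, so without it the rules load but the counter never persists between requests.

```apache
# Per-resource rate limit: 10 hits per minute for each distinct request URI,
# regardless of client IP. Added example; SecDataDir path and ids are assumed.
SecRuleEngine On
SecDataDir /var/cache/modsecurity

# Open the documented RESOURCE collection, keyed on the request URI. Each
# distinct URI gets its own persisted record and therefore its own counter.
SecAction "phase:1,pass,nolog,id:900001,initcol:resource=%{REQUEST_URI}"

# Once this resource's counter has reached 10, refuse the request. The env
# variable lets mod_headers attach Retry-After only to rate-limited responses.
SecRule RESOURCE:COUNTER "@ge 10" \
    "phase:2,deny,status:429,setenv:RATELIMITED=1,nolog,id:900002"

# Otherwise record this hit. A denied request never reaches this rule,
# because processing stops at the deny above.
SecAction "phase:2,pass,nolog,id:900003,setvar:resource.counter=+1"

# Leak the counter back at a rate of 10 per 60 seconds, giving the
# "10 hits per minute" window from the question.
SecAction "phase:5,pass,nolog,id:900004,deprecatevar:resource.counter=10/60"

Header always set Retry-After "60" env=RATELIMITED
ErrorDocument 429 "Too Many Requests"
```

REQUEST_URI includes the query string, so two hits on the same path with different query strings count as different resources; if that is not wanted, key the collection on REQUEST_FILENAME instead, which drops the query part.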