Great! Just what I was looking for.
Any idea if the suggestions on this page are up-to-date? No timestamp
on the technical details, just an interesting how-to.
By the way, where does one actually PUT those stanzas of code? Or does
mod_security already have a brute force module that needs to be likewise
uncommented?
Thank you.
https://snippets.aktagon.com/snippets/563-brute-force-authentication-protection-with-modsecurity
On 03/26/2018 11:03 PM, Osama Elnaggar wrote:
> Check out the Anti-Automation / DoS Protection option in
> crs-setup.conf. By default it is not enabled but you can enable the
> rule which will in turn trigger the rules in
> REQUEST-912-DOS-PROTECTION.conf
>
> --
> Osama Elnaggar
>
> On March 27, 2018 at 11:33:11 AM, Chip (jef...@gm...) wrote:
>
>> Thank you for that.
>>
>> I ask because I read this post:
>>
>> https://security.stackexchange.com/questions/31556/securing-a-simple-webservice-against-brute-force-with-mod-security
>>
>> in which the author states a rate-limiting rule exists in the
>> ruleset but I can't find it. So I'm confused. If V3 has it where
>> is it, how do I activate a brute force mitigation rule?
>>
>> Here is a snippet from that discussion:
>>
>> There are rate-limiting rule set in ModSecurity CRS that does not
>> directly correlate whether the authentication attempt was successful
>> or not. Following is one of the Rule
>>
>>     SecRule IP:BRUTE_FORCE_COUNTER "@gt %{tx.brute_force_counter_threshold}" \
>>         "phase:5,id:'981042',t:none,nolog,pass,t:none,\
>>         setvar:ip.brute_force_burst_counter=+1,\
>>         expirevar:ip.brute_force_burst_counter=%{tx.brute_force_burst_time_slice},\
>>         setvar:!ip.brute_force_counter"
>>
>>
>>
>> On 03/26/2018 08:23 PM, Osama Elnaggar wrote:
>>> v3 contains everything you need. I’d suggest removing the older
>>> ruleset if possible so you don’t accidentally enable it
>>>
>>> --
>>> Osama Elnaggar
>>>
>>> On March 27, 2018 at 11:10:48 AM, Chip (jef...@gm...) wrote:
>>>
>>>> WHM/Cpanel server running on CENTOS 6.9 with OWASP ModSecurity Core
>>>> Rule Set and OWASP ModSecurity Core Rule Set V 3.0 available.
>>>>
>>>> Only ModSecurity Core Rule Set V 3.0 has been activated.
>>>>
>>>> I can see from information that V 3.0 is an enhancement to OWASP
>>>> ModSecurity Core Rule Set but I am at a loss in the following way:
>>>> must BOTH rule sets be activated for total coverage or does the V
>>>> 3.0 contain everything in the
>>>> OWASP ModSecurity Core Rule Set but with enhancements?
>>>>
>>>> This is not clear at least to me, anyway.
>>>>
>>>> Thanks.
>>>>
>>>>
>>>> mod-security-users mailing list
>>>> mod...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>>
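The step described in the reply above (enabling the Anti-Automation / DoS Protection option in crs-setup.conf), as an added example that is not part of the original thread. It shows the block as CRS 3.0 ships it, commented out, beside the enabled form; the numeric values are the shipped defaults and are a starting point to tune, not a recommendation from the thread.

```apache
# crs-setup.conf (OWASP CRS 3.0), section "Anti-Automation / DoS Protection"

# --- As shipped: commented out, so REQUEST-912-DOS-PROTECTION.conf has no
# --- thresholds to work with and its rules stay inactive.
#SecAction \
# "id:900700,\
#  phase:1,\
#  nolog,\
#  pass,\
#  t:none,\
#  setvar:'tx.dos_burst_time_slice=60',\
#  setvar:'tx.dos_counter_threshold=100',\
#  setvar:'tx.dos_block_timeout=600'"

# --- Enabled: remove the leading '#' from every line of the SecAction.
# tx.dos_burst_time_slice : length in seconds of the counting window
# tx.dos_counter_threshold: requests (static files excluded) allowed per window
#                           before the window counts as a "burst"
# tx.dos_block_timeout    : seconds a client stays blocked after two bursts
SecAction \
 "id:900700,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:'tx.dos_burst_time_slice=60',\
  setvar:'tx.dos_counter_threshold=100',\
  setvar:'tx.dos_block_timeout=600'"

# The per-IP counters live in a persistent collection, so ModSecurity needs a
# writable SecDataDir. Reload the web server after editing this file.
```

This limits request rate per client IP; it does not look at whether an authentication attempt succeeded or failed.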