Re: [mod-security-users] How to limit access rate by header?
From: Luciano G. F. <luc...@gm...> - 2018-12-06 23:39:07
Thank you for your answer, Christian. Do you think it's possible for you to
just build the first part of the rule (in Modsec)? I'm trying but I'm not
understanding how variables work with the global scope. I was able to
build some basic rules like:

# Banned Bots and Crawlers
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile blacklist-bots.data" \
    "id:350001,phase:1,t:none,deny,log,msg:'BANNED BOT'"

# Specific IPs
SecRule REMOTE_ADDR "@pmFromFile blacklist-ip.data" \
    "id:350002,phase:1,t:none,deny,log,msg:'BANNED IP'"

I'm trying to understand examples from stackoverflow and different places,
but they are all intended to limit by IP and for specific resources (the
scope of the rule). Eg.:
https://gist.github.com/josnidhin/91d1ea9cd71fde386c27a9228476834e
I'm not asking for the entire rule, just an example of how var counters
work in the global scope (directly in /etc/modsecurity/modsecurity.conf)
and how I can connect them to sum by header instead of IP.
Thank you!
On Thu, Dec 6, 2018 at 10:30, Christian Folini (chr...@ne...) wrote:
> Hello Luciano,
>
> You have a peculiar use case, but I see your thinking.
>
> There are examples in the ModSecurity books that are really close to your
> plan. They should be easy to adopt.
>
> Other than that, you may want to look into mod_qos. It has functionality
> that might be useful in your case.
>
> Best,
>
> Christian
>
>
> On Wed, Dec 05, 2018 at 06:26:03PM -0300, Luciano Guillermo Fantuzzi wrote:
> > Thank you for your answer, but maybe I'm not asking it the right way or
> > this is not the right place to ask(?).
> >
> > I need a Modsecurity rule (I'm using it through Apache) to be able to
> > control hits from clients with a specific header, like
> > "facebookexternalhit/1.1".
> > I.e. to stop some aggressive bots hitting my webservers too often and
> > taking them down eventually. I don't want to block them at all because I
> > need some of them (like Facebook bot to parse shared content), but I need
> > a way to tell them "stop, retry in some seconds".
> >
> > Thanks.
> >
> > On Wed, Dec 5, 2018 at 16:16, Reindl Harald (h.r...@th...) wrote:
> >
> > >
> > >
> > > On 05.12.18 at 16:57, Luciano Guillermo Fantuzzi wrote:
> > > > First of all, I'm new here so I'm not sure this is the right place
> > > > for asking for help (free modsec version). If it's not, I'll really
> > > > appreciate it if you can tell me where should I go.
> > > >
> > > > I'm trying to limit hit rate by:
> > > >
> > > > 1. Request's header (like "facebookexternalhit").
> > > > 2. (All hits to non static resources)
> > > >
> > > > And then return a friendly "429 Too Many Requests" and
> > > > "Retry-After: 3" (seconds).
> > > > I know I can read a file of headers like:
> > > >
> > > > SecRule REQUEST_HEADERS:User-Agent "@pmFromFile ratelimit-bots.txt"
> > > >
> > > > But I'm getting trouble building the entire rule.
> > > >
> > > > Any help would be really appreciated. Thank you!
> > >
> > > this is a non-issue
> > >
> > > normally you have rate-limits per IP in place and they should not be
> > > within the application layer at all and in the best case not even on
> > > the same machine
> > >
> > > that below is from a firewall-vm on a complete /24 network before any
> > > packet reaches a server at all, and for the individual servers are
> > > similar rules with lower values per 2 seconds in place
> > >
> > > when the request reaches the webserver damage is long done and if no
> > > damage is done you are wasting expensive resources with the rules
> > >
> > > Chain INBOUND (2 references)
> > >  pkts bytes target     prot opt in     out     source               destination
> > >  1914  183K IPST_ALL   all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: UPDATE seconds: 2 hit_count: 250 TTL-Match name: limit_all_global side: source mask: 255.255.255.255
> > >  149K   15M DROP_ALL   all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: UPDATE seconds: 2 reap hit_count: 150 TTL-Match name: limit_all_global side: source mask: 255.255.255.255
> > >
> > >
> > > _______________________________________________
> > > mod-security-users mailing list
> > > mod...@li...
> > > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> > > http://www.modsecurity.org/projects/commercial/rules/
> > > http://www.modsecurity.org/projects/commercial/support/
> > >
|
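
Added example (not part of the thread and not code from any of its participants): one way to write the rule asked about above for ModSecurity 2.x on Apache 2.4, counting hits per User-Agent value instead of per IP, following the counter pattern of the gist linked in the message. The rule ids, burst limit, decay rate, SecDataDir path and static-extension list are assumptions; it also assumes mod_headers is loaded and that no other rule set initialises the IP collection.

```apache
# Added example; ids, limits and paths are assumptions, not from the thread.
# Persistent collections need a directory the Apache user can write to.
SecDataDir /var/cache/modsecurity

# Static resources are not counted (the extension list is an assumption).
SecRule REQUEST_FILENAME "@rx \.(?:css|js|png|jpe?g|gif|ico)$" \
    "id:350010,phase:1,t:none,t:lowercase,pass,nolog,skipAfter:END_UA_RATELIMIT"

# Flag requests whose User-Agent contains a phrase from the list.
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile ratelimit-bots.txt" \
    "id:350011,phase:1,t:none,pass,nolog,setvar:tx.ua_limited=1"

# Everything else leaves the block untouched.
SecRule &TX:UA_LIMITED "@eq 0" \
    "id:350012,phase:1,pass,nolog,skipAfter:END_UA_RATELIMIT"

# Open a persistent record keyed on the SHA-1 of the header instead of the
# client address. "ip" is only the collection name; the key is what counts.
SecRule REQUEST_HEADERS:User-Agent "@rx ^.*$" \
    "id:350013,phase:1,t:none,t:sha1,t:hexEncode,pass,nolog,\
    initcol:ip=ua_%{MATCHED_VAR}"

# Over the burst limit: answer 429 and flag the request for Retry-After.
SecRule IP:UA_HITS "@gt 10" \
    "id:350014,phase:1,t:none,deny,status:429,log,\
    msg:'User-Agent rate limit exceeded',setenv:RATELIMITED=1"

# Under the limit: count the hit.
SecAction "id:350015,phase:1,pass,nolog,setvar:ip.ua_hits=+1"

SecMarker END_UA_RATELIMIT

# Leak one hit per second out of the counter for flagged requests.
SecRule TX:UA_LIMITED "@eq 1" \
    "id:350016,phase:5,pass,nolog,deprecatevar:ip.ua_hits=1/1"

# mod_headers adds the hint only to rate-limited responses.
Header always set Retry-After "3" env=RATELIMITED
```

Each distinct User-Agent string gets its own counter, shared by every client that sends it, so the limit applies to the bot as a whole rather than to any one address.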