Re: [mod-security-users] How to limit access rate by header?
From: Luciano G. F. <luc...@gm...> - 2018-12-07 02:51:27
I'm very frustrated... I can't make it work, even for IP control. What am
I doing wrong here? It always returns:
Could not set variable "IP.access_count" as the collection does not exist.
<LocationMatch "^/.*">
    SecRule REQUEST_HEADERS:CF-Connecting-IP "@unconditionalMatch" \
        "phase:2,initcol:IP=%{MATCHED_VAR},pass,nolog,id:35003"
    SecRule IP:ACCESS_COUNT "@gt 1" \
        "phase:2,pause:300,deny,status:503,setenv:RATELIMITED,skip:1,nolog,id:35004"
    SecAction "phase:2,setvar:IP.access_count=+1,pass,nolog,id:35005"
    SecAction "phase:5,deprecatevar:IP.access_count=1/10,pass,nolog,id:35006"
    Header always set Retry-After "10" env=RATELIMITED
</LocationMatch>

ErrorDocument 503 "Service Unavailable"
On Thu, Dec 6, 2018 at 20:38, Luciano Guillermo Fantuzzi (
luc...@gm...) wrote:
> Thank you for your answer, Christian. Do you think it's possible for you
> to just build the first part of the rule (in Modsec)? I'm trying but I'm
> not understanding how variables work with the global scope. I was able
> to build some basic rules like:
>
> # Banned Bots and Crawlers
> SecRule REQUEST_HEADERS:User-Agent "@pmFromFile blacklist-bots.data" \
> "id:350001,phase:1,t:none,deny,log,msg:'BANNED BOT'"
>
> # Specific IPs
> SecRule REMOTE_ADDR "@pmFromFile blacklist-ip.data" \
> "id:350002,phase:1,t:none,deny,log,msg:'BANNED IP'"
>
> I'm trying to understand examples from stackoverflow and different places,
> but they are all intended to limit by IP and for specific resources (the
> scope of the rule). Eg.:
> https://gist.github.com/josnidhin/91d1ea9cd71fde386c27a9228476834e
>
> I'm not asking for the entire rule, just an example of how var counters
> work in the global scope (directly in /etc/modsecurity/modsecurity.conf)
> and how can I connect them to sum by header instead of IP.
>
> Thank you!
>
> On Thu, Dec 6, 2018 at 10:30, Christian Folini (
> chr...@ne...) wrote:
>
>> Hello Luciano,
>>
>> You have a peculiar use case, but I see your thinking.
>>
>> There are examples in the ModSecurity books that are really close to your
>> plan. They should be easy to adopt.
>>
>> Other than that, you may want to look into mod_qos. It has functionality
>> that might be useful in your case.
>>
>> Best,
>>
>> Christian
>>
>>
>> On Wed, Dec 05, 2018 at 06:26:03PM -0300, Luciano Guillermo Fantuzzi
>> wrote:
>> > Thank you for your answer, but maybe I'm not asking it the right way or
>> > this is not the right place to ask(?).
>> >
>> > I need a Modsecurity rule (I'm using it through Apache) to be able to
>> > control hits from clients with a specific header, like
>> > "facebookexternalhit/1.1".
>> > I.e. to stop some aggressive bots hitting my webservers too often and
>> > eventually taking them down. I don't want to block them at all because
>> > I need some of them (like the Facebook bot to parse shared content),
>> > but I need a way to tell them "stop, retry in some seconds".
>> >
>> > Thanks.
>> >
>> > On Wed, Dec 5, 2018 at 16:16, Reindl Harald (
>> > h.r...@th...) wrote:
>> >
>> > >
>> > >
>> > > On 05.12.18 at 16:57, Luciano Guillermo Fantuzzi wrote:
>> > > > First of all, I'm new here so I'm not sure this is the right place
>> > > > for asking for help (free modsec version). If it's not, I'll really
>> > > > appreciate it if you can tell me where I should go.
>> > > >
>> > > > I'm trying to limit hit rate by:
>> > > >
>> > > > 1. Request's header (like "facebookexternalhit").
>> > > > 2. (All hits to non static resources)
>> > > >
>> > > > And then return a friendly "429 Too Many Requests" and
>> "Retry-After: 3"
>> > > > (seconds).
>> > > > I know I can read a file of headers like:
>> > > >
>> > > > SecRule REQUEST_HEADERS:User-Agent "@pmFromFile ratelimit-bots.txt"
>> > > >
>> > > > But I'm getting trouble building the entire rule.
>> > > >
>> > > > Any help would be really appreciated. Thank you!
>> > >
>> > > this is a non-issue
>> > >
>> > > normally you have rate-limits per IP in place and they should not be
>> > > within the application layer at all and in the best case not even on
>> > > the same machine
>> > >
>> > > that below is from a firewall-vm on a complete /24 network before any
>> > > packet reaches a server at all, and for the individual servers
>> > > similar rules with lower values per 2 seconds are in place
>> > >
>> > > when the request reaches the webserver the damage is long done and if
>> > > no damage is done you are wasting expensive resources with the rules
>> > >
>> > > Chain INBOUND (2 references)
>> > >  pkts bytes target    prot opt in  out source     destination
>> > >  1914  183K IPST_ALL  all  --  *   *   0.0.0.0/0  0.0.0.0/0   recent: UPDATE seconds: 2 hit_count: 250 TTL-Match name: limit_all_global side: source mask: 255.255.255.255
>> > >  149K   15M DROP_ALL  all  --  *   *   0.0.0.0/0  0.0.0.0/0   recent: UPDATE seconds: 2 reap hit_count: 150 TTL-Match name: limit_all_global side: source mask: 255.255.255.255
>> > >
>> > >
>> > > _______________________________________________
>> > > mod-security-users mailing list
>> > > mod...@li...
>> > > https://lists.sourceforge.net/lists/listinfo/mod-security-users
>> > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
>> > > http://www.modsecurity.org/projects/commercial/rules/
>> > > http://www.modsecurity.org/projects/commercial/support/
>> > >
>>
>>
>
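The rules in the top post combine four ModSecurity building blocks: initcol selects a persisted collection keyed on a request value, setvar:+1 counts hits into it, deprecatevar lets the counter decay by a fixed amount per elapsed period, and a threshold rule denies with a Retry-After hint. The following plain-Python model of exactly that interplay is an added illustration for readers of the thread; it is not ModSecurity code and not any poster's configuration. The header name, the threshold of 1, the decay of 1 per 10 seconds, the 429 status, the Retry-After value and the sample addresses are assumptions chosen for the example, and the fallback to the peer address when the keyed header is missing is the example's own choice (the thread's rule has no fallback, which is one way a later setvar ends up with no collection to write to; the other common cause is a missing SecDataDir, without which initcol cannot open the store). The decay is simplified to "time since the counter last changed".

```python
"""Model of a per-header-value rate limiter with decaying counter.

Constructed example modelling initcol / setvar:+1 / deprecatevar / deny
semantics in plain Python; not ModSecurity code.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Collection:
    """One persisted collection instance (what initcol:IP=<key> selects)."""
    access_count: int = 0
    last_update: float = 0.0


@dataclass
class HeaderRateLimiter:
    key_header: str = "CF-Connecting-IP"  # header whose value keys the counter (assumed)
    threshold: int = 1                    # deny once access_count > threshold ("@gt 1")
    decay_amount: int = 1                 # deprecatevar ...=1/10: subtract 1 ...
    decay_period: float = 10.0            # ... for every full 10 s without a change
    status: int = 429                     # status sent when the limit is exceeded
    retry_after: int = 3                  # Retry-After seconds advertised to the client
    store: Dict[str, Collection] = field(default_factory=dict)

    def _initcol(self, headers: Dict[str, str], remote_addr: str, now: float) -> Collection:
        # initcol: select, creating on first use, the collection for this key.
        # Falling back to the peer address is this model's choice; the thread's
        # rule only fires when the header exists, so with no header no
        # collection is ever created and the later setvar has nothing to update.
        key = headers.get(self.key_header) or remote_addr
        return self.store.setdefault(key, Collection(last_update=now))

    def _deprecatevar(self, col: Collection, now: float) -> None:
        # deprecatevar: for every full decay_period since the counter last
        # changed, subtract decay_amount, never dropping below zero.
        steps = int((now - col.last_update) // self.decay_period)
        if steps > 0:
            col.access_count = max(0, col.access_count - steps * self.decay_amount)
            col.last_update += steps * self.decay_period

    def handle(self, headers: Dict[str, str], remote_addr: str, now: float) -> Tuple[int, Dict[str, str]]:
        """Process one request; returns (status, extra response headers)."""
        col = self._initcol(headers, remote_addr, now)
        self._deprecatevar(col, now)
        if col.access_count > self.threshold:
            # deny is disruptive: the setvar rule that follows it in the same
            # phase never runs, so a blocked request does not push the counter up.
            return self.status, {"Retry-After": str(self.retry_after)}
        col.access_count += 1  # setvar:IP.access_count=+1
        col.last_update = now
        return 200, {}


def demo() -> List[Tuple[float, int, object]]:
    """Trace a bot hitting every second, then backing off (constructed timings)."""
    rl = HeaderRateLimiter()
    # Constructed request: a crawler UA behind a CDN that supplies the client IP.
    bot = {"User-Agent": "facebookexternalhit/1.1", "CF-Connecting-IP": "198.51.100.7"}
    results = []
    for t in (0.0, 1.0, 2.0, 11.0, 60.0):
        status, hdrs = rl.handle(bot, "203.0.113.1", t)
        results.append((t, status, hdrs.get("Retry-After")))
    return results


if __name__ == "__main__":
    for t, status, retry in demo():
        print(f"t={t:5.1f}s  status={status}  Retry-After={retry}")
```

Tracing demo() shows the counter climb to the threshold, the third request within two seconds being answered 429 with Retry-After, and the decay rule admitting the client again once ten seconds have passed; a second header value gets its own collection and is unaffected by the first.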