Re: [mod-security-users] How to limit access rate by header?
From: Luciano G. F. <luc...@gm...> - 2018-12-07 15:39:01
@Eero Thank you for the advice. I understand you recommend this mod to be able to load the value of CF-Connecting-IP into REMOTE_ADDR and use that. Sadly, even using SecAction with REMOTE_ADDR, the var is not being set and the error I receive is: "Could not set variable "ip.access_count" as the collection does not exist." I tried with other collections and loading different values, but I always end up receiving the same error. Can I use the "global" collection to set some custom value? Maybe I'm not understanding how collections work. Let's say:

SecAction id:'2000000',phase:1,nolog,pass,initcol:global='some'

In the docs for modsec v2 they say collections must be initialized only once per transaction. I'm not using all the rules from modsec (I didn't even download the repo), I'm just using some basic rules I created in /etc/modsecurity/modsecurity.conf. That's all I need for now. Can modsec work like that or is there some other initialization required? The other rules I created work well. Thanks!

On Fri, Dec 7, 2018 at 09:34, Eero Volotinen (eer...@ik...) wrote:

> maybe you need to use this module
>
> https://github.com/gnif/mod_rpaf
>
> Eero
>
> Luciano Guillermo Fantuzzi <luc...@gm...> wrote on Fri, 7 Dec 2018 at 14.29:
>
>> Apache 2.4.x
>>
>> On Fri, 7 Dec 2018 09:25, Eero Volotinen <eer...@ik...> wrote:
>>
>>> are you using nginx or apache?
>>>
>>> Luciano Guillermo Fantuzzi <luc...@gm...> wrote on Fri, 7 Dec 2018 at 14.19:
>>>
>>>> Already tried that, but still the same message in debug log. Anyway, I'm behind Cloudflare so I need to access that var (that contains the real IP) from header. Moreover, I tried with global collection and same luck. Am I missing some initialization step in modsec?
>>>>
>>>> Thanks.
>>>>
>>>> On Fri, 7 Dec 2018 00:56, Scheblein, Adam <ada...@ma...> wrote:
>>>>
>>>>> I had a similar problem.
>>>>> You need to initialize the collection with something like this:
>>>>>
>>>>> SecAction id:'2000000',phase:1,nolog,pass,initcol:IP=%{REMOTE_ADDR}
>>>>>
>>>>> *From: *Luciano Guillermo Fantuzzi <luc...@gm...>
>>>>> *Reply-To: *"mod...@li..." <mod...@li...>
>>>>> *Date: *Thursday, December 6, 2018 at 8:51 PM
>>>>> *To: *"mod...@li..." <mod...@li...>
>>>>> *Subject: *Re: [mod-security-users] How to limit access rate by header?
>>>>>
>>>>> I'm very frustrated... I can't make it work, even for IP control. What am I doing wrong here? It always returns:
>>>>>
>>>>> Could not set variable "IP.access_count" as the collection does not exist.
>>>>>
>>>>> <LocationMatch "^/.*">
>>>>>     SecRule REQUEST_HEADERS:CF-Connecting-IP "@unconditionalMatch" "phase:2,initcol:IP=%{MATCHED_VAR},pass,nolog,id:35003"
>>>>>     SecRule IP:ACCESS_COUNT "@gt 1" "phase:2,pause:300,deny,status:503,setenv:RATELIMITED,skip:1,nolog,id:35004"
>>>>>     SecAction "phase:2,setvar:IP.access_count=+1,pass,nolog,id:35005"
>>>>>     SecAction "phase:5,deprecatevar:IP.access_count=1/10,pass,nolog,id:35006"
>>>>>     Header always set Retry-After "10" env=RATELIMITED
>>>>> </LocationMatch>
>>>>>
>>>>> ErrorDocument 503 "Service Unavailable"
>>>>>
>>>>> On Thu, Dec 6, 2018 at 20:38, Luciano Guillermo Fantuzzi (luc...@gm...) wrote:
>>>>>
>>>>> Thank you for your answer, Christian. Do you think it's possible for you to just build the first part of the rule (in Modsec)? I'm trying but I'm not understanding how variables work with the global scope.
>>>>> I was able to build some basic rules like:
>>>>>
>>>>> # Banned Bots and Crawlers
>>>>> SecRule REQUEST_HEADERS:User-Agent "@pmFromFile blacklist-bots.data" \
>>>>>     "id:350001,phase:1,t:none,deny,log,msg:'BANNED BOT'"
>>>>>
>>>>> # Specific IPs
>>>>> SecRule REMOTE_ADDR "@pmFromFile blacklist-ip.data" \
>>>>>     "id:350002,phase:1,t:none,deny,log,msg:'BANNED IP'"
>>>>>
>>>>> I'm trying to understand examples from stackoverflow and different places, but they are all intended to limit by IP and for specific resources (the scope of the rule). Eg.:
>>>>>
>>>>> https://gist.github.com/josnidhin/91d1ea9cd71fde386c27a9228476834e
>>>>>
>>>>> I'm not asking for the entire rule, just an example of how var counters work in the global scope (directly in /etc/modsecurity/modsecurity.conf) and how I can connect them to sum by header instead of IP.
>>>>>
>>>>> Thank you!
>>>>>
>>>>> On Thu, Dec 6, 2018 at 10:30, Christian Folini (chr...@ne...) wrote:
>>>>>
>>>>> Hello Luciano,
>>>>>
>>>>> You have a peculiar use case, but I see your thinking.
>>>>>
>>>>> There are examples in the ModSecurity books that are really close to your plan. They should be easy to adopt.
>>>>>
>>>>> Other than that, you may want to look into mod_qos. It has functionality that might be useful in your case.
>>>>>
>>>>> Best,
>>>>>
>>>>> Christian
>>>>>
>>>>> On Wed, Dec 05, 2018 at 06:26:03PM -0300, Luciano Guillermo Fantuzzi wrote:
>>>>> > Thank you for your answer, but maybe I'm not asking it the right way or this is not the right place to ask(?).
>>>>> >
>>>>> > I need a Modsecurity rule (I'm using it through Apache) to be able to control hits from clients with a specific header, like "facebookexternalhit/1.1".
>>>>> > Ie. to stop some aggressive bots hitting my webservers too often and eventually taking them down. I don't want to block them at all because I need some of them (like the Facebook bot to parse shared content), but I need a way to tell them "stop, retry in some seconds".
>>>>> >
>>>>> > Thanks.
>>>>> >
>>>>> > On Wed, Dec 5, 2018 at 16:16, Reindl Harald (h.r...@th...) wrote:
>>>>> >
>>>>> > > On 05.12.18 at 16:57, Luciano Guillermo Fantuzzi wrote:
>>>>> > > > First of all, I'm new here so I'm not sure this is the right place for asking for help (free modsec version). If it's not, I'll really appreciate it if you can tell me where I should go.
>>>>> > > >
>>>>> > > > I'm trying to limit hit rate by:
>>>>> > > >
>>>>> > > > 1. Request's header (like "facebookexternalhit").
>>>>> > > > 2. (All hits to non static resources)
>>>>> > > >
>>>>> > > > And then return a friendly "429 Too Many Requests" and "Retry-After: 3" (seconds).
>>>>> > > > I know I can read a file of headers like:
>>>>> > > >
>>>>> > > > SecRule REQUEST_HEADERS:User-Agent "@pmFromFile ratelimit-bots.txt"
>>>>> > > >
>>>>> > > > But I'm having trouble building the entire rule.
>>>>> > > >
>>>>> > > > Any help would be really appreciated. Thank you!
>>>>> > >
>>>>> > > this is a non-issue
>>>>> > >
>>>>> > > normally you have rate-limits per IP in place and they should not be within the application layer at all and in the best case not even on the same machine
>>>>> > >
>>>>> > > that below is from a firewall-vm on a complete /24 network before any packet reaches a server at all, and for the individual servers similar rules with lower values per 2 seconds are in place
>>>>> > >
>>>>> > > when the request reaches the webserver the damage is long done and if no damage is done you are wasting expensive resources with the rules
>>>>> > >
>>>>> > > Chain INBOUND (2 references)
>>>>> > >  pkts bytes target    prot opt in  out  source     destination
>>>>> > >  1914  183K IPST_ALL  all  --  *   *    0.0.0.0/0  0.0.0.0/0   recent: UPDATE seconds: 2 hit_count: 250 TTL-Match name: limit_all_global side: source mask: 255.255.255.255
>>>>> > >  149K   15M DROP_ALL  all  --  *   *    0.0.0.0/0  0.0.0.0/0   recent: UPDATE seconds: 2 reap hit_count: 150 TTL-Match name: limit_all_global side: source mask: 255.255.255.255
>>>>> > >
>>>>> > > _______________________________________________
>>>>> > > mod-security-users mailing list
>>>>> > > mod...@li...
>>>>> > > https://lists.sourceforge.net/lists/listinfo/mod-security-users
>>>>> > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
>>>>> > > http://www.modsecurity.org/projects/commercial/rules/
>>>>> > > http://www.modsecurity.org/projects/commercial/support/
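A rate-limit-by-header rule set for the use case discussed in this thread, added here as an example (it is not code from the thread or from the ModSecurity project). It assumes ModSecurity 2.x on Apache httpd 2.4, a hypothetical list file ratelimit-bots.data next to the config (one User-Agent substring per line), and a writable SecDataDir; the built-in IP collection is reused but keyed by a hash of the User-Agent, so no custom collection name is needed.

```apache
# Added example: rate-limit by User-Agent instead of client IP (ModSecurity 2.x, Apache 2.4).
# Assumes ratelimit-bots.data (hypothetical, one substring per line) sits next to this file.

SecRuleEngine On
# Persistent collections need a storage directory; the reference manual requires
# SecDataDir to be set before initcol can be used.
SecDataDir /var/cache/modsecurity

# Requests without a User-Agent, or with one not on the list, skip the whole block.
# (A SecRule whose target header is absent never fires, hence the explicit count check.)
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
    "id:350010,phase:1,pass,nolog,t:none,skipAfter:END_UA_RATELIMIT"
SecRule REQUEST_HEADERS:User-Agent "!@pmFromFile ratelimit-bots.data" \
    "id:350011,phase:1,pass,nolog,t:none,skipAfter:END_UA_RATELIMIT"

# Hash the header so an arbitrary string becomes a safe collection key.
SecRule REQUEST_HEADERS:User-Agent "^.*$" \
    "id:350012,phase:1,pass,nolog,t:none,t:sha1,t:hexEncode,setvar:tx.ua_hash=%{MATCHED_VAR}"

# Open the persistent IP collection, keyed by the hash rather than REMOTE_ADDR.
# initcol must run in this transaction before any setvar on ip.*; otherwise
# ModSecurity reports "collection does not exist".
SecAction "id:350013,phase:1,pass,nolog,initcol:ip=ua_%{tx.ua_hash}"

# Leaky bucket: the counter drains by 30 every 10 seconds, i.e. about 3 req/s sustained.
SecAction "id:350014,phase:1,pass,nolog,deprecatevar:ip.ua_hits=30/10"
SecAction "id:350015,phase:1,pass,nolog,setvar:ip.ua_hits=+1"

# Over the limit: answer 429 and mark the request so mod_headers adds Retry-After.
SecRule IP:ua_hits "@gt 30" \
    "id:350016,phase:1,deny,status:429,log,setenv:RATELIMITED=1,\
    msg:'Rate limit exceeded for User-Agent %{REQUEST_HEADERS.User-Agent}'"
Header always set Retry-After "3" env=RATELIMITED

SecMarker END_UA_RATELIMIT
```

The "collection does not exist" error seen in the thread is what setvar reports when no initcol for that collection ran earlier in the same transaction, which is also what happens when the initcol sits on a SecRule whose target header (such as CF-Connecting-IP) is absent from the request.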