Re: [mod-security-users] How to limit access rate by header?
From: Manuel S. <spa...@gm...> - 2018-12-13 01:25:34
Try a modsec with ctl:setenv with pmf to the bot file for request_headers:user-agent. So if the header is in the file then set the nolog env.
Having two update points is painful in the long run.
Cheers!
Sent from my iPhone
> On 12 Dec 2018, at 20:05, Luciano Guillermo Fantuzzi <luc...@gm...> wrote:
>
> Yes, I had to do it that way. Just in case:
>
> ---
> # Local messages
> SetEnvIf Remote_Addr "127\.0\.0\.1" dontlog
> SetEnvIf Remote_Addr "::1" dontlog
> SetEnvIfNoCase User-Agent "internal dummy connection" dontlog
>
> # Not interesting
> SetEnvIfNoCase Request_URI "^/robots\.txt$" dontlog
>
> # Only relevant for modsec log (it will output to error log eventually)
> # Note: Keep this list updated with /etc/modsecurity/data/*.data
> SetEnvIfNoCase User-Agent (Googlebot|bingbot\
> |AhrefsBot|MJ12bot|trovitBot|AwarioRssBot|Semrush|DotBot|BLEXBot|YandexBot|YandexMobileBot|PaperLiBot|Baidu|ZoominfoBot\
> |facebookexternalhit) dontlog
>
> CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log vhost_combined env=!dontlog
> ---
>
> The only thing that I don't like about this approach is that I can't pass SetEnvIf a file to read, so I'll have to keep both (*.data and .conf files) in sync.
>
>
> On Wed, 12 Dec 2018 at 21:39, Manuel Spartan (spa...@gm...) wrote:
>> Hi Luciano, you can achieve that with environment variables and a custom log format with an env condition in Apache.
>> Modsec writes error and audit log only, access log tricks can be useful to prevent IP/personal/financial leaks.
>>
>> Cheers!
>>
>> Sent from my iPhone
>>
>>> On 12 Dec 2018, at 18:16, Luciano Guillermo Fantuzzi <luc...@gm...> wrote:
>>>
>>> Something I couldn't find in the docs. Is it possible to avoid logging in the access log? With nolog action I can avoid logging it in error log (and audit log, but it's turned off), but I couldn't find a way to avoid displaying a message in the access log on every rule match. I find this important because my idea was to separate logs and keep the access log as clean as possible so I can analyze bots/crawlers not being caught in my rules.
>>>
>>> Thanks.
>>>
>>> On Wed, 12 Dec 2018 at 18:32, Christian Folini (chr...@ne...) wrote:
>>>> On Wed, Dec 12, 2018 at 06:16:49PM -0300, Luciano Guillermo Fantuzzi wrote:
>>>> > Oh, I didn't realize we were not anymore in the main mailing thread. I'm
>>>> > re-joining it from here.
>>>>
>>>> Yes, I took it private after things turned sour following my comment.
>>>>
>>>> Glad it worked out for you in the end.
>>>>
>>>> Ahoj,
>>>>
>>>> Christian
>>>>
>>>> --
>>>> If liberty means anything at all, it means the right to tell people
>>>> what they do not want to hear.
>>>> -- George Orwell
>>>>
>>>>
>>>> _______________________________________________
>>>> mod-security-users mailing list
>>>> mod...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>>>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
>>>> http://www.modsecurity.org/projects/commercial/rules/
>>>> http://www.modsecurity.org/projects/commercial/support/
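The single-list setup suggested in the reply at the top of this message, written out as an added example (not configuration posted by anyone in the thread): ModSecurity's `setenv` action together with the `@pmFromFile` operator sets `dontlog` from the bot data file, so the bot names no longer have to be repeated in a `SetEnvIfNoCase` line. The file name `bots.data` and the rule id `10001` are assumptions; the directory, the variable name and the `CustomLog` line come from the quoted configuration.

```apache
# Added example; assumed names: bots.data, rule id 10001.
# /etc/modsecurity/data/bots.data holds one phrase per line. Phrases are
# plain substrings (not regexes) and @pmFromFile matches case-insensitively:
#   Googlebot
#   bingbot
#   AhrefsBot

# Flag requests whose User-Agent contains any phrase from the file.
# pass + nolog: the rule only sets the variable, it neither blocks the
# request nor writes to the error/audit log.
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile /etc/modsecurity/data/bots.data" \
    "id:10001,phase:1,pass,nolog,t:none,setenv:dontlog=1"

# Exclusions that are not bot names stay in Apache, as in the quoted config.
SetEnvIf Remote_Addr "127\.0\.0\.1" dontlog
SetEnvIf Remote_Addr "::1" dontlog
SetEnvIfNoCase User-Agent "internal dummy connection" dontlog
SetEnvIfNoCase Request_URI "^/robots\.txt$" dontlog

# Unchanged: requests carrying dontlog are left out of the access log.
CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log vhost_combined env=!dontlog
```

User-Agent is supplied by the client, so any request that claims one of the listed names is also left out of the access log, whether or not it comes from that crawler.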