Hi, thanks all for the answers. I found something similar.
https://www.nginx.com/blog/dynamic-ip-blacklisting-with-nginx-plus-and-fail2ban/
Need to think about how to cluster fail2ban or iptables if there are 2 or more
nginx.
Thanks.
On Mon, Apr 15, 2019 at 1:42 PM Ervin Hegedüs <ai...@gm...> wrote:
> Hi Boris,
>
> On Sun, Apr 14, 2019 at 09:36:15PM +0200, Boris Kočar wrote:
> > Hello,
> >
> > I'm digging through the internet to find out how to parse a JSON response
> > and create the rule.
> >
> > To be more specific here is a layout:
> > 1. Layer 1 Nginx with Modsecurity
> > 2. Layer 2 Application server
> > 3. Layer 3 ....
> >
> > Scenario:
> > when a user tries to do some illegal things which are known only to the
> > application server, where all the business is. Let's say, for example, a
> > password spray attack.
> >
> > What I'd like to establish on ModSecurity:
> > Application server will send back a JSON response with code 401 and JSON
> > {IP: a.t.t.a.c.k.e.r i.p}, ModSecurity would catch the response, see the
> > code (e.g. 401), parse the JSON body and put that IP on a blacklist for
> > xy minutes.
>
> I think you can't do that. If ModSecurity could parse the
> "external" JSON source for rules, then there would still be the
> problem that you have to restart the Layer 1 components to
> activate the rule after every update.
>
> I think that you're looking for something which is closer to, e.g.,
> fail2ban, or any IDS (Intrusion Detection System).
>
>
> Hope this helps,
>
>
> a.
>
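The fail2ban-style approach suggested in the thread, as an added example that is not part of the original messages and is not fail2ban's own code: it reads nginx "combined" access log lines, counts 401 responses per client IP in a sliding window, and returns a ban list with expiry times. The function names, the thresholds and the sample log are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# nginx "combined" format: only client IP, timestamp and status are needed.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) ')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

def find_bans(lines, maxretry=3, findtime=timedelta(minutes=1),
              bantime=timedelta(minutes=10)):
    """Return {ip: ban_expiry} for clients with >= maxretry 401s in findtime."""
    recent = defaultdict(deque)  # ip -> timestamps of recent 401 responses
    bans = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["status"] != "401":
            continue  # unparsable line or not an authentication failure
        ip = m["ip"]
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        if ip in bans and ts < bans[ip]:
            continue  # still banned, nothing more to count
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:  # drop failures outside the window
            window.popleft()
        if len(window) >= maxretry:
            bans[ip] = ts + bantime
            window.clear()
    return bans

def active_bans(bans, now):
    """IPs whose ban has not yet expired at `now`."""
    return sorted(ip for ip, expiry in bans.items() if expiry > now)

# Constructed sample log using documentation address ranges (not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [15/Apr/2019:13:00:01 +0200] "POST /login HTTP/1.1" 401 52 "-" "-"',
    '198.51.100.7 - - [15/Apr/2019:13:00:05 +0200] "POST /login HTTP/1.1" 401 52 "-" "-"',
    '198.51.100.7 - - [15/Apr/2019:13:00:09 +0200] "POST /login HTTP/1.1" 401 52 "-" "-"',
    '203.0.113.9 - - [15/Apr/2019:13:00:10 +0200] "POST /login HTTP/1.1" 200 310 "-" "-"',
    '203.0.113.9 - - [15/Apr/2019:13:00:20 +0200] "POST /login HTTP/1.1" 401 52 "-" "-"',
    '203.0.113.9 - - [15/Apr/2019:13:05:00 +0200] "POST /login HTTP/1.1" 401 52 "-" "-"',
]

if __name__ == "__main__":
    for ip, expiry in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} until {expiry.isoformat()}")
```

With two or more nginx nodes, each node sees only its own log, so the per-IP counts and the resulting ban list would have to be kept in one shared place for the thresholds to apply across the cluster.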