Hi Patrick,
there are multiple methods for running external commands using ModSecurity:
- https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v2.x%29#inspectFile (read the docs about the security warning!)
- https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v2.x%29#SecRuleScript
Anyway, I would not allow my web server to run external commands only because of alerting. There are other, maybe better and definitely much safer ways - for example, replace action 'nolog' with action 'log' in your rule with ID 102. Then process web server logs using, for example, fail2ban.
azurit
Quoting Patrick Rynhart <P.R...@ma...>:
> Hi all,
>
> I’ve got the following snippet from our Apache configuration which
> successfully provides rate limiting protection against a PHP resource.
> How can I run a shell command when this rule kicks in so that we are
> alerted that rate limiting protection has been activated (preferably
> without it being run hundreds of times) ?
>
> Scenario is that I would like to know when this rule kicks in –
> we’ve got a busy production environment and would prefer a script to
> be run (rather than trying to process the HTTPD logs after the fact).
>
> <LocationMatch "^/course/view.php.*">
>     SecRule REQUEST_HEADERS:X-Forwarded-For "@unconditionalMatch" "phase:2,initcol:ip=%{MATCHED_VAR},pass,nolog,id:100"
>     SecRule IP:ACCESS_COUNT "@gt 1" "phase:2,pause:300,deny,status:429,setenv:RATELIMITED,skip:1,nolog,id:102"
>     SecAction "phase:2,setvar:ip.access_count=+1,pass,nolog,id:103"
>     SecAction "phase:5,ctl:auditEngine=On,deprecatevar:ip.access_count=1/1,pass,nolog,id:104"
>     Header always set Retry-After "10" env=RATELIMITED
> </LocationMatch>
> ErrorDocument 429 "Rate Limited"
>
> With Thanks,
>
> Patrick Rynhart
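azurit's suggestion above (switch rule 102 from 'nolog' to 'log' and post-process the error log) as an added example, not code from either poster: a small Python log processor that picks out the rule 102 denials and collapses a burst into one alert per client per window, which is what keeps the notification from firing hundreds of times. The error-log line layout, the sample lines and the 10-minute window are assumptions; behind a reverse proxy the `[client ...]` field is the proxy's address, so key on the X-Forwarded-For value instead if your rule writes it into the log.

```python
import re
from datetime import datetime, timedelta

# Shape of the Apache error-log line ModSecurity 2.x emits for a denying rule
# once `nolog` is replaced with `log` (assumed layout; adjust to your log).
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[:error\] \[pid \d+\] \[client (?P<ip>[^\]\s:]+)(?::\d+)?\] '
    r'ModSecurity: Access denied with code (?P<status>\d+) .*?\[id "(?P<rule>\d+)"\]'
)
TS_FMT = "%a %b %d %H:%M:%S.%f %Y"

# Constructed sample log: a burst from one client, one hit from another, a
# denial by an unrelated rule, and a fresh hit from the first client 15 min later.
SAMPLE_LOG = """\
[Tue Mar 05 10:00:01.100000 2024] [:error] [pid 4321] [client 203.0.113.7:51234] ModSecurity: Access denied with code 429 (phase 2). Operator GT matched 1 at IP:access_count. [file "/etc/apache2/conf.d/ratelimit.conf"] [line "5"] [id "102"] [hostname "www.example.org"] [uri "/course/view.php"] [unique_id "constructed-1"]
[Tue Mar 05 10:00:02.200000 2024] [:error] [pid 4321] [client 203.0.113.7:51240] ModSecurity: Access denied with code 429 (phase 2). Operator GT matched 2 at IP:access_count. [file "/etc/apache2/conf.d/ratelimit.conf"] [line "5"] [id "102"] [hostname "www.example.org"] [uri "/course/view.php"] [unique_id "constructed-2"]
[Tue Mar 05 10:00:03.300000 2024] [:error] [pid 4322] [client 192.0.2.44:40000] ModSecurity: Access denied with code 403 (phase 2). Pattern match "foo" at ARGS:q. [file "/etc/apache2/conf.d/other.conf"] [line "1"] [id "900001"] [hostname "www.example.org"] [uri "/search"] [unique_id "constructed-3"]
[Tue Mar 05 10:00:05.500000 2024] [:error] [pid 4322] [client 198.51.100.9:33000] ModSecurity: Access denied with code 429 (phase 2). Operator GT matched 1 at IP:access_count. [file "/etc/apache2/conf.d/ratelimit.conf"] [line "5"] [id "102"] [hostname "www.example.org"] [uri "/course/view.php"] [unique_id "constructed-4"]
[Tue Mar 05 10:00:09.900000 2024] [:error] [pid 4321] [client 203.0.113.7:51250] ModSecurity: Access denied with code 429 (phase 2). Operator GT matched 3 at IP:access_count. [file "/etc/apache2/conf.d/ratelimit.conf"] [line "5"] [id "102"] [hostname "www.example.org"] [uri "/course/view.php"] [unique_id "constructed-5"]
[Tue Mar 05 10:15:00.000000 2024] [:error] [pid 4323] [client 203.0.113.7:52000] ModSecurity: Access denied with code 429 (phase 2). Operator GT matched 1 at IP:access_count. [file "/etc/apache2/conf.d/ratelimit.conf"] [line "5"] [id "102"] [hostname "www.example.org"] [uri "/course/view.php"] [unique_id "constructed-6"]
"""

def parse_denials(lines, rule_id="102"):
    """Return (timestamp, client_ip, status) for each denial by rule_id."""
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if m and m.group("rule") == rule_id:
            events.append((datetime.strptime(m.group("ts"), TS_FMT),
                           m.group("ip"), int(m.group("status"))))
    return events

def collapse_alerts(events, window=timedelta(minutes=10)):
    """One alert per client per window; further hits inside it only bump the count."""
    alerts, current = [], {}          # current: ip -> index of its open alert
    for ts, ip, status in sorted(events):
        idx = current.get(ip)
        if idx is not None and ts - alerts[idx]["first_seen"] <= window:
            alerts[idx]["hits"] += 1
            alerts[idx]["last_seen"] = ts
            continue                  # suppressed: same client, same window
        alerts.append({"ip": ip, "status": status, "first_seen": ts,
                       "last_seen": ts, "hits": 1})
        current[ip] = len(alerts) - 1
    return alerts

def summarize(log_text, rule_id="102"):
    """Run both steps over raw log text; this is what a notification hook would call."""
    return collapse_alerts(parse_denials(log_text.splitlines(), rule_id))
```

Feed it the error log from a log-tailer or a cron job and send one notification per returned alert; fail2ban can do the same thing with a filter whose failregex matches the `[id "102"]` line.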