Re: [mod-security-users] Throttling
From: Christian B. <ch...@jw...> - 2007-05-02 13:06:41
You can do this using ModSecurity's collection-capabilities. First you initialize a collection wrt the ip-address

SecAction initcol:ip=%{REMOTE_ADDR},nolog

Now you have a collection called "IP" that you can use to save variables. The following rule will check if there exists a variable "count" within the ip-collection. If not, it will initialize such a variable to 0 and tell ModSecurity to expire it after 1 hour (3600 seconds).

SecRule &IP:COUNT "@eq 0" "setvar:ip.count=0,expirevar:ip.count=3600"

Then you can "count" the accesses using this collection

SecAction setvar:ip.count=+1

For example within a certain location (then you need to add a "phase: 2" to the actions). This will increment the variable "count" within the collection IP (which is associated with the REMOTE_ADDR) by one.

You can then use this variable to block an IP:

SecRule IP:COUNT "@gt 2000" "deny,status:500"

Note the different cases when setting and querying collection-variables.

For a more bandwidth-oriented throttling you should probably have a look at mod_throttle, which also supports IP-based throttling, IIRC.

Regards,
Chris

On 02.05.2007 at 14:47, Russ Lavoie wrote:

> Is there a way inside modsecurity that can throttle IP addresses.
> Meaning, IPs are only allowed 2,000 hits per day and then denied...
>
> I went through the reference manual and saw nothing there regarding
> this.
>
> Thanks
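The counting logic described in the reply above, modelled in Python as an added example (not part of the original message and not ModSecurity code), to show which request is the first one denied and when the counter starts over. It assumes the three counting rules run in the order listed and that expirevar drops the variable 3600 seconds after the rule that set it; IpCollection, replay and constructed_traffic are hypothetical names, and the traffic is constructed.

```python
# Added model (not ModSecurity code) of the per-IP counter rules in the reply above.
WINDOW = 3600   # expirevar:ip.count=3600
LIMIT = 2000    # SecRule IP:COUNT "@gt 2000"


class IpCollection:
    """Hypothetical stand-in for the persistent IP collection keyed by REMOTE_ADDR."""

    def __init__(self):
        self._store = {}  # addr -> {"count": int, "expires": float}

    def handle(self, addr, now):
        """Apply the three counting rules to one request; return the HTTP status."""
        rec = self._store.get(addr)
        # An expired variable is gone, so &IP:COUNT evaluates to 0 again.
        if rec is not None and now >= rec["expires"]:
            rec = None
        # SecRule &IP:COUNT "@eq 0" "setvar:ip.count=0,expirevar:ip.count=3600"
        # The expiry is set only here, so the window is fixed, not sliding.
        if rec is None:
            rec = {"count": 0, "expires": now + WINDOW}
            self._store[addr] = rec
        # SecAction setvar:ip.count=+1  (runs for every request, denied or not)
        rec["count"] += 1
        # SecRule IP:COUNT "@gt 2000" "deny,status:500"
        return 500 if rec["count"] > LIMIT else 200


def replay(requests):
    """requests: iterable of (timestamp, addr); returns the status of each one."""
    col = IpCollection()
    return [col.handle(addr, ts) for ts, addr in requests]


def constructed_traffic():
    """Constructed sample: a busy client, a quiet client, then a late hit."""
    busy = [(float(i), "192.0.2.10") for i in range(2005)]  # 2005 hits in ~33 min
    quiet = [(100.0, "198.51.100.7")]                       # separate counter
    late = [(3601.0, "192.0.2.10")]                         # after the variable expired
    return busy + quiet + late


if __name__ == "__main__":
    statuses = replay(constructed_traffic())
    print("denied:", statuses.count(500), "of", len(statuses))
```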