Re: [mod-security-users] Throttling
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
Re: [mod-security-users] Throttling
|
From: Ryan B. <Ryan.Barnett@Breach.com> - 2007-05-02 13:12:45
|
Looks like Chris beat me again :) =20
Just to show you, however, that there are many ways to implement this
collections here is another version. The following ruleset will use
initcol to create a persistent collection based on the client's IP
address. It will then start incrementing the "request_count" variable
on each request and will expire this same variable 24 hrs after the last
request. It will then evaluate the request_count variable to see if it
is greater than or equal to 2000. If it is, it sets a new variable -
ip.blocked. The last rule will only check for the existence of
ip.blocked. If it is set, it will deny the connection and then send a
redirect to the client to send them to a "friendly" page telling them
why they are blocked. The 2nd rule in this ruleset is to allow clients
with ip.blocked set to get to this friendly page.
SecAction phase:1,nolog,pass,initcol:ip=3D%{REMOTE_ADDR}, \
setvar:request_count=3D+1,expirevar:request_count=3D86400
SecRule REQUEST_URI "^/request_limit_exceeded\.html$" \
"log,allow,ctl:ruleEngine=3Doff"
SecRule IP:REQUEST_COUNT "@ge 2000" \
"phase:1,pass,nolog,setvar:ip.blocked=3D1, \
expirevar:ip.blocked=3D3600"
SecRule IP:BLOCKED "@eq 1" "phase:1,deny,log, \
redirect:http://www.site.com/request_limist_exceeded.html"
--=20
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
Author: Preventing Web Attacks with Apache
=20
--------------
Web Security Threat Report Webinar on May 9, 2007 (12 pm EST)
Learn More About the Breach Webinar Series:
http://www.breach.com/webinars.asp
--------------
=20
> -----Original Message-----
> From: mod...@li... [mailto:mod-
> sec...@li...] On Behalf Of Christian
> Bockermann
> Sent: Wednesday, May 02, 2007 9:07 AM
> To: Russ Lavoie
> Cc: Mod Security
> Subject: Re: [mod-security-users] Throttling
>=20
> You can do this using ModSecurity's collection-capabilities.
> First you initalize a collection wrt the ip-address
>=20
> SecAction initcol:ip=3D%{REMOTE_ADDR},nolog
>=20
> Now you have a collection called "IP" that you can use to save
> variables.
> The following rule will check if there exists a variable "count"
> within the
> ip-collection. If not, it will initialize such a variable to 0 and
tell
> ModSecurity to expire it after 1 hour (3600 seconds).
>=20
> SecRule &IP:COUNT "@eq 0"
> "setvar:ip.count=3D0,expirevar:ip.count=3D3600"
>=20
> Then you can "count" the accesses using this collection
>=20
> SecAction setvar:ip.count=3D+1
>=20
> For example within a certain location (then you need to add a "phase:
> 2" to
> the actions). This will increment the variable "count" within the
> collection
> IP (which is assiciated with the REMOTE_ADDR) by one.
>=20
> You can then use this variable to block an IP:
>=20
> SecRule IP:COUNT "@gt 2000" "deny,status:500"
>=20
> Not the different cases when setting and querying
collection-variables.
>=20
>=20
> For a more bandwidth-oriented throttling you should probably have a
look
> at mod_throttle, which also supports IP-based throttling, IIRC.
>=20
> Regards,
> Chris
>=20
>=20
> Am 02.05.2007 um 14:47 schrieb Russ Lavoie:
>=20
> > Is there a way inside modsecurity that can throttle IP addresses.
> > Meaning, IPs are only allowed 2,000 hits per day and then denied...
> >
> > I went through the reference manual and saw nothing there regarding
> > this.
> >
> > Thanks
> >
> >
----------------------------------------------------------------------
> > ---
> > This SF.net email is sponsored by DB2 Express
> > Download DB2 Express C - the FREE version of DB2 express and take
> > control of your XML. No limits. Just data. Click to get it now.
> > http://sourceforge.net/powerbar/db2/
> > _______________________________________________
> > mod-security-users mailing list
> > mod...@li...
> > https://lists.sourceforge.net/lists/listinfo/mod-security-users
>=20
>=20
>
------------------------------------------------------------------------
-
> This SF.net email is sponsored by DB2 Express
> Download DB2 Express C - the FREE version of DB2 express and take
> control of your XML. No limits. Just data. Click to get it now.
> http://sourceforge.net/powerbar/db2/
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
|