Re: [mod-security-users] Throttling
From: Ryan B. <Ryan.Barnett@Breach.com> - 2007-05-02 13:12:45
Looks like Chris beat me again :)

Just to show you, however, that there are many ways to implement this with collections, here is another version. The following ruleset will use initcol to create a persistent collection based on the client's IP address. It will then start incrementing the "request_count" variable on each request and will expire this same variable 24 hrs after the last request. It will then evaluate the request_count variable to see if it is greater than or equal to 2000. If it is, it sets a new variable - ip.blocked. The last rule will only check for the existence of ip.blocked. If it is set, it will deny the connection and then send a redirect to the client to send them to a "friendly" page telling them why they are blocked. The 2nd rule in this ruleset is to allow clients with ip.blocked set to get to this friendly page.

# Track each client IP and count its requests; the counter expires 24 hours after the last one
SecAction "phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR}, \
setvar:ip.request_count=+1,expirevar:ip.request_count=86400"
# Always let clients reach the explanation page (phase 1, ahead of the deny rule)
SecRule REQUEST_URI "^/request_limit_exceeded\.html$" \
"phase:1,log,allow,ctl:ruleEngine=off"
# At 2000 or more requests, flag the IP as blocked for one hour
SecRule IP:REQUEST_COUNT "@ge 2000" \
"phase:1,pass,nolog,setvar:ip.blocked=1, \
expirevar:ip.blocked=3600"
# Blocked IPs are redirected to the explanation page
SecRule IP:BLOCKED "@eq 1" "phase:1,deny,log, \
redirect:http://www.site.com/request_limit_exceeded.html"

--
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
Author: Preventing Web Attacks with Apache

> -----Original Message-----
> From: mod...@li... [mailto:mod-sec...@li...] On Behalf Of Christian Bockermann
> Sent: Wednesday, May 02, 2007 9:07 AM
> To: Russ Lavoie
> Cc: Mod Security
> Subject: Re: [mod-security-users] Throttling
>
> You can do this using ModSecurity's collection-capabilities.
> First you initialize a collection wrt the ip-address
>
> SecAction initcol:ip=%{REMOTE_ADDR},nolog
>
> Now you have a collection called "IP" that you can use to save variables.
> The following rule will check if there exists a variable "count" within the
> ip-collection. If not, it will initialize such a variable to 0 and tell
> ModSecurity to expire it after 1 hour (3600 seconds).
>
> SecRule &IP:COUNT "@eq 0" \
> "setvar:ip.count=0,expirevar:ip.count=3600"
>
> Then you can "count" the accesses using this collection
>
> SecAction setvar:ip.count=+1
>
> For example within a certain location (then you need to add a "phase:2" to
> the actions). This will increment the variable "count" within the collection
> IP (which is associated with the REMOTE_ADDR) by one.
>
> You can then use this variable to block an IP:
>
> SecRule IP:COUNT "@gt 2000" "deny,status:500"
>
> Note the different cases when setting and querying collection-variables.
>
> For a more bandwidth-oriented throttling you should probably have a look
> at mod_throttle, which also supports IP-based throttling, IIRC.
>
> Regards,
> Chris
>
> On 02.05.2007 at 14:47, Russ Lavoie wrote:
>
> > Is there a way inside modsecurity that can throttle IP addresses.
> > Meaning, IPs are only allowed 2,000 hits per day and then denied...
> >
> > I went through the reference manual and saw nothing there regarding
> > this.
> >
> > Thanks
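Added example (not part of the original messages): a small Python model of the per-IP request counter and block flag that Ryan's ruleset describes, for checking how its two expirevar timers interact. It assumes each expirevar execution resets that variable's expiry to now plus the TTL and that the collection record itself never times out; the class and function names and the 203.0.113.7 address are constructed for illustration.

```python
# Simplified model of the per-IP persistent collection (assumption: every
# expirevar execution sets expiry = now + TTL; no collection-wide timeout).
LIMIT = 2000          # SecRule IP:REQUEST_COUNT "@ge 2000"
COUNT_TTL = 86400     # expirevar for the request counter
BLOCK_TTL = 3600      # expirevar for the blocked flag
FRIENDLY = "/request_limit_exceeded.html"


class IpCollection:
    """Variables stored for one client IP, each with its own expiry time."""

    def __init__(self):
        self.vars = {}     # name -> value
        self.expiry = {}   # name -> absolute expiry time in seconds

    def purge(self, now):
        # Drop every variable whose expiry time has passed.
        for name in [n for n, t in self.expiry.items() if t <= now]:
            self.vars.pop(name, None)
            del self.expiry[name]

    def set(self, name, value, ttl, now):
        # setvar followed by expirevar: the expiry is pushed forward each time.
        self.vars[name] = value
        self.expiry[name] = now + ttl


def handle(store, ip, uri, now):
    """Return 'allow', 'pass' or 'redirect' for one request at time `now`."""
    col = store.setdefault(ip, IpCollection())
    col.purge(now)
    # Rule 1: count every request and refresh the counter's expiry.
    col.set("request_count", col.vars.get("request_count", 0) + 1, COUNT_TTL, now)
    # Rule 2: the explanation page stays reachable for blocked clients.
    if uri == FRIENDLY:
        return "allow"
    # Rule 3: at or over the limit, (re)set the blocked flag.
    if col.vars["request_count"] >= LIMIT:
        col.set("blocked", 1, BLOCK_TTL, now)
    # Rule 4: blocked clients are redirected to the explanation page.
    return "redirect" if col.vars.get("blocked") == 1 else "pass"


def replay(times, ip="203.0.113.7", uri="/"):
    """Feed constructed request timestamps for one IP; return the verdicts."""
    store = {}
    return [handle(store, ip, uri, t) for t in times]
```

In this model the counter's expiry moves forward on every request, so a client sending one request an hour still reaches the limit, and a client over the limit stays blocked until it has been silent for 24 hours.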