Score:0

ModSecurity Rule that Would Block the IP After a Certain Amount of 403 Errors

I am trying to figure out how to write a ModSecurity rule that would block the IP from the server for a period of time when that IP is generating a certain amount of 403 errors, and I am struggling with writing the rule. Does anyone have any ideas of what this rule would look like?  

slightly_toasted
I recommend you take a look at the OWASP ModSecurity Core Rule Set (CRS) to get an idea for how rules are written. Combined with the ModSecurity documentation, you should be able to figure out how to create variables, how to increment the variable per 403 response, and how to block the IP once that variable hits your desired threshold.
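
The approach the comment above describes (a per-IP variable incremented on each 403 response, then a block once it passes a threshold), written out as an added example that is not part of the original thread. It assumes ModSecurity 2.x with `SecDataDir` configured; the rule ids and the thresholds (more than 10 responses, 60-second counter, 10-minute block) are placeholders to adjust.

```apache
# Added example for ModSecurity 2.x. Rule ids 100100-100103 and all
# thresholds are placeholders. SecDataDir must be set so that the IP
# collection persists between requests.

# Open the persistent per-client collection, keyed by source address.
SecAction "id:100100,phase:1,pass,nolog,initcol:ip=%{REMOTE_ADDR}"

# Refuse requests from an address that is currently flagged.
SecRule IP:BLOCKED "@eq 1" \
    "id:100101,phase:1,deny,status:403,log,\
    msg:'Client temporarily blocked after repeated 403 responses'"

# Count every 403 sent to this address (logging phase, after the
# response status is known). The counter expires 60 seconds after the
# most recent 403, because each match renews the expiry.
SecRule RESPONSE_STATUS "@streq 403" \
    "id:100102,phase:5,pass,nolog,\
    setvar:ip.count_403=+1,expirevar:ip.count_403=60"

# More than 10 counted 403s: flag the address for 600 seconds and
# reset the counter. 403s produced by rule 100101 are counted too, so
# a client that keeps sending requests while blocked renews its block.
SecRule IP:COUNT_403 "@gt 10" \
    "id:100103,phase:5,pass,log,\
    msg:'403 threshold exceeded, blocking client',\
    setvar:ip.blocked=1,expirevar:ip.blocked=600,setvar:!ip.count_403"
```

Behind a reverse proxy or load balancer, `REMOTE_ADDR` is the proxy's address, so the collection key has to come from the real client address instead or every user shares one counter.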
Score:0

Fail2Ban is the correct tool for this. It can read ModSecurity logs and ban IP addresses based on them. It comes with a filter for ModSecurity 2 that can be enabled in, e.g., /etc/fail2ban/jail.d/apache.conf:

[apache-modsecurity]
enabled = true

You might want to adjust the maxretry, as it defaults to 2, which seems pretty aggressive.
