2 May 15:06
Re: Throttling
Christian Bockermann <chris <at> jwall.org>
2007-05-02 13:06:31 GMT
2007-05-02 13:06:31 GMT
You can do this using ModSecurity's collection-capabilities.
First you initalize a collection wrt the ip-address
SecAction initcol:ip=%{REMOTE_ADDR},nolog
Now you have a collection called "IP" that you can use to save
variables.
The following rule will check if there exists a variable "count"
within the
ip-collection. If not, it will initialize such a variable to 0 and tell
ModSecurity to expire it after 1 hour (3600 seconds).
SecRule &IP:COUNT "@eq 0" "setvar:ip.count=0,expirevar:ip.count=3600"
Then you can "count" the accesses using this collection
SecAction setvar:ip.count=+1
For example within a certain location (then you need to add a "phase:
2" to
the actions). This will increment the variable "count" within the
collection
IP (which is assiciated with the REMOTE_ADDR) by one.
You can then use this variable to block an IP:
SecRule IP:COUNT "@gt 2000" "deny,status:500"
Not the different cases when setting and querying collection-variables.
For a more bandwidth-oriented throttling you should probably have a look
at mod_throttle, which also supports IP-based throttling, IIRC.
Regards,
Chris
Am 02.05.2007 um 14:47 schrieb Russ Lavoie:
> Is there a way inside modsecurity that can throttle IP addresses.
> Meaning, IPs are only allowed 2,000 hits per day and then denied...
>
> I went through the reference manual and saw nothing there regarding
> this.
>
> Thanks
>
> ----------------------------------------------------------------------
> ---
> This SF.net email is sponsored by DB2 Express
> Download DB2 Express C - the FREE version of DB2 express and take
> control of your XML. No limits. Just data. Click to get it now.
> http://sourceforge.net/powerbar/db2/
> _______________________________________________
> mod-security-users mailing list
> mod-security-users <at> lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
RSS Feed