Hi everyone.
I was wondering about setting up a brute force protection against a single
client (browser).
It happens I manage a busy site, and I've got a bunch of customers
coming to me through large proxies.
This means I can't simply ban an IP
(as dictated by the current brute force rule in 2.1.1),
but I'd like to stop a single client
(likely a script mimicking a real browser).

I thought about setting up a global collection
populated by hashing a cookie (different value for each customer).
Something like:

# Hash the session cookie VALUE (REQUEST_COOKIES, not REQUEST_COOKIES_NAMES,
# which would only yield the constant string "JSESSIONID") and keep the
# hex digest in a transaction variable.
SecRule REQUEST_COOKIES:JSESSIONID "^(.*)$" \
"phase:1,t:none,pass,nolog,t:sha1,t:hexEncode,setvar: \
tx.cookie_hash=%{matched_var}"

# Open the persistent collections; the ip collection is keyed on the
# cookie hash instead of the source address.
SecAction \
"phase:1,t:none,pass,nolog,initcol:global=global,initcol: \
ip=%{tx.cookie_hash}"

I could then try to modify the rules present in
modsecurity_crs_11_brute_force.conf to evaluate that variable.
Any suggestion?

Regards, Luca
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
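Below is an added example of the approach sketched in the post, written from scratch and not taken from the original message or from the CRS project. It assumes ModSecurity 2.x with a SecDataDir configured for persistent collections, an application that issues a JSESSIONID cookie, a login handler under /login that answers a failed attempt with a 401 or a redirect back to the form, and that the CRS's own `initcol:ip=%{remote_addr}` line in modsecurity_crs_10_config.conf is replaced by rule 900102 here. The rule ids, the /login path, the 10-failure threshold and the 300-second window are placeholders to adapt.

```apache
# Added example: per-client brute-force counting keyed on a hashed session
# cookie, with an IP fallback. Not code from the original post or from CRS.

# 1. Derive an opaque key from the session cookie VALUE. Hashing means the
#    on-disk collection never stores raw session ids.
SecRule REQUEST_COOKIES:JSESSIONID "^.+$" \
    "phase:1,id:900100,t:none,t:sha1,t:hexEncode,pass,nolog,\
    setvar:tx.client_key=%{matched_var}"

# 2. A client that presents no session cookie is keyed on its source IP
#    instead, so dropping the cookie does not bypass the counter.
SecRule &TX:client_key "@eq 0" \
    "phase:1,id:900101,t:none,pass,nolog,setvar:tx.client_key=%{REMOTE_ADDR}"

# 3. Open the persistent ip collection on that key. The stock CRS brute
#    force rules read the ip collection, so they keep working unchanged;
#    this replaces the CRS initcol:ip=%{remote_addr} line (assumption).
SecAction "phase:1,id:900102,t:none,pass,nolog,initcol:ip=%{tx.client_key}"

# 4. Count failed logins per client key in phase 5, once the response
#    status is known: a POST to the login URL answered with 401 or 302.
SecRule REQUEST_METHOD "@streq POST" \
    "phase:5,id:900103,chain,t:none,pass,nolog"
    SecRule REQUEST_URI "@beginsWith /login" "chain,t:none"
    SecRule RESPONSE_STATUS "^(401|302)$" \
        "setvar:ip.login_failures=+1,expirevar:ip.login_failures=300"

# 5. Deny further requests from a key that exceeded the threshold inside
#    the window; the counter expires on its own after 300 seconds.
SecRule IP:login_failures "@gt 10" \
    "phase:1,id:900104,t:none,deny,status:403,log,\
    msg:'Login brute force from client key %{tx.client_key}'"
```

Two points worth checking when deploying this. First, the hash is an identifier for the collection key only; sha1 over the cookie value is enough to keep session ids out of the SDBM file, but it does not authenticate the cookie, so a client that obtains a fresh session on every request gets a fresh counter. Capping how many new sessions a single REMOTE_ADDR may open per window (a second counter in the same style) closes that gap without reintroducing a blanket IP ban for proxy users. Second, confirm the real failure signature of the login handler (status code, or a marker in the response body via RESPONSE_BODY) before relying on the 401/302 test in rule 900103, since a handler that returns 200 with an error page will never increment the counter.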
