Hello, everyone

I use ModSecurity 2.6 to protect some specific pages against DoS attacks.
This is the rule. I tested it in my box, and it works. But in a production
environment (a large number of concurrent connections in the worker MPM),
it failed.

At first I used expirevar:dos_block every 1800 seconds, as the ModSecurity
docs suggest. I found the var "dos_block" expired within 1-10 seconds
(I dumped the resource db), not 1800. So I changed it to deprecatevar. But
it does not work either.

Is it because of the concurrency problem?

Thanks.


----------------------------------------------------------------

# Only requests for the protected page go through the DoS chain; everything
# else jumps straight to Dos_Marker. The pattern has no capture group, so
# TX.0 (the whole match) is what "capture" makes available.
SecRule REQUEST_URI "^/login.php" \
    "phase:1,capture,t:lowercase,t:urlDecodeUni,pass,nolog,setvar:tx.dos_uri=%{TX.0},skip:1"
SecAction "phase:1,pass,nolog,skipAfter:Dos_Marker"

# key the persistent RESOURCE collection by client address
SecAction "phase:1,pass,nolog,t:none,setvar:tx.real_ip=%{REMOTE_ADDR}"
SecAction "phase:1,nolog,initcol:resource='%{tx.real_ip}/'"

# first request after a block: clear the flag and jump to the logging deny rule
SecRule RESOURCE:SHOULD_LOG "@eq 1" \
    "phase:1,pass,nolog,setvar:resource.should_log=0,skip:2"

#already blocked, nolog here
SecRule RESOURCE:DOS_BLOCKED "@eq 1" \
    "phase:1,deny,nolog,severity:'2',status:403,deprecatevar:resource.dos_blocked=1/1800,skipAfter:Dos_Marker"

SecAction "phase:1,pass,nolog,skip:1"

#log version, logdata is real client ip
SecRule RESOURCE:DOS_BLOCKED "@eq 1" \
    "phase:1,deny,log,auditlog,severity:'2',msg:'99010',id:'99010001',tag:'9901',status:403,deprecatevar:resource.dos_blocked=1/1800,logdata:%{tx.real_ip},skipAfter:Dos_Marker"

#counter++
SecAction \
    "phase:1,nolog,setvar:resource.dos_request_counter=+1,deprecatevar:resource.dos_request_counter=10/60"

# if counter == max then block
SecRule RESOURCE:DOS_REQUEST_COUNTER "@ge 10" \
    "phase:5,nolog,setvar:resource.dos_request_counter=0,setvar:resource.dos_blocked=1,setvar:resource.should_log=1"

SecMarker Dos_Marker
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
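As an added example (not code from the post or from ModSecurity), here is a small Python model of how the posted rule chain ages one client's RESOURCE collection under deprecatevar. It assumes the 2.x semantics noted in the comments (decay by `step` per whole `period` elapsed since the collection's LAST_UPDATE_TIME), and it models one client's requests one at a time, so it does not exercise the concurrent-write behaviour the post asks about.

```python
# Added example (not from the post or from ModSecurity): a model of how the
# posted rule chain evolves one client's RESOURCE collection over time.
# Assumption (my reading of the ModSecurity 2.x source): deprecatevar computes
#     new = max(0, cur - step * floor((now - LAST_UPDATE_TIME) / period))
# and LAST_UPDATE_TIME is refreshed whenever the collection is written back,
# i.e. at the end of any request that changed it.

def deprecate(value, step, period, now, last_update):
    """deprecatevar:col.var=step/period evaluated at `now` (seconds)."""
    if last_update is None:  # collection just created by initcol: never aged
        return value
    return max(0, value - step * ((now - last_update) // period))


class Resource:
    """The per-client RESOURCE record that initcol:resource loads."""
    def __init__(self):
        self.vars = {"dos_request_counter": 0, "dos_blocked": 0}
        self.last_update = None  # LAST_UPDATE_TIME; None until first store


def handle_request(col, now, limit=10, counter_rate=(10, 60), block_rate=(1, 1800)):
    """Apply the post's rules to one request; returns True if it is denied."""
    if col.vars["dos_blocked"] == 1:
        # RESOURCE:DOS_BLOCKED @eq 1 -> deny, deprecatevar:resource.dos_blocked=1/1800
        aged = deprecate(1, *block_rate, now, col.last_update)
        dirty = aged != 1            # only a changed collection is stored
        col.vars["dos_blocked"] = aged
        denied = True                # the rule matched before deprecatevar ran
    else:
        # setvar:resource.dos_request_counter=+1, then deprecatevar ...=10/60
        c = deprecate(col.vars["dos_request_counter"] + 1, *counter_rate, now, col.last_update)
        if c >= limit:               # phase 5: RESOURCE:DOS_REQUEST_COUNTER @ge 10
            c, col.vars["dos_blocked"] = 0, 1
        col.vars["dos_request_counter"] = c
        dirty, denied = True, False  # setvar always marks the collection dirty
    if dirty:
        col.last_update = now        # collection_store refreshes LAST_UPDATE_TIME
    return denied


def simulate(request_times, **kw):
    """Run one client's request timestamps (seconds) through the rules.
    Returns [(time, counter_after, denied), ...]."""
    col, trace = Resource(), []
    for t in request_times:
        denied = handle_request(col, t, **kw)
        trace.append((t, col.vars["dos_request_counter"], denied))
    return trace
```

Feeding `simulate` one request every 50 seconds shows the counter never decays, because no gap ever reaches a full 60 seconds, so the client is blocked after 10 requests however slowly they arrive; a gap of 1800 seconds or more clears dos_blocked on the next request.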
