How to implement rate limit using Mod Security Rule


Rahul Thakkar

Apr 18, 2024, 2:36:05 AM
to ModSecurity Core Rule Set project
Hello Guys,

I am looking to set up rate limiting using a ModSecurity rule.
Can anyone please help me write such a rule set?

For example, I tried:

# Rule 1: Initialize website-specific counter
SecAction "phase:1,id:900,pass,initcol:ip=%{REMOTE_ADDR}/%{SERVER_NAME}/count/60"

# Rule 2: Increment website-specific counter and log full variable
SecRule REQUEST_HEADERS:Host "@rx ^([^:]+)" \
    "id:901,log,pass,setvar:ip.%{REMOTE_ADDR}/%{SERVER_NAME}/count/60+=1"

# Rule 3: Block if request count exceeds 100 per 60 seconds
SecRule IP:%{REMOTE_ADDR}/%{SERVER_NAME}/count/60 "@gt 1" \
    "id:902,phase:1,deny,status:429,\
    log,msg:'Client exceeded request limit for %{SERVER_NAME} from IP %{REMOTE_ADDR}, please try again later.'"

but it is not working.

I want to configure it per IP, per minute, n requests.

Using Apache 2.4.52 on Ubuntu 22.04, with ModSecurity version 2.9.5.

Thanks

Christian Folini

Apr 19, 2024, 3:55:21 AM
to Rahul Thakkar, ModSecurity Core Rule Set project
Hey Rahul,

Getting this up and running is very hard with ModSecurity and it takes a lot
of experience - and hours of debugging. Also for me.

There is a working recipe in the ModSecurity Handbook from Feisty Duck.

However, if you want to do rate limiting on Apache, then mod_qos is usually
the better option. It's also a pain in the a**, but a bit less than
ModSecurity in this regard.

Best,

Christian
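For readers of this thread, the following is an added example of the per-IP, per-minute counter pattern that ModSecurity 2.9 supports; it is not from the original posts, not the ModSecurity Handbook recipe Christian refers to, and not CRS code. The rule ids (9001xx), the limit of 100 requests per 60 seconds, the collection key made of client IP plus virtual host, and the SecDataDir path are assumptions to adapt. The two things the posted rules get wrong are illustrated directly: the collection key with macros belongs inside initcol rather than in a variable name, and ModSecurity 2 increments with setvar:ip.name=+1, not +=1.

```apache
# Added example: per-IP, per-vhost, fixed-window rate limit for ModSecurity 2.9.
# Not the thread's or the ModSecurity Handbook's code; rule ids, the 100/60 s
# limit and the SecDataDir path are assumptions.

SecRuleEngine On
# Persistent collections (the IP collection) need a data directory that is
# writable by the Apache user; this path is an assumption for Debian/Ubuntu.
SecDataDir /var/cache/modsecurity

# 1. Load or create the collection. The key is built from macros here, inside
#    initcol, which is where a per-client, per-site key belongs.
SecAction "id:900100,phase:1,pass,nolog,\
    initcol:ip=%{REMOTE_ADDR}_%{SERVER_NAME}"

# 2. Deny before counting: with the check first and @ge, the client gets 100
#    requests in the window and the 101st is answered with 429.
SecRule IP:REQUEST_COUNT "@ge 100" \
    "id:900101,phase:1,deny,status:429,log,\
    msg:'Rate limit exceeded: %{ip.request_count} requests from %{REMOTE_ADDR} to %{SERVER_NAME} in 60s'"

# 3. Count this request. ModSecurity 2 increments with '=+1' (not '+=1').
SecAction "id:900102,phase:1,pass,nolog,\
    setvar:ip.request_count=+1"

# 4. Start the 60-second window only when the counter has just been created,
#    so later requests do not keep pushing the expiry forward.
SecRule IP:REQUEST_COUNT "@eq 1" \
    "id:900103,phase:1,pass,nolog,\
    expirevar:ip.request_count=60"
```

Put these rules before any rule that needs the same ip collection, verify that SecDataDir is writable by the Apache user (otherwise the counter silently never persists between requests), and check the error log for "Rate limit exceeded" entries while sending more than 100 requests in a minute from one client to confirm the 429 response.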