
I want to ban IP addresses that cause multiple 404 errors on my web site. I've Googled a lot and found a few scripts that gave me ideas to start, and I combined them. Here is my script:

# Determining temp data dir
SecDataDir "C:\logs\datastore"
#
# Loading previous data for the IP request
SecAction "phase:1,initcol:ip=%{REMOTE_ADDR},id:'1006'"
#
# Incrementing block_script counter if client caused status #404
SecRule RESPONSE_STATUS "@streq 404" "phase:2,pass,setvar:ip.block_script=+1,expirevar:ip.block_script=30,id:'1007'"
#
# Denying the request if the block_script counter is greater than 3
SecRule IP:BLOCK_SCRIPT "@gt 3" "phase:2,deny,status:403,id:'1008'"

For some reason, it doesn't work. I believe there is some error. I am very sorry, I am not a coding guru or even a programmer. I am just playing with my homebrewed project when I have time. I hope that somebody will help me and that my mistake is easy to find and fix.

Thanks in advance!

The 'datastore' dir is created and accessible, and there I can see 2 files of 0 bytes in size.

Thanks!

EIKA
  • Could this be due to a limitation of parsing 404 errors? "Note that some response status codes (such as 404) are handled earlier in the request cycle by Apache and may not be able to be triggered as expected." "**SecAuditEngine** ModSecurity is currently able to log most, but not all transactions. Transactions involving errors (e.g., 400 and 404 transactions) use a different execution path, which ModSecurity does not support." – EIKA Sep 18 '16 at 18:48

2 Answers

Looks like the final and precisely working version is:

# Loading the persistent collection for the client IP
SecAction "phase:1,initcol:ip=%{REMOTE_ADDR},id:'1006'"
# Incrementing the counter in phase 3, where RESPONSE_STATUS is populated; the counter expires 600 s after the last 404
SecRule RESPONSE_STATUS "@streq 404" "phase:3,pass,setvar:ip.block_script=+1,expirevar:ip.block_script=600,id:'1007'"
# Denying the request in phase 2 once the counter has reached 3
SecRule IP:BLOCK_SCRIPT "@ge 3" "phase:2,deny,status:403,id:'1008'"

You have to change the ip.block_script var (ban time) and the 3 after ge (error counter) to the required values, e.g. 3600 and 5 respectively.

EIKA

You are trying to read the response status in a phase 2 rule. This won't be set until phase 3 so change rule 1007 to phase 3.

Not sure this is a great idea though for a number of reasons:

  • First up, persistent collections in ModSecurity are notoriously unstable under any sort of load, and you are tracking every IP address that hits your server, each time it hits. That's a lot of tracking and a lot of accessing of that collection. Personally, until ModSecurity brings in an in-memory storage system instead of a disk-based one, I don't recommend using them and instead strongly advise that ModSecurity is only used with same-transaction rules which don't require persisted storage.

  • Next, you are blocking after three 404s in the same 30 second window. One badly configured web page with a few missing images and you are blocking legitimate traffic. Also, if you happen to have 3 missing pages in a search engine then you block search engine crawlers (e.g. GoogleBot), which could cause your site considerable harm.

  • Lastly, what's the point? You're probably not saving any load on your webserver, as the overheads in running this ModSecurity rule and returning a 403 will likely far outweigh the overhead in just returning a plain old 404. The 30 second timeout seems arbitrary, is easily circumvented (either intentionally or not), and will result in weirdness that will just confuse later ("hey, weird bug, some responses work, some return 403 - seemingly at random. I can't figure it out"), and analysing real 404s or web traffic will become difficult as classification changes.

Not sure if you wanted that advice rather than just the answer, but thought I'd warn you in case you hadn't considered any of this!

Barry Pollard
  • Thanks for your response. Now, with the changed phase, it begins working! But it requires 4 404 hits before the first act, not 3. Do you know why? I want to fix it. About your concerns: please don't worry about them at all! These are test values; I will use others. And it's for a special project with very low traffic and very high hacker activity. There are just 20-50 visitors per day at maximum. And finally, I will adjust the ban to a week and increase the 404 counter to 5 or something. FYI: this is Windows-based Apache, and solutions like Fail2Ban will not work. – EIKA Sep 18 '16 at 20:33
  • Did phase 3 work after all based on your answer below? – Barry Pollard Sep 18 '16 at 23:32
  • @BarryPollard, regarding your question "what's the point?", I think the intent here is to block traffic from malicious clients that are purposely poking at your system for known vulnerabilities. This will commonly cause a string of 404 errors in short succession. Blocking them for a period of time after a few pokes will significantly slow them down. I observe this happening on my Joomla site frequently, which is how I came to find this SO post. You raise some excellent points though, so I'll be looking to alternate means for tackling this one. – John Rix Oct 03 '22 at 08:44
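The phase ordering Barry Pollard describes also explains the "4 hits before the first act" observation in the comment above: rule 1008 checks the counter in phase 2, before rule 1007 has incremented it in phase 3 of the same transaction, so with `@gt 3` the counter must already be 4 when the request arrives. The following simulation is an added example, not code from the question or either answer and not ModSecurity itself; it models the three rule sets on this page (the original, the accepted answer's, and a phase-fixed variant that keeps `@gt 3`) as plain Python so the per-request behaviour and the `expirevar` reset can be stepped through offline. Timestamps, request spacing and the 404-only traffic are constructed inputs.

```python
"""Per-transaction model of the ModSecurity rules discussed on this page.

Constructed simulation (not ModSecurity): phases 1-5 run in order, request
rules (phase 2) see no response data, and RESPONSE_STATUS is only available
from phase 3 onwards.  The ip.block_script counter and its expirevar timer
are modelled as a tiny in-memory collection keyed by one client IP.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    phase: int           # processing phase the rule runs in
    kind: str            # "count404" (rule 1007) or "deny" (rule 1008)
    threshold: int = 0   # counter threshold for the deny rule
    op: str = "gt"       # "gt" models @gt, "ge" models @ge
    expire: int = 0      # expirevar seconds set each time the counter changes


@dataclass
class IpCollection:
    """One client's persistent collection: the counter and its expiry time."""
    block_script: int = 0
    expires_at: Optional[float] = None

    def value(self, now: float) -> int:
        # expirevar: once the deadline passes the variable disappears (reads as 0)
        if self.expires_at is not None and now >= self.expires_at:
            self.block_script = 0
            self.expires_at = None
        return self.block_script


def process_request(rules: List[Rule], ip_col: IpCollection, now: float,
                    response_status: int = 404) -> int:
    """Run one transaction through phases 1-5 and return the status sent."""
    for phase in range(1, 6):
        for rule in rules:
            if rule.phase != phase:
                continue
            if rule.kind == "deny":
                count = ip_col.value(now)
                hit = count > rule.threshold if rule.op == "gt" else count >= rule.threshold
                if hit:
                    # deny,status:403 - a 403 is not a 404, so the counter is untouched
                    return 403
            elif rule.kind == "count404":
                # RESPONSE_STATUS is empty before phase 3, so @streq 404 cannot match there
                visible_status = response_status if phase >= 3 else None
                if visible_status == 404:
                    ip_col.value(now)            # drop an expired value first
                    ip_col.block_script += 1     # setvar:ip.block_script=+1
                    ip_col.expires_at = now + rule.expire  # expirevar restarts the timer
    return response_status


def statuses_for_burst(rules: List[Rule], n: int, spacing: float = 1.0) -> List[int]:
    """Send n constructed 404-producing requests from one IP, `spacing` seconds apart."""
    ip_col = IpCollection()
    return [process_request(rules, ip_col, i * spacing) for i in range(n)]


# Question's rules: 1007 in phase 2 never sees the status, so nothing is ever counted
ORIGINAL = [Rule(2, "count404", expire=30), Rule(2, "deny", 3, "gt")]
# Accepted answer's rules: 1007 moved to phase 3, 1008 uses @ge 3, 600 s expiry
FIXED = [Rule(3, "count404", expire=600), Rule(2, "deny", 3, "ge")]
# Phase fixed but @gt 3 kept: the counter must already be 4 at phase 2, so 4 hits pass
GT_ONLY = [Rule(3, "count404", expire=30), Rule(2, "deny", 3, "gt")]

if __name__ == "__main__":
    print("original :", statuses_for_burst(ORIGINAL, 6))
    print("fixed    :", statuses_for_burst(FIXED, 6))
    print("gt only  :", statuses_for_burst(GT_ONLY, 6))
    # requests 700 s apart: each one finds the 600 s counter already expired
    print("expired  :", statuses_for_burst(FIXED, 4, spacing=700))
```

Running it shows the original rules returning 404 for every request, the answer's rules denying from the fourth request (three 404s counted), the `@gt 3` variant denying only from the fifth, and the counter never accumulating when requests arrive further apart than the `expirevar` window, which is the "easily circumvented" point in the second answer.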