Re: [Owasp-modsecurity-core-rule-set] How to block one ip address for a period of time

Josh Amishav-Zlatin Wed, 02 Nov 2011 02:02:47 -0700

On Wed, Nov 2, 2011 at 4:55 AM, dreamice <[email protected]> wrote:
> Dear all,
> I want to write a rule to block an IP address for a period of time, for
> example 5 minutes.
> How can I write this rule?


Hi,

The following example assumes you want to block IPs that send a
request that have the string blockme in an argument value:

# Initialize the IP collection
SecAction "phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR}

# Block IP for 300 seconds
SecRule ARGS blockme
"phase:2,block,setvar:ip.blocked=1,expirevar:ip.blocked=300"

# Enforce blocking
SecRule IP:BLOCKED "@eq 1" "phase:1,deny,log"

--
 - Josh
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

Re: [Owasp-modsecurity-core-rule-set] How to block one ip address for a period of time

Reply via email to