Hello,

I don't use a specific rule to block IPs & instead use fail2ban to block all IPs that are found in the error logs.

mod_sec will prevent the action from occurring then log it, and fail2ban will pick up the IP and ban it. There should be no harm to Apache itself in that process, as opposed to letting mod_sec do the banning. In fact, I think it's better for performance to avoid banning from within Apache: just deny the action, log it & let another app do the banning & unbanning.

Here's a description of an Apache section:
http://www.fail2ban.org/wiki/index.php/Fail2ban:Community_Portal#Apache

You can easily modify it for whatever rule you'd like to block, or all of them.

On Wed, Nov 2, 2011 at 12:02 PM, Josh Amishav-Zlatin <[email protected]> wrote:
>
> On Wed, Nov 2, 2011 at 4:55 AM, dreamice <[email protected]> wrote:
> > Dear all,
> > I want to write a rule to block an IP address for a period of time, for
> > example 5 minutes.
> > How can I write this rule?
>
> Hi,
>
> The following example assumes you want to block IPs that send a
> request that has the string blockme in an argument value:
>
> # Initialize the IP collection
> SecAction "phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR}"
>
> # Block IP for 300 seconds
> SecRule ARGS blockme "phase:2,block,setvar:ip.blocked=1,expirevar:ip.blocked=300"
>
> # Enforce blocking
> SecRule IP:BLOCKED "@eq 1" "phase:1,deny,log"
>
> --
> - Josh
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> [email protected]
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

--
Majed B.
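The log-driven approach from the reply above, sketched as an added example that is not part of the original thread: ModSecurity only denies and logs, and a separate process reads the error log and applies a 300-second ban per client IP. The Apache 2.2-style log format, the ban-on-first-hit policy, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

BAN_SECONDS = 300  # the 5-minute block asked for in the thread

# Assumed Apache 2.2-style error log entry written when ModSecurity denies a request.
DENIED = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[0-9a-fA-F.:]+)\] '
    r'ModSecurity: Access denied with code \d{3}'
)

# Constructed sample lines (documentation-range IPs), not real traffic.
SAMPLE_LOG = """\
[Wed Nov 02 12:00:00 2011] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "blockme" at ARGS:q. [uri "/index.php"]
[Wed Nov 02 12:00:05 2011] [error] [client 198.51.100.7] File does not exist: /var/www/favicon.ico
[Wed Nov 02 12:01:30 2011] [error] [client 203.0.113.5] ModSecurity: Warning. Pattern match "foo" at ARGS:q. [uri "/index.php"]
[Wed Nov 02 12:02:00 2011] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "blockme" at ARGS:q. [uri "/index.php"]
[Wed Nov 02 12:07:00 2011] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "blockme" at ARGS:q. [uri "/index.php"]
"""

def parse_denials(log_text):
    """Yield (timestamp, ip) for each ModSecurity deny entry; other lines are skipped."""
    for line in log_text.splitlines():
        m = DENIED.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
            yield ts, m.group("ip")

def ban_windows(log_text, ban_seconds=BAN_SECONDS):
    """Map each offending IP to its list of (ban_start, ban_end) windows."""
    windows = {}
    for ts, ip in parse_denials(log_text):
        spans = windows.setdefault(ip, [])
        if spans and ts < spans[-1][1]:
            continue  # hit logged while the ban is still active: no new ban
        spans.append((ts, ts + timedelta(seconds=ban_seconds)))
    return windows

def is_banned(windows, ip, now):
    """True while 'now' falls inside one of the IP's ban windows."""
    return any(start <= now < end for start, end in windows.get(ip, []))

if __name__ == "__main__":
    for ip, spans in ban_windows(SAMPLE_LOG).items():
        for start, end in spans:
            print(f"{ip} banned {start:%H:%M:%S} -> {end:%H:%M:%S}")
```

Only "Access denied" entries trigger a ban here; the ModSecurity "Warning" line and the ordinary Apache error are ignored, which is the kind of narrowing the reply refers to when it says the filter can be modified for a particular rule.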
