[Owasp-modsecurity-core-rule-set] How to block one ip address for a period of time
Josh Amishav-Zlatin
jamuse at gmail.com
Wed Nov 2 05:02:14 EDT 2011
On Wed, Nov 2, 2011 at 4:55 AM, dreamice <dreamice.jiang at gmail.com> wrote:
> Dear all,
> I want to write a rule to block an IP address for a period of time, for
> example 5 minutes.
> How can I write this rule?
Hi,
The following example assumes you want to block IPs that send a
request that have the string blockme in an argument value:
# Initialize the IP collection
SecAction "phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR}
# Block IP for 300 seconds
SecRule ARGS blockme
"phase:2,block,setvar:ip.blocked=1,expirevar:ip.blocked=300"
# Enforce blocking
SecRule IP:BLOCKED "@eq 1" "phase:1,deny,log"
--
- Josh
More information about the Owasp-modsecurity-core-rule-set
mailing list