When I use collection 'IP', the variable in the collection never expires even if I restart nginx.
The variable in collection expired unless I remove the files: modsec-shared-collections modsec-shared-collections-lock on disk.
@sobigboy How do you get the values of modsec-shared-collections modsec-shared-collections-lock on disk? I tried it in dos-attack and DoS runs well, but I can't get the attack-ip values or timestamp.
Hello, any update on this? I have been testing and the collection file under /modsec-shared-collections is not being expired according to expirevar nor SecCollectionTimeout.
I'm using --with-lmdb because the standard method would destroy each collection on reload.
Not yet - but I'll see that soon.
Meanwhile here's a workaround for everyone who needs DOS protection to work. The hack uses dedicated variables in conjunction with the TIME_EPOCH variable to explicitly expire the DOS variables.
The document you provided really works. But if I change the browser, I'll have normal access to the web server. So I think this disabling policy is only for the combination of the browser and the IP address and not for the IP address alone. I feel the authorities should fix this problem or adopt your document, @theseion.
Good to hear that, thanks.
As for switching browsers: that shouldn't make a difference. AFAICT, only the IP is considered for the blocking logic. Are you sure that you don't have a proxy configured in one of those browsers?
The solution posted by @theseion above didn't help in my case. Added it to my already existing file, restarted the server. Tested on a browser that was available before (which is weird in the first place, one browser got blocked while the other was available); now none of my browsers are available unless restarting the server.
Supposed to block remote IPs based on getting 404 more than 3 times, for 60 secs:
SecAction "phase:1,initcol:ip=%{REMOTE_ADDR},id:'123456'"
SecRule RESPONSE_STATUS "@streq 404" "phase:3,pass,setvar:ip.block_script=+1,expirevar:ip.block_script=60,id:'1234567'"
SecRule IP:BLOCK_SCRIPT "@ge 3" "phase:2,deny,status:403,id:'12345678'"
@pixelicous Sorry, this is very late.
You're using expirevar, which does not work (at least it didn't when I wrote the workaround). Make sure to do everything as it's done in the workaround because there are a couple of things that matter (e.g. casing, phase order).
Attachment to the workaround comment above: REQUEST-912-DOS-PROTECTION.conf.txt
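The explicit-expiry idea described in the workaround comment, applied to the 404-counting rules posted above. This is an added example, not part of the thread and not the contents of the attached file; the rule IDs and the `block_script_expires` variable are hypothetical, and variable names are kept in one casing throughout because the thread notes that casing matters.

```conf
# Added example: block an IP after three 404 responses, with the block ending
# 60 seconds after the last counted 404, without relying on expirevar.
# Rule IDs and ip.block_script_expires are hypothetical names.

# Phase 1: open the per-IP persistent collection.
SecAction "id:9001000,phase:1,pass,nolog,initcol:ip=%{REMOTE_ADDR}"

# Phase 1: explicit expiry. If a stored deadline is older than the current
# time, delete the counter and the deadline. When no deadline is stored,
# the target is empty and this rule does not match.
SecRule IP:block_script_expires "@lt %{TIME_EPOCH}" \
    "id:9001001,phase:1,pass,nolog,\
    setvar:!ip.block_script,\
    setvar:!ip.block_script_expires"

# Phase 1: enforce. This runs after the expiry rule, so a counter that is
# still at the threshold here belongs to a deadline that has not passed.
SecRule IP:block_script "@ge 3" \
    "id:9001002,phase:1,deny,status:403,log,\
    msg:'Client blocked after repeated 404 responses'"

# Phase 3: count each 404 and store the deadline as now + 60 seconds.
# The two setvar actions on the deadline run in order: assign, then add.
SecRule RESPONSE_STATUS "@streq 404" \
    "id:9001003,phase:3,pass,nolog,\
    setvar:ip.block_script=+1,\
    setvar:ip.block_script_expires=%{TIME_EPOCH},\
    setvar:ip.block_script_expires=+60"
```

The expiry rule has to come before the enforcement rule in the same phase; otherwise a stale counter in the persistent store keeps matching, as it does for the stale entries reported earlier in the thread.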