Block IP address if/when modsecurity detects hacking attempts?

Is there a way to block an ip address for maybe 10 minutes or so every time modsecurity detects a hack attempt?

I have someone attempting to hack a couple sites… and it would be nice to at least slow them down so they only get one or two tries and then have to wait another 10 minutes.

Thanks,
Todd

Hi toader,

Easiest way is to just block their IP using Mod_Rewrite in your htaccess file.

There are various Methods of Blocking

Get the bad actor’s IP address from your server access files. Replace the x’s with that IP address. Be sure to escape the dots with the backwards slash as shown. Then add it to your base level htaccess file:

RewriteEngine on
# Anchor with ^ and $ so that only this exact address matches
RewriteCond %{REMOTE_ADDR} ^xx\.xx\.xx\.xxx$
RewriteRule .* - [F]

That will block, but what I’d like to do is use some logic in blocking… I wish I could use php somehow - that it could be triggered by a modsecurity event somehow…

Modifying htaccess must be done manually every time (this hacker usually only tries for 10 minutes at a time, so I wouldn’t even know they had tried until I see error logs later). Also, an htaccess edit would be a permanent block rather than temporary… it’s possible eventually this IP address will be used by legitimate users… if the hacker continues to try (they change IP addresses each time) and I am blocking every address, eventually many addresses will be blocked.

I have heard that custom rules can be added to modsecurity… how can we do this?

First you’ll need to determine what version of mod_security is loaded on your server since some rules have changed from version to version.

You may get some insight at this page: https://www.codeproject.com/Articles/574935/BlockplusIPplususingplusModSecurity

I contacted Dreamhost - they told me access to this is limited to dedicated server or dreamcompute configurations. We’re currently on VPS. Hmm… well, will think it over…

Thanks for the info guys!
-Todd

Sorry… since you were specific to using mod_security, I assumed you knew you had that option.

Falling back to my earlier suggestion of using mod_rewrite, that is a simple implementation. You can easily delete the rule later if no longer needed. I actually update my htaccess files at least once a day, often much more.
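
Added example, not part of any post in this thread and not Dreamhost or ModSecurity code: a sketch of the temporary block asked about, for a host where custom ModSecurity rules are not available. It reads ModSecurity denials from the Apache error log and emits the mod_rewrite rules shown earlier only for addresses that are currently inside a 10-minute window. The Apache 2.4 log line format, the two-denial threshold, the function names and the sample log lines are all assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

BLOCK_FOR = timedelta(minutes=10)  # block length asked for in the thread
MAX_HITS = 2                       # denials tolerated before blocking (assumed)

# Apache 2.4 error-log line with a ModSecurity denial (assumed format, IPv4 only).
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] .*?\[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\] "
    r"ModSecurity: Access denied")

# Constructed sample log lines, not taken from a real server.
SAMPLE_LOG = """\
[Tue Mar 05 10:01:00.000000 2024] [:error] [pid 101] [client 203.0.113.7:50001] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2).
[Tue Mar 05 10:02:00.000000 2024] [:error] [pid 101] [client 203.0.113.7:50002] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2).
[Tue Mar 05 10:03:00.000000 2024] [:error] [pid 102] [client 198.51.100.9:40000] [client 198.51.100.9] ModSecurity: Access denied with code 403 (phase 2).
[Tue Mar 05 10:04:00.000000 2024] [core:error] [pid 103] [client 192.0.2.1:1234] File does not exist: /favicon.ico
""".splitlines()

def parse_denials(lines):
    """Yield (timestamp, ip) for each ModSecurity denial; other lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y"), m["ip"]

def active_blocks(denials, now):
    """IPs with MAX_HITS or more denials inside the trailing BLOCK_FOR window."""
    hits = {}
    for ts, ip in denials:
        if now - BLOCK_FOR <= ts <= now:
            hits[ip] = hits.get(ip, 0) + 1
    return sorted(ip for ip, n in hits.items() if n >= MAX_HITS)

def render_htaccess(ips):
    """mod_rewrite rules for the active blocks: escaped dots, anchored at both ends."""
    if not ips:
        return "# no active temporary blocks\n"
    conds = [f"RewriteCond %{{REMOTE_ADDR}} ^{re.escape(ip)}$ [OR]" for ip in ips]
    conds[-1] = conds[-1][:-len(" [OR]")]  # the last condition takes no [OR]
    return "\n".join(["RewriteEngine on", *conds, "RewriteRule .* - [F]"]) + "\n"

if __name__ == "__main__":
    now = datetime(2024, 3, 5, 10, 5)
    print(render_htaccess(active_blocks(parse_denials(SAMPLE_LOG), now)), end="")
```

Run from a scheduled job against the tail of the real error log, the output would replace a marked section of the htaccess file, so a block disappears on its own once the denials age out of the window.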
