
I've enabled modsecurity in my nginx k8s ingress using this guide, then I've added the following custom rules to block potential brute force attacks:

# Block by ip

# Initialise the per-IP collection, keyed on the client address
# (an id is mandatory on every rule/action; 900110 is a placeholder chosen to fit the series below)
SecAction "id:900110,phase:2,nolog,pass,initcol:ip=%{REMOTE_ADDR}"

# Enforce an existing block for this IP
SecRule ip:bf_block_flag "@gt 0" "id:900120,phase:2,msg:'Username [%{ARGS:json.username}] blocked because of suspected brute-force attack',block"

# Check that this is a POST
SecRule REQUEST_METHOD "^POST$" "id:900130,phase:5,chain,t:none,auditlog,log,pass"
# On a successful login, a 200 code is returned: reset the failure counter
SecRule RESPONSE_STATUS "^200" "t:none,setvar:ip.bf_counter=0"

# Check that this is a POST
SecRule REQUEST_METHOD "^POST$" "id:900140,phase:5,chain,t:none,auditlog,log,pass"
# On a failed login (401), increment the counter; it should expire after 10 seconds
SecRule RESPONSE_STATUS "^401" "chain,t:none,setvar:ip.bf_counter=+1,expirevar:ip.bf_counter=10"
# After more than 3 failures, raise the block flag (also meant to expire after 10 seconds) and reset the counter
SecRule ip:bf_counter "@gt 3" "t:none,setvar:ip.bf_block_flag=1,expirevar:ip.bf_block_flag=10,setvar:ip.bf_counter=0"

But I can't get expirevar to work as I expected: I want a block for an IP to expire in 10 seconds, but it takes several minutes to unblock that IP.

What am I doing wrong?

Gigitsu
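To make the intended behaviour of the rules above concrete, here is an added Python model (not ModSecurity code and not from the post) of a per-IP collection whose variables carry expirevar-style TTLs, with the posted thresholds (more than 3 failed POSTs, 10-second expiry). The FakeClock is constructed so the expiry can be exercised without waiting.

```python
class IpCollection:
    """Models a per-IP ModSecurity collection whose variables carry expirevar TTLs."""
    def __init__(self, clock):
        self.clock, self.vars, self.expiry = clock, {}, {}

    def get(self, name, default=0):
        now = self.clock()
        for n in [n for n, t in self.expiry.items() if t <= now]:  # drop expired variables
            self.vars.pop(n, None)
            self.expiry.pop(n, None)
        return self.vars.get(name, default)

    def setvar(self, name, value):
        self.vars[name] = value

    def expirevar(self, name, ttl):
        self.expiry[name] = self.clock() + ttl

MAX_FAILURES, TTL = 3, 10  # thresholds taken from the posted rules

def handle_request(coll, method, status):
    """Rule 900120 (phase 2), then 900130-900142 (phase 5); True means the request was blocked."""
    if coll.get("bf_block_flag") > 0:
        return True  # a blocked request never reaches the phase 5 rules
    if method == "POST" and status == 200:
        coll.setvar("bf_counter", 0)
    elif method == "POST" and status == 401:
        coll.setvar("bf_counter", coll.get("bf_counter") + 1)
        coll.expirevar("bf_counter", TTL)
        if coll.get("bf_counter") > MAX_FAILURES:
            coll.setvar("bf_block_flag", 1)
            coll.expirevar("bf_block_flag", TTL)
            coll.setvar("bf_counter", 0)
    return False

class FakeClock:  # constructed clock, so the 10 s TTL can be checked without sleeping
    def __init__(self): self.now = 0.0
    def __call__(self): return self.now
    def advance(self, seconds): self.now += seconds

def simulate():
    clock, results = FakeClock(), []
    coll = IpCollection(clock)
    for _ in range(5):  # five failed logins, one second apart; the fifth is blocked
        results.append(handle_request(coll, "POST", 401))
        clock.advance(1)
    clock.advance(TTL)  # wait out the block TTL: the flag should be gone
    results.append(handle_request(coll, "POST", 200))
    return results  # [False, False, False, False, True, False]
```

If the engine ignores expirevar, the last request would still be blocked, which is the behaviour described in the question.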

1 Answer


You didn't write it, but I assume you're using libModSecurity3 with Nginx.

Which type of collection are you using, in-memory or LMDB?

In the case of LMDB, there is an open issue and that's a "known bug".

But IMHO the expirevar doesn't work in any type of collection... :(

(Note, that I've added some fixes to libmodsecurity3, and have some knowledge about the code inside.)

airween
  • Yes, I'm using libModSecurity (v3) and you're right, `expirevar` is not yet implemented in libModSecurity (https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v2.x%29#expirevar) – Gigitsu Apr 30 '19 at 10:11