In this tutorial we use ModSecurity to ban, for a specific time, IP addresses that cause multiple 404 errors on the web site.
Ban with ModSecurity
Depending on your Apache/Nginx and PHP configuration, you may use phase:1 for rules 4000 and 4002. You also need to enable SecResponseBodyAccess On in the ModSecurity configuration files.
SecAction "phase:2,initcol:ip=%{REMOTE_ADDR},id:'4000',pass,nolog"
SecRule RESPONSE_STATUS "@streq 404" "phase:5,pass,setvar:ip.block_script=+1,expirevar:ip.block_script=3600,id:'4001'"
SecRule ip:block_script "@ge 100" "phase:2,deny,status:406,id:'4002'"
In this example the block time is 3600s (1 hour), and the block is applied when an IP address gets more than 100 bad 404 response codes.
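The counting behaviour of the three rules, modelled in Python as an added example (not ModSecurity code and not part of the original tutorial). It assumes that every counted 404 restarts the 3600 s expiry timer and that a denied request, which returns 406, is not counted; the class, function names and sample addresses are constructed for illustration.

```python
# Added example: simplified model of rules 4000-4002, not ModSecurity code.
THRESHOLD = 100      # "@ge 100" in rule 4002
EXPIRE = 3600        # expirevar:ip.block_script=3600 in rule 4001


class IpCollection:
    """Per-address counter, standing in for the persistent `ip` collection."""

    def __init__(self):
        self.state = {}  # ip -> (block_script, expires_at)

    def counter(self, ip, now):
        count, expires_at = self.state.get(ip, (0, 0))
        if now >= expires_at:          # variable expired: treated as unset
            self.state.pop(ip, None)
            return 0
        return count

    def handle(self, ip, now, backend_status):
        """Return the status the client receives for one request."""
        # Rule 4002 (phase 2): deny before the request reaches the backend.
        if self.counter(ip, now) >= THRESHOLD:
            return 406
        # Rule 4001 (phase 5): count the 404 and restart the expiry timer.
        if backend_status == 404:
            self.state[ip] = (self.counter(ip, now) + 1, now + EXPIRE)
        return backend_status


def replay(events):
    """events: iterable of (epoch_seconds, ip, backend_status)."""
    col = IpCollection()
    return [col.handle(ip, ts, status) for ts, ip, status in events]


# Constructed sample traffic (documentation addresses, not real logs).
SCANNER, VISITOR = "203.0.113.7", "198.51.100.20"
events = [(i, SCANNER, 404) for i in range(100)]          # 100 misses in 100 s
events += [(100, SCANNER, 200), (100, VISITOR, 404)]      # scanner now banned
events += [(3698, SCANNER, 200), (3699, SCANNER, 200)]    # ban ends at t=3699

if __name__ == "__main__":
    results = replay(events)
    print(results[99], results[100], results[101], results[102], results[103])
```

Feeding it (timestamp, address, status) tuples taken from your own access log shows which clients the chosen threshold and expiry would have banned before the rules are enabled.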
Custom HTTP 406 error response
This example uses the HTTP 406 return code, so we can customize the HTTP response page with Apache.
You need to add this to the Apache configuration. On Debian/Ubuntu you can put it in the VHOST configuration in /etc/apache2/sites-enabled/*.conf or in /etc/apache2/apache2.conf:
Example VHOST configuration
<VirtualHost *:80>
    # ... existing directives ...
    ErrorDocument 406 /406.shtml
    # ... existing directives ...
</VirtualHost>
Then create the file /var/www/html/406.shtml in the HTML document root directory, with whatever content you want.
Restarting Apache
apache2ctl configtest
service apache2 restart
And here you can find more ModSecurity Rule Examples.
Protect your site with commercial rule set
Check out Malware.Expert – Mod_Security rules if you want to protect your web server against web attacks.