Ban HTTP or HTTPS clients with ModSecurity based on 404 response codes

In this tutorial we use ModSecurity to ban, for a specific time, IP addresses that cause multiple 404 errors on the website.

Ban with ModSecurity

Depending on your Apache/Nginx and PHP configuration, you may use phase:1 for rules 4000 and 4002. You also need to enable SecResponseBodyAccess On in the ModSecurity configuration files.

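# 4000: load the persistent per-IP collection for the client address
SecAction "phase:2,initcol:ip=%{REMOTE_ADDR},id:'4000',pass,nolog"
# 4001: on every 404 response, add 1 to the counter and set it to expire in 3600 s
SecRule RESPONSE_STATUS "@streq 404" "phase:5,pass,setvar:ip.block_script=+1,expirevar:ip.block_script=3600,id:'4001'"
# 4002: deny with HTTP 406 once the counter is 100 or higher
SecRule ip:block_script "@ge 100" "phase:2,deny,status:406,id:'4002'"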

In this example the block time is 3600 s (1 hour), and the block starts once an IP address has caused 100 bad requests with a 404 response code (rule 4002 uses @ge 100).
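To check how this threshold and block time would treat existing traffic before enabling the rules, the following added example (not part of the original tutorial) replays access-log lines through a simplified model of the per-IP counter. The log lines, IP addresses and function names are constructed for illustration; the model assumes the expiry timer restarts on every counted 404 and that requests denied with 406 add nothing to the counter.

```python
import re
from datetime import datetime, timezone

THRESHOLD = 100  # "@ge 100" in rule 4002
TTL = 3600       # "expirevar:ip.block_script=3600" in rule 4001
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) ')

def parse(line):
    """Return (ip, epoch_seconds, status) from a combined-format log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return m.group(1), ts.timestamp(), int(m.group(3))

def replay(lines, threshold=THRESHOLD, ttl=TTL):
    """Return {ip: [(ban_start, ban_end), ...]} for time-ordered log lines."""
    state, bans = {}, {}          # state: ip -> (404 count, counter expiry)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue              # malformed line: ignore rather than guess
        ip, now, status = rec
        count, expires = state.get(ip, (0, 0.0))
        if now >= expires:
            count = 0             # expirevar elapsed: the counter is gone
        if count >= threshold:
            continue              # rule 4002 would answer 406, so no 404 is counted
        if status == 404:
            count += 1
            state[ip] = (count, now + ttl)   # each counted 404 restarts the timer
            if count == threshold:
                bans.setdefault(ip, []).append((now, now + ttl))
    return bans

BASE = datetime(2024, 1, 1, 10, 0, 0, tzinfo=timezone.utc).timestamp()

def sample_log():
    """Constructed log: one scanner (two bursts) and one ordinary visitor."""
    def line(ip, offset, status):
        ts = datetime.fromtimestamp(BASE + offset, tz=timezone.utc)
        return f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S %z}] "GET /x HTTP/1.1" {status} 0'
    rows = [line("203.0.113.7", i, 404) for i in range(120)]
    rows += [line("198.51.100.20", 200 + i, 404) for i in range(3)]
    rows += [line("198.51.100.20", 210, 200), "not a log line"]
    rows += [line("203.0.113.7", 4000 + i, 404) for i in range(100)]
    return rows

if __name__ == "__main__":
    for ip, windows in replay(sample_log()).items():
        for start, end in windows:
            print(ip, "banned from", int(start - BASE), "s to", int(end - BASE), "s")
```

Feeding it a real access log with a lower `threshold` shows which legitimate clients, such as crawlers hitting stale links, would be caught before the rules go live.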

Custom HTTP 406 error response

This example uses the 406 HTTP return code, so we can customize the HTTP response page with Apache.

You need to add this to the Apache configuration. On Debian/Ubuntu you can put it in the VHOST configuration in /etc/apache2/sites-enabled/*.conf or in /etc/apache2/apache2.conf:

Example VHOST configuration

<VirtualHost *:80>
    # ... existing directives ...
    ErrorDocument 406 /406.shtml
    # ... existing directives ...
</VirtualHost>

Then create the file /var/www/html/406.shtml in the HTML document root directory, with whatever content you want.

Restarting Apache

apache2ctl configtest
service apache2 restart

You can find more ModSecurity rule examples here.

Protect your site with commercial rule set

Check out Malware.Expert – Mod_Security rules if you want to protect your web server against web attacks.