Directive: e.g. SecRule for rules, duh…
Scan filter: REQUEST_URI or USERAGENT etc. Full list here.
Scan target: for example this can be googlebot when checking the user agent.
Action: what to do if the filter found a hit, e.g. deny, pass, allow, log. It also has to contain a unique ID. Full list here.
Some actions and scan filters have prerequisites to work, and they are mostly documented in the reference manual.
To start with, you can add the following ModSecurity rules in the modsec config before including custom rules.
With this set you can, for example, store connecting IP addresses for up to 8 hours (28800 sec.), and as a comparison you could say this is a form of session, in which you can store session data.
With ModSecurity you can have a rule which stores a variable on top of an IP; with this you can, for example, store how many times in the last 10 minutes someone has visited a page on your website.
Let's make an example like that.
First we need to start storing a "session" for every visiting IP address.
This you can do with the ACTION initcol, like so.
We can then use this information to block googlebot requests if there have been over 10 requests in the last 8 hours.
SecRule ip:counter "@gt 10" "phase:1,log,msg:'googlebot has been blocked due to over 10 requests.',deny,id:1372"
You can also use AND in rules; in modsec this is done by using chains. Chained rules do not require an ID (only the first rule of the chain carries it).
Let's say we will only block googlebot when it has over 10 requests and is visiting a specific file.
SecRule ip:counter "@gt 10" "phase:1,log,msg:'googlebot has been blocked due to over 10 requests.',deny,id:1372,chain"
SecRule REQUEST_URI "somefile.php" "t:none"
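The whole flow described above (per-IP collection, a counter, and the chained deny) written out end to end, as an added example that is not the original post's config; the rule ids 1370-1372, the 10-minute expiry, the @contains operators and the path /somefile.php are assumed for illustration.

```apache
# Added example in ModSecurity v2 syntax; not from the original post.
# Prerequisite: persistent collections (initcol) need SecDataDir set,
# e.g. SecDataDir /var/cache/modsecurity (assumed path).

# 1. Give every client IP its own persistent collection ("session"),
#    keyed on the remote address.
SecAction "phase:1,nolog,pass,id:1370,initcol:ip=%{REMOTE_ADDR}"

# 2. Count googlebot hits per IP. expirevar drops the counter 600 s
#    (10 minutes) after its last update, so ip.counter only ever
#    reflects activity from the last 10 minutes.
SecRule REQUEST_HEADERS:User-Agent "@contains googlebot" \
    "phase:1,nolog,pass,id:1371,t:lowercase,setvar:ip.counter=+1,expirevar:ip.counter=600"

# 3. Chained rules act like AND: the request is denied only when the
#    counter is over 10 AND the URI contains the protected file.
#    Only the first rule in the chain carries the id.
SecRule ip:counter "@gt 10" \
    "phase:1,log,msg:'googlebot has been blocked due to over 10 requests.',deny,id:1372,chain"
    SecRule REQUEST_URI "@contains /somefile.php" "t:none"
```

Check the result in the audit log (SecAuditLog) after sending more than 10 googlebot-tagged requests from one address; the 11th hit on /somefile.php should be logged with id 1372 and denied.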
With this you should have grasped how ModSecurity rules are written, and with the reference manual you can start doing magic 🙂