How to use RegEx for mod_security

apache-2.2brute-force-attacksmod-securityregexurl

I have a directory/site set-up like this on my Apache/2.2.19 (Win32) Server using mod_security + core ruleset/2.2.1

/website1/login.php
/website2/login.php
/website3/login.php
/websiteN/login.php

In my modsecurity_crs_10_config.conf I have

setvar:'tx.brute_force_protected_urls=login.php'

The problem is that it won't work unless I type in the full path for each of the login.php pages, like so:

setvar:'tx.brute_force_protected_urls=/website1/login.php /website2/login.php andSoOn'

I have tried other ways with RegEx to work around it (e.g. /(.*)/login.php) but I can't seem to get it.

So, question is basically; how do you enforce BFP on all pages called login.php on the server?

Thanks.

Best Answer

Try this:

setvar:'tx.brute_force_protected_urls=/login.php'

If it doesn't work, I suggest you enabling debug to see what the logs say.

Related Solutions

Enable Mod_Security for only one website

Well I suppose it is possible if you enable the configuration for mod security ~~either in .htaccess or~~ in the virtual host apache configuration for that particular domain using something like this :

<IfModule mod_security2.c>
    SecRuleEngine On
    ...... (any other directives you might want to override from the defaul conf)
</IfModule>

Also in /etc/httpd/conf.d/mod_security.conf, or wherever the defaul config is stored, set SecRuleEngine Off but leave the other directives in place.

Mod_security – Syntax error

I would say that an action unique ID is mandatory.

Try :

SecRule IP:bf_block "@eq 1" "phase:2,deny,id:'1234',msg:'IP address blocked because of suspected brute-forceattack'"

For id use any number you want, just ensure to not use the same twice (or more).

Related Topic