(1) Compile Apache with mod_security enabled.
(2) Make sure a SecDataDir directive is present.
(3) If you do not have a SecDataDir anywhere, add one and also create the directory. It holds the persistent "ip" collection used by the rule below, so it must be writable by the user Apache runs as. For example:
mkdir /usr/local/apache/logs/modsec
chown root:nobody /usr/local/apache/logs/modsec
----------------------------------------------------------------------
root@server [/usr/local/apache/conf]# cat /usr/local/apache/conf/modsec2.conf | grep SecDataDir
SecDataDir /usr/local/apache/logs/modsec
root@server [/usr/local/apache/conf]#
-------------------------------------------------------------------
(4) Add the rule in a separate file, as follows.
-------------------------------------------------------------------
root@server [/usr/local/apache/conf]# cat modsec2.wplogin.conf
<LocationMatch "/wp-login.php">
# Rate-limits wp-login.php per client IP using a persistent "ip" collection
# (stored under SecDataDir, so that directory must be writable by the user
# Apache runs as).
# The collection is keyed on REMOTE_ADDR. NOTE(review): behind a reverse proxy
# or CDN every client shares the proxy's address, so the limit would hit all
# of them at once — confirm the deployment before relying on this.
SecAction initcol:ip=%{REMOTE_ADDR},pass,nolog,id:313371
# Decay: the counter drops by 3 every 30 s, so a blocked client is released
# once it stops retrying. Runs in phase 5 (logging), i.e. after the response.
SecAction "phase:5,deprecatevar:ip.counter=3/30,pass,nolog,id:313372"
# Deny with 406 once the counter exceeds 1 (roughly from the third request
# inside the decay window). pause:3000 holds this worker for 3 s on every
# denied request, which itself consumes server capacity under a flood —
# consider dropping it. skip:1 is presumably meant to bypass the increment
# below, but deny already stops processing, so it appears to have no effect.
SecRule IP:COUNTER "@gt 1" "phase:2,pause:3000,deny,status:406,setenv:RATELIMITED,skip:1,log,id:313373"
# Count this request; only reached when the rule above did not deny.
SecAction "phase:2,pass,setvar:ip.counter=+1,nolog,id:313374"
</LocationMatch>
root@server [/usr/local/apache/conf]#
-------------------------------------------------------------------
(5) Add the Include line for the new file, as follows.
----------------------------------------------------------------
[root@server/usr/local/apache/conf]# cat modsec2.conf | grep Include
Include "/usr/local/apache/conf/modsec2.user.conf"
Include "/usr/local/apache/conf/modsec2.wplogin.conf"
[root@server/usr/local/apache/conf]#
---------------------------------------------------------------
(6) Make sure that the following ErrorDocument directive exists (the rule denies with status 406).
[root@mserver]# cat /usr/local/apache/conf/includes/errordocument.conf | grep 406
# 406 - Not Acceptable
ErrorDocument 406 /406.shtml
[root@server/usr/local/apache/conf]#
--------------------------------------------------------------
To exclude a few IPs from the rule
---------------------------------
root@server [/usr/local/apache/conf]# cat modsec2.wplogin.conf
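<LocationMatch "/wp-login.php">
# Rate-limits wp-login.php per client IP using a persistent "ip" collection
# (stored under SecDataDir, which must be writable by the user Apache runs as).
# NOTE(review): behind a reverse proxy or CDN, REMOTE_ADDR is the proxy's
# address and all clients would share one counter — confirm the deployment.
SecAction "initcol:ip=%{REMOTE_ADDR},pass,nolog,id:313371"
# Exempt listed addresses before the counter is checked.
# @ipMatchFromFile (ModSecurity 2.7+) matches whole IPs and CIDR ranges; the
# original @pmFromFile is a substring match, so an entry such as 10.0.0.1 would
# also have exempted 10.0.0.10 or 110.0.0.1. The list file keeps the same
# format: one IP or CIDR per line, '#' comments allowed.
# Every rule id must be unique or Apache refuses to start; the original reused
# 313372 on this rule and on the deprecatevar rule below. 313370 is a sample
# id — any unused value works.
SecRule REMOTE_ADDR "@ipMatchFromFile /usr/local/apache/conf/whitlist.txt" "phase:2,nolog,allow,id:313370"
# Decay: the counter drops by 3 every 30 s, so a blocked client is released
# once it stops retrying. Runs in phase 5 (logging), i.e. after the response.
SecAction "phase:5,deprecatevar:ip.counter=3/30,pass,nolog,id:313372"
# Deny with 406 once the counter exceeds 1 (roughly from the third request
# inside the decay window). pause:3000 holds this worker for 3 s on every
# denied request, which consumes server capacity under a flood — consider
# dropping it. skip:1 has no effect after deny, which already stops processing.
SecRule IP:COUNTER "@gt 1" "phase:2,pause:3000,deny,status:406,setenv:RATELIMITED,skip:1,log,id:313373"
# Count this request; only reached when neither rule above ended processing.
SecAction "phase:2,pass,setvar:ip.counter=+1,nolog,id:313374"
</LocationMatch>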
root@server [/usr/local/apache/conf]#
-----------------------------------
