Apache ModSecurity 2

Reference distribution: Debian GNU/Linux 12 Bookworm.

The configuration file is /etc/modsecurity/modsecurity.conf, as indicated in /etc/apache2/mods-available/security2.conf. The same file also optionally includes /usr/share/modsecurity-crs/*.load, so if the modsecurity-crs package is installed those rules are enabled automatically.

# -- Rule engine initialization --
# DetectionOnly evaluates and logs the rules but does not enforce deny actions;
# switch to On once the rules below have been verified in the audit log.
SecRuleEngine DetectionOnly
#SecRuleEngine On
# -- Request body handling --
SecRequestBodyAccess On
# -- Response body handling --
SecResponseBodyAccess Off
# -- Audit log configuration --
SecAuditEngine RelevantOnly
SecAuditLog /var/log/modsec_audit.log

# Track requests to some PHP pages. initcol loads the per-IP persistent
# collection; without it the IP:* variables are not visible in a transaction.
SecRule REQUEST_URI "@beginsWith /wp-login.php" \
    "id:1101,phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},setvar:ip.req_counter_login=+1"
SecRule REQUEST_URI "@beginsWith /xmlrpc.php" \
    "id:1102,phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},setvar:ip.req_counter_xmlrpc=+1"
# Threshold. Intended rate: about one request every 3 seconds (60 req / 180 s);
# as written, the rules fire once more than 1000 requests have been counted
# before the counter expires (see the expirevar rules below).
SecRule IP:req_counter_login \
    "@gt 1000" \
    "id:1201,phase:1,log,deny,status:403,msg:'Blocking IP for hammering wp-login.php',setvar:ip.blocked=1,expirevar:ip.blocked=3600"
SecRule IP:req_counter_xmlrpc \
    "@gt 1000" \
    "id:1202,phase:1,log,deny,status:403,msg:'Blocking IP for hammering xmlrpc.php',setvar:ip.blocked=1,expirevar:ip.blocked=3600"
# Re-arm the counter's expiry on every request: the counter is dropped only after
# 3600 s without requests from that IP (an idle timeout rather than a fixed window).
SecAction "id:1301,phase:1,pass,nolog,expirevar:ip.req_counter_login=3600"
SecAction "id:1302,phase:1,pass,nolog,expirevar:ip.req_counter_xmlrpc=3600"
# Block any further requests while the IP is flagged. IP:BLOCKED is populated only
# in transactions where rules 1101/1102 ran initcol, so this fires on the tracked URIs.
SecRule IP:BLOCKED "@eq 1" "id:1401,phase:1,log,deny,status:403,msg:'IP is temporarily blocked due to rate limiting'"
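
To see how the counter, threshold and expirevar interact over time, the following Python model is added here as an example; it is not part of the page's configuration and not ModSecurity code. It assumes the ModSecurity 2 semantics stated in the docstring (collection state visible only after initcol, `setvar +1` increments, `expirevar` re-arms a per-variable TTL), tracks only /wp-login.php for brevity, and runs over constructed request timelines.

```python
"""Model of the per-IP rate-limit rules (added example, not the page's config).

Assumed ModSecurity 2 semantics: IP:* variables are visible in a transaction
only after initcol (rules 1101/1102); ``setvar:ip.x=+1`` increments x;
``expirevar:ip.x=N`` drops x N seconds after the current request. The request
timelines passed to simulate() are constructed for illustration."""
from dataclasses import dataclass

THRESHOLD = 1000     # "@gt 1000" in rules 1201/1202
COUNTER_TTL = 3600   # expirevar:ip.req_counter_*=3600 (rules 1301/1302)
BLOCK_TTL = 3600     # expirevar:ip.blocked=3600 (rules 1201/1202)
TRACKED = ("/wp-login.php",)  # URI prefixes on which rule 1101 runs initcol


@dataclass
class IpCollection:
    """Persistent per-IP state, as stored by the ip collection."""
    counter: int = 0
    counter_expires: float = 0.0
    blocked_until: float = 0.0


def handle_request(col: IpCollection, now: float, uri: str) -> int:
    """Return the status the phase-1 rules produce for one request (200 = pass)."""
    # Expired variables are dropped when the collection is loaded.
    if now >= col.counter_expires:
        col.counter = 0
    if now >= col.blocked_until:
        col.blocked_until = 0.0
    # Only rules 1101/1102 run initcol; on other URIs IP:* is empty for this
    # transaction, so rules 1201-1401 cannot see the stored state.
    if not uri.startswith(TRACKED):
        return 200
    col.counter += 1                          # rule 1101: setvar +1
    if col.counter > THRESHOLD:               # rule 1201: deny and flag the IP
        col.blocked_until = now + BLOCK_TTL
        return 403
    col.counter_expires = now + COUNTER_TTL   # rule 1301: re-arm the counter TTL
    if col.blocked_until > now:               # rule 1401: still flagged
        return 403
    return 200


def simulate(timeline):
    """Run a list of (time, uri) requests; return the statuses and final state."""
    col = IpCollection()
    return [handle_request(col, t, uri) for t, uri in timeline], col
```

Running a slow timeline (one request every 3000 s) shows the counter never resets because each request re-arms the TTL, while a request to an untracked URI by a flagged IP passes because no initcol ran in that transaction.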

Web References