I need to block IP addresses that access more than 3 domains at the same time, using ModSecurity.
For example, if some IP accessed:
domain1.com/someuri234
domain2.com/someuri2342
domain3.com/someuri534535
domain1.com/someuri234234
domain5.com/someuri234234
Then we block it.
So we need to count the number of domains and check it.
I'd appreciate any help.
I could implement this scenario using exec:/script.sh,
sending the request information through setenv,
and then collecting the request data, analysing it in the script, and blocking IP addresses using the firewall.
SecAction "id:1233456,phase:1,nolog,pass,\
setenv:RQ_REMOTE_HOST=%{REMOTE_HOST},\
setenv:RQ_REMOTE_ADDR=%{REMOTE_ADDR},\
setenv:RQ_SERVER_NAME=%{SERVER_NAME},\
setenv:RQ_SERVER_ADDR=%{SERVER_ADDR},\
setenv:RQ_SERVER_PORT=%{SERVER_PORT},\
setenv:RQ_REQUEST_URI=%{REQUEST_URI},\
setenv:RQ_REQUEST_LINE=%{REQUEST_LINE},\
setenv:RQ_SCRIPT_FILENAME=%{SCRIPT_FILENAME},\
setenv:RQ_SCRIPT_USERNAME=%{SCRIPT_USERNAME},\
setenv:RQ_USERAGENT=%{REQUEST_HEADERS.User-Agent},\
exec:/script.sh"
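One way the script behind `exec:/script.sh` could count distinct domains per IP, as an added example that is not the poster's own script. The state file, blocklist file, 60-second window and function names are assumptions; the blocklist is a plain file that a separate firewall job would consume.

```shell
#!/bin/sh
# Added example: a possible /script.sh for the SecAction above.
# STATE, BLOCKLIST, WINDOW and the function names are assumptions, not from the post.
# No locking is done here; concurrent requests can lose an entry.
STATE="${STATE:-/tmp/modsec_domains.log}"        # lines: "<epoch> <ip> <domain>"
BLOCKLIST="${BLOCKLIST:-/tmp/modsec_block.txt}"  # one IP per line
WINDOW="${WINDOW:-60}"   # seconds treated as "the same time"
LIMIT="${LIMIT:-3}"      # block when distinct domains exceed this

# SERVER_NAME can come from the client-supplied Host header, so only
# accept characters that can appear in an address or hostname.
valid() {
    case "$1" in
        ''|*[!A-Za-z0-9.:-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# record_request IP DOMAIN NOW: drop entries older than WINDOW, append this hit.
record_request() {
    valid "$1" && valid "$2" || return 1
    touch "$STATE"
    awk -v min="$(( $3 - $WINDOW ))" '$1 >= min' "$STATE" > "$STATE.$$"
    printf '%s %s %s\n' "$3" "$1" "$2" >> "$STATE.$$"
    mv "$STATE.$$" "$STATE"
}

# distinct_domains IP: number of different domains this IP hit in the window.
distinct_domains() {
    awk -v ip="$1" '$2 == ip && !seen[tolower($3)]++ { n++ } END { print n + 0 }' "$STATE"
}

# check_ip IP DOMAIN NOW: prints "block" or "pass"; blocked IPs go to BLOCKLIST.
check_ip() {
    record_request "$1" "$2" "$3" || { echo "pass"; return 0; }
    if [ "$(distinct_domains "$1")" -gt "$LIMIT" ]; then
        grep -qxF "$1" "$BLOCKLIST" 2>/dev/null || echo "$1" >> "$BLOCKLIST"
        echo "block"
    else
        echo "pass"
    fi
}

# Entry point when ModSecurity runs the script: RQ_* are set by setenv in the rule.
# The printed verdict also gives exec the stdout output it expects from a script.
if [ -n "${RQ_REMOTE_ADDR:-}" ]; then
    check_ip "$RQ_REMOTE_ADDR" "${RQ_SERVER_NAME:-}" "$(date +%s)"
fi
```

Repeated hits on the same domain do not raise the count, and entries older than the window are discarded on every call, so only the number of different hostnames seen recently decides the verdict.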