View file File name : 999_dreamhost_request_limits.conf Content :#WhiteListing common WordPress Tool UAs SecRule REQUEST_HEADERS:User-Agent "@pmFromFile WPtoolUA.data" "id:999000,phase:1,nolog,allow,ctl:ruleEngine=off" #Wordpress Spam Bruteforce Mitigation SecRule REQUEST_FILENAME "/xmlrpc.php" "chain,phase:1,id:999001,nolog,auditlog,deny,msg:'More than 11 hits to %{REQUEST_FILENAME} in 60 seconds',logdata:'%{MATCHED_VAR} requests seen'" SecRule REQUEST_METHOD "@streq POST" "chain,setvar:IP.HITCOUNT_XMLRPC=+1,expirevar:IP.HITCOUNT_XMLRPC=60" SecRule IP:HITCOUNT_XMLRPC "@gt 11" #Bruteforce Mitigation SecRule REQUEST_FILENAME "/article_add.php" "chain,phase:1,id:999002,nolog,auditlog,deny,msg:'More than 3 hits to %{REQUEST_FILENAME} in 60 seconds',logdata:'%{MATCHED_VAR} requests seen'" SecRule REQUEST_METHOD "@streq POST" "chain,setvar:IP.HITCOUNT_ARTICLE_ADD=+1,expirevar:IP.HITCOUNT_ARTICLE_ADD=60" SecRule IP:HITCOUNT_ARTICLE_ADD "@gt 3" #Wordpress Spam Bruteforce Mitigation SecRule REQUEST_FILENAME "/wp-comments-post.php" "chain,phase:1,id:999003,nolog,auditlog,deny,msg:'More than 3 hits to %{REQUEST_FILENAME} in 60 seconds',logdata:'%{MATCHED_VAR} requests seen'" SecRule REQUEST_METHOD "@streq POST" "chain,setvar:IP.HITCOUNT_WP_COMMENTS=+1,expirevar:IP.HITCOUNT_WP_COMMENTS=60" SecRule IP:HITCOUNT_WP_COMMENTS "@gt 3" #MoveableType Spam Bruteforce Mitigation SecRule REQUEST_FILENAME "/mt-comments.cgi" "chain,phase:1,id:999004,nolog,auditlog,deny,msg:'More than 3 hits to %{REQUEST_FILENAME} in 60 seconds',logdata:'%{MATCHED_VAR} requests seen'" SecRule REQUEST_METHOD "@streq POST" "chain,setvar:IP.HITCOUNT_MT_COMMENTS=+1,expirevar:IP.HITCOUNT_MT_COMMENTS=60" SecRule IP:HITCOUNT_MT_COMMENTS "@gt 3" #Forum Spam Bruteforce Mitigation SecRule REQUEST_FILENAME "/register.php" "chain,phase:2,id:999005,nolog,auditlog,deny,msg:'More than 3 hits to %{REQUEST_FILENAME} in 60 seconds',logdata:'%{MATCHED_VAR} requests seen'" SecRule ARGS "do\=addmember" "chain" SecRule REQUEST_METHOD "@streq POST" "chain,setvar:IP.HITCOUNT_REGISTER=+1,expirevar:IP.HITCOUNT_REGISTER=60" SecRule IP:HITCOUNT_REGISTER "@gt 3" #Forum Spam Bruteforce Mitigation SecRule REQUEST_FILENAME "/ucp.php" "chain,phase:2,id:999006,nolog,auditlog,deny,msg:'More than 3 hits to %{REQUEST_FILENAME} in 60 seconds',logdata:'%{MATCHED_VAR} requests seen'" SecRule ARGS "mode\=register" "chain" SecRule REQUEST_METHOD "@streq POST" "chain,setvar:IP.HITCOUNT_UCP=+1,expirevar:IP.HITCOUNT_UCP=60" SecRule IP:HITCOUNT_UCP "@gt 3" #Comment Spam Bruteforce Mitigation SecRule REQUEST_FILENAME "/add_comment.php" "chain,phase:1,id:999007,nolog,auditlog,deny,msg:'More than 3 hits to %{REQUEST_FILENAME} in 60 seconds',logdata:'%{MATCHED_VAR} requests seen'" SecRule REQUEST_METHOD "@streq POST" "chain,setvar:IP.HITCOUNT_ADD_COMMENT=+1,expirevar:IP.HITCOUNT_ADD_COMMENT=60" SecRule IP:HITCOUNT_ADD_COMMENT "@gt 3" #Drupal Spam Bruteforce Mitigation SecRule REQUEST_FILENAME "/register/" "chain,phase:2,id:999008,nolog,auditlog,deny,msg:'More than 3 hits to %{REQUEST_FILENAME} in 60 seconds',logdata:'%{MATCHED_VAR} requests seen'" SecRule ARGS "q\=user/register" chain SecRule REQUEST_METHOD "@streq POST" "chain,setvar:IP.HITCOUNT_DRUPAL_REGISTER=+1,expirevar:IP.HITCOUNT_DRUPAL_REGISTER=60" SecRule IP:HITCOUNT_DRUPAL_REGISTER "@gt 3" #MediaWiki Spam Bruteforce Mitigation SecRule REQUEST_FILENAME "/index.php" "chain,phase:2,id:999009,nolog,auditlog,deny,msg:'More than 3 hits to %{REQUEST_FILENAME} in 60 seconds',logdata:'%{MATCHED_VAR} requests seen'" SecRule ARGS "title\=Special\:Userlogin" "chain" SecRule REQUEST_METHOD "@streq POST" "chain,setvar:IP.HITCOUNT_WIKI=+1,expirevar:IP.HITCOUNT_WIKI=60" SecRule IP:HITCOUNT_WIKI "@gt 3" #WP-Login.php Bruteforce Mitigation SecRule RESPONSE_STATUS "@eq 302" "chain,phase:3,t:none,nolog,setvar:IP.HITCOUNT_WP_LOGIN=0,id:999016,pass" SecRule REQUEST_FILENAME "/wp-login.php" "t:none,t:lowercase,chain" SecRule REQUEST_METHOD "@streq post" SecRule REQUEST_FILENAME "/wp-login.php" "chain,phase:3,id:999017,t:none,nolog,allow" SecRule REQUEST_METHOD "@streq POST" "chain,setvar:IP.HITCOUNT_WP_LOGIN=+1,expirevar:IP.HITCOUNT_WP_LOGIN=60" SecRule RESPONSE_STATUS "@eq 200" SecRule IP:HITCOUNT_WP_LOGIN "@ge 5" "chain,phase:2,id:999012,nolog,auditlog,t:none,deny,msg:'More than 4 Invalid Authentication attempts to %{REQUEST_FILENAME} in 60 seconds',logdata:'%{MATCHED_VAR} requests seen'" SecRule REQUEST_METHOD "@streq POST" "setvar:IP.HITCOUNT_WP_LOGIN=0" #Wordpress DDos Attack Mitigation SecRule REQUEST_FILENAME "/load-scripts.php" "chain,phase:1,id:999013,nolog,auditlog,deny,msg:'More than 5 hits to %{REQUEST_FILENAME} in 60 seconds',logdata:'%{MATCHED_VAR} requests seen'" SecRule REQUEST_METHOD "@streq POST" "chain,setvar:IP.HITCOUNT_LOAD_SCRIPTS=+1,expirevar:IP.HITCOUNT_LOAD_SCRIPTS=60" SecRule IP:HITCOUNT_LOAD_SCRIPTS "@gt 5" #Wordpress DDos Attack Mitigation SecRule REQUEST_FILENAME "/load-styles.php" "chain,phase:1,id:999014,nolog,auditlog,deny,msg:'More than 5 hits to %{REQUEST_FILENAME} in 60 seconds',logdata:'%{MATCHED_VAR} requests seen'" SecRule REQUEST_METHOD "@streq POST" "chain,setvar:IP.HITCOUNT_LOAD_STATS=+1,expirevar:IP.HITCOUNT_LOAD_STATS=60" SecRule IP:HITCOUNT_LOAD_STATS "@gt 5"