File: //etc/modsecurity/mod_sec3_CRS/999_dreamhost_request_limits.conf
#WhiteListing common WordPress Tool UAs
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile WPtoolUA.data" "id:999000,phase:1,nolog,allow,ctl:ruleEngine=off"
#Wordpress Spam Bruteforce Mitigation
SecRule REQUEST_FILENAME "/xmlrpc.php" "chain,phase:1,id:999001,nolog,auditlog,deny,msg:'More than 11 hits to %{REQUEST_FILENAME} in 60 seconds',logdata:'%{MATCHED_VAR} requests seen'"
	SecRule REQUEST_METHOD "@streq POST" "chain,setvar:IP.HITCOUNT_XMLRPC=+1,expirevar:IP.HITCOUNT_XMLRPC=60"
		SecRule IP:HITCOUNT_XMLRPC "@gt 11"
#Bruteforce Mitigation
SecRule REQUEST_FILENAME "/article_add.php" "chain,phase:1,id:999002,nolog,auditlog,deny,msg:'More than 3 hits to %{REQUEST_FILENAME} in 60 seconds',logdata:'%{MATCHED_VAR} requests seen'"
	SecRule REQUEST_METHOD "@streq POST" "chain,setvar:IP.HITCOUNT_ARTICLE_ADD=+1,expirevar:IP.HITCOUNT_ARTICLE_ADD=60"
		SecRule IP:HITCOUNT_ARTICLE_ADD "@gt 3"
#Wordpress Spam Bruteforce Mitigation
SecRule REQUEST_FILENAME "/wp-comments-post.php" "chain,phase:1,id:999003,nolog,auditlog,deny,msg:'More than 11 hits to %{REQUEST_FILENAME} in 60 seconds',logdata:'%{MATCHED_VAR} requests seen'"
	SecRule REQUEST_METHOD "@streq POST" "chain,setvar:IP.HITCOUNT_WP_COMMENTS=+1,expirevar:IP.HITCOUNT_WP_COMMENTS=60"
		SecRule IP:HITCOUNT_WP_COMMENTS "@gt 11"
#MoveableType Spam Bruteforce Mitigation
SecRule REQUEST_FILENAME "/mt-comments.cgi" "chain,phase:1,id:999004,nolog,auditlog,deny,msg:'More than 3 hits to %{REQUEST_FILENAME} in 60 seconds',logdata:'%{MATCHED_VAR} requests seen'"
	SecRule REQUEST_METHOD "@streq POST" "chain,setvar:IP.HITCOUNT_MT_COMMENTS=+1,expirevar:IP.HITCOUNT_MT_COMMENTS=60"
		SecRule IP:HITCOUNT_MT_COMMENTS "@gt 3"
#Forum Spam  Bruteforce Mitigation
SecRule REQUEST_FILENAME "/register.php" "chain,phase:2,id:999005,nolog,auditlog,deny,msg:'More than 3 hits to %{REQUEST_FILENAME} in 60 seconds',logdata:'%{MATCHED_VAR} requests seen'"
	SecRule ARGS "do\=addmember" "chain"
		SecRule REQUEST_METHOD "@streq POST" "chain,setvar:IP.HITCOUNT_REGISTER=+1,expirevar:IP.HITCOUNT_REGISTER=60"
			SecRule IP:HITCOUNT_REGISTER "@gt 3"
#Forum Spam Bruteforce Mitigation
SecRule REQUEST_FILENAME "/ucp.php" "chain,phase:2,id:999006,nolog,auditlog,deny,msg:'More than 3 hits to %{REQUEST_FILENAME} in 60 seconds',logdata:'%{MATCHED_VAR} requests seen'"
	SecRule ARGS "mode\=register" "chain"
		SecRule REQUEST_METHOD "@streq POST" "chain,setvar:IP.HITCOUNT_UCP=+1,expirevar:IP.HITCOUNT_UCP=60"
			SecRule IP:HITCOUNT_UCP "@gt 3"
#Comment Spam Bruteforce Mitigation
SecRule REQUEST_FILENAME "/add_comment.php" "chain,phase:1,id:999007,nolog,auditlog,deny,msg:'More than 3 hits to %{REQUEST_FILENAME} in 60 seconds',logdata:'%{MATCHED_VAR} requests seen'"
	SecRule REQUEST_METHOD "@streq POST" "chain,setvar:IP.HITCOUNT_ADD_COMMENT=+1,expirevar:IP.HITCOUNT_ADD_COMMENT=60"
		SecRule IP:HITCOUNT_ADD_COMMENT "@gt 3"
#Drupal Spam Bruteforce Mitigation
SecRule REQUEST_FILENAME "/register/" "chain,phase:2,id:999008,nolog,auditlog,deny,msg:'More than 3 hits to %{REQUEST_FILENAME} in 60 seconds',logdata:'%{MATCHED_VAR} requests seen'"
	SecRule ARGS "q\=user/register" chain
		SecRule REQUEST_METHOD "@streq POST" "chain,setvar:IP.HITCOUNT_DRUPAL_REGISTER=+1,expirevar:IP.HITCOUNT_DRUPAL_REGISTER=60"
			SecRule IP:HITCOUNT_DRUPAL_REGISTER "@gt 3"
#MediaWiki Spam Bruteforce Mitigation
SecRule REQUEST_FILENAME "/index.php" "chain,phase:2,id:999009,nolog,auditlog,deny,msg:'More than 3 hits to %{REQUEST_FILENAME} in 60 seconds',logdata:'%{MATCHED_VAR} requests seen'"
	SecRule ARGS "title\=Special\:Userlogin" "chain"
		SecRule REQUEST_METHOD "@streq POST" "chain,setvar:IP.HITCOUNT_WIKI=+1,expirevar:IP.HITCOUNT_WIKI=60"
			SecRule IP:HITCOUNT_WIKI "@gt 3"
#WP-Login.php Bruteforce Mitigation
SecRule RESPONSE_STATUS "@eq 302" "chain,phase:3,t:none,nolog,setvar:IP.HITCOUNT_WP_LOGIN=0,id:999016,pass"
        SecRule REQUEST_FILENAME "/wp-login.php" "t:none,t:lowercase,chain"
                SecRule REQUEST_METHOD "@streq post"
SecRule REQUEST_FILENAME "/wp-login.php" "chain,phase:3,id:999017,t:none,nolog,allow"
        SecRule REQUEST_METHOD "@streq POST" "chain,setvar:IP.HITCOUNT_WP_LOGIN=+1,expirevar:IP.HITCOUNT_WP_LOGIN=60"
                SecRule RESPONSE_STATUS "@eq 200"
SecRule IP:HITCOUNT_WP_LOGIN "@ge 5" "chain,phase:2,id:999012,nolog,auditlog,t:none,deny,msg:'More than 4 Invalid Authentication attempts to %{REQUEST_FILENAME} in 60 seconds',logdata:'%{MATCHED_VAR} requests seen'"
        SecRule REQUEST_METHOD "@streq POST" "setvar:IP.HITCOUNT_WP_LOGIN=0"
#Wordpress DDos Attack Mitigation
SecRule REQUEST_FILENAME "/load-scripts.php" "chain,phase:1,id:999013,nolog,auditlog,deny,msg:'More than 5 hits to %{REQUEST_FILENAME} in 60 seconds',logdata:'%{MATCHED_VAR} requests seen'"
	SecRule REQUEST_METHOD "@streq POST" "chain,setvar:IP.HITCOUNT_LOAD_SCRIPTS=+1,expirevar:IP.HITCOUNT_LOAD_SCRIPTS=60"
		SecRule IP:HITCOUNT_LOAD_SCRIPTS "@gt 5"
#Wordpress DDos Attack Mitigation
SecRule REQUEST_FILENAME "/load-styles.php" "chain,phase:1,id:999014,nolog,auditlog,deny,msg:'More than 5 hits to %{REQUEST_FILENAME} in 60 seconds',logdata:'%{MATCHED_VAR} requests seen'"
    SecRule REQUEST_METHOD "@streq POST" "chain,setvar:IP.HITCOUNT_LOAD_STATS=+1,expirevar:IP.HITCOUNT_LOAD_STATS=60"
	SecRule IP:HITCOUNT_LOAD_STATS "@gt 5"