From c7b5f0e4362cc77025f1a79de260712ab72a45db Mon Sep 17 00:00:00 2001
From: vasco
Date: Sun, 31 May 2026 21:53:41 +0100
Subject: [PATCH] oops

---
 conf/modsecurity.conf | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/conf/modsecurity.conf b/conf/modsecurity.conf
index 75cb3c3..980f1e4 100644
--- a/conf/modsecurity.conf
+++ b/conf/modsecurity.conf
@@ -16,9 +16,22 @@ SecRule ARGS "<.*>" \
 "id:950003,phase:2,deny,status:403,msg:'XSS/HTML Injection Detected',log"
 
 # command injection
-SecRule ARGS "exec|cat|more|ls|dir|/etc/passwd" \
+SecRule ARGS "(\"role\".*:.*\"admin\")|exec|cat|more|ls|dir|/etc/passwd" \
 "id:950006,phase:2,deny,status:403,msg:'Command Injection Detected',log"
 
 # path traversal
 SecRule ARGS "(\./|\.\./)|ftp|metrics|api-docs" \
- "id:950007,phase:2,deny,status:403,msg:'Path Traversal Attempt',log"
\ No newline at end of file
+ "id:950007,phase:2,deny,status:403,msg:'Path Traversal Attempt',log"
+
+# exposed stuff
+SecRule REQUEST_URI "ftp|metrics|api-docs" \
+ "id:950008,phase:2,deny,status:500,msg:'Attempt to access ftp, metrics, api-docs',log"
+
+# rate limiting on login endpoint
+# (max 5 requests per 30s per IP)
+SecAction \
+ "id:950009,phase:1,initcol:ip=%{REMOTE_ADDR},pass,nolog"
+SecRule REQUEST_URI "@streq /rest/user/login" \
+ "id:950010,phase:2,pass,nolog,setvar:ip.login_count=+1,expirevar:ip.login_count=30"
+SecRule IP:LOGIN_COUNT "@gt 5" \
+ "id:950011,phase:2,deny,status:429,msg:'Rate Limit Exceeded on Login',log"
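Review bot: Rule 950010 keys the login counter on `REQUEST_URI "@streq /rest/user/login"`, and REQUEST_URI includes the query string, so only requests whose URI is exactly that path are counted; `SecRule REQUEST_FILENAME "@streq /rest/user/login" \` counts the login path regardless of query parameters. Rule 950011 carries no URI condition, so once `ip.login_count` exceeds 5 the address is denied on every phase-2 request until the 30 s expiry, not only on login — either chain it to the same path check or state that site-wide lockout in the comment if it is intended. The collection in 950009 is keyed on `%{REMOTE_ADDR}`; if this instance sits behind a reverse proxy that address is the proxy's, and one shared counter would lock all clients out of login after five attempts from anyone, so confirm how client addresses reach this host. Rule 950008 answers a deliberate block with `status:500`, which records it as a server fault in logs and monitoring while the neighbouring deny rules use 403. The edit to 950006 makes a `"role":"admin"` argument fire with msg `'Command Injection Detected'`, which will mislead whoever triages the alert; a separate rule id with its own msg (e.g. `msg:'Privilege escalation via role parameter'`) keeps the log accurate.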