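# ModSecurity (v2 directive syntax) rule set: engine/logging setup, a few custom
# blocking rules, and a per-IP rate limit on the login endpoint.
# Rule ids 950001-950011 are local to this file.

SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess On

SecDebugLog /var/log/modsecurity/debug.log
SecDebugLogLevel 0
SecAuditLogParts ABIJ
SecAuditLogType Serial
SecAuditLog /var/log/modsecurity/audit.log

# NOTE(review): rule 950009 uses initcol, which needs a persistent collection
# store (SecDataDir in ModSecurity v2) — confirm it is configured elsewhere.

# sql injection
# phase:2 (was phase:1): request-body ARGS are only populated once the body has
# been read, so a phase:1 rule inspects the query string only and skips POST
# parameters entirely.
SecRule REQUEST_URI|ARGS "@rx ['\";]|--" \
    "id:950001,phase:2,deny,status:403,msg:'SQL Injection Attack Detected',log"

# xss / html injection
# The variable list was "REQUEST_URI ARGS" (missing '|'), which makes the
# directive take ARGS as the operator and the regex as the actions string.
# Moved to phase:2 for the same reason as 950001.
SecRule REQUEST_URI|ARGS "@rx <.*>" \
    "id:950003,phase:2,deny,status:403,msg:'XSS/HTML Injection Detected',log"

# command injection (plus a role-escalation check on a JSON "role" field)
# Word boundaries added around the command names: the bare alternatives
# "cat|more|ls|dir" matched inside ordinary words (e.g. "category", "details",
# "direct") and blocked legitimate parameters.
# NOTE(review): the "role":"admin" pattern only sees JSON bodies if ARGS is
# populated from them, i.e. a JSON request body processor is enabled — confirm.
SecRule ARGS "@rx (\"role\".*:.*\"admin\")|\b(exec|cat|more|ls|dir)\b|/etc/passwd" \
    "id:950006,phase:2,deny,status:403,msg:'Command Injection Detected',log"

# path traversal
# Split from the exposed-endpoint rule below: the original 950008 pattern was a
# strict subset of 950007's, so 950007 always fired (and denied) first and
# 950008 could never be reached.
SecRule REQUEST_URI|ARGS "@rx \%00|\%2500|\.\./" \
    "id:950007,phase:2,deny,status:403,msg:'Path traversal attempt',log"

# exposed endpoints (ftp, metrics, api-docs)
# Responds with 500 rather than 403 — presumably so the block does not confirm
# that the endpoint exists; verify this is intended. The pattern is an
# unanchored substring match, so any parameter value containing "ftp" or
# "metrics" is also blocked.
SecRule REQUEST_URI|ARGS "@rx ftp|metrics|api-docs" \
    "id:950008,phase:2,deny,status:500,msg:'Attempt to access ftp, metrics, api-docs',log"

# rate limiting on login endpoint
# (max 5 requests per 30s per IP)
# NOTE(review): REMOTE_ADDR is the TCP peer address; behind a reverse proxy all
# clients share the proxy's address and one noisy client locks everyone out —
# confirm the deployment topology.
SecAction \
    "id:950009,phase:1,initcol:ip=%{REMOTE_ADDR},pass,nolog"

# Counter is incremented on every login request and expires 30s after the
# last increment (sliding window).
SecRule REQUEST_URI "@streq /rest/user/login" \
    "id:950010,phase:2,pass,nolog,setvar:ip.login_count=+1,expirevar:ip.login_count=30"

# Chained on the login URI: the original checked IP:LOGIN_COUNT on every
# request, so an IP over the limit was denied on all endpoints for the whole
# 30s window, not just on login as the comment states. In a chain the
# disruptive action is declared on the first rule and fires only when every
# rule in the chain matches.
SecRule REQUEST_URI "@streq /rest/user/login" \
    "id:950011,phase:2,chain,deny,status:429,msg:'Rate Limit Exceeded on Login',log"
    SecRule IP:LOGIN_COUNT "@gt 5"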