# Make sure this is set (needed for connection tracking data).
# I don't think SecDataDir is configured by default. It needs to be set.
# Ensure the folder is owned by the webserver user with secure permissions.
SecDataDir /tmp/secdatadir

# The 404 handler should be sufficient as it'll deflect the attack to a non-php page.
# Use 410 (Gone) otherwise, as some people handle 404 with a php page (BAD!).
# Expire tracking in 5 minutes, and decrement the hit counter by 10 every 5 seconds.
# --------
SecRule REQUEST_METHOD "(^HEAD$)" "chain,msg:'bot',id:'ruicruz_keepdead',rev:'1',phase:1,deny,status:404,severity:'1'"
SecAction "nolog,noauditlog,initcol:IP=%{REMOTE_ADDR},setvar:IP.headcount=+1,expirevar:IP.headcount=300,deprecatevar:IP.headcount=10/5,chain,t:none"
SecRule IP:HEADCOUNT "@gt 5" "setenv:MODSEC=bot-ratelimit"
# --------
# for any help, contact mail at ruicruz dot pt
# --------
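
To see how the threshold (5), the 300-second expiry and the 10/5 decay interact before tuning them, the following added example (not part of the original rule set and not ModSecurity code) replays constructed traffic through a simplified model of the per-IP HEAD counter. It assumes actions run in the listed order and that decay is applied in whole 5-second steps measured from the previous update of that IP's record; `HeadCounter` and `replay` are hypothetical names.

```python
# Simplified model of the per-IP HEAD counter (added example, not ModSecurity code).
# Assumption: decay is applied in whole DECAY_PERIOD steps, measured from the
# previous update of that IP's record.

THRESHOLD = 5       # SecRule IP:HEADCOUNT "@gt 5"
EXPIRE = 300        # expirevar:IP.headcount=300
DECAY_AMOUNT = 10   # deprecatevar:IP.headcount=10/5
DECAY_PERIOD = 5


class HeadCounter:
    def __init__(self):
        self.state = {}  # ip -> (count, time of last update)

    def hit(self, ip, now):
        """Record one HEAD request at `now` (seconds). True means denied."""
        count, last = self.state.get(ip, (0, None))
        idle = None if last is None else now - last
        if idle is not None and idle >= EXPIRE:
            count = 0                       # counter expired while idle
        count += 1                          # setvar:IP.headcount=+1
        if idle is not None:                # a brand-new record has nothing to decay
            count = max(0, count - DECAY_AMOUNT * (idle // DECAY_PERIOD))
        self.state[ip] = (count, now)
        return count > THRESHOLD


def replay(events):
    """events: iterable of (timestamp, ip). Returns {ip: number of denied HEADs}."""
    counter, denied = HeadCounter(), {}
    for ts, ip in sorted(events):
        denied.setdefault(ip, 0)
        if counter.hit(ip, ts):
            denied[ip] += 1
    return denied


# Constructed sample traffic using documentation addresses (RFC 5737).
BURST = [(0, "192.0.2.10")] * 20                              # 20 HEADs at once
MONITOR = [(t, "198.51.100.7") for t in range(0, 600, 60)]    # 1 HEAD per minute
STEADY = [(t, "203.0.113.5") for t in range(60)]              # 1 HEAD per second

if __name__ == "__main__":
    for ip, n in replay(BURST + MONITOR + STEADY).items():
        print(f"{ip}: {n} denied HEAD requests")
```

Under these assumptions a client sending one HEAD per second is also denied from its sixth request on, because its record is never idle for a full five seconds; a once-a-minute monitoring probe is never denied.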