@izenn
Created October 27, 2018 00:02
mod_security brute force prevention
# Retrieve the IP address
SecAction "id:'2000000',phase:1,nolog,pass,initcol:IP=%{REMOTE_ADDR}"
# Enforce an existing IP address block
SecRule IP:bf_block "@eq 1" \
"id:'2000001',phase:1,deny,\
msg:'IP address blocked because of suspected brute-force attack'"
# Retrieve the username
SecRule REQUEST_HEADERS:Authorization "Basic (.*)" "chain,capture,phase:1,pass,id:'2000002'"
SecRule TX:1 "^([-a-zA-Z0-9_]+):" "t:base64Decode,chain,capture"
SecAction "initcol:USER=%{TX.1}"
# Enforce an existing username block
SecRule USER:bf_block "@eq 1" \
"id:'2000003',phase:1,deny,\
msg:'Username \"%{REMOTE_USER}\" blocked because of suspected brute-force attack'"
# Check that this is a POST
# Check that this is a GET (change the method to match your login endpoint)
SecRule REQUEST_METHOD "@streq GET" "id:'2000004',phase:5,chain,t:none,nolog,pass"
# AND Check for authentication failure and increment counters
# NOTE this is for a Rails application, you probably need to customize this
SecRule RESPONSE_STATUS "!200" \
"setvar:IP.bf_counter=+1,setvar:USER.bf_counter=+1"
# Check for too many failures for a single username
SecRule USER:bf_counter "@ge 3" \
"id:'2000005',phase:5,t:none,pass,\
setvar:USER.bf_block,\
setvar:!USER.bf_counter,\
expirevar:USER.bf_block=600"
# Check for too many failures from a single IP address. Block for 10 minutes.
SecRule IP:bf_counter "@ge 3" \
"id:'2000006',phase:5,pass,t:none,\
setvar:IP.bf_block,\
setvar:!IP.bf_counter,\
expirevar:IP.bf_block=600"
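To see how the rules above behave over a sequence of requests without standing up Apache, here is an added Python simulation (not part of the gist) of the same logic: username extraction as in rule 2000002, the phase-1 block checks, and the phase-5 counters with the 3-failure threshold and 600-second block expiry. It assumes ModSecurity 2.x semantics for persistent collections (setvar on a collection that was never initialised does nothing; the logging phase still runs for a denied request), uses a fake clock so expiry can be exercised offline, and all addresses and credentials are constructed sample values.

```python
import base64
import re
import time

FAILURE_THRESHOLD = 3   # "@ge 3" in rules 2000005 and 2000006
BLOCK_SECONDS = 600     # expirevar:...bf_block=600

# The two patterns from rule 2000002: the base64 blob after "Basic ",
# then the username up to the first colon of the decoded credentials.
_AUTH_RE = re.compile(r"Basic (.*)")
_USER_RE = re.compile(r"^([-a-zA-Z0-9_]+):")

def basic_header(username, password):
    """Build an HTTP Basic Authorization value (helper for demo and tests)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"

def extract_username(authorization):
    """Return the key rule 2000002 stores in USER, or None if the chain fails."""
    m = _AUTH_RE.search(authorization or "")
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    m = _USER_RE.match(decoded)
    return m.group(1) if m else None

class BruteForceGuard:
    """In-memory stand-in for the IP and USER persistent collections."""

    def __init__(self, now=time.time):
        self._now = now
        self._counters = {}  # (collection, key) -> bf_counter
        self._blocks = {}    # (collection, key) -> bf_block expiry timestamp

    def _is_blocked(self, collection, key):
        expiry = self._blocks.get((collection, key))
        if expiry is None:
            return False
        if self._now() >= expiry:  # expirevar has lapsed
            del self._blocks[(collection, key)]
            return False
        return True

    def check_request(self, ip, authorization):
        """Phase 1 (rules 2000001 and 2000003): deny reason, or None to allow."""
        if self._is_blocked("IP", ip):
            return "ip-blocked"
        user = extract_username(authorization)
        if user is not None and self._is_blocked("USER", user):
            return "user-blocked"
        return None

    def record_response(self, ip, authorization, method, status):
        """Phase 5 (rules 2000004-2000006): count failures and arm blocks."""
        if method != "GET" or status == 200:  # rule 2000004 as written
            return
        user = extract_username(authorization)
        for collection, key in (("IP", ip), ("USER", user)):
            if key is None:  # no USER collection, so setvar does nothing
                continue
            count = self._counters.get((collection, key), 0) + 1
            if count >= FAILURE_THRESHOLD:
                self._blocks[(collection, key)] = self._now() + BLOCK_SECONDS
                self._counters.pop((collection, key), None)  # setvar:!X.bf_counter
            else:
                self._counters[(collection, key)] = count

def demo():
    """Two constructed scenarios; returns the phase-1 decision per request."""
    clock = [1000.0]  # fake clock so block expiry can be tested offline
    guard = BruteForceGuard(now=lambda: clock[0])
    hdr = basic_header("alice", "wrong-password")

    # Scenario 1: one address, one username, four failed GETs, then the same
    # request after the 600 s block lapses. Phase 5 still runs for a denied
    # request, so the 403 is counted as a further failure.
    same_ip = []
    for _ in range(4):
        decision = guard.check_request("203.0.113.7", hdr)
        same_ip.append(decision)
        guard.record_response("203.0.113.7", hdr, "GET", 403 if decision else 401)
    clock[0] += BLOCK_SECONDS
    same_ip.append(guard.check_request("203.0.113.7", hdr))

    # Scenario 2: fresh state, same username from a new address each time,
    # so only the USER counter reaches the threshold.
    guard = BruteForceGuard(now=lambda: clock[0])
    spread = []
    for i in range(4):
        ip = f"198.51.100.{i + 1}"
        decision = guard.check_request(ip, hdr)
        spread.append(decision)
        guard.record_response(ip, hdr, "GET", 403 if decision else 401)
    return {"same_ip": same_ip, "spread_ips": spread}
```

Two things the simulation makes visible that the rule listing does not. First, the username capture in rule 2000002 only accepts `[-a-zA-Z0-9_]`, so a login such as `bob@example.com` never initialises a USER collection and is protected only by the per-IP counter; widen that character class if your application uses e-mail addresses as usernames. Second, because `bf_counter` has no `expirevar` of its own, failures accumulate until the threshold is reached or the collection itself times out, and a denied request during a block is itself a non-200 response, so continued attempts from a blocked source keep feeding the counter and re-arm the block.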