I want to ban IP addresses that cause multiple 404 errors on my website. I've Googled a lot and found a few scripts that gave me ideas to start, and I combined them. Here is my script:
# Determining temp data dir
SecDataDir "C:\logs\datastore"
#
# Loading previous data for the IP request
SecAction "phase:1,initcol:ip=%{REMOTE_ADDR},id:'1006'"
#
# Incrementing block_script counter if client caused status #404
SecRule RESPONSE_STATUS "@streq 404" "phase:2,pass,setvar:ip.block_script=+1,expirevar:ip.block_script=30,id:'1007'"
#
# Denying the request if the block_script counter is greater than 3
SecRule IP:BLOCK_SCRIPT "@gt 3" "phase:2,deny,status:403,id:'1008'"
For some reason, it doesn't work. I believe there is some error. I am very sorry, I am not a coding guru or even a programmer. I am just playing with my homebrewed project when I have time. I hope that somebody will help me and that my mistake is easy to find and fix.
Thanks in advance!
The 'datastore' dir is created and accessible, and there I can see 2 files of 0 bytes size.
Thanks!
Looks like the final and precisely working version is:
SecAction "phase:1,initcol:ip=%{REMOTE_ADDR},id:'1006'"
SecRule RESPONSE_STATUS "@streq 404" "phase:3,pass,setvar:ip.block_script=+1,expirevar:ip.block_script=600,id:'1007'"
SecRule IP:BLOCK_SCRIPT "@ge 3" "phase:2,deny,status:403,id:'1008'"
You have to change the ip.block_script var (ban time) and the 3 after ge (error counter) to the required values, e.g. 3600 and 5 respectively.
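To see what a given error threshold and ban time would do before changing the rules, the Python sketch below replays requests through the same counter logic as the final rules above. It is an added example, not part of the original posts: a simplified model that assumes expirevar restarts the timer on every counted 404 and that a denied request never reaches rule 1007, with constructed sample requests and addresses.

```python
from collections import defaultdict

THRESHOLD = 3      # the "3" after @ge in rule 1008
BAN_SECONDS = 600  # the expirevar value in rule 1007

# Constructed sample: (seconds, client IP, status the site would return if allowed)
SAMPLE = [
    (0, "203.0.113.7", 404), (5, "203.0.113.7", 404), (9, "203.0.113.7", 404),
    (12, "203.0.113.7", 200), (300, "203.0.113.7", 200), (610, "203.0.113.7", 200),
    (20, "198.51.100.20", 404), (700, "198.51.100.20", 404),
    (1400, "198.51.100.20", 404),
]

def replay(events, threshold=THRESHOLD, ban_seconds=BAN_SECONDS):
    """Return (time, ip, final_status) for each request under the modelled rules."""
    counter = defaultdict(int)  # models ip.block_script
    expires = {}                # models the expirevar deadline per IP
    results = []
    for ts, ip, status in sorted(events):
        # The variable disappears once its expiry deadline has passed.
        if ip in expires and ts >= expires[ip]:
            counter.pop(ip, None)
            del expires[ip]
        # Rule 1008 runs in phase 2, before any response exists for this request.
        if counter[ip] >= threshold:
            results.append((ts, ip, 403))
            continue
        # Rule 1007 runs in phase 3, when the response status is known.
        if status == 404:
            counter[ip] += 1
            expires[ip] = ts + ban_seconds
        results.append((ts, ip, status))
    return results

def denied(results):
    """Requests that ended in a 403 from the modelled rule 1008."""
    return [(ts, ip) for ts, ip, status in results if status == 403]

if __name__ == "__main__":
    for row in replay(SAMPLE):
        print(*row)
    print("denied:", denied(replay(SAMPLE)))
```

In this model the third 404 is still served as a 404, the ban applies from the next request, and a client whose 404s are spaced more than the ban time apart is never blocked.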