Project HoneyPOT is very good to avoid spammers, hackers and crackers, before they arrive to your sites. Modsecurity can implement this, and COMOD could add this.
Project HoneyPOT: https://www.projecthoneypot.org/
How to do it:
# This is your HoneyPOT API Key
SecHttpBlKey "PUT-YOUR-API-KEY-HERE"
#This is the rule
SecRule TX:REAL_IP|REMOTE_ADDR "[at]rbl dnsbl.httpbl.org" \
"id:'901',\
chain,\
phase:1,\
t:none,\
capture,\
block,\
msg:'COMODO WAF: HoneyPOT Project Match of Client IP',\
logdata:'%{tx.httpbl_msg}',\
setvar:tx.httpbl_msg=%{tx.0},\
setvar:tx.ip_atacante=%{REMOTE_ADDR},\
redirect:https://www.projecthoneypot.org/ip_%{tx.ip_atacante}"
SecRule TX:0 "threat score (\d+)" \
"chain,capture"
SecRule TX:1 "[at]gt 20"
Just for you to know, what this does, look at this, spammer stoped:
901: COMODO WAF: HoneyPOT Project Match of Client IP
Request: GET /index.php?option=com_phocaguestbook&view=phocaguestbook&id=1&Itemid=72
Action Description: Access denied with redirection to https://www.projecthoneypot.org/ip_188.123.248.103 using status 302 (phase 1).
Justification: Operator GT matched 20 at TX:1.
From CSF Firewall? Very different, many ip’s that visit our site are not on the list that CSF download, you’ve to use the DNS RBL to catch them, plus you use the SCORE, only above 20 should be blocked.
It’s much more efective, than CSF Firewall Honeypot. Also i’ve both, and this rule catchs alot of ip’s that are not on the CSF List.