mod_security rules

**Jimmyftw** · 01-25-2006 12:18 PM

Is there any way to create rules in mod_security that will block an IP from the server completely if they are found to be accessing a certain address or access it more than once?

**celliott** · 01-25-2006 03:09 PM

Why not just ban the IP on your firewall?

**chirpy** · 01-25-2006 03:22 PM

Indeed, that's not what mod_security is for. As celliott says, use your iptables firewall (if you're using linux) or block using the standard apache allow/deny directives in httpd.conf.

**sh4ka** · 01-25-2006 05:03 PM

It would be great to make some rule to communicate an "x" attacker IP (when mod security already detected apache is being attacked) with the firewall rules to automatically block those bad guys... Does anyone know how to do this with for example APF?

thkz!

**Jimmyftw** · 01-30-2006 07:42 AM

I was just curious if it could be made to block an IP via iptables. Blocking them manually is typically a fruitless effort as most are using proxies which change everyday, but if I can identify certain rules to block an IP after one or two attempts it could stop their scan of a bunch of other address on the server at the time.

**xisn** · 01-30-2006 10:17 AM

Add it into APF.. Works great for us...

**Spiral** · 01-30-2006 10:18 PM

Originally Posted by Jimmyftw

Blocking them manually is typically a fruitless effort as most are using proxies which change everyday, but if I can identify certain rules to block an IP after one or two attempts it could stop their scan of a bunch of other address on the server at the time.

LOL! ROFL! Sorry about the laughing .... there is sort of an inside joke related
to your comment but I will do my best to try to explain:

Our hosting service developed a new technology that allows us to see backwards
through any proxy server or even a chain of proxy servers back to the real IP
effectively rendering all anonymous / privacy type services totally useless.

It's pretty funny to watch bad users try to beat our bans. Most give up quickly
but we had one guy keep trying for 3 weeks before he finally gave up while
we just sat back and enjoyed the show.

**sh4ka** · 02-01-2006 04:20 PM

How did you did it ?? please tell us

Originally Posted by xisn

Add it into APF.. Works great for us...

**rpmws** · 02-01-2006 04:35 PM

Originally Posted by Spiral

LOL! ROFL! Sorry about the laughing .... there is sort of an inside joke related
to your comment but I will do my best to try to explain:

Our hosting service developed a new technology that allows us to see backwards
through any proxy server or even a chain of proxy servers back to the real IP
effectively rendering all anonymous / privacy type services totally useless.

It's pretty funny to watch bad users try to beat our bans. Most give up quickly
but we had one guy keep trying for 3 weeks before he finally gave up while
we just sat back and enjoyed the show.

huh??? how??

**celliott** · 02-02-2006 10:06 AM

Originally Posted by sh4ka

How did you did it ?? please tell us

If you have APF installed on your system you should know the basic commands to make proper use of it.

Go into ssh as root and type "apf -d xx.xx.xxx.x.xx" without quotes obviously. replace xx.xx etc with the IP or Host you wish to ban. This will add the entry into Iptables. You should then reload apf by running /usr/local/sbin/apf -s

**serversphere** · 02-02-2006 12:18 PM

Originally Posted by celliott

If you have APF installed on your system you should know the basic commands to make proper use of it.

I think he meant how did user Spiral implement his anti-proxy technology.

**sh4ka** · 02-02-2006 01:42 PM

Originally Posted by celliott

If you have APF installed on your system you should know the basic commands to make proper use of it.

Go into ssh as root and type "apf -d xx.xx.xxx.x.xx" without quotes obviously. replace xx.xx etc with the IP or Host you wish to ban. This will add the entry into Iptables. You should then reload apf by running /usr/local/sbin/apf -s

Of course I know this, :S
Like the other guy said... It would be great to communicate and ban from APF automatically an offending IP taked from mod security logs, i mean, automatically

Anyone have some ideas about how can be done?

thkz!

**richy** · 02-02-2006 02:43 PM

If you use BFD (from RFXNetworks - like APF), you can then add a rule to scan the Apache logs and if a certain string appears more than a certain amount, it can auto-add the IP add to the firewall blocklist (I've configued BFD to scan my exim_rejectlog for "Mail delivery failed due to listing in RBL ...." style messages and auto-blacklist after 5 mails: the amount of processing my server has to do scanning email has slumped! Wouldn't recommend this way for a shared hosting environment though as it's a bit too "paranoid").

**sh4ka** · 02-02-2006 02:51 PM

Can you give us details about how did you configure it, maybe an example rule ?

thkz!

**budway** · 01-03-2007 01:09 AM

That would not work well since WHM + mod-sec uses a db to store audit_log after a while.

I'm looking to implement this I have seen more than 5 violations per sec on in my logs.

LinkBack

Thread Tools

mod_security rules

mod_security rules

mod_security best rules

Help with mod_security rules

rules mod_security..what about?