The Community Forums


Configure mod_security to ignore HTTP requests that were already denied

Discussion in 'Security' started by MindStar, Jan 24, 2013.

  1. MindStar

    MindStar Member

    I have a script which automatically blocks access to areas of my website based upon what I deem to be malicious activity. The blocking is performed at IP level and is written to a file which is included in the httpd.conf.

    I'm trying to figure out how to configure Modsecurity so that it ignores (does not filter, log, or take any action on) HTTP requests made from an IP address which has been blocked by an Apache Access Control statement.

    e.g. in my httpd.conf file I have something like

    <Files *>
    order deny,allow
    deny from
    </Files>

    I do not want Modsecurity to perform any analysis of any requests originating from an IP which has been blocked. i.e. when an IP has been blocked for malicious activity, it should not appear in the modsecurity logs, even if it attempts further malicious activity. I only want to see new instances of malicious activity in the modsecurity log.

    My server configuration is such that I have hundreds of IPs which are blocked, so it is not really feasible (or necessary) to duplicate the list of blocked IPs in the modsecurity configuration.

    So far I have tried using the following rule to ignore requests that resulted in a 403 (permission denied) response status, but this does not appear to prevent modsecurity from analysing and reporting on the request.

    # ignore access denied by Apache Access Control
    SecRule RESPONSE_STATUS "@eq 403" "phase:3,allow,pass,nolog,id:'1111'"

    I have confirmed that my deny from IP address include file is working as intended.

    Any modsecurity advice gratefully received.
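
An added example, not part of the original post and not cPanel or ModSecurity project code: one way to avoid maintaining the block list by hand in two places is to derive a ModSecurity IP list from the same Apache include file. It assumes ModSecurity 2.7 or later (for `@ipMatchFromFile`); the function names, sample addresses, file path and rule id are hypothetical.

```python
import ipaddress
import re

# Hypothetical pairing rule (placeholder path and id), evaluated in phase 1:
# SecRule REMOTE_ADDR "@ipMatchFromFile /path/to/blocked_ips.txt" "id:1112,phase:1,pass,nolog,ctl:ruleEngine=Off,ctl:auditEngine=Off"

# Constructed sample of the Apache include file (documentation address ranges).
SAMPLE_INCLUDE = """\
# auto-generated block list (constructed sample)
Order deny,allow
deny from 192.0.2.15
Deny from 198.51.100 203.0.113.0/255.255.255.0
deny from 2001:db8::/32 bad.example.net 192.0.2.15
deny from all
"""

DENY_RE = re.compile(r"^\s*deny\s+from\s+(.+)$", re.IGNORECASE)
PARTIAL_V4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){0,2}\.?$")


def to_network(token):
    """Return an ip_network for one 'deny from' argument, or None for hostnames, 'all', 'env=...'."""
    if PARTIAL_V4_RE.match(token):
        # Apache treats '198.51.100' as an address prefix; expand it to CIDR.
        octets = token.rstrip(".").split(".")
        token = ".".join(octets + ["0"] * (4 - len(octets))) + "/%d" % (8 * len(octets))
    try:
        return ipaddress.ip_network(token, strict=False)
    except ValueError:
        return None


def blocked_networks(include_text):
    """Collect the unique networks named by 'deny from' lines, IPv4 first."""
    found = set()
    for line in include_text.splitlines():
        m = DENY_RE.match(line.split("#", 1)[0])
        if not m:
            continue
        for token in m.group(1).split():
            net = to_network(token)
            if net is not None:
                found.add(net)
    return sorted(found, key=lambda n: (n.version, n))


def render_ip_file(include_text):
    """Render one CIDR per line for use as an @ipMatchFromFile list."""
    return "".join("%s\n" % n for n in blocked_networks(include_text))
```

Hostname and `all` entries are skipped because an IP list file cannot express them; Apache still returns the 403 for every denied client, since the rule only turns ModSecurity off for the matching transaction.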

