Configure mod_security to ignore HTTP requests that were already denied


Mar 29, 2007

I have a script which automatically blocks access to areas of my website based upon what I deem to be malicious activity, the blocking is performed at IP level and is written to a file which is included in the httpd.conf

I'm trying to figure out how to configure Modsecurity so that it ignores (does not filter, log, or take any action on) HTTP requests made from an IP address which has been blocked by an Apache Access Control statement.

e.g. in my httpd.conf file I have something like

<File *>
order deny, allow

deny from

I do not want Modsecurity to perform any analysis of any requests originating from an IP which has been blocked. i.e. when an IP has been blocked for malicious activity, it should not appear in the modsecurity logs, even if it attempts further malicious activity. I only want to see new instances of malicious activity in the modsecurity log.

My server configuration is such that I have hundreds of IPs which are blocked, so it is not really feasible (or necessary) to duplicate the list of blocked IPs in the modsecurity configuration.

So far I have tried using the following rule to ignore requests that resulted in a 403 (permission denied) response status, but this does not appear to prevent modsecurity from analysising and reporting on the request.

# ignore access denied by Apache Access Control
SecRule RESPONSE_STATUS "@eq 403" "phase:3,allow,pass,nolog,id:'1111'"
I have confirmed that my deny from IP address include file is working as intended.

Any modsecurity advice gratefully received.