Simple mod_security question. Need an informed opinion please.

jols

Okay, we are seeing a lot of these in the basic Apache access log:

165.21.154.70 - - [17/Nov/2006:02:29:37 -0600] "-" 408 -
165.21.154.72 - - [17/Nov/2006:02:29:37 -0600] "-" 408 -
165.21.154.74 - - [17/Nov/2006:02:29:37 -0600] "-" 408 -
165.21.154.71 - - [17/Nov/2006:02:29:37 -0600] "-" 408 -
165.21.154.71 - - [17/Nov/2006:02:29:37 -0600] "-" 408 -
165.21.154.76 - - [17/Nov/2006:02:29:37 -0600] "-" 408 -
165.21.154.71 - - [17/Nov/2006:02:29:41 -0600] "-" 408 -
165.21.154.70 - - [17/Nov/2006:02:29:44 -0600] "-" 408 -


So is there a way to use mod_security to block IPs using "-"?

Would this block all kinds of legitimate traffic as well?

How would I best write a rule for this?

Thanks very much for anything here!
 

Rafaelfpviana

Well, with mod_security you won't block the IP, you'll simply drop the requests and show a custom error message.

Would this block all kinds of legitimate traffic as well?
> No, it will only block the traffic of that specific request

How would I best write a rule for this?
> Try this:

SecFilterSelective THE_REQUEST "^-$"
 

jols

Thanks very much.

One question:

Doesn't the caret (^) mean, "look for the following ANYWHERE (in the line)"? If so then I think I will use just the following to keep legitimate blocks down to a roar:

SecFilterSelective THE_REQUEST "-$"
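
Added example, not part of the thread: a short Python script that tallies the `"-"` 408 entries per client and shows which request strings the two patterns posted above (`^-$` and `-$`), plus a bare `-`, would match. The log sample is constructed (the 192.0.2.x lines are invented for contrast), and Python's `re` is assumed here only to illustrate anchor behaviour, not to reproduce mod_security's matching engine.

```python
import re
from collections import Counter

# Constructed sample in Apache common log format, modelled on the lines in the thread.
SAMPLE_LOG = """\
165.21.154.70 - - [17/Nov/2006:02:29:37 -0600] "-" 408 -
165.21.154.71 - - [17/Nov/2006:02:29:37 -0600] "-" 408 -
165.21.154.71 - - [17/Nov/2006:02:29:41 -0600] "-" 408 -
192.0.2.10 - - [17/Nov/2006:02:29:42 -0600] "GET /a-b.html HTTP/1.1" 200 512
192.0.2.11 - - [17/Nov/2006:02:29:43 -0600] "GET /page-" 200 128
"""

# ip, ident, user, [timestamp], "request", status, bytes
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*)" (\d{3}) (\S+)$')


def parse(log_text):
    """Yield (ip, request, status) for each well-formed log line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(3), int(m.group(4))


def empty_request_timeouts(log_text):
    """Count 408 entries whose request field is the "-" placeholder, per client IP."""
    return Counter(
        ip for ip, req, status in parse(log_text) if status == 408 and req == "-"
    )


def matching_requests(pattern, log_text):
    """Return the distinct request strings a regex matches anywhere (search semantics)."""
    rx = re.compile(pattern)
    return sorted({req for _, req, _ in parse(log_text) if rx.search(req)})


if __name__ == "__main__":
    print(empty_request_timeouts(SAMPLE_LOG))
    # ^ anchors to the start and $ to the end, so "^-$" matches only a lone "-";
    # dropping ^ also catches any request that merely ends in "-".
    for pat in ("^-$", "-$", "-"):
        print(pat, "->", matching_requests(pat, SAMPLE_LOG))
```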