Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

Simple mod_security quesiton. Need an informed opinion please.

Discussion in 'Security' started by jols, Nov 17, 2006.

  1. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    2
    Trophy Points:
    168
    Okay, we are seeing a lot of these in the basic Apache access log:

    165.21.154.70 - - [17/Nov/2006:02:29:37 -0600] "-" 408 -
    165.21.154.72 - - [17/Nov/2006:02:29:37 -0600] "-" 408 -
    165.21.154.74 - - [17/Nov/2006:02:29:37 -0600] "-" 408 -
    165.21.154.71 - - [17/Nov/2006:02:29:37 -0600] "-" 408 -
    165.21.154.71 - - [17/Nov/2006:02:29:37 -0600] "-" 408 -
    165.21.154.76 - - [17/Nov/2006:02:29:37 -0600] "-" 408 -
    165.21.154.71 - - [17/Nov/2006:02:29:41 -0600] "-" 408 -
    165.21.154.70 - - [17/Nov/2006:02:29:44 -0600] "-" 408 -


    So is there a way to use mod_security to block IPs using "-"?

    Would this block all kind of legitimate traffic as well?

    How would I best write a rule for this?

    Thanks very much for anything here!
     
  2. Rafaelfpviana

    Rafaelfpviana Well-Known Member

    Joined:
    Mar 12, 2004
    Messages:
    142
    Likes Received:
    0
    Trophy Points:
    166
    Location:
    Brazil
    Well, with mod_security you won't block the ip, you'll simply drop the requests and show a custum error message.

    Would this block all kind of legitimate traffic as well?
    > No, it will only block the trafic of that specific request

    How would I best write a rule for this?
    > Try this:

    SecFilterSelective THE_REQUEST "^-$"
     
  3. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    2
    Trophy Points:
    168
    Thanks very much.

    One question:

    Doesn't the carrot (^) mean, "look for the following ANYWHERE (in the line)"? If so then I think I will use just the following to keep legitimate blocks down to a roar:

    SecFilterSelective THE_REQUEST "-$"
     
  4. Rafaelfpviana

    Rafaelfpviana Well-Known Member

    Joined:
    Mar 12, 2004
    Messages:
    142
    Likes Received:
    0
    Trophy Points:
    166
    Location:
    Brazil
    ^ means beginning of the line and $ means end :D
     
Loading...

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice