Simple mod_security quesiton. Need an informed opinion please.

[jols]

Okay, we are seeing a lot of these in the basic Apache access log:

165.21.154.70 - - [17/Nov/2006:02:29:37 -0600] "-" 408 -
165.21.154.72 - - [17/Nov/2006:02:29:37 -0600] "-" 408 -
165.21.154.74 - - [17/Nov/2006:02:29:37 -0600] "-" 408 -
165.21.154.71 - - [17/Nov/2006:02:29:37 -0600] "-" 408 -
165.21.154.71 - - [17/Nov/2006:02:29:37 -0600] "-" 408 -
165.21.154.76 - - [17/Nov/2006:02:29:37 -0600] "-" 408 -
165.21.154.71 - - [17/Nov/2006:02:29:41 -0600] "-" 408 -
165.21.154.70 - - [17/Nov/2006:02:29:44 -0600] "-" 408 -


So is there a way to use mod_security to block IPs using "-"?

Would this block all kind of legitimate traffic as well?

How would I best write a rule for this?

Thanks very much for anything here!

 

[Rafaelfpviana]

Well, with mod_security you won't block the ip, you'll simply drop the requests and show a custum error message.

Would this block all kind of legitimate traffic as well?
> No, it will only block the trafic of that specific request

How would I best write a rule for this?
> Try this:

SecFilterSelective THE_REQUEST "^-$"

 

[jols]

Thanks very much.

One question:

Doesn't the carrot (^) mean, "look for the following ANYWHERE (in the line)"? If so then I think I will use just the following to keep legitimate blocks down to a roar:

SecFilterSelective THE_REQUEST "-$"

 

[Rafaelfpviana]

^ means beginning of the line and $ means end :D