The Community Forums

Interact with an entire community of cPanel & WHM users!

Simple mod_security question. Need an informed opinion please.

Discussion in 'Security' started by jols, Nov 17, 2006.

  1. jols

    Okay, we are seeing a lot of these in the basic Apache access log:

    165.21.154.70 - - [17/Nov/2006:02:29:37 -0600] "-" 408 -
    165.21.154.72 - - [17/Nov/2006:02:29:37 -0600] "-" 408 -
    165.21.154.74 - - [17/Nov/2006:02:29:37 -0600] "-" 408 -
    165.21.154.71 - - [17/Nov/2006:02:29:37 -0600] "-" 408 -
    165.21.154.71 - - [17/Nov/2006:02:29:37 -0600] "-" 408 -
    165.21.154.76 - - [17/Nov/2006:02:29:37 -0600] "-" 408 -
    165.21.154.71 - - [17/Nov/2006:02:29:41 -0600] "-" 408 -
    165.21.154.70 - - [17/Nov/2006:02:29:44 -0600] "-" 408 -


    So is there a way to use mod_security to block IPs using "-"?

    Would this block all kinds of legitimate traffic as well?

    How would I best write a rule for this?

    Thanks very much for anything here!
     
  2. Rafaelfpviana

    Well, with mod_security you won't block the IP, you'll simply drop the requests and show a custom error message.

    Would this block all kinds of legitimate traffic as well?
    > No, it will only block the traffic of that specific request.

    How would I best write a rule for this?
    > Try this:

    SecFilterSelective THE_REQUEST "^-$"
     
  3. jols

    Thanks very much.

    One question:

    Doesn't the caret (^) mean, "look for the following ANYWHERE (in the line)"? If so then I think I will use just the following to keep legitimate blocks down to a roar:

    SecFilterSelective THE_REQUEST "-$"
     
  4. Rafaelfpviana

    ^ means beginning of the line and $ means end :D
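
Added example, not part of the original thread: a Python check of how the two patterns from the posts above, plus an unanchored "-" for contrast, behave against request strings, together with a per-IP count of the empty-request 408 entries. It assumes the pattern is tested against the request string exactly as it appears in the access log; the last three log lines and the helper names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the access log format quoted in the thread: the first
# three lines mirror the "-" 408 entries, the last three are made-up requests.
SAMPLE_LOG = """\
165.21.154.70 - - [17/Nov/2006:02:29:37 -0600] "-" 408 -
165.21.154.71 - - [17/Nov/2006:02:29:37 -0600] "-" 408 -
165.21.154.71 - - [17/Nov/2006:02:29:41 -0600] "-" 408 -
192.0.2.10 - - [17/Nov/2006:02:29:45 -0600] "GET /index.html HTTP/1.0" 200 512
192.0.2.11 - - [17/Nov/2006:02:29:46 -0600] "GET /my-page.html HTTP/1.1" 200 734
192.0.2.12 - - [17/Nov/2006:02:29:47 -0600] "GET /notes-" 200 120
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)$')

# The two patterns from the thread, plus an unanchored "-" for contrast.
PATTERNS = {"^-$": re.compile(r"^-$"), "-$": re.compile(r"-$"), "-": re.compile(r"-")}

def parse(log_text):
    """Yield (ip, request, status) for each well-formed log line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(3), int(m.group(4))

def matches_by_pattern(log_text):
    """Map each pattern to the request strings it matches (search, not full match)."""
    requests = [req for _, req, _ in parse(log_text)]
    return {name: [r for r in requests if rx.search(r)] for name, rx in PATTERNS.items()}

def empty_408_by_ip(log_text):
    """Count entries with no request line and status 408, per client IP."""
    return Counter(ip for ip, req, status in parse(log_text) if req == "-" and status == 408)

if __name__ == "__main__":
    for name, hits in matches_by_pattern(SAMPLE_LOG).items():
        print(f"{name!r:6} matches {len(hits)}: {sorted(set(hits))}")
    print(dict(empty_408_by_ip(SAMPLE_LOG)))
```

Only `^-$` is limited to the bare "-" entries; `-$` also catches the request ending in a hyphen, and an unanchored "-" catches every request containing one.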
     