
Utilizing the HTTP BlackList (HTTPBL) API with Mod_Security

Discussion in 'Security' started by Astral God, Dec 28, 2012.

    Utilizing the HTTP BlackList (HTTPBL) API

    A very useful tool provided by Project Honeypot is the HTTP Blacklist (HTTPBL). They describe the HTTP BL as follows:

    This is useful data as it tracks the IP addresses of clients that have been flagged as malicious by Project Honeypot's trap network, which means that there is a very low chance of false positives. In the latest ModSecurity version (2.7), we added the capability to use the Http:BL API by allowing the ModSecurity user to specify their registered API key with the new SecHttpBlKey directive.

    You can then use rules similar to the following to check the client IP address against the HTTP BL:

    # SecHttpBlKey holds the access key registered with Project Honeypot (placeholder value here)
    SecHttpBlKey yourhttpblkey
    # @rbl needs dnsbl.httpbl.org as its parameter; that is what makes it prefix the lookup with the key
    SecRule TX:REAL_IP|REMOTE_ADDR "@rbl dnsbl.httpbl.org" "id:'999010',chain,phase:1,t:none,capture,block,msg:'HTTPBL Match of Client IP.',logdata:'%{tx.httpbl_msg}',setvar:tx.httpbl_msg=%{tx.0}"
            # TX:0 holds the text returned by @rbl; pull the numeric threat score out of it
            SecRule TX:0 "threat score (\d+)" "chain,capture"
                    # only fire when the captured score is above the threshold
                    SecRule TX:1 "@gt 20"
    If a malicious client connects to your web server, this rule inspects the "threat score" data returned by the HTTP BL and triggers an alert if the score is above the defined threshold (20 here). An example alert is shown below; the client would also be blocked (depending on your configuration).

    [Tue Dec 18 16:22:44 2012] [error] [client] ModSecurity: Warning. Operator GT matched 20 at TX:1. [file "/usr/local/apache/conf/crs/base_rules/modsecurity_crs_15_custom.conf"] [line "2"] [id "999010"] [msg "HTTPBL Match of Client IP."] [data "RBL lookup of succeeded at REMOTE_ADDR. Suspicious comment spammer IP: 1 days since last activity, threat score 80"] [hostname "MacBook-Pro-2.local"] [uri "/cgi-bin/printenv"] [unique_id "UNDeo8CoAWoAACDARMkAAAAC"]
    More info at SpiderLabs Blog: Setting HoneyTraps with ModSecurity: Project Honeypot Integration - SpiderLabs Anterior
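An added worked example (not code from the post above or from the SpiderLabs blog it quotes) showing what the @rbl operator does under the hood once SecHttpBlKey is set. The Http:BL query is a DNS A lookup of <access key>.<reversed IPv4 octets>.dnsbl.httpbl.org; a listed address answers 127.<days since last activity>.<threat score>.<visitor type bitmask> (1 = suspicious, 2 = harvester, 4 = comment spammer; 0 = known search engine, in which case the second octet is an engine id), and an unlisted address gets NXDOMAIN. The script builds the query name, decodes the answer, rebuilds a message in the same shape as the alert above and applies the same "threat score greater than 20" gate. The access key abcdefghijkl, the 198.51.100.x and 203.0.113.x client addresses and the SAMPLE_ZONE answers are constructed for the example; a real check resolves the name in DNS instead.

```python
"""Http:BL lookup and threat-score gate, modelled on ModSecurity's @rbl + SecHttpBlKey."""
import ipaddress
from typing import Callable, Optional, Tuple

HTTPBL_ZONE = "dnsbl.httpbl.org"

# Bits of the fourth octet of an Http:BL answer (visitor type). 0 = search engine.
SUSPICIOUS = 1
HARVESTER = 2
COMMENT_SPAMMER = 4


def httpbl_query_name(access_key: str, client_ip: str) -> str:
    """Build <key>.<reversed octets>.dnsbl.httpbl.org for one IPv4 client address."""
    if len(access_key) != 12 or not access_key.isalnum():
        raise ValueError("Http:BL access keys are 12 alphanumeric characters")
    ip = ipaddress.IPv4Address(client_ip)  # Http:BL lists IPv4 only; raises on anything else
    reversed_octets = ".".join(reversed(ip.exploded.split(".")))
    return f"{access_key}.{reversed_octets}.{HTTPBL_ZONE}"


def parse_httpbl_answer(answer: str) -> dict:
    """Decode a 127.<days>.<threat>.<type> A record into its fields."""
    octets = [int(o) for o in answer.split(".")]
    if len(octets) != 4 or octets[0] != 127 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not an Http:BL answer: {answer}")
    _, second, threat, vtype = octets
    if vtype == 0:
        # Search engines: the second octet is an engine identifier, not an age.
        return {"search_engine_id": second, "days": None, "threat": 0, "type": 0}
    return {"search_engine_id": None, "days": second, "threat": threat, "type": vtype}


def visitor_label(vtype: int) -> str:
    """Wording modelled on the ModSecurity alert text ('Suspicious comment spammer IP')."""
    if vtype == 0:
        return "Search engine IP"
    roles = [name for bit, name in ((HARVESTER, "harvester"), (COMMENT_SPAMMER, "comment spammer"))
             if vtype & bit]
    words = (["suspicious"] if vtype & SUSPICIOUS else []) + ([" and ".join(roles)] if roles else [])
    if not words:
        return f"Unknown visitor type {vtype} IP"
    label = " ".join(words)
    return label[0].upper() + label[1:] + " IP"


def check_client(client_ip: str, access_key: str,
                 resolve: Callable[[str], Optional[str]], threshold: int = 20) -> Tuple[bool, str]:
    """Return (block?, message). resolve(name) gives the A record string, or None for NXDOMAIN."""
    answer = resolve(httpbl_query_name(access_key, client_ip))
    if answer is None:
        return False, "not listed"
    fields = parse_httpbl_answer(answer)
    if fields["type"] == 0:
        return False, f"Search engine IP (id {fields['search_engine_id']})"
    msg = (f"{visitor_label(fields['type'])}: {fields['days']} days since last activity, "
           f"threat score {fields['threat']}")
    # Same gate as the chained rule: block only when the score is strictly above the threshold.
    return fields["threat"] > threshold, msg


# Constructed answers for the example (hypothetical key and documentation-range addresses).
SAMPLE_KEY = "abcdefghijkl"
SAMPLE_ZONE = {
    httpbl_query_name(SAMPLE_KEY, "198.51.100.23"): "127.1.80.5",  # suspicious comment spammer, score 80
    httpbl_query_name(SAMPLE_KEY, "198.51.100.24"): "127.3.10.1",  # suspicious only, score 10
    httpbl_query_name(SAMPLE_KEY, "198.51.100.25"): "127.1.0.0",   # known search engine
}


def sample_resolver(name: str) -> Optional[str]:
    """Stand-in for a DNS resolver: returns the constructed answer or None (NXDOMAIN)."""
    return SAMPLE_ZONE.get(name)


if __name__ == "__main__":
    for ip in ("198.51.100.23", "198.51.100.24", "198.51.100.25", "203.0.113.9"):
        block, message = check_client(ip, SAMPLE_KEY, sample_resolver)
        print(f"{ip:15} block={block!s:5} {message}")
```

The rule in the post pulls the score back out of the text that @rbl leaves in TX:0 with a regex; here the third octet is read directly, which is the same number. Either way, an address whose type bits are set but whose score is at or below 20 is reported and not blocked, which is the point of chaining the @gt check rather than blocking on any listing.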
