Utilizing the HTTP BlackList (HTTPBL) API with Mod_Security

Astral God, Well-Known Member (cPanel Access Level: Root Administrator)
Sep 27, 2010
Utilizing the HTTP BlackList (HTTPBL) API

A very useful tool provided by Project Honey Pot is the HTTP Blacklist (Http:BL). They describe it as follows:

The HTTP Blacklist, or "http:BL", is a system that allows website administrators to take advantage of the data generated by Project Honey Pot in order to keep suspicious and malicious web robots off their sites. Project Honey Pot tracks harvesters, comment spammers, and other suspicious visitors to websites. Http:BL makes this data available to any member of Project Honey Pot in an easy and efficient way.

Http:BL provides data back about the IP addresses of visitors to your website. Data is exchanged over the DNS system. You may query your local DNS server and receive a response back that indicates the type of visitor to your site, how threatening that visitor is, and how long it has been since the visitor has last been seen within the Project Honey Pot trap network.
This is useful data: it tracks the IP addresses of clients that were flagged as malicious by Project Honey Pot's own trap network, which means there is a very low chance of false positives. In the latest ModSecurity version (2.7), we added the capability to use the Http:BL API by allowing the ModSecurity user to specify their registered API key with the new SecHttpBlKey directive.

Description: Configures the user's registered Honeypot Project HTTP BL API Key to use with @rbl.
Syntax: SecHttpBlKey [12 char access key]
Example Usage: SecHttpBlKey whdkfieyhtnf
Scope: Main
Version: 2.7.0

If the @rbl operator uses the dnsbl.httpbl.org RBL (see the Http:BL API page at Project Honey Pot), you must provide an API key. This key is registered to individual users and is included within the RBL DNS requests.
You can then use rules similar to the following to check the client IP address against the HTTP BL:

# Chained rule: look the client IP up in Http:BL, pull the threat score out of
# the @rbl result text (captured into TX:0), and block only above the threshold.
# The id is 999010 so that it matches the alert shown below.
SecRule TX:REAL_IP|REMOTE_ADDR "@rbl dnsbl.httpbl.org" "id:'999010',chain,phase:1,t:none,capture,block,msg:'HTTPBL Match of Client IP.',logdata:'%{tx.httpbl_msg}',setvar:tx.httpbl_msg=%{tx.0}"
    SecRule TX:0 "threat score (\d+)" "chain,capture"
        SecRule TX:1 "@gt 20"
If a malicious client connects to your web server, this rule inspects the "threat score" value returned by the Http:BL lookup and triggers an alert if it is above the defined threshold (20 here). An example alert is shown below; whether the client is actually blocked depends on your configuration, since the block action takes its disruptive action from SecDefaultAction and nothing is blocked under SecRuleEngine DetectionOnly.

[Tue Dec 18 16:22:44 2012] [error] [client] ModSecurity: Warning. Operator GT matched 20 at TX:1. [file "/usr/local/apache/conf/crs/base_rules/modsecurity_crs_15_custom.conf"] [line "2"] [id "999010"] [msg "HTTPBL Match of Client IP."] [data "RBL lookup of whdkfieyhtnf. succeeded at REMOTE_ADDR. Suspicious comment spammer IP: 1 days since last activity, threat score 80"] [hostname "MacBook-Pro-2.local"] [uri "/cgi-bin/printenv"] [unique_id "UNDeo8CoAWoAACDARMkAAAAC"]
More info at the SpiderLabs Anterior blog: "Setting HoneyTraps with ModSecurity: Project Honeypot Integration".
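The post says the lookup travels over DNS and that the answer encodes visitor type, threat score and days since last activity, and the chained rule then blocks on a score threshold. The following is an added example, not code from the post, the SpiderLabs blog, ModSecurity or Project Honey Pot: it builds the query name the way the Http:BL API documents it (access key, then the client IPv4 address with its octets reversed, then dnsbl.httpbl.org), decodes the documented 127.days.threat.type answer, and applies the same "listed and threat score greater than 20" decision as the SecRule chain. The key whdkfieyhtnf is the documentation example reused here; the IP addresses and the DNS answers in FAKE_ZONE are constructed so the script runs offline, and the summary wording in describe() is this example's own, not ModSecurity's message format.

```python
"""Added example: an http:BL lookup and threshold decision done by hand,
mirroring what ModSecurity's @rbl operator and the chained SecRule do.
Not ModSecurity or Project Honey Pot code."""
import ipaddress
import socket

HTTPBL_ZONE = "dnsbl.httpbl.org"

# Visitor-type bit flags carried in the fourth octet of the answer.
# A fourth octet of 0 means "search engine"; in that case the third octet
# is the engine's serial number rather than a threat score.
TYPE_SUSPICIOUS = 1
TYPE_HARVESTER = 2
TYPE_COMMENT_SPAMMER = 4


def httpbl_query_name(access_key, client_ip):
    """Return the name to resolve: <key>.<reversed IPv4>.dnsbl.httpbl.org"""
    if len(access_key) != 12 or not (access_key.isalpha() and access_key.islower()):
        raise ValueError("http:BL access key must be 12 lowercase letters")
    ip = ipaddress.ip_address(client_ip)
    if ip.version != 4:
        raise ValueError("http:BL only lists IPv4 addresses")
    reversed_octets = ".".join(reversed(str(ip).split(".")))
    return f"{access_key}.{reversed_octets}.{HTTPBL_ZONE}"


def decode_httpbl_answer(answer):
    """Decode a '127.<days>.<threat>.<type>' A-record answer into a dict."""
    octets = answer.split(".")
    if len(octets) != 4 or not all(o.isdigit() for o in octets):
        raise ValueError(f"malformed answer: {answer!r}")
    first, days, third, kind = (int(o) for o in octets)
    if first != 127 or kind > 7:
        raise ValueError(f"not an http:BL answer: {answer!r}")
    if kind == 0:
        return {"listed": True, "search_engine": True, "engine_serial": third,
                "days_since_last_activity": days, "threat_score": 0,
                "types": ["search engine"]}
    types = [name for bit, name in ((TYPE_SUSPICIOUS, "suspicious"),
                                    (TYPE_HARVESTER, "harvester"),
                                    (TYPE_COMMENT_SPAMMER, "comment spammer"))
             if kind & bit]
    return {"listed": True, "search_engine": False, "engine_serial": None,
            "days_since_last_activity": days, "threat_score": third,
            "types": types}


def httpbl_lookup(access_key, client_ip, resolve=socket.gethostbyname):
    """Query http:BL. Returns the decoded answer, or None when the IP is not
    listed (the zone answers NXDOMAIN). `resolve` is injectable so the logic
    can be exercised offline against a constructed zone."""
    name = httpbl_query_name(access_key, client_ip)
    try:
        answer = resolve(name)
    except socket.gaierror:
        return None  # NXDOMAIN: the trap network has not seen this IP
    return decode_httpbl_answer(answer)


def should_block(info, threshold=20):
    """Mirror the chained SecRule: block only when listed, not a search engine,
    and the threat score is strictly greater than the threshold (@gt 20)."""
    return bool(info) and not info["search_engine"] and info["threat_score"] > threshold


def describe(info):
    """Summary in the spirit of the rule's logdata (wording is this example's own)."""
    if info is None:
        return "not listed"
    return (f"{', '.join(info['types'])} IP: {info['days_since_last_activity']} days "
            f"since last activity, threat score {info['threat_score']}")


# Constructed stand-in for DNS; addresses and answers are made up for the demo.
FAKE_ZONE = {
    "whdkfieyhtnf.4.3.2.1.dnsbl.httpbl.org": "127.1.80.5",    # suspicious + comment spammer
    "whdkfieyhtnf.8.7.6.5.dnsbl.httpbl.org": "127.30.10.1",   # suspicious, score below threshold
    "whdkfieyhtnf.1.0.0.127.dnsbl.httpbl.org": "127.0.5.0",   # search engine, serial 5
}


def fake_resolve(name):
    """Resolver that behaves like gethostbyname against FAKE_ZONE."""
    try:
        return FAKE_ZONE[name]
    except KeyError:
        raise socket.gaierror("NXDOMAIN")


if __name__ == "__main__":
    for ip in ("1.2.3.4", "5.6.7.8", "127.0.0.1", "9.9.9.9"):
        info = httpbl_lookup("whdkfieyhtnf", ip, resolve=fake_resolve)
        verdict = "BLOCK" if should_block(info) else "allow"
        print(f"{ip:<10} {verdict:<6} {describe(info)}")
```

To run the same decision against the live list, drop the resolve argument and pass your own registered key; an unlisted address comes back as None, which the rule chain treats as no match rather than as a block.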