Hello,
I am getting the following in the apache/error.log. There are plenty of such errors coming in daily, so I would like to block them. They are from different IPs, so fail2ban is not a good option. They come from "mail2000.com.tw". How can I block this domain from trying to CONNECT?
[Sat Feb 07 09:52:21 2015] [error] [client 118.165.130.55] ModSecurity: Access denied with code 403 (phase 1). Match of "rx ^(?:(?:[a-z]{3,10}\\\\s+(?:\\\\w{3,7}?://[\\\\w\\\\-\\\\./]*(?::\\\\d+)?)?/[^?#]*(?:\\\\?[^#\\\\s]*)?(?:#[\\\\S]*)?|connect (?:\\\\d{1,3}\\\\.){3}\\\\d{1,3}\\\\.?(?::\\\\d+)?|options \\\\*)\\\\s+[\\\\w\\\\./]+|get /[^?#]*(?:\\\\?[^#\\\\s]*)?(?:#[\\\\S]*)?)$" against "REQUEST_LINE" required. [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "37"] [id "960911"] [rev "2.2.5"] [msg "Invalid HTTP Request Line"] [data "CONNECT mx0.mail2000.com.tw:25 HTTP/1.0"] [severity "WARNING"] [tag "https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-960911"] [tag "http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1"] [tag "RULE_MATURITY/8"] [tag "RULE_ACCURACY/8"] [hostname "mx0.mail2000.com.tw"] [uri "/"] [unique_id "VNXgVX8AAAEAAHqycsoAAAAC"]
I tried the following in /etc/apache2/sites-available/default. Will this work?

<VirtualHost *:80>
    .....
    .....
</VirtualHost>
<Files *>
    <LimitExcept GET POST>
        deny from all
    </LimitExcept>
</Files>

Thanks.
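
Added example (not part of the original post): a short Python script that reads error.log entries in the format quoted above and lists, for rule 960911, each CONNECT target together with the client addresses that requested it. The function names and the extra sample lines are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the entry quoted above. The first line
# is that entry with the rule regex and tags shortened; the 192.0.2.10 and
# 203.0.113.5 lines are made up for this example.
SAMPLE_LOG = '''\
[Sat Feb 07 09:52:21 2015] [error] [client 118.165.130.55] ModSecurity: Access denied with code 403 (phase 1). Match of "rx ^(?:...)$" against "REQUEST_LINE" required. [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "37"] [id "960911"] [msg "Invalid HTTP Request Line"] [data "CONNECT mx0.mail2000.com.tw:25 HTTP/1.0"] [hostname "mx0.mail2000.com.tw"] [uri "/"]
[Sat Feb 07 10:03:02 2015] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 1). Match of "rx ^(?:...)$" against "REQUEST_LINE" required. [line "37"] [id "960911"] [msg "Invalid HTTP Request Line"] [data "CONNECT mx0.mail2000.com.tw:25 HTTP/1.0"] [hostname "mx0.mail2000.com.tw"] [uri "/"]
[Sat Feb 07 10:04:40 2015] [error] [client 203.0.113.5] File does not exist: /var/www/favicon.ico
'''

# [client a.b.c.d] as written by the Apache 2.2 error log shown above.
CLIENT_RE = re.compile(r'\[client ([0-9A-Fa-f.:]+)\]')
# ModSecurity metadata fields: [key "value"], value may hold escaped quotes.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# Request line logged in the data field for a proxy-style CONNECT.
CONNECT_RE = re.compile(r'^CONNECT\s+(\S+)\s+HTTP/\d\.\d$', re.I)


def parse_modsec_line(line):
    """Return a dict of client plus [key "value"] fields, or None if the
    line is not a ModSecurity entry."""
    client = CLIENT_RE.search(line)
    if "ModSecurity:" not in line or client is None:
        return None
    entry = {"client": client.group(1)}
    for key, value in FIELD_RE.findall(line):
        entry.setdefault(key, value)  # repeated keys such as "tag": keep first
    return entry


def connect_targets(log_text, rule_id="960911"):
    """Map each CONNECT target (host:port) to the sorted client addresses
    that requested it, counting only hits on the given rule id."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        entry = parse_modsec_line(line)
        if entry is None or entry.get("id") != rule_id:
            continue
        m = CONNECT_RE.match(entry.get("data", ""))
        if m:
            targets[m.group(1).lower()].add(entry["client"])
    return {target: sorted(clients) for target, clients in targets.items()}


if __name__ == "__main__":
    for target, clients in connect_targets(SAMPLE_LOG).items():
        print(target, len(clients), "client(s):", ", ".join(clients))
```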