Sorry for the long lead time for this reply. This is actually a more complicated problem than it ought to be. Currently ModSecurity does not support easy methods of persisting data permanently. Compounding this issue is that while ModSecurity is running, it uses SDBM which has a somewhat low storage limit per variable (these would also be removed each time you restart). What I would recommend would be modifying this rule (or adding a custom one) to call a Lua script when triggered. This Lua script should add/append to an IP blacklist file. Once in file format it is easy enough to block these using @ipMatchFromFile. The rule would probably start similarly to 'SecRule REMOTE_ADDR "@ipMatchFromFile blacklist.ip"'. Hopefully this helps a bit.
On 2/9/15, 2:04 AM, "Aniyan Rajan" <aniyan.raj...@gmail.com> wrote:
>Hello,
>
>I am getting the following in the apache/error.log. There are plenty of
>such errors coming in daily. So I would like to block them. They are
>from different IPs. So fail2ban is not a good option. They come from
>"http://scanmail.trustwave.com/?c=4062&d=5uDY1ObqUZnGj7BGQHeiLo2p2q3I23ooYtUAWWYzeg&s=5&u=http%3a%2f%2fmail2000%2ecom%2etw".
>How can I block this domain from trying to CONNECT?
>
>[Sat Feb 07 09:52:21 2015] [error] [client 118.165.130.55] ModSecurity: Access denied with code 403 (phase 1). Match of "rx ^(?:(?:[a-z]{3,10}\\\\s+(?:\\\\w{3,7}?://[\\\\w\\\\-\\\\./]*(?::\\\\d+)?)?/[^?#]*(?:\\\\?[^#\\\\s]*)?(?:#[\\\\S]*)?|connect (?:\\\\d{1,3}\\\\.){3}\\\\d{1,3}\\\\.?(?::\\\\d+)?|options \\\\*)\\\\s+[\\\\w\\\\./]+|get /[^?#]*(?:\\\\?[^#\\\\s]*)?(?:#[\\\\S]*)?)$" against "REQUEST_LINE" required. [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "37"] [id "960911"] [rev "2.2.5"] [msg "Invalid HTTP Request Line"] [data "CONNECT http://scanmail.trustwave.com/?c=4062&d=5uDY1ObqUZnGj7BGQHeiLo2p2q3I23ooYoBRCWUwLA&s=5&u=http%3a%2f%2fmx0%2email2000%2ecom%2etw%3a25 HTTP/1.0"] [severity "WARNING"] [tag "http://scanmail.trustwave.com/?c=4062&d=5uDY1ObqUZnGj7BGQHeiLo2p2q3I23ooYoBWDzBnfw&s=5&u=https%3a%2f%2fwww%2eowasp%2eorg%2findex%2ephp%2fModSecurity%5fCRS%5fRuleID-960911"] [tag "http://scanmail.trustwave.com/?c=4062&d=5uDY1ObqUZnGj7BGQHeiLo2p2q3I23ooYoNeUmIwLQ&s=5&u=http%3a%2f%2fwww%2ew3%2eorg%2fProtocols%2frfc2616%2frfc2616-sec3%2ehtml%23sec3%2e2%2e1"] [tag "RULE_MATURITY/8"] [tag "RULE_ACCURACY/8"] [hostname "http://scanmail.trustwave.com/?c=4062&d=5uDY1ObqUZnGj7BGQHeiLo2p2q3I23ooYt1XWGU8Kw&s=5&u=http%3a%2f%2fmx0%2email2000%2ecom%2etw"] [uri "/"] [unique_id "VNXgVX8AAAEAAHqycsoAAAAC"]
>
>I tried the following in /etc/apache2/sites-available/default. Will this
>work?
><VirtualHost *:80>
>.....
>.....
></VirtualHost>
>
><Files *>
><LimitExcept GET POST>
>deny from all
></LimitExcept>
>
>Thanks.
>_______________________________________________
>Owasp-modsecurity-core-rule-set mailing list
>Owasp-modsecurity-core-rule-set@lists.owasp.org
>http://scanmail.trustwave.com/?c=4062&d=5uDY1ObqUZnGj7BGQHeiLo2p2q3I23ooYtBWUmVndg&s=5&u=https%3a%2f%2flists%2eowasp%2eorg%2fmailman%2flistinfo%2fowasp-modsecurity-core-rule-set
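The approach described in the reply above (a rule that runs a Lua script on match, the script appending the client IP to a file, and a second rule that blocks everything in that file with @ipMatchFromFile), worked through as an added example. This is not code from the thread or from the CRS project; the paths, rule IDs and the trigger condition (REQUEST_METHOD equal to CONNECT) are assumptions chosen to fit the log line in the question. The two SecRule lines that go with the script are given in its header comment; they use ModSecurity 2.x syntax.

```lua
-- record_ip.lua: append the client IP of a matched request to a blacklist
-- file that a separate @ipMatchFromFile rule reads.
--
-- Added example, not from the mailing-list thread or the CRS project.
-- Paths, rule IDs and the trigger condition below are assumptions.
--
-- Rules that go with this script (ModSecurity 2.x). Load them from a file
-- that Apache includes BEFORE modsecurity_crs_20_protocol_violations.conf:
-- rule 960911 denies in phase 1, and a deny stops phase processing, so a
-- rule placed after it would never run for these requests.
--
--   # 1) Block anything already on the list. ModSecurity reads the file
--   #    when the configuration loads, so new entries take effect only
--   #    after "apache2ctl graceful".
--   SecRule REMOTE_ADDR "@ipMatchFromFile /etc/modsecurity/blacklist.ip" \
--       "id:1001,phase:1,t:none,deny,status:403,log,msg:'Client IP on local blacklist'"
--
--   # 2) Record the source of CONNECT attempts (the method seen in the
--   #    question's log line). exec runs a .lua parameter in-process.
--   SecRule REQUEST_METHOD "@streq CONNECT" \
--       "id:1002,phase:1,t:none,pass,nolog,exec:/etc/modsecurity/record_ip.lua"
--
-- The Apache worker user needs write access to BLACKLIST; one IP per line.

local BLACKLIST = "/etc/modsecurity/blacklist.ip"  -- assumed path

-- Returns true if ip already appears as a line in the blacklist file, so
-- repeated hits from the same scanner do not grow the file without bound.
local function already_listed(ip)
    local f = io.open(BLACKLIST, "r")
    if not f then
        return false  -- no file yet: nothing is listed
    end
    for line in f:lines() do
        if line == ip then
            f:close()
            return true
        end
    end
    f:close()
    return false
end

-- ModSecurity calls main() when the exec action fires. Returning nil means
-- the script asserts no match of its own; the calling rule's action applies.
function main()
    local ip = m.getvar("REMOTE_ADDR")
    if ip == nil or ip == "" then
        m.log(3, "record_ip.lua: no REMOTE_ADDR available")
        return nil
    end

    -- Only hex digits, dots and colons (IPv4 or IPv6 text form) reach the
    -- file, so an unexpected value cannot add stray lines to it.
    if not ip:match("^[%x%.:]+$") then
        m.log(3, "record_ip.lua: refusing to record unexpected address " .. ip)
        return nil
    end

    if already_listed(ip) then
        return nil
    end

    local f, err = io.open(BLACKLIST, "a")
    if not f then
        m.log(2, "record_ip.lua: cannot open " .. BLACKLIST .. ": " .. tostring(err))
        return nil
    end
    f:write(ip, "\n")
    f:close()
    m.log(4, "record_ip.lua: added " .. ip .. " to " .. BLACKLIST)
    return nil
end
```

Two practical caveats: the recording rule must be phase 1 and must run before the CRS deny, and the blocking rule only sees entries that existed when the configuration was loaded, so a periodic graceful reload (or a cron job that reloads when the file changes) is needed for the blacklist to actually take effect.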