[Modsecurity] (GET|HEAD|POST|PUT|PROPFIND|OPTIONS|SEARCH) - How to prevent?

Chris H. fbsd at 1command.com
Wed Jul 5 06:11:58 EDT 2006


Hello, and thank you for your response...

Quoting Michael Shinn <mike at gotroot.com>:

> On Sun, 2006-07-02 at 17:22 -0700, Chris H. wrote:
>> Greetings,
>> I'm attempting to prevent the following request methods by selected IP's
>> GET|HEAD|POST|PUT|PROPFIND|OPTIONS|SEARCH
>>
>> How can this be done?
>>
>> I already have the following for matching the IP's:
>> SecFilterSelective REMOTE_ADDR
>> "^(nnn.nn.nnn.nnn|nnn.nn.nn.nn|nn.nnn.mmm.nnn)$" \
>> "action(s)"
>
> It sounds like what you might want is a chain.
Indeed. I was sure of that but wasn't sure of how to best implement it.
>  You can link rules
> together by adding chain as the action for the rule.  Example:
>
> SecFilter foo chain
> SecFilter bar
>
> So in your case, something like this should work (YMMV, please  test
> first):
>
> SecFilterSelective REMOTE_ADDR  "^(nnn.nn.nnn.nnn|nnn.nn.nn.nn|
> nn.nnn.mmm.nnn)$" chain
> SecFilterSelective HTTP_METHOD "(GET|HEAD|POST|PUT|PROPFIND|OPTIONS|
> SEARCH)" "actions"

Thanks. I'll try it. I felt the immediate need to try something and
ended up doing this:

SecFilterSelective REQUEST_METHOD \
"^(GET|HEAD|POST|PUT|PROPFIND|OPTIONS|SEARCH)$" \
chain
SecFilterSelective REMOTE_ADDR "^(list|of|bad|ips|here)$" \
"deny,log,exec:/bin/echo Sorry this method is not permitted by your host"

Which returns the following in the log:

========================================
UNIQUE_ID: RKtFjNix8yIAAKYSFEU
Request: bad.ip.number.here - - [04/Jul/2006:21:52:29 -0700] "HEAD / 
HTTP/1.1" 403 0
Handler: server-parsed
----------------------------------------
HEAD / HTTP/1.1
Connection: close
Host: my.domain.here
Referer: http://www.offending.domain/
User-Agent: Mozilla/4.0 (compatible; blah blah blah)
mod_security-executed: /bin/echo Sorry this method is not permitted by 
your host
mod_security-message: Access denied with code 403. Pattern match 
"^(long|list|of|naughty|ips|here)$" at REMOTE_ADDR.
mod_security-action: 403

So it at least takes action. But what I _really_ hope to achieve here
is to _completely_ block their request, and _only_ return the message.
In other words, _prevent_ the server from returning _anything_ but the
message supplied by /bin/echo. Will your suggestion achieve this for
me?

Thanks again for your response.

--Chris

>
>>
>> Thank you for all your time and consideration.
>>
>>
>> _______________________________________________
>> Modsecurity mailing list
>> Modsecurity at gotroot.com
>> http://lists.gotroot.com/mailman/listinfo/modsecurity
> --
> Michael T. Shinn                                    KeyID:0xDAE2EC86
> Key Fingerprint:  1884 E657 A6DF DF1B BFB9 E2C5 DCC6 5297 DAE2 EC86
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDAE2EC86
>
> Got Root?  http://www.gotroot.com
> modsecurity rules: http://www.modsecurityrules.com
> Troubleshooting Firewalls:  http://troubleshootingfirewalls.com
>
>



-- 
panic: kernel trap (ignored)



-----------------------------------------------------------------
FreeBSD 5.4-RELEASE-p12 (SMP - 900x2) Tue Mar 7 19:37:23 PST 2006
/////////////////////////////////////////////////////////////////
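As an added example (my own Python model, not code from the thread or from mod_security itself), this shows how the posted two-rule chain is evaluated: a request is denied only when both the method and the remote address match, and the action list of the chain's last rule is what fires, as the posted audit log shows. The addresses are constructed placeholders; the block also shows why the dots in an address pattern should be escaped, since an unescaped `.` matches any character.

```python
import re
from dataclasses import dataclass

# Constructed placeholder values (RFC 5737 documentation ranges), not from the thread.
BAD_IPS = ["192.0.2.10", "192.0.2.11", "198.51.100.7"]
BLOCKED_METHODS = ["GET", "HEAD", "POST", "PUT", "PROPFIND", "OPTIONS", "SEARCH"]

@dataclass
class Rule:
    variable: str        # e.g. REQUEST_METHOD or REMOTE_ADDR
    pattern: re.Pattern  # regex applied to that variable
    chain: bool = False  # True means "the next rule must also match"
    action: str = ""     # action list, consulted on the last link only

# Unescaped dots, as in the posted "nnn.nn.nnn.nnn" placeholders: '.' matches any character.
UNESCAPED_IP_RE = re.compile(r"^(192.0.2.10|192.0.2.11|198.51.100.7)$")

def build_chain():
    """Model of the posted two-rule chain: method first, then remote address."""
    # re.escape() turns each '.' into '\.', so only the literal addresses match.
    ip_re = re.compile(r"^(%s)$" % "|".join(re.escape(ip) for ip in BAD_IPS))
    method_re = re.compile(r"^(%s)$" % "|".join(BLOCKED_METHODS))
    return [Rule("REQUEST_METHOD", method_re, chain=True),
            Rule("REMOTE_ADDR", ip_re, action="deny,log,status:403")]

def evaluate(rules, request):
    """Return the action of the first chain whose every link matches, else 'pass'."""
    chain = []
    for rule in rules:
        chain.append(rule)
        if rule.chain:
            continue  # more links follow; keep collecting
        if all(r.pattern.search(request.get(r.variable, "")) for r in chain):
            return chain[-1].action
        chain = []  # this chain did not fully match; start the next one
    return "pass"

if __name__ == "__main__":
    rules = build_chain()
    print(evaluate(rules, {"REQUEST_METHOD": "HEAD", "REMOTE_ADDR": "192.0.2.10"}))
    print(evaluate(rules, {"REQUEST_METHOD": "HEAD", "REMOTE_ADDR": "203.0.113.5"}))
```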
