[Modsecurity] relay of question from Mandriva lists...
ET
etharp at earthlink.net
Mon Jul 17 18:38:27 EDT 2006
Using ML 2006.0 Community. I've got apache-mod_security installed, and
have just installed apache-tools, which includes the blacklist tool. I
know there's supposed to be a way to get mod_security to use the
blacklist tool, so that when someone triggers one of its rules you can
have it pass a command to that, which will in turn stick the IP address
into iptables for a time. I can't seem to find the right bit of
documentation to show me how to configure mod_security to use it.
Anyone know?
############
after further discussion about the security risks of having the user
Apache runs as/on having access to root functions... like writing to the
firewall...
Noticed SecFilterDefaultAction. Looks like I can edit that....
# Action to take by default
SecFilterDefaultAction "deny,log,status:500,exec:'/var/www/cgi-bin/blacklist.cgi REMOTE_ADDR 3600'"
I'll give that a try and see if it works. According to the documentation
on the modsecurity.org website: "You can have one binary executed per
filter match. Execution will add the header mod_security-executed to the
list of request headers." So I guess the next time someone hits my
server with one of the things which trigger a rule hit, I'll look for
that entry and check to see if the IP address in question got itself
blocked. Maybe this will work yet.
############
any further thoughts?
--
reg. Linux User 167806
webhome http://ed-tharp.is-a-geek.org
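Added example, not the apache-tools blacklist tool and not code from this thread: one way to answer the root-access concern raised above is to have the script that mod_security executes only spool a block request, while a separate root-owned job turns the spool into iptables commands, so the Apache user never touches the firewall. The spool path, file format and the loopback check are this example's own assumptions.

```python
"""Spool-based temporary IP block (example code, not the apache-tools tool).
Unprivileged side: validate the two arguments and append them to a spool.
Privileged side (root cron job): turn spool lines into iptables argv lists."""
import ipaddress
import sys
import time

SPOOL = "/var/spool/blacklist/requests"  # assumed path, writable by the Apache user
MAX_SECONDS = 86400                      # refuse absurd block durations


def parse_request(ip_text, seconds_text, now=None):
    """Validate '<ip> <seconds>' as handed over by mod_security's exec action.
    Returns (ip, expiry_epoch) or raises ValueError on anything suspicious."""
    ip = ipaddress.ip_address(ip_text.strip())  # rejects anything that is not an address
    if ip.is_loopback:                          # assumed policy: never block ourselves
        raise ValueError("refusing to block %s" % ip)
    seconds = int(seconds_text)
    if not 0 < seconds <= MAX_SECONDS:
        raise ValueError("bad duration %d" % seconds)
    now = time.time() if now is None else now
    return str(ip), int(now) + seconds


def enqueue(ip_text, seconds_text, spool=SPOOL):
    """Unprivileged side: append one 'ip expiry' line to the spool file."""
    ip, expiry = parse_request(ip_text, seconds_text)
    with open(spool, "a") as fh:
        fh.write("%s %d\n" % (ip, expiry))
    return ip, expiry


def iptables_commands(spool_lines, now):
    """Privileged side: unexpired entries become DROP inserts, expired ones
    become deletes of the same rule so the block really is temporary.
    Malformed lines are skipped rather than passed to iptables."""
    cmds = []
    for line in spool_lines:
        try:
            ip_text, expiry_text = line.split()
            ip, expiry = str(ipaddress.ip_address(ip_text)), int(expiry_text)
        except ValueError:
            continue
        action = "-I" if expiry > now else "-D"
        cmds.append(["iptables", action, "INPUT", "-s", ip, "-j", "DROP"])
    return cmds


if __name__ == "__main__":
    # invoked by the web server as: blacklist.py <ip> <seconds>
    enqueue(sys.argv[1], sys.argv[2])
```

The root-side job would run each argv list with subprocess and then rewrite the spool without the expired lines; that part is left out here.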