[Modsecurity] Rules for rulesets
Brian Rectanus
brectanu at gmail.com
Fri Jun 23 22:28:38 EDT 2006
[Sorry, replied only to Mike and meant it for the list...]
Hi Mike,
Further along these lines, there are a few mistakes (poor
assumptions?) in the badips.conf that should be corrected. Not all of
the IPs need to be bound, but some do. To be safe (and actually faster at
matching given a large set like badips.conf) consider binding them
all. This is one of the reasons I would not use this list to do any
blocking.
Consider these which are fine:
SecFilterSelective REMOTE_ADDR 195\.18\.128\.230
SecFilterSelective REMOTE_ADDR 200\.118\.69\.30
Both begin with 3 digits and a dot. One ends w/3 digits and the other
2, but high enough that adding to the end is impossible (> 255).
Now consider this one which is subtly incorrect:
SecFilterSelective REMOTE_ADDR "64\.75\.68\.15"
Why? Because they also match these IPs:
1?64\.75\.68\.15[0-9]?
So, along with blocking some poor schmoes at an IP from "Ulster County
BOCES", you also just blocked 11 additional (legitimate?) IPs from the
Parliament of Australia (http://www.aph.gov.au/) range. Oops.
So, to prevent this type of mishap, I suggest always bounding with ^/$ for IPs.
Later. And keep up the great work as it is definitely appreciated.
-B