Subject: Re: [Modsecurity] Rules for rulsets
From: Michael Shinn <mike@gotroot.com>
To: Brian Rectanus <brectanu@gmail.com>
Date: Fri, 23 Jun 2006 22:45:34 -0400
Message-Id: <1151117121.4004.51.camel@localhost.localdomain>
In-Reply-To: <b61a4e530606231921k494966abvab5f788f1843eb6c@mail.gmail.com>

On Fri, 2006-06-23 at 22:21 -0400, Brian Rectanus wrote:
> Hi Mike,
>
> Further along these lines, there are a few mistakes (poor
> assumptions?) in the badips.conf that should be corrected.

Thanks for the comment. badips.conf is totally deprecated (and if I wasn't clear, it has been for some time). I just haven't gotten around to removing it yet from the website, so folks, I will not be making any fixes to badips.conf.

There is a much better way: gotroot RBLs. Both mod_access with the patch from gotroot.com and the upcoming mod_security 2.0 support RBLs, which is, IMHO, a much better way to support IPs than badips.conf - plus I'll also be able to do SURBLs through 2.0 of modsec. So blacklist.conf, and a big part of blacklist2.conf, may also go into RBL format too. At least for some of the fields, where I can get a URL easily enough.

Realtime RBL lookups not only scale better (I can publish millions of records if I want, and it won't kill your box! Hurray!), but if you run a local caching DNS your performance will be faster than mod_security lookups against the current IPs file.
This method also allows for IPs to be added and removed, well, in real time. So three good reasons to use RBLs only. :-)

I have a test RBL right now; if you want to try out the new way to do badips.conf, via RBL, let me know and I'll send you the details. You have to promise though that you won't send your irate users to me to remove them - this is currently a test RBL without a web frontend to allow easy removals. There may be mistakes, I might flip out and start blocking people with blue eyes. Who knows, it could get ugly. Then again, it might be amazing, and you simply won't be able to live without it. Then again, it's no different than badips.conf at present (there's no automatic way to remove yourself from that list either).

I'm pretty close to opening the RBL up completely, but I want to finish the web frontend so that users with infected machines can complain that their systems should be removed from the RBL or else they will sue me. (Happened already... and we laughed and laughed... ah... fix computer or threaten to spend thousands on a lawyer to sue someone blocking you from connecting to their website... sue! sue! Money grows on trees! I have a right to use your computer for my own purposes! How dare you deny me from using your stuff!) Yeah... so I gotta finish the web front end first. :-)

Anyway, the RBL is close to being done (I'm using it now), so if you want to do things the new way, let me know and I'll send you details about how to use it. Or, just wait a little while and I'll open it to the whole universe.

-- 
Michael T. Shinn
KeyID: 0xDAE2EC86
Key Fingerprint: 1884 E657 A6DF DF1B BFB9 E2C5 DCC6 5297 DAE2 EC86
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDAE2EC86
Got Root? http://www.gotroot.com
modsecurity rules: http://www.modsecurityrules.com
Troubleshooting Firewalls: http://troubleshootingfirewalls.com
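The lookup mechanism the message above relies on, as an added illustration that is neither gotroot's code nor ModSecurity's: the client reverses the IPv4 octets, queries them under the RBL zone, treats an answer inside 127.0.0.0/8 as "listed", and caches the verdict for a TTL the way a local caching resolver would. The zone name, the sample zone data and the injected resolver are constructed assumptions so the code runs offline.

```python
import ipaddress
import time
from typing import Callable, Dict, Optional, Tuple

# Assumptions: the zone name is a placeholder (a real RBL publisher gives you
# theirs) and the resolver is injected so the example runs offline.
RBL_ZONE = "rbl.example.invalid"
Resolver = Callable[[str], Optional[str]]   # query name -> A record or None (NXDOMAIN)
LISTED_NET = ipaddress.IPv4Network("127.0.0.0/8")

def rbl_query_name(ip: str, zone: str = RBL_ZONE) -> str:
    """DNSBL query name: IPv4 octets reversed, then the zone appended.
    Anything that is not a valid IPv4 address raises ValueError, so a
    malformed client address is rejected instead of being looked up."""
    addr = ipaddress.IPv4Address(ip)
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


class RblChecker:
    """Wraps a resolver and caches verdicts for `ttl` seconds, which is the
    effect a local caching DNS server has on repeated RBL lookups."""

    def __init__(self, resolver: Resolver, ttl: float = 300.0, zone: str = RBL_ZONE):
        self._resolve = resolver
        self._ttl = ttl
        self._zone = zone
        self._cache: Dict[str, Tuple[bool, float]] = {}   # ip -> (listed, expires_at)
        self.resolver_calls = 0   # counts real lookups so cache hits can be observed

    def is_listed(self, ip: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        cached = self._cache.get(ip)
        if cached is not None and cached[1] > now:
            return cached[0]
        self.resolver_calls += 1
        answer = self._resolve(rbl_query_name(ip, self._zone))
        # A DNSBL returns an address inside 127.0.0.0/8 for a listed IP and
        # NXDOMAIN (None here) for everything else.
        listed = answer is not None and ipaddress.IPv4Address(answer) in LISTED_NET
        self._cache[ip] = (listed, now + self._ttl)
        return listed


# Constructed sample zone standing in for a real RBL: one listed address.
SAMPLE_ZONE = {rbl_query_name("203.0.113.7"): "127.0.0.2"}

def sample_resolver(name: str) -> Optional[str]:
    return SAMPLE_ZONE.get(name)
```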