[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

RE: blocking ips with iptables accessing invalid URL



You get that alert/denial because you're accessing the webserver by IP, not by name.  You can set mod_security to log only - we're in the middle of implementing it and had to do that for a while to filter out false positives.

Rob Marti

-----Original Message-----
From: redhat-list-bounces redhat com [mailto:redhat-list-bounces redhat com] On Behalf Of ESGLinux
Sent: Wednesday, July 08, 2009 6:49 AM
To: General Red Hat Linux discussion list
Subject: Re: blocking ips with iptables accessing invalid URL

>
>
> With Apache, a very useful tool to block this events is mod_security.
>

Very interesting apache module, I didn´t know about it.

I have installed and looks nice and powerfull. For example I access my test computer with ip and with this module loaded it doesn´t work anymore:

[08/Jul/2009:13:41:49 +0200] [192.168.1.191/sid#8ffde98][rid#94e5820][/][1]
Access denied with code 400 (phase 2). Pattern match "^[\d\.]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "60"] [id "960017"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"]

I´ll have to configure it....


Thanks

ESG
--
redhat-list mailing list
unsubscribe mailto:redhat-list-request redhat com?subject=subscribe
https://www.redhat.com/mailman/listinfo/redhat-list


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]