Re: [mod-security-users] Modsecurity and known bad IP address filter
From: Ryan B. <RBa...@tr...> - 2013-03-04 17:34:33
On 3/4/13 11:58 AM, "Reindl Harald" <h.r...@th...> wrote:

> On 04.03.2013 17:35, Canell wrote:
>> Ryan Barnett,
>>
>> I recall reading somewhere that ModSecurity can be configured to
>> reference a service site such that it can dynamically check each active
>> IP against the service for known bad IP addresses and block those IP
>> addresses.
>>
>> If this is so, where do I look for configuration with such a service…
>> and…. what would be some recommended services to reference.
>
> I doubt this is not a good idea and will lead to
> a self-DoS if you are under attack

To Reindl's point - the blog post I mentioned in my last email
(http://blog.spiderlabs.com/2011/07/advanced-topic-of-the-week-updated-real-time-blacklist-lookups.html)
lists at the end some perf considerations. The main one being local DNS
caching or using ModSecurity's persistent IP storage so that you only do
actual @rbl checks periodically (say once a day) and then cache the results.

When considering response actions based on IP intelligence, if you determine
that some IP addresses are bad and you want to deny based on this alone, then
I suggest you use exec actions to update local/remote FW rules to move
blocking to edge network devices.

-Ryan
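The caching approach Ryan describes (run the @rbl lookup at most once per address, keep the verdict in ModSecurity's persistent IP collection, and act on the cached result on every later request), written out as an added ModSecurity 2.x configuration example that is not from the thread or the blog post. The RBL zone rbl.example.invalid, the rule ids, the 24-hour window, the SecDataDir path and the edge-block.sh script are assumptions; a real deployment substitutes its own reputation service and firewall hook.

```apache
# Added example (not from the thread): cache @rbl results per client IP in
# ModSecurity's persistent IP collection so the DNS lookup runs at most once
# per day per address instead of on every request.
# Assumed: ModSecurity 2.x, a writable SecDataDir, and the placeholder zone
# "rbl.example.invalid" standing in for a real IP reputation service.
SecDataDir /var/cache/modsecurity

# Load (or create) the persistent collection keyed by the client address.
SecAction "phase:1,id:900100,nolog,pass,initcol:ip=%{REMOTE_ADDR}"

# Already checked inside the cache window: skip the DNS lookup entirely.
SecRule IP:rbl_checked "@eq 1" "phase:1,id:900101,nolog,pass,skipAfter:END_RBL_CHECK"

# Ask the RBL once; on a hit, remember it for 24 hours.
SecRule REMOTE_ADDR "@rbl rbl.example.invalid" \
    "phase:1,id:900102,log,pass,msg:'RBL match for %{REMOTE_ADDR}',\
    setvar:ip.rbl_hit=1,expirevar:ip.rbl_hit=86400"

# Hit or not, mark the address as checked so no further lookups happen today.
SecAction "phase:1,id:900103,nolog,pass,setvar:ip.rbl_checked=1,expirevar:ip.rbl_checked=86400"
SecMarker END_RBL_CHECK

# Act on the cached verdict: this runs on every request but costs no DNS.
# exec hands the address to an external script (placeholder path) that can
# push the block to an edge firewall, as the message suggests.
SecRule IP:rbl_hit "@eq 1" \
    "phase:1,id:900104,log,deny,status:403,\
    msg:'Denying request from cached RBL hit %{REMOTE_ADDR}',\
    exec:/usr/local/bin/edge-block.sh"
```

Because the expirevar windows bound both the cached hit and the cached "checked" flag, a burst of requests from many new addresses still produces at most one lookup per address per day, which is the self-DoS concern raised above.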