Re: [mod-security-users] Filter Rules by IP Address

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

SecFilterSelective REMOTE_ADDR  ^196.168.0.94$ allow
worked.  I tried that before Ryan replied but with allow,pass.
So i guess wiht pass in it, it was allowing the IP address but still
applying the other rules.

I really appreciate your help guys.

Thanks a lot,
Naveen

On 10/25/05, Ryan Barnett <rcb...@gm...> wrote:
> Sorry about that - I used the wrong env token.  Use this instead -
>
> SecFilterSelective REMOTE_ADDR "^192\.168\.0\.94$" allow
>
> Also, just use "allow" at the end.  This should tell mod_security to allo=
w
> the request and to not apply and other filters.
>
> If it is still getting blocked by another filter, check the debug log fil=
e
> Looking at your conf file, you need to turn this on (0 does no logging).
> Set this log level to 9 if you want the most verbose info. -
>
> # You normally won't need debug logging
>     SecFilterDebugLevel 9
>     SecFilterDebugLog logs/modsec_debug_log
>
> --
> Ryan C. Barnett
> Web Application Security Consortium (WASC) Member
> CIS Apache Benchmark Project Lead
> SANS Instructor: Securing Apache
> GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
>
> Author: Preventing Web Attacks with Apache
>
> On 10/25/05, Naveen Amradi <na...@gm...> wrote:
> >
> > HI Ryan,
> >
> >   I appreciate your quick response and help.
> >  I am still not able to configure it properly.
> > Just like u said i added
> >
> > SecFilterSelective REMOTE_HOST "^192\.168\.0\.94$" allow,pass
> >
> > I tried putting it right below the SecFilterEnging and other places too=
.
> And i am getting this error in the log file. Maybe i am missing something=
.
> >
> >
> > UNIQUE_ID: xv7hbIJKVE8AAFQjVXYAAAAE
> > Request: 196.168.0.94 - - [25/Oct/2005:11:39:02 --0500] "GET
> /study_abroad/TMPzad38oxcyx.htm HTTP/1.1" 403 232
> > Handler: server-parsed
> > ----------------------------------------
> > GET /study_abroad/TMPzad38oxcyx.htm HTTP/1.1
> > User-Agent: Contribute
> > Host: www.outreach.olemiss.edu
> > Cookie:
> phpbb2mysql_data=3Da%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0%3A%22%22=
%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%223%22%3B%7D;
> PHPSESSID=3D59ded4be35990378545d942f2a11c0f9
> > mod_security-message: Access denied with code 403. Pattern match "/tmp"=
 at
> THE_REQUEST
> > mod_security-action: 403
> >
> > HTTP/1.1 403 Forbidden
> > Content-Length: 232
> >
> > Could you help me?And Just for info i am trying to configure Macromedia
> Contribute.
> >
> > Thanks a lot,
> >
> > naveen
> >
> >
> > On 10/25/05, Ryan Barnett <rcb...@gm... > wrote:
> >
> > >
> > > Naveen,
> > > Think of the mod_security directives (SecFilter|SecFilterSelective) a=
s
> you would firewall rules in that the order in which they are specified in
> the httpd.conf file does matter.  Again, like firewall rules, once a filt=
er
> matches the incoming HTTP request it will trigger the actions specified.
> With this being said, if you want to "whitelist" an IP address to allow t=
his
> client access, then add in a rule like this near the top of your
> Mod_Security directives -
> > >
> > > SecFilterSelective REMOTE_HOST "^192\.168\.1\.100$" allow,pass
> > >
> > > Add this just below the mod_security general directives (such as
> SecFilterEngine, etc....).
> > >
> > > That should do it.
> > >
> > > --
> > > Ryan C. Barnett
> > > Web Application Security Consortium (WASC) Member
> > > CIS Apache Benchmark Project Lead
> > > SANS Instructor: Securing Apache
> > > GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
> > > Author: Preventing Web Attacks with Apache
> > >
> > >
> > > On 10/25/05, Naveen Amradi <na...@gm... > wrote:
> > > > HI All,
> > > >
> > > >   Newbie of ModSecurity. I was wondering is there a way to
> > > > open up rules for certain ip addresses.
> > > >
> > > > Thanks a gazillion!
> > > > Naveen
> > >
> > >
> > >
> > >
> >
> >
>
>
>
>