Re: [mod-security-users] Ideas for future features..
From: Ivan R. <iv...@we...> - 2006-02-23 19:18:32
Zach Roberts wrote:
>
> The problem is that the idea of using flatfiles for a blacklist cannot
> possibly be sustained indefinitely as more of this comment spam
> surfaces. Even blocking the robots by IPs will be nearly impossible
> using firewalls or flatfiles as even firewalls will start to slow down
> servers after tens of thousands of IPs are added.
That's a problem because these devices are rule-based and they
need to be processed sequentially.
Some news: the 2.0.0 code in the CVS supports blacklisting on the
Apache level. The IP addresses are stored in a SDBM database and
only one lookup is needed per request to establish whether it is
blacklisted or not.
There is also a new action - "blockip:DURATION". This may not be
very useful at the moment but:
1. 2.0.0 will also add a rating mechanism, similar to that used
by spam filters.
2. I want to enable ModSecurity to keep track of IP, user, session,
and address ratings.
So, for example, if you get too many hits from the same IP address
you can choose to block it for a while.
OK, now back to the original proposal. There are two ways to approach
it:
1. At the moment the database contains only the blacklisted
addresses. It is possible to start caching clean IP addresses.
That would replace one or multiple DNS resolution attempts with
a single lookup.
2. ModSecurity v2.0.0 is also likely to have an API (web-based)
to allow IP addresses to be added and removed from the list.
An external tool could be used to add/remove the IP addresses.
> Blar's mod_access_rbl was one attempt at this but, the results aren't
> cached so it isn't very efficient.
This is v1 above - it's pretty trivial to add to ModSecurity.
> A rule such as..
>
> SecFilterSelective "ARG_url" "^(http|https):/"
>     lookup:combined.surbl.org,denyonfail
What would the above lookup? The contents of parameter "url"?
Perhaps it is a better idea to use regex backreferences for
this...
> Even a way of mod_security extracting the domain from the argument and
> then passing it to the surbl would be even better.
Right, backreferences.
--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
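The mechanics discussed in this thread, as an added illustration that is not ModSecurity code and not from either poster: a keyed IP blocklist that costs one lookup per request regardless of size, entries that expire after a duration (standing in for the proposed "blockip:DURATION" action), a SURBL-style domain lookup whose clean and listed answers are both cached so the DNS resolution happens once per TTL rather than once per request, and extraction of the host from a URL-valued argument via a regex backreference. The class and function names (IPBlocklist, DomainBlocklistClient, decide, host_from_url_arg), the injected clock and the CONSTRUCTED_RESOLVER with its one listed host are all assumptions for the example; the real list zone would be queried over DNS.

```python
"""Added example, not ModSecurity code: keyed IP blocklist with expiring
entries, cached DNS-list lookups, and regex extraction of the host from a
URL argument. The resolver and clock are injected so it runs offline."""
import re
import time

_MISSING = object()


class IPBlocklist:
    """One keyed lookup per request; duration-limited blocks expire lazily."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._entries = {}  # ip -> expiry timestamp, or None for permanent

    def block(self, ip, duration=None):
        # duration in seconds stands in for "blockip:DURATION"; None = permanent
        self._entries[ip] = None if duration is None else self._clock() + duration

    def unblock(self, ip):
        self._entries.pop(ip, None)

    def is_blocked(self, ip):
        expiry = self._entries.get(ip, _MISSING)
        if expiry is _MISSING:
            return False
        if expiry is None:
            return True
        if expiry <= self._clock():
            del self._entries[ip]  # block has lapsed; drop it on the way out
            return False
        return True


# Backreference (group 1) captures the host of an http(s) URL in an argument.
URL_HOST_RE = re.compile(r"^https?://([^/:?#]+)", re.IGNORECASE)


def host_from_url_arg(value):
    """Return the lower-cased host from a URL-valued argument, or None."""
    m = URL_HOST_RE.match(value.strip())
    return m.group(1).lower() if m else None


class DomainBlocklistClient:
    """Queries <host>.<zone> and caches the answer (listed or clean) for ttl
    seconds, so a frequently seen host costs one resolution, not one per hit.
    DNS-based lists answer a listed name with an address in 127.0.0.0/8."""

    def __init__(self, resolver, zone="combined.surbl.org", ttl=3600, clock=time.time):
        self._resolver = resolver  # callable: name -> list of A-record strings
        self._zone = zone
        self._ttl = ttl
        self._clock = clock
        self._cache = {}  # host -> (listed, expires_at)
        self.resolutions = 0  # counts real lookups, to show the cache working

    def is_listed(self, host):
        now = self._clock()
        cached = self._cache.get(host)
        if cached is not None and cached[1] > now:
            return cached[0]
        self.resolutions += 1
        answers = self._resolver(f"{host}.{self._zone}")
        listed = any(a.startswith("127.0.0.") for a in answers)
        self._cache[host] = (listed, now + self._ttl)
        return listed


def decide(client_ip, args, ipbl, dbl, block_seconds=600):
    """Per-request decision: one IP lookup, then one cached list lookup per
    URL-valued argument. A listed host blocks the source IP for a while."""
    if ipbl.is_blocked(client_ip):
        return "deny:blocked-ip"
    for name, value in args.items():
        host = host_from_url_arg(value)
        if host is not None and dbl.is_listed(host):
            ipbl.block(client_ip, block_seconds)
            return f"deny:{name}={host}"
    return "allow"


# Constructed stand-in for the DNS list: exactly one host is listed.
_CONSTRUCTED_ANSWERS = {"spam.example.combined.surbl.org": ["127.0.0.2"]}


def CONSTRUCTED_RESOLVER(name):
    return _CONSTRUCTED_ANSWERS.get(name, [])


if __name__ == "__main__":
    clock = [1000.0]
    ipbl = IPBlocklist(clock=lambda: clock[0])
    dbl = DomainBlocklistClient(CONSTRUCTED_RESOLVER, clock=lambda: clock[0])
    print(decide("198.51.100.9", {"url": "http://spam.example/x"}, ipbl, dbl))
    print(decide("198.51.100.9", {"url": "http://clean.example/"}, ipbl, dbl))
    clock[0] += 601
    print(decide("198.51.100.9", {"url": "http://clean.example/"}, ipbl, dbl))
    print("resolutions:", dbl.resolutions)
```

The cache counter makes the trade-off visible: repeated requests naming the same host cost a dictionary lookup, and the single resolution per TTL is what replaces "one or multiple DNS resolution attempts" per request.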