Re: [mod-security-users] RBL support available in 2.0.0-dev1

[Ivan R. <iv...@we...>]

Jason Haar wrote:
> Ivan Ristic wrote:
>> ModSecurity 2.0.0-dev1 is out and it includes support for RBL
>> operation. Example (it's documented in the manual too):
>>
>> SecFilterSelective REMOTE_ADDR "@rblCheck sbl-xbl.spamhaus.org"
>>
>> Regex backreferences will be supported in 2.0.0-dev2 (they
>> are supported already in the CVS BTW). Caching is not supported
>> at the moment. I do plan to support it in 2.0.0-dev2.
>>   
> FYI about caching...
> 
> I am just going through an issue with the lack of *NEGATIVE TTL* caching
> (DNS NCACHE support) within  djbdns's  dnscache. It really hits the
> performance of SpamAssassin from far-away countries (from the RBL
> servers) like mine (New Zealand).
> 
> Be aware that you probably want to cache both *successful* and
> *unsuccessful* lookups as you cannot rely on the DNS server your OS is
> using to do it for you. The negative caching especially is important, as
> realistically, 99.9% of the IPs that connect to a Web server won't be in
> any RBL.

  Noted.

  BTW, it should be possible to use the IP blacklisting mechanism
  for caching even now (the drawback is you won't be able to use
  it for something else). The following works in 2.0.0-dev1:

  # Enable IP tracking
  SecIpInfo On
  SecDataDir /var/lib/msa

  # Deny access to those we know are in the RBL
  SecFilterSelective IP_BLOCK_MESSAGE "INRBL" log,deny,status:403
  # Do not lookup the addresses we saw recently
  SecFilterSelective IP_IS_BLOCKED "@eq 1" skip:2
  # Block addresses in RBL
  SecFilterSelective REMOTE_ADDR "@rblCheck sbl-xbl.spamhaus.org" \
      "log,deny,status:403,blockip:3600,msg:'INRBL'"
  # Put all addresses on the list but with a different message
  SecFilterSelective REMOTE_ADDR !^$ nolog,pass,blockip:3600,msg:'NOTRBL'

-- 
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
Apache Security (O'Reilly): http://www.apachesecurity.net