Re: [mod-security-users] RBL support available in 2.0.0-dev1
From: Ivan R. <iv...@we...> - 2006-03-10 08:53:37
Jason Haar wrote:
> Ivan Ristic wrote:
>> ModSecurity 2.0.0-dev1 is out and it includes support for RBL
>> operation. Example (it's documented in the manual too):
>>
>> SecFilterSelective REMOTE_ADDR "@rblCheck sbl-xbl.spamhaus.org"
>>
>> Regex backreferences will be supported in 2.0.0-dev2 (they
>> are supported already in the CVS BTW). Caching is not supported
>> at the moment. I do plan to support it in 2.0.0-dev2.
>>
> FYI about caching...
>
> I am just going through an issue with the lack of *NEGATIVE TTL* caching
> (DNS NCACHE support) within djbdns's dnscache. It really hits the
> performance of SpamAssassin from far-away countries (from the RBL
> servers) like mine (New Zealand).
>
> Be aware that you probably want to cache both *successful* and
> *unsuccessful* lookups as you cannot rely on the DNS server your OS is
> using to do it for you. The negative caching especially is important, as
> realistically, 99.9% of the IPs that connect to a Web server won't be in
> any RBL.

Noted. BTW, it should be possible to use the IP blacklisting mechanism
for caching even now (the drawback is you won't be able to use it for
something else). The following works in 2.0.0-dev1:

# Enable IP tracking
SecIpInfo On
SecDataDir /var/lib/msa

# Deny access to those we know are in the RBL
SecFilterSelective IP_BLOCK_MESSAGE "INRBL" log,deny,status:403

# Do not look up the addresses we saw recently
SecFilterSelective IP_IS_BLOCKED "@eq 1" skip:2

# Block addresses in RBL
SecFilterSelective REMOTE_ADDR "@rblCheck sbl-xbl.spamhaus.org" \
    "log,deny,status:403,blockip:3600,msg:'INRBL'"

# Put all addresses on the list but with a different message
SecFilterSelective REMOTE_ADDR !^$ nolog,pass,blockip:3600,msg:'NOTRBL'

-- 
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
Apache Security (O'Reilly): http://www.apachesecurity.net
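The thread's point is that an RBL check in front of a web server must cache both positive and negative answers with its own TTL, exactly what the SecIpInfo/blockip ruleset above does with its INRBL and NOTRBL entries. The following is an added Python example, not code from the thread or from ModSecurity, that models the same logic: the DNSBL query name is the reversed IPv4 octets under the zone (the standard DNSBL convention), a listed address is denied with 403, and every answer, listed or not, is cached for a fixed TTL so that the resolver is consulted once per address per TTL. The resolver and clock are constructed stand-ins injected so the example runs offline; CachedRblChecker, FakeClock and make_fake_resolver are names assumed here.

```python
import ipaddress
import time
from typing import Callable, Dict, Set, Tuple

# Resolver callback: given a DNSBL query name, return True if the zone
# answers with an A record (address is listed) and False on NXDOMAIN.
Resolver = Callable[[str], bool]


def rbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: reversed IPv4 octets followed by the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on a bad address
    return ".".join(reversed(str(addr).split("."))) + "." + zone


class FakeClock:
    """Constructed clock so TTL expiry can be exercised without sleeping."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class CachedRblChecker:
    """RBL lookup with a TTL cache for both listed and not-listed answers.

    Mirrors the ruleset in the thread: a cached entry short-circuits the
    DNS query (the skip:2 rule), and both outcomes are remembered for the
    same lifetime (blockip:3600 with the INRBL / NOTRBL messages).
    """

    def __init__(self, zone: str, resolver: Resolver, ttl: float = 3600.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._zone = zone
        self._resolver = resolver
        self._ttl = ttl
        self._clock = clock
        # ip -> (listed?, expiry timestamp)
        self._cache: Dict[str, Tuple[bool, float]] = {}
        self.lookups = 0  # number of real resolver calls, for observability

    def is_listed(self, ip: str) -> bool:
        now = self._clock()
        entry = self._cache.get(ip)
        if entry is not None:
            listed, expires = entry
            if now < expires:
                return listed  # positive or negative hit, no DNS traffic
            del self._cache[ip]  # expired, fall through to a fresh lookup
        self.lookups += 1
        listed = self._resolver(rbl_query_name(ip, self._zone))
        self._cache[ip] = (listed, now + self._ttl)
        return listed


def decide(checker: CachedRblChecker, ip: str) -> int:
    """HTTP status the rules would produce: 403 for a listed client, else 200."""
    return 403 if checker.is_listed(ip) else 200


def make_fake_resolver(listed_ips: Set[str], zone: str) -> Resolver:
    """Constructed resolver: 'lists' exactly the addresses given (offline)."""
    listed_names = {rbl_query_name(ip, zone) for ip in listed_ips}

    def resolve(name: str) -> bool:
        return name in listed_names

    return resolve


if __name__ == "__main__":
    # Constructed sample: 192.0.2.10 is listed, 198.51.100.7 is not.
    zone = "sbl-xbl.spamhaus.org"
    clock = FakeClock()
    checker = CachedRblChecker(zone, make_fake_resolver({"192.0.2.10"}, zone),
                               ttl=3600, clock=clock)
    for ip in ["192.0.2.10", "192.0.2.10", "198.51.100.7", "198.51.100.7"]:
        print(ip, decide(checker, ip), "lookups so far:", checker.lookups)
    clock.advance(3601)
    print("after TTL:", decide(checker, "198.51.100.7"), checker.lookups)
```

The negative cache is what keeps the resolver quiet for the overwhelming majority of clients that are not listed; without it every request from an unlisted address would cost a round trip to the RBL zone, which is the SpamAssassin problem described in the quoted message.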