Thread: [mod-security-users] RBL support available in 2.0.0-dev1
From: Ivan R. <iv...@we...> - 2006-03-09 11:52:18
ModSecurity 2.0.0-dev1 is out and it includes support for RBL
operation. Example (it's documented in the manual too):

SecFilterSelective REMOTE_ADDR "@rblCheck sbl-xbl.spamhaus.org"

Regex backreferences will be supported in 2.0.0-dev2 (they
are supported already in the CVS BTW). Caching is not supported
at the moment. I do plan to support it in 2.0.0-dev2.

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
Apache Security (O'Reilly): http://www.apachesecurity.net
From: <ste...@gm...> - 2006-03-09 16:30:26
> --- Original Message ---
> From: Ivan Ristic <iv...@we...>
> To: mod...@li...
> Subject: [mod-security-users] RBL support available in 2.0.0-dev1
> Date: Thu, 09 Mar 2006 11:52:42 +0000
>
> ModSecurity 2.0.0-dev1 is out and it includes support for RBL
> operation. Example (it's documented in the manual too):
>
> SecFilterSelective REMOTE_ADDR "@rblCheck sbl-xbl.spamhaus.org"
>
> Regex backreferences will be supported in 2.0.0-dev2 (they
> are supported already in the CVS BTW). Caching is not supported
> at the moment. I do plan to support it in 2.0.0-dev2.

Would you recommend using 2.0.0-dev2 in production? Or do I have to expect
a lot of problems?
From: Ivan R. <iv...@we...> - 2006-03-09 16:33:20
ste...@gm... wrote:
>> --- Original Message ---
>> From: Ivan Ristic <iv...@we...>
>> To: mod...@li...
>> Subject: [mod-security-users] RBL support available in 2.0.0-dev1
>> Date: Thu, 09 Mar 2006 11:52:42 +0000
>>
>> ModSecurity 2.0.0-dev1 is out and it includes support for RBL
>> operation. Example (it's documented in the manual too):
>>
>> SecFilterSelective REMOTE_ADDR "@rblCheck sbl-xbl.spamhaus.org"
>>
>> Regex backreferences will be supported in 2.0.0-dev2 (they
>> are supported already in the CVS BTW). Caching is not supported
>> at the moment. I do plan to support it in 2.0.0-dev2.
>>
> Would you recommend using 2.0.0-dev2 in production? Or do I have to expect
> a lot of problems?

You mean 2.0.0-dev1. It should be stable but, still, it is a development
release.

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
Apache Security (O'Reilly): http://www.apachesecurity.net
From: Jason H. <Jas...@tr...> - 2006-03-10 02:32:37
Ivan Ristic wrote:
> ModSecurity 2.0.0-dev1 is out and it includes support for RBL
> operation. Example (it's documented in the manual too):
>
> SecFilterSelective REMOTE_ADDR "@rblCheck sbl-xbl.spamhaus.org"
>
> Regex backreferences will be supported in 2.0.0-dev2 (they
> are supported already in the CVS BTW). Caching is not supported
> at the moment. I do plan to support it in 2.0.0-dev2.
>

FYI about caching...

I am just going through an issue with the lack of *NEGATIVE TTL* caching
(DNS NCACHE support) within djbdns's dnscache. It really hits the
performance of SpamAssassin from far-away countries (from the RBL
servers) like mine (New Zealand).

Be aware that you probably want to cache both *successful* and
*unsuccessful* lookups as you cannot rely on the DNS server your OS is
using to do it for you. The negative caching especially is important, as
realistically, 99.9% of the IPs that connect to a Web server won't be in
any RBL.

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
From: Ivan R. <iv...@we...> - 2006-03-10 08:53:37
Jason Haar wrote:
> Ivan Ristic wrote:
>> ModSecurity 2.0.0-dev1 is out and it includes support for RBL
>> operation. Example (it's documented in the manual too):
>>
>> SecFilterSelective REMOTE_ADDR "@rblCheck sbl-xbl.spamhaus.org"
>>
>> Regex backreferences will be supported in 2.0.0-dev2 (they
>> are supported already in the CVS BTW). Caching is not supported
>> at the moment. I do plan to support it in 2.0.0-dev2.
>>
> FYI about caching...
>
> I am just going through an issue with the lack of *NEGATIVE TTL* caching
> (DNS NCACHE support) within djbdns's dnscache. It really hits the
> performance of SpamAssassin from far-away countries (from the RBL
> servers) like mine (New Zealand).
>
> Be aware that you probably want to cache both *successful* and
> *unsuccessful* lookups as you cannot rely on the DNS server your OS is
> using to do it for you. The negative caching especially is important, as
> realistically, 99.9% of the IPs that connect to a Web server won't be in
> any RBL.

Noted.

BTW, it should be possible to use the IP blacklisting mechanism for
caching even now (the drawback is you won't be able to use it for
something else). The following works in 2.0.0-dev1:

# Enable IP tracking
SecIpInfo On
SecDataDir /var/lib/msa

# Deny access to those we know are in the RBL
SecFilterSelective IP_BLOCK_MESSAGE "INRBL" log,deny,status:403

# Do not lookup the addresses we saw recently
SecFilterSelective IP_IS_BLOCKED "@eq 1" skip:2

# Block addresses in RBL
SecFilterSelective REMOTE_ADDR "@rblCheck sbl-xbl.spamhaus.org" \
    "log,deny,status:403,blockip:3600,msg:'INRBL'"

# Put all addresses on the list but with a different message
SecFilterSelective REMOTE_ADDR !^$ nolog,pass,blockip:3600,msg:'NOTRBL'

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
Apache Security (O'Reilly): http://www.apachesecurity.net
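As an added illustration of the two points above (Jason's advice to cache unsuccessful lookups as well as successful ones, and Ivan's workaround that stores INRBL/NOTRBL entries for 3600 seconds), here is a standalone Python RBL checker with a TTL cache for both outcomes; it is not code from the thread or from ModSecurity. The resolver and clock are injected so it runs offline: the fake zone data and the 192.0.2.x/198.51.100.x addresses are constructed, and only the sbl-xbl.spamhaus.org zone name comes from the thread.

```python
import ipaddress
import socket
import time
from typing import Callable, Dict, Optional, Tuple


def rbl_query_name(ip: str, zone: str) -> str:
    """DNSBL query name: the IPv4 octets reversed, under the list zone
    (192.0.2.10 -> 10.2.0.192.sbl-xbl.spamhaus.org)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dns_resolver(name: str) -> Optional[str]:
    """Live lookup: an A record means 'listed', NXDOMAIN means 'not listed'."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


class CachingRblChecker:
    """Caches hits AND misses for `ttl` seconds (like the INRBL/NOTRBL
    blockip:3600 entries), so an unlisted visitor costs one DNS round trip
    per TTL instead of one per request."""

    def __init__(self, zone: str, ttl: float = 3600.0,
                 resolve: Callable[[str], Optional[str]] = dns_resolver,
                 now: Callable[[], float] = time.time) -> None:
        self.zone, self.ttl, self.resolve, self.now = zone, ttl, resolve, now
        self.cache: Dict[str, Tuple[bool, float]] = {}  # ip -> (listed, expiry)
        self.lookups = 0  # real resolver calls, to show the cache working

    def is_listed(self, ip: str) -> bool:
        entry = self.cache.get(ip)
        if entry is not None and entry[1] > self.now():
            return entry[0]  # cached hit or cached miss, no DNS traffic
        self.lookups += 1
        listed = self.resolve(rbl_query_name(ip, self.zone)) is not None
        self.cache[ip] = (listed, self.now() + self.ttl)
        return listed


# Constructed stand-in for DNS so the example runs offline: one address
# (192.0.2.10, a documentation prefix) is "listed", everything else is not.
FAKE_ZONE_DATA = {"10.2.0.192.sbl-xbl.spamhaus.org": "127.0.0.2"}


def fake_resolver(name: str) -> Optional[str]:
    return FAKE_ZONE_DATA.get(name)
```

Pass `resolve=dns_resolver` (the default) to query a real list; the negative entries are what keep a busy server from re-asking the zone about every clean visitor.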
From: Tom A. <tan...@oa...> - 2006-03-10 14:25:50
Jason Haar wrote:
> FYI about caching...
>
> I am just going through an issue with the lack of *NEGATIVE TTL* caching
> (DNS NCACHE support) within djbdns's dnscache. It really hits the
> performance of SpamAssassin from far-away countries (from the RBL
> servers) like mine (New Zealand).
>
> Be aware that you probably want to cache both *successful* and
> *unsuccessful* lookups as you cannot rely on the DNS server your OS is
> using to do it for you. The negative caching especially is important, as
> realistically, 99.9% of the IPs that connect to a Web server won't be in
> any RBL.

I hope that such a cache would also allow local blacklisting of non-RBL'd
addresses so that prior failures of other rules could trigger (through a
"blacklist" action) the rejection of all requests from that address
without having to run the full gamut of rules on each subsequent hit.

Tom