mod-security-users

[mod-security-users] SecFilterInheritance

[Shelagh G. <sh...@sm...>]

I run a small web hosting business and recently we've been plagued with
trackback spam.  It's been so bad recently that if I don't catch that attack
at the start and disable all the trackback scripts the server very quickly
becomes unusable and has to be rebooted.  To try and stem the tide I've
implemented Peter Wood's script
(http://prwdot.org/docs/blacklist_to_modsec.html) that uses the MT Blacklist
to create a set of rules for ModSecurity to block comments and trackbacks
containing spam.  Peter suggested bypassing ModSecurity for certain
locations and I've figured out how to do this for a file, eg, 
<Files mt.cgi>
SecFilterInheritance Off
</Files>

I would like to know how to do this for a whole directory, is it possible?

The other situation I'd like some help with is one of my customers who
doesn't blog at all.  Their site is devoted to transcribing a census index.
The only forms on the site are those used by the transcribers for data entry
in a password-protected area which is never going to get spammed.  One the
one hand they could just bypass ModSecurity completely but the handy thing
I've noticed about Peter's script is that not only is it blocking comments
and trackbacks it appears to be blocking a lot of referrer spam as well.
I'm assuming there is a way, using a .htaccess file, to stop ModSecurity
scanning the data entry forms but to continue blocking the referrer spam.

Thanks - Shelagh

Re: [mod-security-users] SecFilterInheritance

[Peter W. <prw...@gm...>]

Hi Shelagh,

Funny running into you here. :-)

> containing spam.  Peter suggested bypassing ModSecurity for certain
> locations and I've figured out how to do this for a file, eg, 
> 
> <Files mt.cgi> 
> SecFilterInheritance Off 
> </Files> 
> 
> I would like to know how to do this for a whole directory, is it possible? 

<Files> limits scope by filename. You can use either one of the
following directives to achieve what you want:

<Directory>
Limit scope based on absolute filesystem paths
http://httpd.apache.org/docs-2.0/mod/core.html#directory

<Location>
Limit scope based on URL
http://httpd.apache.org/docs-2.0/mod/core.html#location

FYI, these are Apache directives, and are not specific to mod_security.

> I'm assuming there is a way, using a .htaccess file, to stop ModSecurity
> scanning the data entry forms but to continue blocking the referrer spam. 

They would simply need to put the following in their .htaccess file:

<IfModule mod_security.c>
SecFilterInheritance Off
SecFilterSelective HTTP_Referer "example rule to block"
</IfModule>

This would only block content found in referers. Be sure to note that
this does not necessarily eliminate referrers from Apache's log files.
You would need to do some custom log configuration in Apache so that
requests blocked by mod_security do not show up in the Apache logs.

Peter
-- 
Peter R. Wood | email: prw...@gm... | blog: http://prwdot.org/

Re: [mod-security-users] SecFilterInheritance

[Peter W. <prw...@gm...>]

> <Directory>
> Limit scope based on absolute filesystem paths
> http://httpd.apache.org/docs-2.0/mod/core.html#directory
> 
> <Location>
> Limit scope based on URL
> http://httpd.apache.org/docs-2.0/mod/core.html#location

P.S.

The links to documentation are for Apache 2.0x. For Apache 1.x, the links are:

<Directory>: http://httpd.apache.org/docs/mod/core.html#directory
<Location>: http://httpd.apache.org/docs/mod/core.html#location

-- 
Peter R. Wood | email: prw...@gm... | blog: http://prwdot.org/