How to block and to test for unauthorized access
Posted: Mon Apr 23, 2012 9:00 pm
Hello everyone,
I've been using modsecurity with your delayed ruleset to help protect my apache2 web server for some time now. It's been working great until just recently. I was thumbing through my server's web access logs and found some entries that are worrying me. My question is how can I write a new rule for modsec that will block this unauthorized access and how can I test to ensure the new rule is working. I suppose I could write a mod_rewrite rule for this if I had to, but I would much rather write a modsec rule for this. Thanks for your time.
The unauthorized access:
120.38.196.182 - - [22/Apr/2012:17:17:06 -0600] "GET http://5566.net/ HTTP/1.1" 200 9101
Modsecurity Version:
ModSecurity for Apache/2.6.1
ModSecurity ruleset:
modsec-201202181610
Loaded Modules:
core_module (static)
authn_file_module (static)
authn_default_module (static)
authz_host_module (static)
authz_groupfile_module (static)
authz_user_module (static)
authz_default_module (static)
auth_basic_module (static)
deflate_module (static)
log_config_module (static)
ssl_module (static)
mpm_prefork_module (static)
http_module (static)
mime_module (static)
dir_module (static)
alias_module (static)
rewrite_module (static)
so_module (static)
unique_id_module (shared)
headers_module (shared)
php5_module (shared)
evasive20_module (shared)
security2_module (shared)
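
An added example, not part of the original post: a log check that finds every access-log entry like the one quoted above, where the request target is an absolute URI (or a CONNECT authority) naming a host the server does not serve. The function name, the `own_hosts` allowlist and every sample line except the first are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Common Log Format: client ident user [time] "request line" status bytes
CLF = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

def find_foreign_absolute_uri(lines, own_hosts):
    """Return one dict per request whose target names a host not in own_hosts."""
    own = {h.lower() for h in own_hosts}
    hits = []
    for line in lines:
        m = CLF.match(line.strip())
        if not m:
            continue  # not a Common Log Format line
        parts = m.group("request").split()
        if len(parts) != 3:
            continue  # malformed request line
        method, target, _version = parts
        if method.upper() == "CONNECT":
            host = target.rsplit(":", 1)[0]         # authority-form: host:port
        elif "://" in target:
            host = urlsplit(target).hostname or ""  # absolute-form: scheme://host/path
        else:
            continue  # origin-form such as /index.html, the normal case
        host = host.lower()
        if host not in own:
            hits.append({"client": m.group("client"), "time": m.group("time"),
                         "method": method, "host": host,
                         "status": int(m.group("status"))})
    return hits

# First line is the entry quoted in the post; the rest are constructed samples.
SAMPLE_LOG = [
    '120.38.196.182 - - [22/Apr/2012:17:17:06 -0600] "GET http://5566.net/ HTTP/1.1" 200 9101',
    '192.0.2.10 - - [22/Apr/2012:17:18:00 -0600] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.11 - - [22/Apr/2012:17:19:00 -0600] "GET http://www.example.org/about HTTP/1.1" 200 734',
    '192.0.2.12 - - [22/Apr/2012:17:20:00 -0600] "CONNECT mail.example.net:25 HTTP/1.0" 405 -',
]

if __name__ == "__main__":
    # own_hosts is an assumed allowlist of names this server legitimately answers for.
    for hit in find_foreign_absolute_uri(SAMPLE_LOG, {"www.example.org"}):
        print(hit)
```

Running the same check over the log after a blocking rule is deployed shows whether flagged requests now receive an error status instead of 200.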