Default Apache page - access denied on rule 350000

Community support forums for the free/delayed modsecurity rules feed. There is no such thing as a bad question here as long as it pertains to using the delayed modsecurity rules feed. Newbies feel free to get help getting started or asking questions that may be obvious.
andy928
New Forum User
New Forum User
Posts: 4
Joined: Tue Jul 10, 2012 7:05 pm
Location: Australia

Default Apache page - access denied on rule 350000

Unread post by andy928 »

Hello All,

A client cannot access our website - a default Apache page pops up. After checking modsec_debug.log it seems that it was triggered by

Code: Select all

[10/Jul/2012:17:34:44 --0400] [www.mydomain.com/sid#2b54f88fb890][rid#2b550005a0f8][/icons/powered_by_rh.png][1]  [file "/etc/httpd/conf/mod_security_rules/rules_asl/00_asl_rbl.conf"] [line "48"] [id "350000"] [rev "2"] [msg "Global RBL Match: IP is on the xbl.spamhaus.org Blacklist (Report False Positives to www.spamhaus.org)"] [severity "ERROR"] Access denied with code 403 (phase 1). RBL lookup of 213.211.150.75.xbl.spamhaus.org succeeded at REMOTE_ADDR (Illegal 3rd party exploits).
Adding client IP to a whitelist fixed the problem. Here is what puzzles me: the listed IP 213.211.150.75 is not the client's IP (his IP is 75.150.211.213). Both IPs (75.150.211.213 and 213.211.150.75) are not in the spamhouse black list. What is happening here? Why Modsecurity picks that IP 213.211.150.75?

Please advise.

Thanks!
User avatar
mikeshinn
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Default Apache page - access denied on rule 350000

Unread post by mikeshinn »

Thanks for the question. All RBL lookups with any tool by any author reverses the IP address to fit the zone model that DNS uses in the FQDN lookup, so a look up for the IP 1.2.3.4 will look like 4.3.2.1.rbl.domain.com, because 1 is the superset that 2 is subset of, and 3 is a subset of that and so on. Thats the standard all the RBLs use, because thats how DNS zones work, so the request is normal. Its not looking up 4.3.2.1 its looking up the IP 1.2.3.4.

If an RBL operator reports an IP on their blacklist, you will need to contact them about the IP, the rules do not do anything except ask your DNS server to look up the IP, and then report what your DNS server said. RBLs are generally realtime, which means the IPs on the list are a reflection of their condition in real time, which means that if you check the IP 24 hours later against an RBL the IP may or may not be on that RBL anymore (hence the term realtime).

So the rule is not wrong, it simply can not, it doesnt do anything except ask your DNS server to look up an IP, and then it reports what your DNS server said. So if spamhaus confirmed that the IP was never on their RBL, then your DNS server is very broken and you will need to look into whats wrong with it. My guess would be that the IP was on spamhauses RBL at the time the lookup occurred, and at some point afterwards was removed from the RBL.

I hope this helps.
andy928
New Forum User
New Forum User
Posts: 4
Joined: Tue Jul 10, 2012 7:05 pm
Location: Australia

Re: Default Apache page - access denied on rule 350000

Unread post by andy928 »

Thank you, Michael. In fact, i checked that IP with spamhouse in about 5 min after talking to the client. How can I check if something is wrong with my DNS server? I am on a dedicated server and have access to all settings. All common tests confirm that there are no reported problems with DNS.

Is there another way to track that error?

Thanks,

Andrew
faris
Long Time Forum Regular
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: Default Apache page - access denied on rule 350000

Unread post by faris »

You can do a manual lookup using dig

Typically the syntax is

Code: Select all

dig @localhost domain.tld
To check an RBL, you quite often have to reverse the IP and append it to the RBL. So to lookup 111.222.333.444 you'd need to use something like

Code: Select all

dig @localhost 444.333.222.111.rbl.rblcompany.tld
e.g.

Code: Select all

dig @localhost 444.333.222.111.zen.spamhaus.org
You might want to compare the answer that gives with doing the same lookup on a nother DNS server. e.g. Google's DNS, OpenDNS, your ISP's DNS etc. Just change @localhost to @8.8.8.8 or @ip-or-domain-of-dns-server

If I remember correcly, NX Domain = not listed. 127.0.0.2 and over means listed.
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
Post Reply