Odd rule 350000 issue

Posted: Tue Jun 24, 2008 1:13 pm
by Spazholio
Here's what I'm getting in my OSSEC HIDS hourly email:

[modsecurity] [client xxx.xxx.xxx.xxx] [domain www.domain.com] [403] [/20080624/20080624-1105/20080624-110535-uvomP0jpM6cAACZhqEoAAAAL] [file "/etc/httpd/modsecurity.d/00_asl_rbl.conf"] [line "23"] [id "350000"] [msg "RBL: sbl-xbl.spamhaus.org"] [severity "ALERT"] Access denied with code 403 (phase 2). Match of "rx 88.138.0.155" against "REMOTE_ADDR" required.

Now, the issues I'm noticing are these:

This isn't showing up in the Dashboard. I created a 00_asl_custom_exclude.conf (which contains: SecRuleRemoveById 350000) in the /etc/httpd/modsecurity.d dir in order to disable this rule, because it's firing on nearly every one of my domains, and has nothing to do with 88.138.0.155. That is not the IP that's getting reported. Heck, I use ModernBill as my billing software, and they were getting blocked from their IP (which isn't even close to 88.138.0.155).

My question is basically, how can I disable this rule permanently, or how can I determine just what the heck is making it fire? It's not matching on that IP, it's matching on something else. Can anyone shed some light on this?
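A small parser for the alert format quoted above, added here as an example; it is not code from the thread or from ASL. It splits each line into its bracketed fields, aggregates hits per rule id (count, distinct clients, distinct domains), and flags the "Match of ... required." wording. In ModSecurity 2.x that wording is, as I read the rule engine, the message logged when a negated operator (`!@rx`) did not match, so the quoted IP is a pattern the client was required to match rather than the client's own address; that reading is an assumption, since rule 350000's text is not shown in the thread. The sample alerts are constructed (documentation IP ranges, made-up audit ids, and rule id 900001 invented for contrast); only 350000 and the RBL message come from the post.

```python
import re
from collections import defaultdict

# Constructed sample alerts in the format quoted in the post. Addresses are
# documentation ranges, audit ids and rule 900001 are made up; only 350000 and
# its message come from the thread.
SAMPLE_ALERTS = [
    '[modsecurity] [client 203.0.113.10] [domain www.domain.com] [403] '
    '[/20080624/20080624-1105/20080624-110535-uvomP0jpM6cAACZhqEoAAAAL] '
    '[file "/etc/httpd/modsecurity.d/00_asl_rbl.conf"] [line "23"] [id "350000"] '
    '[msg "RBL: sbl-xbl.spamhaus.org"] [severity "ALERT"] Access denied with code 403 '
    '(phase 2). Match of "rx 88.138.0.155" against "REMOTE_ADDR" required.',
    '[modsecurity] [client 198.51.100.7] [domain shop.example.net] [403] '
    '[/20080624/20080624-1106/20080624-110612-constructed0000000000001] '
    '[file "/etc/httpd/modsecurity.d/00_asl_rbl.conf"] [line "23"] [id "350000"] '
    '[msg "RBL: sbl-xbl.spamhaus.org"] [severity "ALERT"] Access denied with code 403 '
    '(phase 2). Match of "rx 88.138.0.155" against "REMOTE_ADDR" required.',
    '[modsecurity] [client 203.0.113.10] [domain www.domain.com] [403] '
    '[/20080624/20080624-1107/20080624-110701-constructed0000000000002] '
    '[file "/etc/httpd/modsecurity.d/99_constructed.conf"] [line "5"] [id "900001"] '
    '[msg "Constructed example rule"] [severity "WARNING"] Access denied with code 403 '
    '(phase 2). Pattern match "(?i)select.+from" at ARGS:q.',
]

FIELD_RE = re.compile(r'\[([^\]]*)\]')
REQUIRED_RE = re.compile(
    r'Match of "(?P<op>\S+) (?P<arg>[^"]*)" against "(?P<var>[^"]+)" required\.')


def parse_alert(line):
    """Split one alert line into its bracketed fields plus the trailing engine message."""
    rec = {}
    for tok in FIELD_RE.findall(line):
        key, sep, val = tok.partition(' ')
        if not sep:                      # single-token fields carry no key
            if key == 'modsecurity':
                rec['source'] = key
            elif key.isdigit():
                rec['status'] = int(key)
            elif key.startswith('/'):
                rec['audit_id'] = key
            continue
        rec[key] = val.strip('"')
    rec['message'] = line[line.rfind(']') + 1:].strip()
    m = REQUIRED_RE.search(rec['message'])
    if m:
        # "... required." is (assumption: editor's reading of ModSecurity 2.x) the
        # message for a negated operator that did not match: the quoted value is
        # what the client had to match, not what it actually sent.
        rec['negated'] = True
        rec['operator'] = m.group('op')
        rec['operator_arg'] = m.group('arg')
        rec['variable'] = m.group('var')
    else:
        rec['negated'] = False
    return rec


def logged_ip_is_client(rec):
    """True when the pattern quoted in a REMOTE_ADDR rx match describes the client itself.

    Returns None when the alert carries no such match. Uses re.search, as @rx does,
    so the dots in the pattern are wildcards just as ModSecurity would treat them."""
    if rec.get('variable') != 'REMOTE_ADDR' or rec.get('operator') != 'rx':
        return None
    return re.search(rec['operator_arg'], rec.get('client', '')) is not None


def summarize(lines):
    """Aggregate alerts by rule id: hits, distinct clients/domains, first msg, negated hits."""
    by_rule = defaultdict(lambda: {'count': 0, 'clients': set(), 'domains': set(),
                                   'msg': None, 'negated_hits': 0})
    for line in lines:
        rec = parse_alert(line)
        rid = rec.get('id')
        if rid is None:
            continue
        entry = by_rule[rid]
        entry['count'] += 1
        entry['clients'].add(rec.get('client'))
        entry['domains'].add(rec.get('domain'))
        entry['msg'] = entry['msg'] or rec.get('msg')
        entry['negated_hits'] += rec['negated']
    return dict(by_rule)


if __name__ == '__main__':
    for rid, e in sorted(summarize(SAMPLE_ALERTS).items(), key=lambda kv: -kv[1]['count']):
        print(f"rule {rid}: {e['count']} hits, {len(e['clients'])} clients, "
              f"{len(e['domains'])} domains, negated={e['negated_hits']}, msg={e['msg']!r}")
```

Run against a day of hourly emails, the per-rule summary shows at a glance which ids dominate and how many distinct clients and domains they hit, which is the evidence needed before deciding between a targeted SecRuleRemoveById and switching a whole rule group off. The `logged_ip_is_client` check makes the point in the post explicit: for the 350000 lines it returns False, because the quoted 88.138.0.155 is not the client's address.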

Posted: Tue Jun 24, 2008 7:51 pm
by scott
You can disable RBL checks in /etc/asl/config, set the following:

MODSEC_00_RBL="off"

and run:

asl -s -f

Posted: Tue Jun 24, 2008 10:13 pm
by Spazholio
Is that actually advised? To disable a whole category of security checks? Or is RBL checking one of those that's not TOO bad to eliminate?

Posted: Wed Jun 25, 2008 7:17 am
by scott
IPs listed on the RBL are known sources of either spam or malicious activity. Personally, yes, I think disabling it is a bad idea. If your users are coming from RBL sources, which isn't uncommon for a lot of international users, then using it might not be an option.

Posted: Wed Jul 02, 2008 1:45 pm
by hostingguy
We don't use the RBL on our servers; we figure if they are going to do anything bad they will get caught in a specific rule.

Posted: Wed Jul 02, 2008 5:36 pm
by warrenc
I'm using that ruleset as well and get lots of the same alerts. I'm sure it's not too difficult to 'demote' them so that they don't fire off so many OSSEC emails, etc though. I have a ticket in regarding this, hopefully they will help but if not I'll dig into it a bit when I have some time.
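One way to do the demoting warrenc describes, added here as an example that is not from the thread or from ASL: an OSSEC local_rules.xml child rule that lowers the alert level for hits on id 350000 below the e-mail threshold (OSSEC's default email_alert_level is 7) while still writing them to alerts.log, so the events stay available for the kind of per-rule tally above. The parent id 30411 is a placeholder, not taken from the thread: replace it with the number on the "Rule:" line of the hourly e-mails. The child id 100350 is an arbitrary choice inside OSSEC's local range, and `<match>` is a literal substring match on the raw log line.

```xml
<group name="local,modsecurity,">
  <!-- Child of the OSSEC rule that currently fires for these lines.
       30411 is a PLACEHOLDER: use the id shown on the "Rule:" line of your e-mail. -->
  <rule id="100350" level="3">
    <if_sid>30411</if_sid>
    <!-- literal substring match on the ModSecurity id field -->
    <match>[id "350000"]</match>
    <description>ModSecurity RBL rule 350000 (noisy): kept in alerts.log, below the e-mail level.</description>
  </rule>
</group>
```

Level 3 keeps the event but stops the mail; level 0 would discard it entirely, which is the wrong trade if the RBL hits are ever needed to reconstruct what a client did before a later rule caught it. Restart OSSEC after editing local_rules.xml, and re-run the tally for a day to confirm the 350000 lines now arrive only in alerts.log.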