What is triggered first, IPTABLES or MODSEC?

Posted: Sat Dec 19, 2009 1:55 am
by Sergio
Hi,
I have the following scenario:

I have a global deny file where IPs are blacklisted, in there is an IP 75.135.132.235. Also, I have blacklisted the same IP in one of my mod_sec rules.

To my understanding, when this IP is trying to connect to the server, it will be blocked by IPTABLES so the connection will be stopped. But something weird is happening, look at the modsec log:
2009-12-18 21:27:23 75.135.132.235 /guestbook.php?do=do_sign HTTP/1.1 www.somedomain.com Access denied with code 406 (phase 2). Matched phrase "75.135.132.235" at REMOTE_ADDR. [file "/usr/local/apache/conf/modsec_rules/00_asl_rbl.conf"] [line "10"] [id "350002"] [rev "2"] [msg "IP Match: SPAMMER is in My Blacklist"] [severity "ERROR"] 406
So, the question is, why was the IP blocked by the modsec rule if it had to be stopped at the very moment of trying to connect to the server?

Is it a security issue that iptables didn't stop this?

What do you think?

Regards,
Sergio

Re: What is triggered first, IPTABLES or MODSEC?

Posted: Sat Dec 19, 2009 11:02 am
by scott
Your firewall rules occur at layer 3, so if they are set up correctly it would stop there. If you're looking for more information on how to do this, check out our book:
http://www.amazon.com/Troubleshooting-L ... 877&sr=8-1

You've probably got your order wrong

Re: What is triggered first, IPTABLES or MODSEC?

Posted: Sat Dec 19, 2009 12:54 pm
by mikeshinn
(Thread moved because this is not an ASL issue, this is regarding custom iptable rules on a non-ASL system)

Exactly. iptables happens down at the kernel and network interface level, so it always comes before something like Apache (and therefore modsec). The most common mistake people make with iptables rules is using "-A" instead of "-I" for a rule. -A means append, -I means insert. -A puts the rule at the bottom of the list - usually *after* their allow rules. netfilter is first come, first served, from first to last. So when it hits a match, it processes it, and if an earlier rule allows traffic to port 80 then that will match before a later rule blocking an IP, and the later rule will never match.

We wrote a whole book on troubleshooting iptables rules, or you could just use ASL which does blacklisting easily with iptables. :-)
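
The ordering problem Mike describes, as an added illustration that is not part of the thread and not ASL code. It simulates netfilter's first-match walk over an INPUT chain in Python so it can be run without root: a constructed web-server rule set that already ACCEPTs ports 22, 80 and 443 gets the blacklist rule for 75.135.132.235 (the IP from the original post) added once with -A and once with -I, and the same SYN to port 80 is evaluated against both. The rule set, the other source address and the packets are constructed for the example; on a real host the equivalent commands are `iptables -A INPUT -s 75.135.132.235 -j DROP` versus `iptables -I INPUT -s 75.135.132.235 -j DROP`, and `iptables -L INPUT -n --line-numbers` shows where the rule actually landed.

```python
"""Simulated netfilter INPUT chain: the first matching rule decides, so
where a blacklist rule lands (-A append vs -I insert) decides whether it
ever fires before an earlier ACCEPT for port 80.

Added illustration for this thread, not ASL code. The base rule set, the
second source address and the packets are constructed; the blacklisted IP
is the one from the original post.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    target: str                  # ACCEPT or DROP (-j)
    src: Optional[str] = None    # -s <ip>; None means any source
    proto: Optional[str] = None  # -p tcp/udp; None means any protocol
    dport: Optional[int] = None  # --dport <n>; None means any port

    def matches(self, pkt: dict) -> bool:
        """Every match field that is set must agree with the packet."""
        return (
            (self.src is None or pkt["src"] == self.src)
            and (self.proto is None or pkt["proto"] == self.proto)
            and (self.dport is None or pkt.get("dport") == self.dport)
        )


@dataclass
class Chain:
    policy: str = "DROP"                        # iptables -P INPUT DROP
    rules: List[Rule] = field(default_factory=list)

    def append(self, rule: Rule) -> None:
        """iptables -A INPUT ...: the rule goes to the bottom of the chain."""
        self.rules.append(rule)

    def insert(self, rule: Rule, pos: int = 1) -> None:
        """iptables -I INPUT [pos] ...: 1-based position, default is the top."""
        self.rules.insert(pos - 1, rule)

    def verdict(self, pkt: dict) -> Tuple[str, Optional[int]]:
        """Walk the chain top to bottom; first match wins, else chain policy.
        Returns (target, rule number) with rule number None for the policy."""
        for num, rule in enumerate(self.rules, start=1):
            if rule.matches(pkt):
                return rule.target, num
        return self.policy, None


BLACKLISTED = "75.135.132.235"


def base_chain() -> Chain:
    """Constructed web server rule set: allow 22, 80, 443, default DROP."""
    chain = Chain()
    for port in (22, 80, 443):
        chain.append(Rule("ACCEPT", proto="tcp", dport=port))
    return chain


def blacklist_with_append() -> Chain:
    """The common mistake: -A puts the DROP below the ACCEPT for port 80."""
    chain = base_chain()
    chain.append(Rule("DROP", src=BLACKLISTED))
    return chain


def blacklist_with_insert() -> Chain:
    """-I with no position lands the DROP at rule 1, ahead of every ACCEPT."""
    chain = base_chain()
    chain.insert(Rule("DROP", src=BLACKLISTED))
    return chain


# Constructed packets: the blacklisted IP hitting the web port (what the
# modsec log showed), a different client on port 80, and the blacklisted IP
# hitting a port nothing accepts.
HTTP_FROM_BLACKLISTED = {"src": BLACKLISTED, "proto": "tcp", "dport": 80}
HTTP_FROM_OTHER = {"src": "198.51.100.7", "proto": "tcp", "dport": 80}
CLOSED_PORT_FROM_BLACKLISTED = {"src": BLACKLISTED, "proto": "tcp", "dport": 9999}


if __name__ == "__main__":
    for label, chain in (("-A append", blacklist_with_append()),
                         ("-I insert", blacklist_with_insert())):
        print(label, "port 80 from blacklist ->", chain.verdict(HTTP_FROM_BLACKLISTED))
        print(label, "port 9999 from blacklist ->", chain.verdict(CLOSED_PORT_FROM_BLACKLISTED))
```

With -A the port 80 packet from the blacklisted address is accepted by rule 2 and reaches Apache, which is exactly why modsec, not iptables, ended up logging it; with -I the same packet is dropped by rule 1. The closed-port packet is dropped either way, so probing the blacklist from a port the chain never accepts is not a valid test of the rule order: check against port 80 itself, or read the listing with --line-numbers.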

Re: What is triggered first, IPTABLES or MODSEC?

Posted: Sun Dec 20, 2009 11:03 am
by Sergio
Thank you Scott and Mike,
I will do a check on this.

Regards,
Sergio