4

I have an apache2 server with several sites enabled on it, including the default one (000default). The default server is catching lots of spammy requests that are doing nothing but consume bandwidth and fill up the log file.

What would be a minimal virtual host config that would drop all requests that hit the default site?

This is what I have so far using mod_security, but it seems to do nothing but respond with a 403 for all requests:

<VirtualHost *:80>
    ServerName default.only
    SecRuleEngine On
    SecAction "drop,phase:1"
</VirtualHost>
MDMarra
izb

4 Answers

5

The mod_security action deny will produce a 403 response whereas drop will immediately close the connection. From the manual:

drop

Description: Immediately initiate a "connection close" action to tear down the TCP connection by sending a FIN packet.

Action Group: Disruptive

Example: The following example initiates an IP collection for tracking Basic Authentication attempts. If the client goes over the threshold of more than 25 attempts in 2 minutes, it will DROP subsequent connections.

SecAction initcol:ip=%{REMOTE_ADDR},nolog
SecRule ARGS:login "!^$" \
    nolog,phase:1,setvar:ip.auth_attempt=+1,deprecatevar:ip.auth_attempt=20/120
SecRule IP:AUTH_ATTEMPT "@gt 25" \
    log,drop,phase:1,msg:'Possible Brute Force Attack'

Note

This action is extremely useful when responding to both Brute Force and Denial of Service attacks in that, in both cases, you want to minimize both the network bandwidth and the data returned to the client. This action causes an error message to appear in the log: "(9)Bad file descriptor: core_output_filter: writing data to the network"

Ladadadada
4

Apache has to handle the request in some way, it can't just ignore them. Responding with 403 Forbidden is as close as you get.

bahamat
    You *can* drop connections without handling them using the mod_security module. It's the configuration of that module I'm having problems with. – izb Jun 23 '12 at 10:54
3

I managed to fix this with the following config:

<VirtualHost *:80>
    ServerName default.only

    SecRuleEngine On
    # "^\d" matches any client address that starts with a digit, i.e. every IPv4
    # client (an IPv6 address beginning with a letter, such as fe80::..., would
    # not match). The id: action is mandatory from mod_security 2.7 onwards;
    # the number is arbitrary but must be unique across all loaded rules.
    SecRule REMOTE_ADDR "^\d" "id:1000001,phase:1,drop"
</VirtualHost>
izb
  • Thanks, this appears to fix the problem for requests on port 80 but not 443. If I add an analogous virtual host with 443 I get an error on my SSL enabled sites: "Error code: SSL_ERROR_RX_RECORD_TOO_LONG". Is it possible to apply this to 443 as well? – Mike S May 19 '19 at 23:59
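A small probe that tells the two outcomes apart (drop: the server closes the TCP connection with nothing sent back; deny: a 403 response with headers and body), so you can confirm from outside that the default vhost really drops instead of answering. This is an added example, not code from the question or any of the answers. It assumes nothing about Apache: the two local listeners in the block are constructed stand-ins that imitate mod_security's drop and deny behaviour so the script runs offline; point probe() at a real host, port and ServerName to check a live server.

```python
import socket
import threading


def probe(host, port, server_name, timeout=5.0):
    """Send one minimal HTTP/1.0 request for the named vhost and classify
    the reaction: 'dropped' (connection closed, zero bytes returned),
    'response' (status line parsed) or 'timeout'."""
    request = f"GET / HTTP/1.0\r\nHost: {server_name}\r\n\r\n".encode()
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        try:
            while True:
                data = sock.recv(4096)
                if not data:          # FIN from the peer: orderly close
                    break
                chunks.append(data)
        except ConnectionResetError:  # RST from the peer: also a drop
            pass
        except socket.timeout:
            return {"outcome": "timeout", "bytes": sum(map(len, chunks))}
    body = b"".join(chunks)
    if not body:
        # This is what mod_security's drop looks like from the client side:
        # no status line, no headers, no bandwidth spent on a reply.
        return {"outcome": "dropped", "bytes": 0}
    status_line = body.split(b"\r\n", 1)[0].decode(errors="replace")
    parts = status_line.split()
    status = parts[1] if len(parts) >= 2 and parts[1].isdigit() else None
    return {"outcome": "response", "status": status, "bytes": len(body)}


def start_fake_vhost(behaviour):
    """Constructed stand-in for a vhost (not Apache): listens on a random
    local port and handles exactly one connection.
    'drop' reads the request and closes without answering;
    'deny' answers 403 Forbidden the way a mod_security deny would."""
    server = socket.socket()
    server.bind(("127.0.0.1", 0))
    server.listen(1)
    port = server.getsockname()[1]

    def run():
        conn, _ = server.accept()
        with conn:
            conn.recv(4096)  # consume the request so the close is a FIN, not an RST
            if behaviour == "deny":
                conn.sendall(
                    b"HTTP/1.0 403 Forbidden\r\n"
                    b"Content-Length: 9\r\nConnection: close\r\n\r\n"
                    b"Forbidden"
                )
        server.close()

    threading.Thread(target=run, daemon=True).start()
    return port


if __name__ == "__main__":
    for behaviour in ("drop", "deny"):
        port = start_fake_vhost(behaviour)
        print(behaviour, "->", probe("127.0.0.1", port, "default.only"))
```

On a real server, run probe() against the public address with the default vhost's ServerName (or an unknown Host header) and compare with a request for one of the legitimate sites: the former should come back as dropped with 0 bytes, the latter as a normal response. A result of "response" with status 403 means the rule is still in deny mode rather than drop.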
2

This works for me with libapache2-mod-security2 v2.8.0:

<VirtualHost *:80>
  ServerName 1.2.3.4

  CustomLog /dev/null combined

  # https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual
  SecRuleEngine On
  SecAction id:1,phase:1,nolog,drop
</VirtualHost>
Jörg Ludwig
  • Thanks, this fixes the problem for requests on port 80 but not 443. If I add an analogous virtual host with 443 I get an error on my SSL enabled sites: "Error code: SSL_ERROR_RX_RECORD_TOO_LONG". Is it possible to apply this to 443 as well? – Mike S May 20 '19 at 00:00