ModSecurity: my first rules

I have been using ModSecurity for quite some time now to protect a webserver, but I never felt the need to write my own rules. Recently though, my site got quite a lot of spam in the comments of my TikiWiki-based site. Since I was not willing to disable the anonymous comment posting, I decided to see if I could use Mod_Security to block the spam.

The spam all looked alike with the following characteristics. It all contained a list of URIs with a pipe | before them. So I decided to try the easiest way, by blocking all posts with this characteristic.

SecFilterSelective REQUEST_URI ".php" chain

SecFilterSelective POST_PAYLOAD " \| http\:"

And it works fine:

[Sat Jul 01 12:37:32 2006] [error] [client 211.47.162.225] mod_security: Access denied with code 404. Pattern match " \\| http\\:" at POST_PAYLOAD …

Surely the rule can be much refined, but as long as it works as it does, and I see no bad side effects, I'm happy 😉
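A way to check the two chained patterns for false positives before deploying them, as an added example that is not part of the original post: it emulates the chain in Python over constructed sample requests and compares the escaped pipe with a bare one. The `/comments.php` and `/upload.cgi` paths, the sample bodies and the URL-decoding step are assumptions made for the illustration.

```python
import re
from urllib.parse import unquote_plus

URI_PATTERN = r".php"                 # first rule in the chain, as in the post
PAYLOAD_ESCAPED = r" \| http\:"       # form reported in the log line
PAYLOAD_UNESCAPED = r" | http:"       # bare '|' is regex alternation

# Constructed sample requests: (label, method, URI, form-encoded body).
SAMPLES = [
    ("spam", "POST", "/comments.php",
     "comment=nice+site+%7C+http%3A%2F%2Fspam.example%2Fa"
     "+%7C+http%3A%2F%2Fspam.example%2Fb"),
    ("plain", "POST", "/comments.php", "comment=Thanks%2C+this+helped+a+lot"),
    ("link", "POST", "/comments.php",
     "comment=See+http%3A%2F%2Fexample.org%2Fdocs+for+details"),
    ("pipe_list", "POST", "/comments.php",
     "comment=mirrors%3A+main+%7C+http%3A%2F%2Fexample.org%2Fmirror"),
    ("other_uri", "POST", "/upload.cgi",
     "note=a+%7C+http%3A%2F%2Fspam.example%2Fa"),
]


def chain_blocks(method, uri, body, payload_pattern):
    """True when both links of the chain match, i.e. the request is denied."""
    if method != "POST" or not re.search(URI_PATTERN, uri):
        return False
    # Assumption: the body is URL-decoded before the pattern is applied.
    return re.search(payload_pattern, unquote_plus(body)) is not None


def evaluate(payload_pattern):
    """Map each sample label to whether the chain would deny it."""
    return {label: chain_blocks(m, u, b, payload_pattern)
            for label, m, u, b in SAMPLES}


if __name__ == "__main__":
    for name, pat in (("escaped", PAYLOAD_ESCAPED),
                      ("unescaped", PAYLOAD_UNESCAPED)):
        print(name, evaluate(pat))
```

With the bare pipe, every comment containing a space is denied; with the escaped pipe only the `spam` and `pipe_list` samples are, the latter being a legitimate comment that a refined rule would need to let through.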
