[Owasp-modsecurity-core-rule-set] block CONNECT

Aniyan Rajan aniyan.rajan6 at gmail.com
Mon Feb 9 07:04:29 UTC 2015


Hello,


I am getting the following in the apache/error.log. There are plenty of 
such errors coming in daily. So I would like to block them. They are 
from different IPs. So fail2ban is not a good option. They come from 
"mail2000.com.tw". How can I block this domain from trying to CONNECT?


[Sat Feb 07 09:52:21 2015] [error] [client 118.165.130.55] ModSecurity: 
Access denied with code 403 (phase 1). Match of "rx 
^(?:(?:[a-z]{3,10}\\\\s+(?:\\\\w{3,7}?://[\\\\w\\\\-\\\\./]*(?::\\\\d+)?)?/[^?#]*(?:\\\\?[^#\\\\s]*)?(?:#[\\\\S]*)?|connect 
(?:\\\\d{1,3}\\\\.){3}\\\\d{1,3}\\\\.?(?::\\\\d+)?|options 
\\\\*)\\\\s+[\\\\w\\\\./]+|get 
/[^?#]*(?:\\\\?[^#\\\\s]*)?(?:#[\\\\S]*)?)$" against "REQUEST_LINE" 
required. [file 
"/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_20_protocol_violations.conf"] 
[line "37"] [id "960911"] [rev "2.2.5"] [msg "Invalid HTTP Request 
Line"] [data "CONNECT mx0.mail2000.com.tw:25 HTTP/1.0"] [severity 
"WARNING"] [tag 
"https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-960911"] [tag 
"http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1"] [tag 
"RULE_MATURITY/8"] [tag "RULE_ACCURACY/8"] [hostname 
"mx0.mail2000.com.tw"] [uri "/"] [unique_id "VNXgVX8AAAEAAHqycsoAAAAC"]


I tried the following in /etc/apache2/sites-available/default. Will this 
work?
<VirtualHost *:80>
.....
.....
</VirtualHost>

<Files *>
<LimitExcept GET POST>
deny from all
</LimitExcept>
</Files>


Thanks.
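
Added example, not part of the original post: in the entry above, rule 960911 has already answered the request with a 403, and mail2000.com.tw appears in the logged request line (`CONNECT mx0.mail2000.com.tw:25`) as the CONNECT target, while the client is a separate address. This Python script groups such error.log entries by CONNECT target and client; the sample lines, the `mail.example.test` target and the function name are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample entries in the ModSecurity 2.x error.log layout shown in
# the post (one entry per line; client addresses are documentation ranges).
SAMPLE_LOG = [
    '[Sat Feb 07 09:52:21 2015] [error] [client 192.0.2.10] ModSecurity: Access denied '
    'with code 403 (phase 1). [id "960911"] [msg "Invalid HTTP Request Line"] '
    '[data "CONNECT mx0.mail2000.com.tw:25 HTTP/1.0"] [hostname "mx0.mail2000.com.tw"]',
    '[Sat Feb 07 10:03:02 2015] [error] [client 198.51.100.7] ModSecurity: Access denied '
    'with code 403 (phase 1). [id "960911"] [msg "Invalid HTTP Request Line"] '
    '[data "CONNECT mx0.mail2000.com.tw:25 HTTP/1.0"] [hostname "mx0.mail2000.com.tw"]',
    '[Sat Feb 07 10:05:40 2015] [error] [client 192.0.2.10] ModSecurity: Access denied '
    'with code 403 (phase 1). [id "960911"] [msg "Invalid HTTP Request Line"] '
    '[data "CONNECT mail.example.test:25 HTTP/1.1"] [hostname "mail.example.test"]',
    '[Sat Feb 07 10:06:11 2015] [error] [client 203.0.113.5] File does not exist: /var/www/x',
]

CLIENT_RE = re.compile(r'\[client ([^\]\s]+)\]')
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')   # [id "960911"], [data "..."]
CONNECT_RE = re.compile(r'^CONNECT\s+(\S+?)(?::(\d+))?\s+HTTP/', re.IGNORECASE)


def summarize_connect_attempts(lines):
    """Group logged CONNECT request lines by target host:port."""
    summary = defaultdict(lambda: {"hits": 0, "denied": 0, "clients": set()})
    for line in lines:
        client = CLIENT_RE.search(line)
        if "ModSecurity:" not in line or client is None:
            continue  # not a ModSecurity entry
        fields = dict(FIELD_RE.findall(line))
        request = CONNECT_RE.match(fields.get("data", ""))
        if request is None:
            continue  # rule fired on something other than a CONNECT request line
        target = f"{request.group(1).lower()}:{request.group(2) or 'default'}"
        entry = summary[target]
        entry["hits"] += 1
        entry["denied"] += int("Access denied" in line)  # already blocked by ModSecurity
        entry["clients"].add(client.group(1))
    return dict(summary)


if __name__ == "__main__":
    for target, entry in sorted(summarize_connect_attempts(SAMPLE_LOG).items()):
        print(f"{target}: {entry['hits']} attempts, {entry['denied']} denied, "
              f"{len(entry['clients'])} distinct clients")
```
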

