[Owasp-modsecurity-core-rule-set] block CONNECT

Aniyan Rajan aniyan.rajan6 at gmail.com
Mon Feb 9 07:04:29 UTC 2015


I am getting the following in the apache/error.log. There are plenty of 
such errors coming in daily, so I would like to block them. They are 
from different IPs, so fail2ban is not a good option. They come from 
"mail2000.com.tw". How can I block this domain from trying to CONNECT?

[Sat Feb 07 09:52:21 2015] [error] [client] ModSecurity: 
Access denied with code 403 (phase 1). Match of "rx 
/[^?#]*(?:\\\\?[^#\\\\s]*)?(?:#[\\\\S]*)?)$" against "REQUEST_LINE" 
required. [file 
[line "37"] [id "960911"] [rev "2.2.5"] [msg "Invalid HTTP Request 
Line"] [data "CONNECT mx0.mail2000.com.tw:25 HTTP/1.0"] [severity 
"WARNING"] [tag 
"https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-960911"] [tag 
"http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1"] [tag 
"RULE_MATURITY/8"] [tag "RULE_ACCURACY/8"] [hostname 
"mx0.mail2000.com.tw"] [uri "/"] [unique_id "VNXgVX8AAAEAAHqycsoAAAAC"]

I tried the following in /etc/apache2/sites-available/default. Will this 
work?

<VirtualHost *:80>

    <Files *>
        # Apply the deny to every method other than GET and POST
        <LimitExcept GET POST>
            deny from all
        </LimitExcept>
    </Files>
</VirtualHost>
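
As an added example (not part of the original post or of the CRS project), the script below parses ModSecurity error-log entries of the kind quoted above and tallies CONNECT attempts by requested target, by client address and by the HTTP status ModSecurity returned. The sample lines, the client addresses (documentation ranges) and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample entries modelled on the log line in the post; client
# addresses are documentation-range placeholders, not values from the page.
SAMPLE_LOG = r'''
[Sat Feb 07 09:52:21 2015] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 1). Match of "rx ..." against "REQUEST_LINE" required. [line "37"] [id "960911"] [msg "Invalid HTTP Request Line"] [data "CONNECT mx0.mail2000.com.tw:25 HTTP/1.0"] [severity "WARNING"] [hostname "mx0.mail2000.com.tw"] [uri "/"]
[Sat Feb 07 10:03:02 2015] [error] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 1). Match of "rx ..." against "REQUEST_LINE" required. [line "37"] [id "960911"] [msg "Invalid HTTP Request Line"] [data "CONNECT mx0.mail2000.com.tw:25 HTTP/1.0"] [severity "WARNING"] [hostname "mx0.mail2000.com.tw"] [uri "/"]
[Sat Feb 07 10:05:40 2015] [error] [client 192.0.2.10] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [id "960015"] [msg "Request Missing an Accept Header"] [hostname "www.example.test"] [uri "/index.html"]
'''

CLIENT_RE = re.compile(r'\[client ([^\]\s]+)\]')
ACTION_RE = re.compile(r'ModSecurity: (Access denied with code (\d{3})|Warning)')
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')   # [key "value"] pairs
CONNECT_RE = re.compile(r'^CONNECT\s+(\S+?):(\d+)\s')      # request line kept in [data]

def parse_entry(line):
    """Return a dict for one ModSecurity error-log line, or None if it is not one."""
    action = ACTION_RE.search(line)
    if not action:
        return None
    client = CLIENT_RE.search(line)          # None when the address is redacted
    fields = dict(FIELD_RE.findall(line))
    entry = {"client": client.group(1) if client else None,
             "status": int(action.group(2)) if action.group(2) else None,
             "id": fields.get("id"), "data": fields.get("data", "")}
    m = CONNECT_RE.match(entry["data"])
    entry["connect_target"] = (m.group(1), int(m.group(2))) if m else None
    return entry

def summarize_connect(log_text):
    """Tally CONNECT attempts by target, by client and by returned status."""
    targets, clients, statuses = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e and e["connect_target"]:
            targets[e["connect_target"]] += 1
            clients[e["client"]] += 1
            statuses[e["status"]] += 1
    return targets, clients, statuses

if __name__ == "__main__":
    for name, counts in zip(("target", "client", "status"), summarize_connect(SAMPLE_LOG)):
        print(name, dict(counts))
```
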

