Difference between revisions of "Talk:Mod Security"
From Fail2ban
Stevan Bajic (talk | contribs)
Latest revision as of 04:20, 26 March 2011
Would the following regexp not be better than the one currently mentioned in the wiki?
^[^\s]+\s+<HOST>(?:\s+\-){2}\s+.*HTTP\/1\.[01]\"\s+(?:5|4(?!04))
This basically blocks requests generating any 5nn or 4nn (except 404) errors. And it does that only to non-authenticated users (assuming you trust your own users).
My mod_security audit log has the following format:
www.example.com 95.211.133.83 - - [26/Mar/2011:02:15:26 +0100] "GET /index.php%3fcPath=23_37/admin/file_manager.php/login.php HTTP/1.1" 403 956 "-" "-" cgpK-l4XDuMAAE8RU08AAAAA "-" /20110326/20110326-0215/20110326-021526-cgpK-l4XDuMAAE8RU08AAAAA 0 1160 md5:1177ddb05d0e361a443f6afc9329c784
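The following is an added example, not part of the original comment or of fail2ban's own code: it runs the proposed failregex over constructed log lines in the format shown above to show which requests would count as failures. The `<HOST>` stand-in is a simplified IPv4-only assumption, and `offending_host`, `classify` and the sample lines are hypothetical names and data made up for this illustration.

```python
import re

# The failregex proposed in the comment above, copied verbatim.
FAILREGEX = r'^[^\s]+\s+<HOST>(?:\s+\-){2}\s+.*HTTP\/1\.[01]\"\s+(?:5|4(?!04))'

# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> tag
# (the real substitution also accepts hostnames and IPv6 addresses).
HOST_GROUP = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'

PATTERN = re.compile(FAILREGEX.replace('<HOST>', HOST_GROUP))


def offending_host(line):
    """Return the client address if the line counts as a failure, else None."""
    match = PATTERN.search(line)
    return match.group('host') if match else None


def _line(ip, user, status):
    # Constructed sample in the vhost-prefixed format shown in the comment.
    return ('www.example.com %s - %s [26/Mar/2011:02:15:26 +0100] '
            '"GET /admin/login.php HTTP/1.1" %s 956 "-" "-"' % (ip, user, status))


# Constructed samples; addresses come from the documentation ranges.
SAMPLES = {
    'forbidden_403': _line('192.0.2.10', '-', 403),      # 4nn -> failure
    'bad_request_400': _line('192.0.2.11', '-', 400),    # 4nn -> failure
    'server_error_500': _line('192.0.2.12', '-', 500),   # 5nn -> failure
    'not_found_404': _line('192.0.2.13', '-', 404),      # excluded by (?!04)
    'ok_200': _line('192.0.2.14', '-', 200),             # not an error
    # Remote-user field is not "-", so (?:\s+\-){2} cannot match.
    'authenticated_403': _line('192.0.2.15', 'alice', 403),
}


def classify(samples):
    """Map each sample name to the host that would be counted, or None."""
    return {name: offending_host(line) for name, line in samples.items()}


if __name__ == '__main__':
    for name, host in classify(SAMPLES).items():
        print('%-18s %s' % (name, host or 'ignored'))
```
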