I’ve been fine-tuning my Mod_Security rules for the last several days and I think I’m just about finished. I found all the rules at GotRoot and I noticed that the black-list rules were all static – meaning that they were probably out of date before they were even published.
According to the documentation for Mod_security2 there is support for Real Time Blacklists (RBL) but I did not have much luck finding how to configure RBL at GotRoot – and Google did not help much either. I found a few sparse blog posts here and there – most of these RBL rules either slowed my server to a crawl or just crashed Apache.
Finally after hours of Googling and tinkering, I came up with a Mod_security2 rule that will check against an RBL:
SecRule REMOTE_ADDR "@rbl bl.spamcop.net" "chain,deny,log,id:350000,msg:'RBL: bl.spamcop.net',severity:'1'"
SecRule REMOTE_ADDR "!^127\.0\.0\.1$"
It seems that this rule works pretty well using spamcop.net. You can replace the “bl.spamcop.net” with any RBL you choose, for example httpbl.abuse.ch also works, but is a bit slower (unless you’re in Switzerland I suppose) and I’ll be testing zen.spamhaus.org tomorrow. You can also use multiple rules/RBLs at the same time, but expect a noticeable decrease in performance if you do. Also be aware that this rule only works with Mod_security2, not the older (and now obsolete) mod_security 1.9.
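To make the rule above easier to reason about, here is an added Python model of what the @rbl operator does for each client address: reverse the IPv4 octets, append the RBL zone, resolve the name, and treat an answer inside 127.0.0.0/8 as "listed". It is example code written for this page, not code from the original post, from ModSecurity or from GotRoot. The zone name bl.example.invalid and the resolver answers are constructed for the offline demo; the system_resolver function is the only part that touches real DNS, and it is used only when the script is run by hand. The skip list generalises the chained "!127.0.0.1" rule to the loopback and RFC 1918 ranges, since no public RBL lists those and each lookup costs a DNS round trip per request, which is where the performance hit mentioned above comes from. The zone_sanity_check function applies the RFC 5782 convention (127.0.0.2 must be listed, 127.0.0.1 must not) so a dead or wildcarded zone can be spotted before it starts denying every visitor.

```python
"""Model of ModSecurity's @rbl lookup for an IPv4 client address.

Added example, not code from the original post, ModSecurity or GotRoot.
Assumes the zone answers with an A record in 127.0.0.0/8 for listed
addresses and NXDOMAIN for everything else (the usual DNSBL convention).
"""
import ipaddress
import socket
from typing import Callable, Optional

# A resolver maps a host name to its A record (as a string) or None when the
# name does not exist. Injectable so the logic can be exercised offline.
Resolver = Callable[[str], Optional[str]]

# Ranges the chained "!127.0.0.1" rule is there to exclude, widened to the
# loopback and RFC 1918 networks: a public RBL never lists them, so querying
# them only adds a DNS round trip to every request.
SKIP_NETS = [
    ipaddress.IPv4Network(n)
    for n in ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def system_resolver(name: str) -> Optional[str]:
    """Resolver backed by the host's DNS; only used for a real test run."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def rbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: octets reversed, then the zone appended.
    192.0.2.10 + bl.example.invalid -> 10.2.0.192.bl.example.invalid"""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on non-IPv4 input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def should_skip(ip: str) -> bool:
    """True for addresses that must never be sent to the RBL."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in SKIP_NETS)


def is_listed(ip: str, zone: str, resolve: Resolver = system_resolver) -> bool:
    """Equivalent of the chained pair of SecRules: deny only when the client
    is outside the skip list AND the zone returns a 127.0.0.0/8 answer."""
    if should_skip(ip):
        return False
    answer = resolve(rbl_query_name(ip, zone))
    if answer is None:
        return False
    # Only an answer in 127.0.0.0/8 means "listed". Anything else is usually a
    # wildcard or an expired/parked zone and must not block real clients.
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")


def zone_sanity_check(zone: str, resolve: Resolver = system_resolver) -> bool:
    """RFC 5782 test entries: 127.0.0.2 must be listed, 127.0.0.1 must not.
    A zone failing this is dead or wildcarded and would block everyone or no one."""
    listed = resolve(rbl_query_name("127.0.0.2", zone))
    clean = resolve(rbl_query_name("127.0.0.1", zone))
    return listed is not None and clean is None


# Constructed answers standing in for an RBL zone, for the offline demo.
FAKE_ZONE = "bl.example.invalid"
FAKE_ANSWERS = {
    "2.0.0.127." + FAKE_ZONE: "127.0.0.2",   # RFC 5782 "listed" test entry
    "10.2.0.192." + FAKE_ZONE: "127.0.0.2",  # a listed client address
    "7.2.0.192." + FAKE_ZONE: "10.0.0.1",    # bogus answer, not a listing
}


def fake_resolver(name: str) -> Optional[str]:
    """Offline resolver over the constructed answers above."""
    return FAKE_ANSWERS.get(name)


if __name__ == "__main__":
    # Run with the fake zone first; swap in system_resolver and a real zone
    # (e.g. the one named in the SecRule above) to test against live DNS.
    print("zone sane:", zone_sanity_check(FAKE_ZONE, fake_resolver))
    for client in ("192.0.2.10", "192.0.2.7", "192.0.2.99", "127.0.0.1", "10.1.2.3"):
        print(client, "->", "deny" if is_listed(client, FAKE_ZONE, fake_resolver) else "allow")
```

Running the script with system_resolver and a real zone before enabling the SecRule tells you two things the Apache error log will not: whether the zone is alive and answering per RFC 5782, and how long a single lookup takes, which multiplied by request rate is the slowdown to expect from stacking several RBL rules.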
I am brand-new to using mod_security so if you have any other tips, advice or wisdom please post them.