The benefit of a global database of blocked addresses has been pointed out in the introduction: if you are running ModSecurity on a set of different web servers, such a database allows you to deny a client IP on all of your instances at once.
From the ModSecurity point of view, an RBL lookup is simply a DNS query. For this, ModSecurity provides the @rbl operator, which checks the client address against a realtime block list.
The following example rule checks our local RBL and denies the client if its IP address is listed there:
SecRule REMOTE_ADDR "@rbl rbl.localnet" "phase:1,deny,status:403,log,msg:'Client denied by local RBL!'"
Note that every request this rule applies to causes a DNS lookup, so the RBL should be served by a nearby resolver or local cache: a slow or unreachable RBL server stalls request processing, and a lookup that fails or times out does not match, so clients are only denied while the RBL actually answers.
This is pretty much all you need to do to use your local RBL within ModSecurity.
Since your RBL can be shared by all of your ModSecurity instances, e.g. by configuring the local DNS caches to forward queries for the domain rbl.localnet to your jwall-rbld server, you can effectively maintain one global block list for all your ModSecurity engines.
A special feature of jwall-rbld is that you can even use ModSecurity itself to add new IP addresses to that list, as described in the next section.
A special feature of jwall-rbld is the option to add IP addresses to and remove them from the RBL by means of DNS queries. This makes jwall-rbld act as a shared store of blocked addresses for a set of clients. In the following, we refer to adding a new address to the block list as block and to removing an address from the block list as unblock.
Updating queries are disabled by default. Since the only means of authorizing an update is the remote address of the querying host, you have to explicitly list every IP address from which blocking and unblocking of addresses is to be accepted. See the section called “Enabling Updating Queries” for details. Keep in mind that a plain DNS query over UDP carries no authentication beyond its source address, which can be forged by anyone able to inject packets towards the server, so the update interface should only be reachable from the trusted hosts or a private management network, never from the internet.
Whether a DNS query results in a block or an unblock action depends on the target domain of the query. Assuming the jwall-rbld server is running with its domain set to rbl.localnet, sending DNS queries for the domain
allows authorized clients to add an IP address to the block list for a specified number N of seconds.
The following query adds the address 172.16.0.1 to the block list for 60 seconds:
By varying the number following block- you can block addresses for longer. The following query blocks the same address for 5 minutes (300 seconds):
In the same manner, an IP address can be unblocked again. Unblocking does not take a parameter and is carried out by the following query:
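As an added illustration, not code from the jwall-rbld project or from ModSecurity, the following Python script builds the three kinds of query names discussed in this chapter (the reversed-octet name that ModSecurity's @rbl operator resolves, the block-N update name and the unblock update name), encodes them as plain DNS A queries, and parses the answer. It only uses the standard library, so the update interface can be driven or checked from a script without dig. The function names, the DOMAIN default and the validation are mine; since the page does not show the complete update queries, the octet order in the block-N and unblock names (forward order by default, reverse=True for the DNSBL order) is an assumption to be checked against your jwall-rbld version.

```python
import ipaddress
import secrets
import socket
import struct

DOMAIN = "rbl.localnet"   # zone used by the page's example rule; adjust to your setup


def _octets(ip, reverse):
    """Dotted IPv4 address, optionally with the octets reversed.
    ipaddress rejects anything that is not a valid IPv4 address."""
    parts = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(parts) if reverse else parts)


def lookup_name(ip, domain=DOMAIN):
    """Name that ModSecurity's @rbl operator resolves for a client address:
    the octets reversed under the RBL domain, the usual DNSBL convention."""
    return f"{_octets(ip, True)}.{domain}"


def block_name(ip, seconds, domain=DOMAIN, reverse=False):
    """Update query asking jwall-rbld to block ip for N seconds.
    The block-N label follows the page; the forward octet order is an assumption."""
    if not isinstance(seconds, int) or seconds <= 0:
        raise ValueError("block time must be a positive number of seconds")
    return f"{_octets(ip, reverse)}.block-{seconds}.{domain}"


def unblock_name(ip, domain=DOMAIN, reverse=False):
    """Update query removing ip from the block list (takes no parameter)."""
    return f"{_octets(ip, reverse)}.unblock.{domain}"


def build_query(name, txid=None):
    """Encode a recursion-desired A/IN query for name in RFC 1035 wire format."""
    txid = secrets.randbelow(1 << 16) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    if any(not 0 < len(label) < 64 for label in labels):
        raise ValueError("invalid DNS label in " + name)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer occupies two bytes
            return off + 2
        off += 1 + length


def parse_response(msg, expected_txid):
    """Return (rcode, [A record addresses]) from a DNS response datagram."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    if txid != expected_txid:
        raise ValueError("transaction id mismatch, discarding stray datagram")
    if not flags & 0x8000:
        raise ValueError("not a response")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    addresses = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addresses.append(str(ipaddress.IPv4Address(msg[off:off + 4])))
        off += rdlen
    return flags & 0x000F, addresses


def query(name, server, port=53, timeout=2.0):
    """Send one UDP query to server and return (rcode, addresses).
    A listed address answers with an A record; NXDOMAIN (rcode 3) means not listed."""
    txid = secrets.randbelow(1 << 16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, port))
        data, _ = sock.recvfrom(512)
    return parse_response(data, txid)


if __name__ == "__main__":
    # Block 172.16.0.1 for 60 s via a jwall-rbld instance on localhost, then
    # check the entry the way ModSecurity's @rbl operator would look it up.
    print(query(block_name("172.16.0.1", 60), "127.0.0.1"))
    print(query(lookup_name("172.16.0.1"), "127.0.0.1"))
```

The script verifies the transaction id of the answer before trusting it and rejects malformed addresses and block times before anything is sent, so a typo cannot turn into a query for an unrelated name. Run it from one of the hosts listed in the permission file, since jwall-rbld decides on the source address of the datagram.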
When the jwall-rbld service runs in its default mode, updates by DNS queries are disabled. Before jwall-rbld will carry out these additional actions based on DNS queries, you need to create a permission file with one line for each IP address from which updating queries are to be accepted.
Permissions are defined in file
A sample permissions file looks like this:
In this example, the client 127.0.0.1 can send block as well as unblock queries, whereas
is only allowed to send