Blocking in Clients in ModSecurity Clusters

The benefit of a global database of blocked addresses was pointed out in the introduction: if you are running ModSecurity on a set of different web servers, such a database allows you to deny a client IP across all of your instances.

Using RBL in ModSecurity

From the ModSecurity point of view, an RBL is simply a DNS lookup. For this purpose ModSecurity provides the special @rbl operator, which checks whether an address is listed on a realtime block list.

The following example rule will check our local rbl.localnet RBL and deny a client if its IP is listed on the RBL:

  SecRule REMOTE_ADDR "@rbl rbl.localnet" "phase:1,deny,status:403,log,msg:'Client denied by local RBL!'"

This is pretty much all you need to do to use your local RBL within ModSecurity. Since your RBL can be made available to all of your ModSecurity instances, e.g. by configuring the local DNS caches to forward queries for the domain rbl.localnet to your jwall-rbld, you can effectively maintain one global block-list for all your ModSecurity engines.

A special feature of jwall-rbld is that you can even use ModSecurity to add new IP addresses to that list, as described in the next section.

Updating DNS Queries

A special feature of jwall-rbld is the option to add IP addresses to, and remove them from, the RBL by means of a DNS query. This makes jwall-rbld act as a shared store of blocked addresses for a set of clients. In the following, we refer to adding a new address to the block-list as block and to removing an address from the block-list as unblock.

Important

Updating queries are disabled by default. Since the only means of authorizing an update is the remote address of the querying server, you have to explicitly list every IP address from which blocking and unblocking of addresses is to be allowed.

See the section called “Enabling Updating Queries” for details.

Whether a DNS query results in a block or an unblock action depends on the target domain of the query. The following assumes that the jwall-rbld server is running with its domain set to rbl.localnet.

Blocking with update-queries

Sending a DNS query for the domain block-N.rbl.localnet allows authorized clients to add an IP address to the block list for the specified number N of seconds.

The following query will add the address 172.16.0.1 to the block list for 60 seconds:

nslookup 1.0.16.172.block-60.rbl.localnet

By varying the number following block- you can block addresses for longer. The following query blocks the same address for 5 minutes (300 seconds):

nslookup 1.0.16.172.block-300.rbl.localnet

Unblocking with update-queries

Unblocking an IP address works in the same manner. Unblock takes no parameter and is carried out by the following query:

nslookup 1.0.16.172.unblock.rbl.localnet

Enabling Updating Queries

When the jwall-rbld service runs in default mode, updates by DNS queries are disabled. Before jwall-rbld processes additional actions based on DNS queries, you need to create a permission file with one line for each IP address from which updating queries are to be accepted.

Permissions are defined in the file /etc/jwall-rbld.permissions. A sample permissions file looks like this:

127.0.0.1=*
192.168.0.24=block

In this example, the client 127.0.0.1 can send both block and unblock queries, whereas 192.168.0.24 is only allowed to send block queries.
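As an added illustration of the update-query naming scheme and the permissions file described above (example code, not jwall-rbld's own), the following Python models both sides: building block/unblock query names for an address, parsing them back as the server would, and applying the per-client permissions. The exact validation jwall-rbld performs on malformed names is an assumption; the sample permissions text is constructed from the file shown above.

```python
import ipaddress

RBL_DOMAIN = "rbl.localnet"  # domain served by the jwall-rbld instance in the text

def update_name(ip: str, action: str, seconds=None, domain: str = RBL_DOMAIN) -> str:
    """Client side: 172.16.0.1 -> 1.0.16.172.block-60.rbl.localnet (or ...unblock...)."""
    rev = ".".join(reversed(str(ipaddress.IPv4Address(ip)).split(".")))
    if action == "unblock":  # unblock takes no parameter
        return f"{rev}.unblock.{domain}"
    if action == "block" and seconds and seconds > 0:
        return f"{rev}.block-{seconds}.{domain}"
    raise ValueError("action must be 'unblock' or 'block' with a positive duration")

def parse_update_query(name: str, domain: str = RBL_DOMAIN):
    """Server side (assumed checks): (ip, action, seconds) or None if not an update query."""
    labels, dom = name.split("."), domain.split(".")
    if len(labels) != 5 + len(dom) or labels[-len(dom):] != dom:
        return None  # e.g. a plain @rbl lookup has only four labels before the domain
    try:  # IPv4Address rejects octets above 255 and non-numeric labels
        ip = str(ipaddress.IPv4Address(".".join(reversed(labels[:4]))))
    except ValueError:
        return None
    action = labels[4]
    if action == "unblock":
        return ip, "unblock", None
    if action.startswith("block-") and action[6:].isdigit() and int(action[6:]) > 0:
        return ip, "block", int(action[6:])
    return None

def parse_permissions(text: str) -> dict:
    """Parse /etc/jwall-rbld.permissions lines of the form <client-ip>=<block|unblock|*>."""
    perms = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        client, _, action = line.partition("=")
        allowed = {"block", "unblock"} if action == "*" else {action}
        if not allowed <= {"block", "unblock"}:
            raise ValueError(f"unknown action in permissions line: {line!r}")
        perms.setdefault(client, set()).update(allowed)
    return perms

def decide(perms: dict, client_ip: str, name: str):
    """Update to apply for a query from client_ip; the source address is the only authorization."""
    parsed = parse_update_query(name)
    if parsed is None or parsed[1] not in perms.get(client_ip, set()):
        return None
    return parsed

# Constructed sample mirroring the permissions file shown above.
SAMPLE_PERMISSIONS = "127.0.0.1=*\n192.168.0.24=block\n"
```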