
Adding blacklists to ModSecurity

  • Generate the API key on the Project Honey Pot website
  • Create a rule (it must have the first ID)

nano -w /etc/crs4/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf

# HTTPBL Check
# Replace YOUR_API_KEY with the key generated in the first step
SecHttpBlKey YOUR_API_KEY

SecRule TX:REAL_IP|REMOTE_ADDR "@rbl dnsbl.httpbl.org" \
        "id:001001001,\
        phase:1,\
        capture,\
        block,\
        log,\
        msg:'HTTPBL Match of Client IP.',\
        logdata:'%{tx.httpbl_msg}',\
        setvar:tx.httpbl_msg=%{tx.0},\
        chain"

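# Chained checks: capture the threat score from the RBL match message
# and block only when it is greater than 20
SecRule TX:0 "threat score (\d+)" "chain,capture"
SecRule TX:1 "@gt 20"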
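
To see what the `@rbl dnsbl.httpbl.org` lookup and the `@gt 20` threshold above are working with, here is an added example (not part of the original page or of ModSecurity) that builds the http:BL DNS query name and decodes the `127.<days>.<threat>.<type>` answer. The key and addresses are constructed sample values, and treating a search-engine answer as "no threat score" is this example's assumption.

```python
import ipaddress

# Visitor-type bits in the last octet of an http:BL answer (0 = search engine).
VISITOR_TYPES = {1: "suspicious", 2: "harvester", 4: "comment spammer"}


def httpbl_query_name(api_key, client_ip, zone="dnsbl.httpbl.org"):
    """Build the DNS name to resolve: <key>.<reversed IPv4 octets>.<zone>."""
    ip = ipaddress.IPv4Address(client_ip)  # raises on anything that is not IPv4
    reversed_octets = ".".join(reversed(str(ip).split(".")))
    return f"{api_key}.{reversed_octets}.{zone}"


def parse_httpbl_answer(answer):
    """Decode an A record of the form 127.<days>.<threat>.<type>."""
    octets = [int(o) for o in str(ipaddress.IPv4Address(answer)).split(".")]
    if octets[0] != 127:
        raise ValueError(f"not an http:BL answer: {answer}")
    _, days, third, type_bits = octets
    if type_bits == 0:
        # For search engines the third octet is an engine id, not a score
        # (assumption of this example: report no threat score in that case).
        return {"days_since_seen": days, "threat_score": None,
                "types": ["search engine"]}
    kinds = [name for bit, name in VISITOR_TYPES.items() if type_bits & bit]
    return {"days_since_seen": days, "threat_score": third, "types": kinds}


def would_block(answer, threshold=20):
    """Apply the same cut-off as the chained rule: threat score > threshold."""
    if answer is None:  # NXDOMAIN: the address is not listed
        return False
    score = parse_httpbl_answer(answer)["threat_score"]
    return score is not None and score > threshold


if __name__ == "__main__":
    # Constructed samples: placeholder key, documentation-range client address.
    print(httpbl_query_name("abcdefghijkl", "192.0.2.10"))
    for sample in ("127.3.45.6", "127.3.20.1", "127.0.9.0", None):
        print(sample, would_block(sample))
```
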