ModSecurity with RBL Database

This tutorial shows how to use ModSecurity with RBL databases to block access to a web server.

ModSecurity RBL

We can run these rules in mod_security phase 1 to optimise them and reduce server load, because the check happens before PHP starts executing the request. More information is available on the ModSecurity processing phases. You can also use local DNS resolvers to cache RBL requests.

Block All access

This example shows how to block all access from hosts listed in the RBL database. This reduces server load: when a client sends a GET request, the server has only the header information, and mod_security checks whether the client is allowed to make the request or whether the request is blocked.

SecRule REMOTE_ADDR "@rbl rbl.malware.expert" "id:'400010',phase:1,drop,noauditlog,msg:'Malware host detected by rbl.malware.expert'"

Block POST Requests only to server

Sometimes you don’t want to block all requests, only, for example, POST requests to wp-login.php, xmlrpc.php and so on. We need to make a chained rule for this.

SecRule REQUEST_METHOD "POST" "id:'400010',phase:1,chain,drop,noauditlog,msg:'Malware host detected by rbl.malware.expert'"
SecRule REMOTE_ADDR "@rbl rbl.malware.expert"
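
The chained rule above applies the RBL check to every POST request. The following added example (not part of the original tutorial) narrows it to POST requests for wp-login.php or xmlrpc.php by adding a path link to the chain. The rule id 400011 is a constructed value, chosen because every loaded rule needs a unique id; the path pattern is an assumption about a standard WordPress layout.

```apache
# Added example, not from the original tutorial.
# id 400011 is a constructed placeholder: use any id that is unique in your ruleset.
#
# Chain links are evaluated top to bottom and evaluation stops at the first
# link that does not match. The cheap string and regex checks come first, so
# the DNS lookup in the last link only happens for POSTs to the two endpoints.
# The disruptive action (drop) sits on the first rule of the chain and fires
# only when all three links match.
SecRule REQUEST_METHOD "@streq POST" \
    "id:400011,phase:1,chain,drop,noauditlog,\
    msg:'RBL-listed host sent POST to wp-login.php or xmlrpc.php'"
    # Link 2: request path ends in /wp-login.php or /xmlrpc.php (assumed layout).
    SecRule REQUEST_FILENAME "@rx /(?:wp-login|xmlrpc)\.php$" "chain"
        # Link 3: client address is listed in the RBL zone used on this page.
        SecRule REMOTE_ADDR "@rbl rbl.malware.expert"
```

GET requests and POSTs to other paths never reach the third link, so they cause no RBL query at all.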

Final words

If you don’t want to build your own rules, you can use Malware Expert – ModSecurity rules to protect your web server against vulnerabilities and attacks.