Atomic Secure Linux
Post subject: Default Apache page - access denied on rule 350000
Posted: Tue Jul 10, 2012 7:19 pm
New Forum User

Joined: Tue Jul 10, 2012 7:05 pm
Posts: 4
Location: Australia

Hello All,

A client cannot access our website - a default Apache page pops up. After checking modsec_debug.log it seems that it was triggered by

Code:
[10/Jul/2012:17:34:44 --0400] [www.mydomain.com/sid#2b54f88fb890][rid#2b550005a0f8][/icons/powered_by_rh.png][1]  [file "/etc/httpd/conf/mod_security_rules/rules_asl/00_asl_rbl.conf"] [line "48"] [id "350000"] [rev "2"] [msg "Global RBL Match: IP is on the xbl.spamhaus.org Blacklist (Report False Positives to www.spamhaus.org)"] [severity "ERROR"] Access denied with code 403 (phase 1). RBL lookup of 213.211.150.75.xbl.spamhaus.org succeeded at REMOTE_ADDR (Illegal 3rd party exploits).


Adding the client IP to a whitelist fixed the problem. Here is what puzzles me: the listed IP 213.211.150.75 is not the client's IP (his IP is 75.150.211.213). Neither IP (75.150.211.213 nor 213.211.150.75) is in the Spamhaus blacklist. What is happening here? Why does ModSecurity pick that IP 213.211.150.75?

Please advise.

Thanks!


Post subject: Re: Default Apache page - access denied on rule 350000
Posted: Wed Jul 11, 2012 10:46 am
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3245
Location: Chantilly, VA

Thanks for the question. All RBL lookups with any tool by any author reverse the IP address to fit the zone model that DNS uses in the FQDN lookup, so a lookup for the IP 1.2.3.4 will look like 4.3.2.1.rbl.domain.com, because 1 is the superset that 2 is a subset of, and 3 is a subset of that, and so on. That's the standard all the RBLs use, because that's how DNS zones work, so the request is normal. It's not looking up 4.3.2.1; it's looking up the IP 1.2.3.4.

If an RBL operator reports an IP on their blacklist, you will need to contact them about the IP; the rules do not do anything except ask your DNS server to look up the IP, and then report what your DNS server said. RBLs are generally realtime, which means the IPs on the list are a reflection of their condition in real time, which means that if you check the IP 24 hours later against an RBL the IP may or may not be on that RBL anymore (hence the term realtime).

So the rule is not wrong, it simply can not, it doesn't do anything except ask your DNS server to look up an IP, and then it reports what your DNS server said. So if Spamhaus confirmed that the IP was never on their RBL, then your DNS server is very broken and you will need to look into what's wrong with it. My guess would be that the IP was on Spamhaus's RBL at the time the lookup occurred, and at some point afterwards was removed from the RBL.

I hope this helps.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.

Post subject: Re: Default Apache page - access denied on rule 350000
Posted: Wed Jul 11, 2012 8:46 pm
New Forum User

Joined: Tue Jul 10, 2012 7:05 pm
Posts: 4
Location: Australia

Thank you, Michael. In fact, I checked that IP with Spamhaus about 5 min after talking to the client. How can I check if something is wrong with my DNS server? I am on a dedicated server and have access to all settings. All common tests confirm that there are no reported problems with DNS.

Is there another way to track that error?

Thanks,

Andrew

Post subject: Re: Default Apache page - access denied on rule 350000
Posted: Thu Jul 12, 2012 9:39 am
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 1846

You can do a manual lookup using dig

Typically the syntax is

Code:
dig @localhost domain.tld


To check an RBL, you quite often have to reverse the IP and append it to the RBL. So to lookup 111.222.333.444 you'd need to use something like

Code:
dig @localhost 444.333.222.111.rbl.rblcompany.tld


e.g.

Code:
dig @localhost 444.333.222.111.zen.spamhaus.org


You might want to compare the answer that gives with doing the same lookup on another DNS server, e.g. Google's DNS, OpenDNS, your ISP's DNS etc. Just change @localhost to @8.8.8.8 or @ip-or-domain-of-dns-server.

If I remember correctly, NXDOMAIN = not listed. 127.0.0.2 and over means listed.

_________________
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
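The octet reversal Michael describes and the dig-based check above, as an added worked example (not code from this thread or from Atomicorp): it builds the reversed query name, maps the name in the modsec_debug.log line back to the real client IP, and interprets the answer (NXDOMAIN vs. a 127.0.0.x record). The log line and the stand-in resolver used in the test are constructed; the default resolver is the system one, so it reflects whatever resolv.conf points at, which is the dependency the thread warns about.

```python
import ipaddress
import re
import socket

# Constructed sample, trimmed from the log line quoted in the first post.
SAMPLE_LOG = ('[id "350000"] Access denied with code 403 (phase 1). RBL lookup of '
              '213.211.150.75.xbl.spamhaus.org succeeded at REMOTE_ADDR')


def rbl_query_name(ip, zone):
    """Build the name an RBL client queries: octets reversed, zone appended.
    DNS zones nest from the right, so 75.150.211.213 becomes
    213.211.150.75.xbl.spamhaus.org; the log shows this reversed form."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # raises on a bad IP
    return ".".join(reversed(octets)) + "." + zone.strip(".")


def original_ip_from_rbl_name(name, zone):
    """Undo the reversal so a log entry can be mapped back to the real client IP."""
    suffix = "." + zone.strip(".")
    if not name.endswith(suffix):
        raise ValueError("%s is not under zone %s" % (name, zone))
    return ".".join(reversed(name[: -len(suffix)].split(".")))


def client_ip_from_log_line(line, zone):
    """Pull the queried name out of an 'RBL lookup of ... succeeded' message."""
    m = re.search(r"RBL lookup of (\S+) succeeded", line)
    return original_ip_from_rbl_name(m.group(1), zone) if m else None


def is_listed(answer):
    """No A record (NXDOMAIN) means not listed; an answer in 127.0.0.0/8 means listed."""
    if answer is None:
        return False
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")


def check_rbl(ip, zone, resolve=socket.gethostbyname):
    """Look the IP up in the RBL zone. `resolve(name)` returns an A record string
    or raises OSError (socket.gaierror) on NXDOMAIN; the default is the system
    resolver, so the result is only as trustworthy as that resolver."""
    name = rbl_query_name(ip, zone)
    try:
        answer = resolve(name)
    except OSError:
        answer = None
    return {"query": name, "answer": answer, "listed": is_listed(answer)}
```

Comparing `check_rbl` against a second resolver (or `dig @8.8.8.8` on the same reversed name) is the cross-check suggested above; a listing that only one resolver reports points at that resolver, not at the rule.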

