Atomic Secure Linux

All times are UTC - 5 hours [ DST ]




 Post subject: Spamhaus rule blocks UNLISTED IP?
Posted: Thu Sep 16, 2010 8:23 am
New Forum User

Joined: Thu Sep 16, 2010 7:59 am
Posts: 3
Hi,

I added the ASL ruleset to my server; the rules include an IP check of the spamhaus.org blacklist.
Then my own IP (81.82.210.15) was blocked by this rule, but when checking it on spamhaus.org, it says my IP is not listed!

Check results from the spamhaus.org website:
81.82.210.15 is not listed in the SBL
81.82.210.15 is not listed in the PBL
81.82.210.15 is not listed in the XBL

But in my error logs:
[Thu Sep 16 13:46:02 2010] [error] [client 81.82.210.15] ModSecurity: Access denied with code 403 (phase 2). RBL lookup of 15.210.82.81.xbl.spamhaus.org succeeded at REMOTE_ADDR. [file "/etc/apache2/gotrootrules/00_asl_rbl.conf"] [line "30"] [id "350000"] [rev "2"] [msg "Global RBL Match: IP is on the xbl.spamhaus.org Blacklist"] [severity "ERROR"] [hostname "www.easynames.be"] [uri "/images/plan1.jpg"] [unique_id "TJIDelhQw80AACxpHAMAAAAF"]

How can that be?
(When I do an NSLOOKUP of 15.210.82.81.xbl.spamhaus.org on my webserver, it returns:
Server: 88.80.192.118
Address: 88.80.192.118#53

** server can't find 15.210.82.81.xbl.spamhaus.org: NXDOMAIN

)

thanks for any answers!
Sven


 Post subject: Re: Spamhaus rule blocks UNLISTED IP?
Posted: Thu Sep 16, 2010 11:58 am
New Forum User

Joined: Thu Sep 16, 2010 7:59 am
Posts: 3
I have now removed the RBL rules and it works fine.

But anyhow, if anyone knows a solution, it's welcome!


 Post subject: Re: Spamhaus rule blocks UNLISTED IP?
Posted: Thu Sep 16, 2010 12:51 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3680
Location: Chantilly, VA
Are you using the realtime or delayed rules? If you are a realtime rules customer, please send a support request to support@atomicorp.com with your account information (I can't find you in our system, so if you are a customer you need to let us know your account details with your request).

As an aside, this isn't a rule issue. The RBL engine is very simple: if your DNS setup returns a match, mod_Sec will fire; if not, it won't - there's literally no way for the rule to get the answer wrong. Your issue could be a local configuration issue, or just luck - RBLs change in realtime, so you may have just missed it being on their list. One minute it could be on their list, the next it's not.

Again, if you are a paid customer please open a support request and we would be happy to look into this for you, including logging into your system to see if you do have a DNS issue.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


 Post subject: Re: Spamhaus rule blocks UNLISTED IP?
Posted: Fri Sep 17, 2010 9:13 am
New Forum User

Joined: Thu Sep 16, 2010 7:59 am
Posts: 3
Thanks for the answer!

No, I am not a customer yet, but I'm going to be soon, I think!
(First I will configure my server with the delayed rules; my goal is to be sure my JOOMLA services are really secured... Does the realtime protection offer special protection for this?)


 Post subject: Re: Spamhaus rule blocks UNLISTED IP?
Posted: Fri Sep 17, 2010 11:30 am
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3680
Location: Chantilly, VA
Quote:
Thanks for the answer!


Our pleasure. We've not seen a case where it's the rule, per se, because the logic is so simple, but we have seen cases where either local or upstream DNS issues cache records longer than they should. Honestly, that's rare - most of the time it's just that spamhaus' data is nice and dynamic, so by the time you go back and look it's usually changed to reflect the current state of that IP (safe). Of course, the question in this case is: did that happen?

Quote:
No, I am not a customer yet, but I'm going to be soon, I think!
(First I will configure my server with the delayed rules; my goal is to be sure my JOOMLA services are really secured... Does the realtime protection offer special protection for this?)


They do. The realtime rules contain additional security rules, performance enhancements and bug fixes, as well as Just In Time Patches for applications, including Joomla, and Positive Security rules for popular web applications including Joomla.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


 Post subject: Re: Spamhaus rule blocks UNLISTED IP?
Posted: Mon Sep 20, 2010 9:49 pm
Forum Regular

Joined: Wed Mar 19, 2008 10:22 pm
Posts: 111
I see a lot of false positives if I enable the RBL as well, including the Google and Yahoo bots :( I'm a customer, but I don't know how to check if there is a DNS problem?

Message: [file "/etc/httpd/modsecurity.d/00_asl_rbl.conf"] [line "48"] [id "350000"] [rev "2"] [msg "Global RBL Match: IP is on the xbl.spamhaus.org Blacklist"] [severity "ERROR"] Access denied with code 403 (phase 2). RBL lookup of 2.65.249.66.xbl.spamhaus.org succeeded at REMOTE_ADDR.

http://whois.domaintools.com/66.249.65.2

Edit: Facebook also seems to get blocked yet it's not listed on the spamhaus.org site...

Message: [file "/etc/httpd/modsecurity.d/00_asl_rbl.conf"] [line "48"] [id "350000"] [rev "2"] [msg "Global RBL Match: IP is on the xbl.spamhaus.org Blacklist"] [severity "ERROR"] Access denied with code 403 (phase 2). RBL lookup of 251.181.63.69.xbl.spamhaus.org succeeded at REMOTE_ADDR.


 Post subject: Re: Spamhaus rule blocks UNLISTED IP?
Posted: Tue Sep 21, 2010 2:53 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3680
Location: Chantilly, VA
You should contact the RBL operator if you find that their system is returning incorrect answers. As previously mentioned, the code in mod_security is very simple: it just asks your DNS server if there's a match, and if your DNS server (or whatever you have configured as DNS on your server) says there is, then it's reported as a match. All that line is telling you is that your DNS server(s) are returning that IP as being on that RBL's list at the time the query is done. RBLs are real-time; they change, so you may be running into cases where the RBL operator recognized the IP was on the list incorrectly and removed it, or someone else reported it as a false positive.

mod_security doesn't control those RBLs or your DNS server(s), so the first place to look is with your DNS, and if your DNS isn't the issue then contact the RBL operator with your false positive report.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


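An added example, not code from this thread, from Atomicorp or from ModSecurity, showing how to check the "is it my DNS?" question raised above. It rebuilds the reversed-octet lookup name that appears in the log lines (15.210.82.81.xbl.spamhaus.org for 81.82.210.15), recovers the client IP from a ModSecurity "RBL lookup ... succeeded" message, and classifies a resolver answer: NXDOMAIN means not listed, a 127.0.0.x answer is a genuine Spamhaus listing, 127.255.255.x is Spamhaus' documented error range (for example queries sent through a public resolver), and any answer outside 127.0.0.0/8 means something in the resolver chain is synthesising records for names that do not exist, which a DNSBL-based rule would still treat as a match. The log lines and the addresses are taken from the thread; the function names, the `live_check` helper and its use of the host's configured resolver are assumptions of this example.

```python
import re
import socket
import ipaddress

# Spamhaus' published return codes for listed addresses (127.0.0.x).
# XBL answers are 127.0.0.4 through 127.0.0.7.
SPAMHAUS_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL CSS",
    "127.0.0.4": "XBL (CBL)",
    "127.0.0.5": "XBL",
    "127.0.0.6": "XBL",
    "127.0.0.7": "XBL",
    "127.0.0.10": "PBL (ISP maintained)",
    "127.0.0.11": "PBL (Spamhaus maintained)",
}

# Spamhaus error codes: an answer in this range is not a listing but a
# rejected query (e.g. sent via a public/open resolver, or query volume exceeded).
SPAMHAUS_ERROR_NET = ipaddress.IPv4Network("127.255.255.0/24")
LOOPBACK_NET = ipaddress.IPv4Network("127.0.0.0/8")

# Pattern for the relevant part of a ModSecurity @rbl audit/error log message.
LOG_RE = re.compile(r"RBL lookup of (?P<name>\S+) succeeded at REMOTE_ADDR")


def rbl_query_name(ip, zone="xbl.spamhaus.org"):
    """Build the reversed-octet DNSBL name that an @rbl check resolves."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError for a non-IPv4 string
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def parse_rbl_log_line(line):
    """Recover client IP and zone from a 'RBL lookup of ... succeeded' line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    name = m.group("name")
    labels = name.split(".")
    return {
        "name": name,
        "client_ip": ".".join(reversed(labels[:4])),
        "zone": ".".join(labels[4:]),
    }


def classify_answer(answer):
    """Interpret a DNSBL A-record answer; answer=None stands for NXDOMAIN.

    Returns (status, detail) where status is one of
    not_listed / listed / rbl_error / resolver_problem.
    """
    if answer is None:
        return ("not_listed", "NXDOMAIN")
    addr = ipaddress.IPv4Address(answer)
    if addr in SPAMHAUS_ERROR_NET:
        return ("rbl_error", f"Spamhaus rejected the query (code {answer})")
    if addr in LOOPBACK_NET:
        return ("listed", SPAMHAUS_CODES.get(answer, f"unknown code {answer}"))
    # Non-127/8 answers never come from a DNSBL: a resolver or captive portal
    # is rewriting NXDOMAIN into a real address, so every lookup "succeeds".
    return ("resolver_problem", f"non-127/8 answer {answer}; resolver rewrites NXDOMAIN")


def live_check(ip, zone="xbl.spamhaus.org"):
    """Ask the host's configured resolver, the same path a web server's
    DNSBL check takes. Needs network access; not exercised offline."""
    name = rbl_query_name(ip, zone)
    try:
        answer = socket.gethostbyname(name)
    except socket.gaierror:
        answer = None  # NXDOMAIN or resolver failure
    return name, classify_answer(answer)


if __name__ == "__main__":
    # Log line quoted in the thread (constructed excerpt of the original).
    sample = ('[msg "Global RBL Match: IP is on the xbl.spamhaus.org Blacklist"] '
              "Access denied with code 403 (phase 2). RBL lookup of "
              "251.181.63.69.xbl.spamhaus.org succeeded at REMOTE_ADDR.")
    parsed = parse_rbl_log_line(sample)
    print(parsed)
    print(rbl_query_name("81.82.210.15"))
    for ans in (None, "127.0.0.4", "127.255.255.254", "192.0.2.1"):
        print(ans, "->", classify_answer(ans))
```

To test the resolver chain rather than a live suspect address, `live_check("127.0.0.2")` is a useful probe: Spamhaus documents 127.0.0.2 as a permanent test entry, so a correctly working resolver returns 127.0.0.4 for the XBL name, while a probe of an address known to be absent (a random documentation-range address such as 192.0.2.1) should come back as NXDOMAIN; a non-127/8 answer for the latter points straight at the resolver, not at the rule.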