Atomic Secure Linux

All times are UTC - 5 hours [ DST ]




Post subject: Security Rule to block connecting IPs?
Posted: Mon Aug 24, 2009 1:13 pm
Forum User

Joined: Sat Jan 17, 2009 2:19 pm
Posts: 99
Hi,
would you be very kind to help me on this?

I have checked all the info that the MODSEC database generates every time a rule is triggered and I saw that there is the registry for all the HOSTs (connected IPs to my server) that have triggered the rules.

Well, this caught my attention that most of the time the same IPs are the ones that are trying to inject malware code from different places and that is why my following question...

Is it possible to have a rule that blocks the HOST IP from a list that I could maintain myself? I know that I could add these IPs to my FireWall but the list is from about 9,000 IPs, and the FireWall could not handle all that info.

Your help and input is appreciated.

Regards,
Sergio


Post subject: Re: Security Rule to block connecting IPs?
Posted: Mon Aug 24, 2009 1:24 pm
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7458
Location: earth
Sure it can be done. Doing that from an RBL might be faster and more scalable though. Plus you could share it across multiple hosts.


Post subject: Re: Security Rule to block connecting IPs?
Posted: Mon Aug 24, 2009 1:36 pm
Forum User

Joined: Sat Jan 17, 2009 2:19 pm
Posts: 99
scott wrote:
Sure it can be done. Doing that from an RBL might be faster and more scalable though. Plus you could share it across multiple hosts.

Right now, my firewall is using http://www.spamhaus.org/drop/drop.lasso, but it doesn't block these IPs, I don't know why. This is why I would like to have this rule.

Regards,
Sergio


Post subject: Re: Security Rule to block connecting IPs?
Posted: Mon Aug 24, 2009 2:09 pm
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7458
Location: earth
Order matters with firewall rules, you'd want to -I (insert) those rather than -A (add) to ensure your other rules don't have an accept before them.


Post subject: Re: Security Rule to block connecting IPs?
Posted: Mon Aug 24, 2009 2:43 pm
Forum User

Joined: Sat Jan 17, 2009 2:19 pm
Posts: 99
scott wrote:
Order matters with firewall rules, you'd want to -I (insert) those rather than -A (add) to ensure your other rules don't have an accept before them.

Yes, we know that, but the problem is with some ISPs like the one here in my country. The IPs are blacklisted and appear in almost all RBLs. So, when I tried the ASL RBL rules in my server a lot of customers in my country were blocked, that is why I can't use something like.

But after reading your post, I tweaked your RBL Rule to something like this:

Code:
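#Global RBL rules
# Local IP blacklist: deny when REMOTE_ADDR is not in the whitelist file
# and matches an entry in MyIP-blacklist.txt (the two SecRules are chained).
SecRule REMOTE_ADDR "!@pmFromFile /etc/asl/whitelist" \
    "chain,deny,log,id:350000,rev:2,msg:'Global RBL Match: IP is on the My IPs Blacklist',severity:'3'"
SecRule REMOTE_ADDR "@pmFromFile MyIP-blacklist.txt"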


What do you think?

Regards,
Sergio


Post subject: Re: Security Rule to block connecting IPs?
Posted: Mon Aug 24, 2009 3:39 pm
Forum User

Joined: Sat Jan 17, 2009 2:19 pm
Posts: 99
Dear Scott,
I have set this rule on my server and it is working like a charm, I have done a few tests and it works.

Regards,
Sergio


Post subject: Re: Security Rule to block connecting IPs?
Posted: Mon Aug 24, 2009 4:00 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3264
Location: Chantilly, VA
That should work perfectly. Make sure you put it in your local conf files and not the official ASL rule files, otherwise an update may overwrite it.

I'll also add this to the feature list so we can add it into the GUI as a local blacklist.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


Post subject: Re: Security Rule to block connecting IPs?
Posted: Mon Aug 24, 2009 4:16 pm
Forum User

Joined: Sat Jan 17, 2009 2:19 pm
Posts: 99
mikeshinn wrote:
That should work perfectly. Make sure you put it in your local conf files and not the official ASL rule files, otherwise an update may overwrite it.

I'll also add this to the feature list so we can add it into the GUI as a local blacklist.

Michael,
the best thing of this rule is that this will save server time a lot, because instead of checking the malware list every time the same IP tries to do a damage (that in my case, after 20 times the IP is blocked), it will block the offensive IPs since the start.

Right now I have added to MyIP-Blacklist.txt about 1,000 IPs, hope this will stop these people.

Regards,
Sergio


Post subject: Re: Security Rule to block connecting IPs?
Posted: Wed Aug 26, 2009 9:48 pm
Forum User

Joined: Sat Jan 17, 2009 2:19 pm
Posts: 99
UPDATE...

After installing this new rule in my server, I have seen that in two days the hack attempts dropped dramatically, I am happy, lol. It was a far better method than using the MALWARE-BLACKLIST.TXT file that contains hundreds of blacklisted domains.

The only thing that I would like to know is if it is possible to work with CIDRs, to block a range of IPs in just one definition in the text file. Is it possible?

Regards,
Sergio
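
Added example, not part of the original thread or of ASL's rules: a Python model of how the phrase matching used by the rule above (@pmFromFile searches for substrings, with no boundaries) treats an IP list, next to address-aware matching that understands CIDR entries, as @ipMatchFromFile does in ModSecurity 2.7 and later. The function names and the sample addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress

# Constructed sample blacklist: two single hosts and one CIDR range.
BLACKLIST = ["192.0.2.4", "198.51.100.17", "203.0.113.0/24"]

# Constructed client addresses to evaluate against the list.
CLIENTS = ["192.0.2.4", "192.0.2.45", "203.0.113.99", "198.51.100.18"]


def pm_match(remote_addr, phrases):
    """Model of @pm/@pmFromFile: case-insensitive substring search."""
    addr = remote_addr.lower()
    return any(p.lower() in addr for p in phrases)


def load_networks(entries):
    """Parse entries as hosts or CIDR networks; malformed lines raise ValueError."""
    networks = []
    for line in entries:
        entry = line.split("#", 1)[0].strip()  # allow comments and blank lines
        if entry:
            networks.append(ipaddress.ip_network(entry, strict=False))
    return networks


def ip_match(remote_addr, networks):
    """Address-aware match: exact host or membership in a CIDR range."""
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in net for net in networks)


def compare(clients, entries):
    """Return {client: (phrase_match, ip_aware_match)} for each client."""
    networks = load_networks(entries)
    return {c: (pm_match(c, entries), ip_match(c, networks)) for c in clients}


if __name__ == "__main__":
    for client, (phrase, ip_aware) in compare(CLIENTS, BLACKLIST).items():
        print(f"{client:15} phrase={phrase!s:5} ip_aware={ip_aware}")
```

With phrase matching, 192.0.2.45 is blocked because it contains the listed 192.0.2.4, while 203.0.113.99 is missed because the CIDR line is treated as literal text; the address-aware match gets both right.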

