Mod_security rule to block GET requests via querystring or referer

apache-2.2mod-security

In the last days in my VPS there are many many GET requests on 1 file that cause a high memory load (all came from a single refer url, with different IPs).

Until now I've blocked these requests via .htaccess

# by refurl
RewriteCond %{HTTP_REFERER} domain\.com [NC]
RewriteRule .* - [F]
# by querystring
RewriteCond %{QUERY_STRING} \ba=ZicX9v\b [NC]
RewriteRule ^ - [F]

But in this way the requests are still processed by apache and still cause an high memory load.

Can I block this requests with mod_security (maybe on phase1) to prevent/decrease the memory load?

Until now I have set this rule to mod_secuurity (but i'm not sure is right):

SecRule REQUEST_HEADERS:REFERER "(?i:(THEDOMAIN))" phase:1,deny,status:412,id:'1234'

PS: my VPS is linux with apache2.2

EDIT: my entire website force HTTPS, not sure if should I add something

Best Answer

I tested your rule and it seems to work.

You could also test it with curl, with something like that:

curl --referer https://bad-referer-domain.com  https://your-site.com

drop

Description: Immediately initiate a "connection close" action to tear down the TCP connection by sending a FIN packet.

Action Group: Disruptive

Example: The following example initiates an IP collection for tracking Basic Authentication attempts. If the client goes over the threshold of more than 25 attempts in 2 minutes, it will DROP subsequent connections.

SecAction initcol:ip=%{REMOTE_ADDR},nolog
SecRule ARGS:login "!^$" \
    nolog,phase:1,setvar:ip.auth_attempt=+1,deprecatevar:ip.auth_attempt=20/120
SecRule IP:AUTH_ATTEMPT "@gt 25" \
    log,drop,phase:1,msg:'Possible Brute Force Attack"

Note

This action is extremely useful when responding to both Brute Force and Denial of Service attacks in that, in both cases, you want to minimize both the network bandwidth and the data returned to the client. This action causes error message to appear in the log "(9)Bad file descriptor: core_output_filter: writing data to the network"

Domain – Limit mod_security rule to one vhost only

Here are some different ways to do that:

instead of having a global exception file, put the exceptions inside the virtual host definitions
if you want to have an exception file separate from the actual virtual host definition, don't include it in the main server config - instead include it from inside the virtual host.
instead of using <Location>, use SecRule and the ctl:ruleRemoveByID action. Example:

SecRule SERVER_NAME "somedomain\.com$" "@streq /test/.*" "ctl:ruleRemoveByID=981244"

If possible, the first one would be by far the simplest.

Best Answer

Related Solutions

Apache – How to Drop All Requests Using mod_security

drop

Domain – Limit mod_security rule to one vhost only

Related Topic