Denying hosts with specific keywords?

Forum Moderators: phranque

Message Too Old, No Replies

Denying hosts with specific keywords?

Is there a "DENY FROM" equivalent?

craig1972

10:38 am on Apr 19, 2010 (gmt 0)

Hi.

I would like to know if there's a smart way to block servers from accessing my domain if I do not know their IP address. What I do know is parts of their host names.

I have mod_security installed. I am familiar with rules like these:


SecRule REQUEST_URI "xyz|abc"

Where "xyz" or "abc" are part of host names I wish to block. But not sure if Request_URI is the host name in mod_sec rules? I thought of this:


SecRule "HTTP_USER_AGENT|HTTP_HOST" "^$"
SecRule HTTP_HOST "xyz|abc"

But I wonder if this works as I want it to. The first line should reject anything that does not come from a valid browser. And the second line should block people connecting from servers related to xyz or abc. Right?

jdMorgan

1:24 pm on Apr 19, 2010 (gmt 0)

HTTP_HOST is your server -- or more specifically, the hostname that the client requested when connecting to your server.

REMOTE_HOST is the proper variable to get the hostname of the client.

However, this will only work if your server has reverse-DNS lookups enabled. Also be aware that all HTTP requests qualified by REMOTE_HOST will "hang" until the reverse-DNS lookup request is sent to the DNS server and a reply is received. This includes requests for every page, image, css file, etc. on your site, unless further qualified.

This has a significant potential performance impact on your site, and reduces its reliability (if the DNS server stops, so does your site.)

Jim

craig1972

1:41 pm on Apr 19, 2010 (gmt 0)

Oh. OK. Thanks.