Using Project HoneyPot and Mod Security

I am experimenting with a new facet of ModSecurity v2.7.x, the ability to use Project HoneyPot's HTTP Blacklist (HTTPBL) of bad IP addresses to reduce attacks on our server.

What is Project HoneyPot?

Project Honey Pot is the first and only distributed system for identifying spammers and the spambots they use to scrape addresses from your website.

How, What, When, Where?

1) In order to do this, you need to have ModSecurity 2.7.x installed on your server. MS 2.7 has a new variable called "SecHttpBlKey" which uses your Project HoneyPot Access Key.

2) You need a Project HoneyPot access key. It's free.

3) You need to add the following ModSecurity Rule to your rule list for it to work.

Example:

SecHttpBlKey INSERT YOUR ACCESS KEY HERE
SecRule TX:REAL_IP|REMOTE_ADDR "@rbl dnsbl.httpbl.org" "id:'99010',chain,phase:1,t:none,capture,block,msg:'HTTPBL Match of Client IP.',logdata:'%{tx.httpbl_msg}',setvar:tx.httpbl_msg=%{tx.0}"
 SecRule TX:0 "threat score (\d+)" "chain,capture"
 SecRule TX:1 "@gt 20"

4) Restart Apache

I am not getting plenty of log hits that look like this now.

Access denied with code 406 (phase 1). Operator GT matched 20 at TX:1. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "343"] [id "99010"] [msg "HTTPBL Match of Client IP."] [data "RBL lookup of MYACCESSKEY.82.225.47.96.dnsbl.httpbl.org succeeded at REMOTE_ADDR. Suspicious comment spammer IP: 1 days since last activity, threat score 82"]

I like that it blocked this IP which is labeled as a "Dictionary Attacker" in the database. "The Project Honey Pot system has detected behavior from the IP address consistent with that of a mail server and dictionary attacker."

Access denied with code 406 (phase 1). Operator GT matched 20 at TX:1. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "343"] [id "99010"] [msg "HTTPBL Match of Client IP."] [data "RBL lookup of MYACCESSKEY.99.226.10.5.dnsbl.httpbl.org succeeded at REMOTE_ADDR. Suspicious IP: 64 days since last activity, threat score 25"]

What is it doing?

Basically, any IP that is on the HTTP Blacklist (HTTPBL) will be served a 406 Server Response code.

So far it has not put that much strain on the server as far as I can tell and hopefully it will reduce scrappers.

I am still looking for more documentation on this new rule.