Message Board

Tracking Harvesters/Spammers

Older Posts ]   [ Newer Posts ]
 Modsec denied IPs
Author: D.Alder   (26 Jan 10 10:13pm)
My server has modsecurity enabled and multiple times a day I will get emails from my system telling me the firewall (in this case iptables managed via Config Security and Firewall - an awesome product for cP{anel/WHM servers) has blocked an IP and usually because it has failed to meet the modsec ruleset standards. Usually it says an automated program visited the site and was blocked.

What I want to know is - should I be reporting these IPs to this project - I don't have any evidence they are spambots but their activity is in line with a spambot's behavior.
 
 Re: Modsec denied IPs
Author: D.Alder   (27 Jan 10 12:30pm)
Here is an example of what I'm talking about

[Tue Jan 26 16:41:38 2010] [error] [client 141.65.161.70] ModSecurity: Access denied with code 406 (phase 1). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "39"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [hostname "rossland.thealders.net"] [uri "/"] [unique_id "qlUeedFh3UoAAE1sDOAAAAAL"]

and I see that IP 141.65.161.70 is already been noticed by others here.

Basically I'm looking for guidelines on what to report and what not to report
 
 Re: Modsec denied IPs
Author: M.Prince   (29 Jan 10 2:19am)
Adding any information like that to the comment section of the Project Honey Pot site can help other people investigating the same IP gather data which would be useful when they're investigating the same IP.
 
 Re: Modsec denied IPs
Author: D.Alder   (29 Jan 10 9:25am)
Thanks



do not follow this link

Privacy Policy | Terms of Use | About Project Honey Pot | FAQ | CloudFlare Site Protection | Contact Us

Copyright © 2004–14, Unspam Technologies, Inc. All rights reserved.

contact | wiki | email