Message Board

Tracking Harvesters/Spammers

Modsec denied IPs

Author: D.Alder (26 Jan 10 10:13pm)

My server has modsecurity enabled and multiple times a day I will get emails from my system telling me the firewall (in this case iptables managed via Config Security and Firewall - an awesome product for cP{anel/WHM servers) has blocked an IP and usually because it has failed to meet the modsec ruleset standards. Usually it says an automated program visited the site and was blocked.

What I want to know is - should I be reporting these IPs to this project - I don't have any evidence they are spambots but their activity is in line with a spambot's behavior.

Re: Modsec denied IPs

Author: D.Alder (27 Jan 10 12:30pm)

Here is an example of what I'm talking about

[Tue Jan 26 16:41:38 2010] [error] [client 141.65.161.70] ModSecurity: Access denied with code 406 (phase 1). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "39"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [hostname "rossland.thealders.net"] [uri "/"] [unique_id "qlUeedFh3UoAAE1sDOAAAAAL"]

and I see that IP 141.65.161.70 is already been noticed by others here.

Basically I'm looking for guidelines on what to report and what not to report

Re: Modsec denied IPs

Author: M.Prince (29 Jan 10 2:19am)

Adding any information like that to the comment section of the Project Honey Pot site can help other people investigating the same IP gather data which would be useful when they're investigating the same IP.

Re: Modsec denied IPs

Author: D.Alder (29 Jan 10 9:25am)

Thanks