ModSecurity: my first rules

Posted on Jul 11, 2006

I have been using ModSecurity for quite some time now to protect a webserver, but I never felt the need to write my own rules. Recently though, my site got quite a lot of spam in the comments of my TikiWiki-based site. Since I was not willing to disable the anonymous comment posting, I decided to see if I could use Mod_Security to block the spam.

The spam all looked alike, with the following characteristic: it all contained a list of URIs with a pipe | before them. So I decided to try the easiest way, by blocking all posts with this characteristic.

SecFilterSelective REQUEST_URI ".php" chain

SecFilterSelective POST_PAYLOAD " \| http:"

And it works fine:

[Sat Jul 01 12:37:32 2006] [error] [client 211.47.162.225] mod_security: Access denied with code 404. Pattern match " \\| http\:" at POST_PAYLOAD …

Surely the rule can be refined much further, but as long as it works as it does, and I see no bad side effects, I'm happy ;-)
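A way to check the rule for side effects before deploying it, as an added example that is not part of the original post: it emulates the two chained patterns in Python and compares the payload pattern with the pipe left unescaped (regex alternation) against the escaped form reported in the log line. It assumes the POST body is URL-decoded before matching; the sample requests are constructed, and the `min_hits` threshold is a hypothetical refinement, not the author's rule.

```python
import re
from urllib.parse import unquote_plus

URI_RE = re.compile(r".php")           # first link of the chain, pattern as on the page
UNESCAPED = re.compile(r" | http:")    # bare pipe = alternation: " " OR " http:"
ESCAPED = re.compile(r" \| http:")     # literal pipe, the form the error log reports


def blocked(uri, body, payload_re, min_hits=1):
    """Emulate the chain: URI matches AND the decoded POST body matches.

    Assumption: the body is URL-decoded before matching. min_hits > 1 is a
    hypothetical refinement (require a *list* of piped links), not the page's rule.
    """
    if not URI_RE.search(uri):
        return False
    return len(payload_re.findall(unquote_plus(body))) >= min_hits


# Constructed sample requests: (label, uri, url-encoded POST body).
SAMPLES = [
    ("spam", "/tiki-index.php",
     "comment=nice+site+%7C+http%3A%2F%2Fa.example.invalid+%7C+http%3A%2F%2Fb.example.invalid"),
    ("plain", "/tiki-index.php", "comment=Thanks+for+the+write-up"),
    ("one_link", "/tiki-index.php", "comment=manual+%7C+http%3A%2F%2Fdocs.example.invalid"),
    ("static", "/styles/site.css", "x=+%7C+http%3A+%7C+http%3A"),
]


def verdicts(payload_re, min_hits=1):
    """Return {label: True if the request would be denied}."""
    return {label: blocked(uri, body, payload_re, min_hits)
            for label, uri, body in SAMPLES}


if __name__ == "__main__":
    for name, args in [("unescaped pipe", (UNESCAPED,)),
                       ("escaped pipe", (ESCAPED,)),
                       ("escaped pipe, >=2 hits", (ESCAPED, 2))]:
        print(f"{name:24} {verdicts(*args)}")
```

With the pipe unescaped, every PHP POST containing a space is denied, including the ordinary comment; the escaped form denies only bodies containing a piped link, and the two-hit threshold additionally lets a single legitimate piped link through.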