ModSecurity Rules Have Been Tightened – some things to be aware of.
We have implemented a comprehensive update to our mod-security rule set due to high resource usage from comment spammers, as well as forum/software exploitations. As with all mod-security rule set changes, there is a chance that tight rules can interfere with the normal operation of your site in some cases.
If you are having problems with error 403 Forbidden or other problems that happen once in a while for mysterious reasons, the apparent error that is generated is normally a page saying one of:
- 500 Internal Server Error
- 403 Forbidden: You don’t have permission to access ... on this server.
- Not Acceptable: An appropriate representation of the requested resource could not be found on this server.
You’ll need to contact support with the location of the file that you got the error on, or the IP address of the person that got the error if someone is reporting it to you. We will then look in the logs and see what security rule is causing the error, and remove it or write an exception depending on the severity of the risk.
Update: note from the Network Status Blog, moved here:
We have had two reports of folks who have gotten mod-security errors on their entire sites, as well as our drak.net site, since our implementation of the expanded and stricter mod-security rules. We have left this backup server with the old rule set to enable folks to check on what’s going on here.
Apache now gives errors for anyone attempting to contact it whose IP address is located on the Spamhaus SBL or XBL list. The SBL is a realtime database of IP addresses of verified spam sources and spam operations (including spammers, spam gangs and spam support services), maintained by the Spamhaus Project team and supplied as a free service to help email administrators better manage incoming email streams – we are now applying it to Apache as well. The Spamhaus Exploits Block List (XBL) is a realtime database of IP addresses of hijacked PCs infected by illegal 3rd party exploits, including open proxies (HTTP, socks, AnalogX, wingate, etc), worms/viruses with built-in spam engines, and other types of trojan-horse exploits – again, this now applies to Apache as well, in hopes that this will dramatically scale back the amount of attacks and comment spam on the server.
The XBL wholly incorporates data from two highly-trusted DNSBL sources, with tweaks by Spamhaus to maximize the data efficiency and lower False Positives. The main components are:
- the CBL (Composite Block List) from cbl.abuseat.org
- the NJABL Open Proxy IPs list from www.njabl.org.
The CBL List has caught two of our own clients. What the CBL list does is take its source data from very large spamtraps/mail infrastructures, and only lists IPs exhibiting characteristics which are specific to open proxies of various sorts (HTTP, socks, AnalogX, wingate etc) and dedicated Spam BOTs which have been abused to send spam, worms/viruses that do their own direct mail transmission, or some types of trojan-horse or “stealth” spamware, dictionary mail harvesters etc. The CBL also lists certain portions of SpamBot infrastructure, such as Spam BOT/virus infector download web sites, and other web sites or name servers exclusively dedicated to the use of Spam BOTs. Considerable care is taken to avoid listing IP addresses that are, or are likely to be, shared with legitimate use.
If your machine is infected, you may be on the CBL list as a known part of a botnet even if you have no idea you are part of one. If a machine sharing your IP address at work or at home has performed actions as part of a botnet whether deliberately or because you have infected computers, you may be on this list. If you are accessing your site from a public place like a coffee house or public wifi, you may get 406 errors and apache may refuse to allow you to connect to your own site if you are coming in from an IP address that is a known risk. The CBL does not block IP ranges, only specific IPs that have evidenced the behavior they outline.
You can check your IP against Spamhaus here, and against the CBL list here. If you are on the CBL List, DrakNet will not whitelist your IP. If your computer is infected, you are putting your own site, your visitors and our servers at risk. You can read the DrakNet blog here regarding what a botnet does and some of the risks to your site. You will need to secure your network, and remove yourself from the blocklist (there are directions on the site) in order to view your site on our Network again. If you are blocked at a public wifi spot, choosing another will likely clear up the issue.
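The lookup that Apache now performs for each client, as an added example (not DrakNet's rule set or code): reverse the octets of the visitor's IPv4 address, query the Spamhaus zone for that name, and map the answer to an SBL or XBL/CBL listing, which is exactly what produces the 403/406 refusals described above. The zone name sbl-xbl.spamhaus.org and the 127.0.0.x return codes are assumptions taken from Spamhaus's published scheme rather than from this post, and the resolver is pluggable so the check can be exercised offline against constructed answers.

```python
import ipaddress
import socket
from typing import Callable, Optional

# Assumption: the combined SBL+XBL zone and the A-record return codes below
# follow Spamhaus's published scheme; neither appears in the post itself.
DNSBL_ZONE = "sbl-xbl.spamhaus.org"
RETURN_CODES = {
    "127.0.0.2": "SBL: verified spam source/operation",
    "127.0.0.3": "SBL: CSS (snowshoe or compromised sender)",
    "127.0.0.4": "XBL/CBL: exploited host (open proxy, bot, spam engine)",
    "127.0.0.5": "XBL/CBL: exploited host (open proxy, bot, spam engine)",
    "127.0.0.6": "XBL/CBL: exploited host (open proxy, bot, spam engine)",
    "127.0.0.7": "XBL/CBL: exploited host (open proxy, bot, spam engine)",
}

Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Reversed-octet DNSBL name: 192.0.2.10 -> 10.2.0.192.<zone>."""
    addr = ipaddress.IPv4Address(ip)  # ValueError on anything that is not IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def dns_resolver(name: str) -> Optional[str]:
    """Real lookup: return the A record, or None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_ip(ip: str, resolver: Resolver = dns_resolver) -> dict:
    """Emulate the rule's decision: listed -> deny, not listed -> allow."""
    name = dnsbl_query_name(ip)
    answer = resolver(name)
    if answer is None:                      # NXDOMAIN: the IP is not listed
        return {"ip": ip, "listed": False, "reason": None}
    if answer.startswith("127.255."):       # assumption: Spamhaus error codes
        return {"ip": ip, "listed": False, "reason": f"lookup error {answer}"}
    reason = RETURN_CODES.get(answer, f"listed with unknown code {answer}")
    return {"ip": ip, "listed": True, "reason": reason}


if __name__ == "__main__":
    import sys
    # 127.0.0.2 is the conventional DNSBL test entry, so it should report listed
    print(check_ip(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.2"))
```

A lookup error is deliberately treated as "not listed" so that a rate-limited or refused query fails open rather than locking every visitor out of the site.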