Mod Security: SecRule REQUEST_URI best practices
Posted by gpl24, 10-01-2011, 11:38 PM

In your expert opinion, what would you do in this scenario:
I receive daily probes to specific CMS URLs I do not have. Upon further investigation, many of the probes appear to originate from compromised hosting servers. I got tired of filing manual abuse reports, so I set up mod security to auto-block these turds.
Now, because they're looking for hack-able URLs like admin, etc., should this be a 406 or 404 result?
This is what I have right now:
If a better practice is to 404 these, how can I do that? By default, this is shooting a 406 response.
Side question: If I 404 this rule, would mod security still block these attempts if they fall within the mod security duration rules? (Currently, 406 mod_security responses send these IPs to perma-blocks on the firewall)
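
For reference, a ModSecurity 2.x rule can set its own response code with `deny,status:404`, which takes precedence over the default action's status. The rule below is an added example, not the poster's configuration; the rule id, message and URL paths are constructed placeholders, and the 406 default shown in the comment is an assumption about where that status comes from.

```apache
# Added example; rule id, message and URL paths are constructed placeholders.
# Assumption: the 406 comes from a server-wide default such as
#   SecDefaultAction "phase:2,deny,status:406,log,auditlog"
# A rule that names its own disruptive action and status overrides that default.
#
# REQUEST_URI includes the query string, so the pattern ends on "/", "?" or
# end of string to match /admin, /admin/ and /admin?x=1 but not /administer.
# log,auditlog keep the match recorded whatever status is returned.
SecRule REQUEST_URI "@rx ^/(?:admin|administrator)(?:[/?]|$)" \
    "id:1000001,phase:1,t:none,t:lowercase,deny,status:404,log,auditlog,msg:'Probe for CMS path not hosted on this site'"
```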