Using Mod Security to block troublesome visitors

One of the servers I have been asked to look at has been having problems with intermittent slowing down and occasional freezes on Apache.

It was proving difficult to track down as it could take days sometimes and other times only hours to happen. I left /server-status in apache running and saved the output regularly with a script. when it finally came back with a failure it was a single URL that was causing the problems but with different parameters. We couldn’t just disable the URL in question as it works when no parameters were passed and it was an important site (for the client)

The software being used was postnuke and only caused a problem when “theme=printer” was passed as part of the URL.

We did a load of looking at the code in question, checking the MySQL database etc etc and finally decided that a block via mod_security for the URL in question would cover it.

SecRule QUERY_STRING “name=News&file=article&sid=[0-9]{1,3}&theme=Printer” “deny,log,auditlog,redirect:http://127.0.0.1”

The funny thing about this was, every single IP address that used this URL tracked back to the Yahoo Search Engine. I have no idea why that should be. No other search engine spidered this particular combination of parameters. I never did think much to PostNuke to be honest. Anyway, the server is working reliably now which is the main thing.

Be the first to comment

Leave a Reply

Your email address will not be published.


*