Description
I am using the @rbl xbl.spamhaus.org. rule for protecting my Fediverse server, and I face the issue that with the latest version of either ModSecurity or the docker.io/owasp/modsecurity-crs:nginx container, the collection handling for the IP collection seems to no longer work properly.
In my pi-hole I see a huge number of queries to .xbl.spamhaus.org for all the IP addresses checked, with the same IP-based query repeated many times, where I would expect that this is not the case due to how I set up the ModSecurity rules.
- The issue is happening with the latest version of the docker.io/owasp/modsecurity-crs:nginx container.
- It occurs far less often with docker.io/owasp/modsecurity-crs:4.10-nginx-202501050801, even when mounting ruleset 4.14 into this container.
- I don't believe it is a problem with the CRS.
Based on what I see, it looks as if
- the expirevar for the IP collection is not working properly
- maybe the persistent store is causing the problem (as I don't see any problems with the TX collection, which is also a collection but not persisted). This might be a Docker image problem.
According to modsecurity.conf the SecTmpDir is set to /tmp/modsecurity/tmp (as data and upload directory are also located in /tmp/modsecurity).
This directory is empty. Wouldn't this be the directory for persistent storage and shouldn't there be a file for the IP collection database?
These are the rules I use:
# xbl.spamhaus.org to block malicious/infected ips
# 1100: open the persistent IP collection keyed on the client address
SecAction \
"phase:1,id:1100,\
t:none,pass,nolog,\
tag:'COLLECTIONS',\
initcol:ip=%{remote_addr},\
setvar:'tx.real_ip=%{remote_addr}'"
# 1101: deny immediately if this IP was flagged by an earlier RBL match
SecRule IP:SPAMMER "@eq 1" \
"phase:1,id:1101,\
t:none,deny,log,auditlog,\
msg:'Request from Known SPAM Source (Previous RBL Match)',\
tag:'AUTOMATION/MALICIOUS',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}'"
# 1102: skip the lookup if this IP was already checked within the last hour
SecRule IP:PREVIOUS_RBL_CHECK "@eq 1" "phase:1,id:1102,t:none,pass,nolog,skipAfter:END_RBL_LOOKUP"
# 1103: remember that a lookup is being done for this IP (expires after 3600s)
SecAction "phase:1,id:1103,\
t:none,pass,nolog,\
setvar:ip.previous_rbl_check=1,\
expirevar:ip.previous_rbl_check=3600"
# 1104: the actual DNS-based RBL lookup; a hit flags the IP for an hour
SecRule REMOTE_ADDR "@rbl xbl.spamhaus.org." \
"phase:1,id:1104,\
t:none,deny,log,auditlog,\
msg:'RBL Match for SPAM Source',\
tag:'AUTOMATION/MALICIOUS',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:ip.spammer=1,\
expirevar:ip.spammer=3600"
SecMarker END_RBL_LOOKUP
This is part of my setup.conf before including the CRS rules. As said, it worked much better (but also not perfect) with the older docker image mentioned above.
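The following is an added reference model of the rule chain above (ids 1100 to 1104), not code from the issue or from ModSecurity: it simulates a persistent IP collection with expirevar semantics and counts how many RBL lookups the rules should generate per client, so that number can be compared with the DNS query volume seen in pi-hole. The RBL answer is stubbed with a constructed list of "listed" addresses; all addresses and timestamps are made up.

```python
"""Reference model of the RBL rule chain (ids 1100-1104) from this issue.

Constructed example: it simulates ModSecurity's persistent IP collection with
expirevar semantics so the expected number of RBL (DNS) lookups per client
can be compared with what is observed, e.g. in pi-hole.
"""
from dataclasses import dataclass, field

TTL = 3600  # expirevar:ip.previous_rbl_check=3600 / expirevar:ip.spammer=3600


@dataclass
class IpCollection:
    """One persistent IP collection; each value carries an expiry timestamp."""
    vars: dict = field(default_factory=dict)

    def get(self, name, now):
        val, expires = self.vars.get(name, (None, 0))
        return val if expires > now else None   # expired vars read as unset

    def set(self, name, value, now, ttl=TTL):
        self.vars[name] = (value, now + ttl)


class RblGuard:
    def __init__(self, listed_ips):
        self.listed = set(listed_ips)   # stands in for xbl.spamhaus.org answers
        self.store = {}                 # persistent store, one collection per IP
        self.lookups = 0                # DNS queries that would be sent

    def handle(self, remote_addr, now):
        ip = self.store.setdefault(remote_addr, IpCollection())  # id 1100 initcol
        if ip.get("spammer", now) == 1:                          # id 1101
            return "deny (previous RBL match)"
        if ip.get("previous_rbl_check", now) == 1:               # id 1102 skipAfter
            return "pass (cached)"
        ip.set("previous_rbl_check", 1, now)                     # id 1103
        self.lookups += 1                                        # id 1104 @rbl
        if remote_addr in self.listed:
            ip.set("spammer", 1, now)
            return "deny (RBL match)"
        return "pass"


def simulate(listed, requests):
    """requests: list of (remote_addr, unix_time). Returns (actions, lookups)."""
    guard = RblGuard(listed)
    return [guard.handle(addr, t) for addr, t in requests], guard.lookups
```

With a working persistent store, a non-listed client should produce exactly one lookup per hour; if every request shows up as a fresh query, the collection is not being persisted or the expiry is not being honoured.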