Block HTTP traffic based on XFF IP behind ELB

iptables only sees the source IP of the TCP connection. Behind an ELB that is always the load balancer's address; the real client IP travels only in the X-Forwarded-For (XFF) HTTP header, which iptables cannot read. ModSecurity can, so the blocking is done there instead.

OS : Amazon Linux

#yum install mod_security
#vim /etc/httpd/conf.d/mod_security.conf

The following rule is added to block traffic from one client IP [ELB used]. The address is a placeholder; replace it with the real one. The ELB appends the connecting client's IP as the last element of X-Forwarded-For, so the rule is anchored to that last element rather than using a plain substring match (@contains "11.222.333.44" would also match 111.222.333.44 or 11.222.333.441):

SecRule REQUEST_HEADERS:X-Forwarded-For "@rx (?:^|,\s*)11\.222\.333\.44$" "phase:1,log,deny,id:1001"

The following rule is added to block traffic [ELB not used]. Without a load balancer the client connects directly, so REMOTE_ADDR is the real client address and X-Forwarded-For must not be trusted at all (the client can set it to anything):

SecRule REMOTE_ADDR "@ipMatch 111.222.333.444" "phase:1,log,deny,id:1004"
#/etc/init.d/httpd restart

The XFF header is used when the server is behind an ELB because the ELB terminates the client connection: REMOTE_ADDR is then always the ELB's own address, and the original client IP is only available as the last element the ELB appended to X-Forwarded-For. This only holds if the instance is reachable solely through the ELB (for example, the security group allows ports 80/443 only from the ELB); a client that can reach the instance directly controls the whole header.

Similarly, the following rule can be used to whitelist an IP. An allow rule needs more care than a deny rule: everything in X-Forwarded-For before the last element is supplied by the client. With "@contains 111.222.333.444" an attacker simply sends its own header "X-Forwarded-For: 111.222.333.444", the ELB appends the attacker's real IP after it, the substring matches and ModSecurity is switched off for the attacker's request. Anchoring the match to the last element closes that hole:

SecRule REQUEST_HEADERS:X-Forwarded-For "@rx (?:^|,\s*)111\.222\.333\.444$" "phase:1,log,allow,ctl:ruleEngine=off,id:10012"

The rule above disables ModSecurity inspection for the rest of the transaction when the IP address the ELB saw is 111.222.333.444, and only then.
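To show why the allow rule must be anchored to the last XFF element, here is an added Python simulation that is not part of the original post and not ModSecurity code. It models what the ELB does to X-Forwarded-For, then evaluates a @contains-style rule and an anchored @rx-style rule over the same requests, applying the deny rule before the allow rule as the phase 1 ordering above does. The addresses (198.51.100.7 as the allowed client, 192.0.2.5 as the blocked client, 203.0.113.9 as an attacker) are placeholders from the RFC 5737 documentation ranges, assumed for the example.

```python
import ipaddress
import re

# Placeholder addresses (assumption, RFC 5737 documentation ranges, not from the page).
ALLOWED_IP = "198.51.100.7"   # the address the allow rule is meant to exempt
BLOCKED_IP = "192.0.2.5"      # the address the deny rule is meant to stop


def elb_forward(client_ip, client_headers):
    """Simulate what an AWS ELB does before forwarding a request: it appends
    the TCP source address of the connection to X-Forwarded-For, creating the
    header if the client did not send one. Every element except the last is
    whatever the client chose to send and is untrusted."""
    headers = dict(client_headers)
    existing = headers.get("X-Forwarded-For")
    headers["X-Forwarded-For"] = f"{existing}, {client_ip}" if existing else client_ip
    return headers


def rule_contains(xff, ip):
    """Behaviour of: SecRule REQUEST_HEADERS:X-Forwarded-For "@contains <ip>" ...
    A plain substring test over the whole header value."""
    return ip in xff


def rule_last_entry(xff, ip):
    """Behaviour of: SecRule REQUEST_HEADERS:X-Forwarded-For "@rx (?:^|,\\s*)<ip>$" ...
    Matches only when <ip> is the final, load-balancer-appended element."""
    pattern = r"(?:^|,\s*)" + re.escape(ip) + r"$"
    return re.search(pattern, xff) is not None


def client_ip_from_xff(xff):
    """The address the ELB actually saw: the last element. Raises ValueError if
    it is not a valid IP, which an ELB-appended value never is."""
    last = xff.split(",")[-1].strip()
    return str(ipaddress.ip_address(last))


def waf_decision(client_ip, client_headers, matcher):
    """Push the request through the ELB simulation, then apply the deny rule
    (id:1001) and the allow rule with ctl:ruleEngine=off (id:10012), both built
    on `matcher`, in that order. Returns the resulting disposition."""
    xff = elb_forward(client_ip, client_headers)["X-Forwarded-For"]
    if matcher(xff, BLOCKED_IP):
        return "deny"
    if matcher(xff, ALLOWED_IP):
        return "allow,ruleEngine=off"
    return "inspect"


if __name__ == "__main__":
    # Constructed sample requests: (label, real client IP, headers the client sent).
    cases = [
        ("legitimate allowed client", ALLOWED_IP, {}),
        ("blocked client", BLOCKED_IP, {}),
        ("attacker spoofing the allowed IP", "203.0.113.9", {"X-Forwarded-For": ALLOWED_IP}),
        ("neighbour 198.51.100.70 (superstring of 198.51.100.7)", "198.51.100.70", {}),
    ]
    for label, ip, hdrs in cases:
        print(f"{label}: @contains -> {waf_decision(ip, hdrs, rule_contains)}, "
              f"anchored -> {waf_decision(ip, hdrs, rule_last_entry)}")
```

The spoofing case is the one that matters: with @contains the attacker's request ends up with the rule engine switched off, with the anchored rule it is inspected normally. The 198.51.100.70 case shows the second, less dramatic defect of @contains, an unrelated neighbour address being treated as the allowed one. The deny rule is not bypassable either way, because the blocked client's own IP is always the element the ELB appends.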
