Mod_Security Question

J.T.

Like all of us, I get a lot of vulnerability probers all day every day.

I've not had time to link up Fail2Ban with LSWS properly, so I'm looking to do a quick Mod_Security rule to nip at least a few if I can in the meanwhile. But I don't have much experience with Mod_Security rules and I can't get mine to work based on the documentation.

Requests I want to deny immediately include:

58.53.128.61 - - [11/Jun/2010:07:46:25 +0100] "GET http://proxyjudge1.proxyfire.net/fastenv HTTP/1.1" 404 27619 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.53.128.61 - - [11/Jun/2010:10:02:25 +0100] "GET http://proxyjudge3.proxyfire.net/fastenv HTTP/1.1" 404 15604 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
221.192.199.35 - - [10/Jun/2010:12:12:39 +0100] "GET http://www.wantsfly.com/prx2.php?hash=8F6A3CACF19FF50A4E6DAF910050037D721194BC6A50 HTTP/1.0" 404 27673 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
125.65.165.184 - - [11/Jun/2010:12:32:46 +0100] "GET http://zerg.helllabs.net/cgi-bin/textenv.pl HTTP/1.1" 404 27630 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

They are all open proxy scanners. Sure, they get 404s, but on our system they are "heavy" 404s which take up a fair bit of resources. I'd like LSWS to block these right away.

Request Filter Rules at Server level I tried for the wantsfly one:

Code:
SecFilterSelective REQUEST_URI "wantsfly.com"
SecFilterSelective REQUEST_URI "*wantsfly.com*"
The latter gets an error.

How do I say "Block everything with wantsfly.com or proxyfire in the URI"?

Thanks!
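
An added example, not part of the original post: a small Python check of candidate filter patterns against request lines modelled on the log excerpt above. It assumes the filter operand is evaluated as a regular expression rather than a shell glob, with Python's `re` standing in for the server's regex engine; the sample lines, the function names and the absolute-form pattern (which goes beyond the two keywords asked about) are constructed for illustration.

```python
import re

# Constructed sample lines in combined log format, modelled on the post's excerpt
# (client addresses swapped for documentation addresses, hash replaced by a placeholder).
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Jun/2010:07:46:25 +0100] "GET http://proxyjudge1.proxyfire.net/fastenv HTTP/1.1" 404 27619 "-" "Mozilla/4.0"',
    '192.0.2.11 - - [10/Jun/2010:12:12:39 +0100] "GET http://www.wantsfly.com/prx2.php?hash=PLACEHOLDER HTTP/1.0" 404 27673 "-" "Mozilla/4.0"',
    '192.0.2.12 - - [11/Jun/2010:12:32:46 +0100] "GET http://zerg.helllabs.net/cgi-bin/textenv.pl HTTP/1.1" 404 27630 "-" "Mozilla/4.0"',
    '192.0.2.13 - - [11/Jun/2010:12:40:00 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

# Pulls the request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

GLOB_STYLE = "*wantsfly.com*"                 # second pattern from the post
KEYWORD_PATTERN = r"wantsfly\.com|proxyfire"  # "wantsfly.com or proxyfire" as one regex
ABSOLUTE_FORM = r"^https?://"                 # any proxy-style absolute-URI request target


def compiles(pattern):
    """True if the pattern is a valid regex; a leading '*' has nothing to repeat."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def request_targets(lines):
    """Request targets of every line that contains a parsable request line."""
    found = (REQUEST_RE.search(line) for line in lines)
    return [m.group("target") for m in found if m]


def matched(pattern, lines=SAMPLE_LOG):
    """Request targets a deny rule with this pattern would hit."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [t for t in request_targets(lines) if rx.search(t)]


if __name__ == "__main__":
    print("glob-style pattern compiles:", compiles(GLOB_STYLE))
    print("keyword pattern hits:", matched(KEYWORD_PATTERN))
    # The helllabs probe is only caught by the absolute-form check. A deny on
    # absolute-form targets should exempt the site's own hostnames, since
    # HTTP/1.1 clients may legitimately send them.
    print("absolute-form hits:", matched(ABSOLUTE_FORM))
```

The keyword pattern can be tried in the same `SecFilterSelective REQUEST_URI` directive shown in the post. Whether that variable includes the host part of an absolute-form request on a given server is worth confirming with a test request before relying on the rule.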