
I am trying to restrict specific hosts (e.g. AWS) from accessing my webserver. I tried different variations of these but it doesn't work.

# Block AWS
SecRule REQUEST_HEADERS:Host ".*\.amazonaws\.com.*" \
"msg:'AWS blocked',id:10007,log,t:lowercase,drop,phase:1"

I tried:

SecRule REQUEST_HEADERS:Host ".*\.amazonaws\.com.*"
SecRule REQUEST_HEADERS:Host "@rx ^.*\.amazonaws\.com.*$"
SecRule REQUEST_HEADERS:Host "@contains amazonaws.com"

None of the above works, so I am coming to the conclusion that something is wrong with my header query syntax. Here is the example of the host string I am trying to match for exclusion: Host: ec2-12-34-56-78.compute-1.amazonaws.com

David
  • I have the same question, but I think REQUEST_HEADERS:Host is related to the requested host, not the remote host. – Farhad Sakhaei May 03 '21 at 17:14
  • @FarhadSakhaei Well, that makes sense, but REQUEST_HEADERS:User-Agent does return the user agent of the client, so that makes REQUEST_HEADERS a bit ambiguous. Also, see this from the Wiki: "REQUEST_HEADERS: This variable can be used as either a collection of all of the request headers or can be used to inspect selected headers (by using the REQUEST_HEADERS:Header-Name syntax). SecRule REQUEST_HEADERS:Host "^[\d\.]+$" "deny,id:47,log,status:400,msg:'Host header is a numeric IP address'"". The above example indicates that REQUEST_HEADERS:Host does refer to the requested host. – David May 04 '21 at 12:16
  • @FarhadSakhaei The following should work, but I couldn't get it working: "REMOTE_HOST: If the Apache directive HostnameLookups is set to On, then this variable will hold the remote hostname resolved through DNS. If the directive is set to Off, this variable will hold the remote IP address (same as REMOTE_ADDR). Possible uses for this variable would be to deny known bad client hosts or network blocks, or conversely, to allow in authorized hosts. SecRule REMOTE_HOST "\.evil\.network\.org$" "id:36"". – David May 04 '21 at 12:21

2 Answers

So from what I gather, and as @FarhadSakhaei noted, REQUEST_HEADERS:Host refers to the requested host and not the remote host. This is strange because the REQUEST_HEADERS:User-Agent does return the user agent of the client.

What would work instead is SecRule REMOTE_HOST with the Apache directive HostnameLookups set to "On".

e.g.

SecRule REMOTE_HOST "bad\.host\.com$" "msg:'Bad host blocked',id:99999,log,drop,phase:1"

If HostnameLookups is "Off", REMOTE_HOST will return the IP address of the requesting client. Obviously there is some performance hit to expect with HostnameLookups set to "On", so that's the trade-off.

David

I used such things:

# Apache must resolve the client address, otherwise REMOTE_HOST is just the IP
HostnameLookups On

# Match the reverse-DNS name of the client; the macro is %{REMOTE_HOST} (braces needed).
# 'drop' closes the connection, so the 403 in 'status' is never actually sent.
SecRule REMOTE_HOST "@rx (?:amazonaws\.com|your-server\.de)" \
    "msg:'Bad host blocked - REMOTE HOST: %{REMOTE_HOST}',\
    id:99999,log,drop,t:lowercase,phase:request,status:403"

Works great; just keep completing the bad-hosts list ....

Farhad Sakhaei
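Both answers rely on REMOTE_HOST together with HostnameLookups. The configuration below is an added example, not code from either answer or from the ModSecurity project; it puts the question's Host-header rule next to the remote-host rule so the difference is visible, and adds the checks a practitioner would want. The rule ids 10007 to 10009 and the path /etc/modsecurity/aws-ipv4.txt are assumptions, and the range file is one you would have to populate yourself.

```apache
# Added example (not from the answers above). Assumes Apache 2.4 with ModSecurity 2.x.
# Rule ids 10007-10009 are arbitrary: pick ids that do not collide with your own rules.

# 1. What the question's rule actually tests: the Host header the CLIENT sent.
#    Any client can put anything in that header, so it names the site being
#    asked for, never the machine doing the asking. Kept here (as 'pass', log
#    only) purely to show the contrast; it cannot identify a source.
SecRule REQUEST_HEADERS:Host "@rx \.amazonaws\.com$" \
    "id:10007,phase:1,t:lowercase,log,pass,\
    msg:'Host header names an amazonaws.com vhost (client-chosen value, not the client)'"

# 2. Identifying the client: REMOTE_HOST is the reverse-DNS (PTR) name of REMOTE_ADDR.
#    'On' trusts the PTR record alone, which the owner of the client IP controls.
#    'Double' also does a forward lookup and only keeps the name if it resolves
#    back to the client address; otherwise REMOTE_HOST falls back to the IP.
HostnameLookups Double

#    The '$' anchor matters: without it a forward-confirmed name such as
#    x.amazonaws.com.attacker.example would still match. 'deny' sends the 403;
#    'drop' would close the connection and the status would never be sent.
SecRule REMOTE_HOST "@rx \.(?:amazonaws\.com|your-server\.de)$" \
    "id:10008,phase:1,t:lowercase,log,deny,status:403,\
    msg:'Blocked by reverse DNS: %{REMOTE_ADDR} -> %{REMOTE_HOST}'"

# 3. Same goal without the per-request DNS cost: match the client address against
#    a list of CIDR ranges, one per line (assumed path; fill it from the published
#    AWS address ranges or whatever networks you want to block).
SecRule REMOTE_ADDR "@ipMatchFromFile /etc/modsecurity/aws-ipv4.txt" \
    "id:10009,phase:1,log,deny,status:403,\
    msg:'Blocked by address range: %{REMOTE_ADDR}'"
```

Rule 10007 fires for a request from anywhere as soon as the client sends `Host: ec2-12-34-56-78.compute-1.amazonaws.com`, which is why it never worked as a source filter. Rule 10008 is what the answers describe, with the name anchored and the macro written as `%{REMOTE_HOST}`. Rule 10009 is the cheaper option when you already know the address ranges, since it needs no HostnameLookups at all; both 10008 and 10009 can stay enabled together.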