Modsecurity block request

Question

How can I block in modsecurity these requests:
12.54.87.55:443
https://12.54.87.55

tried

SecRule REQUEST_URI "12.54.87.55:443" phase:1,id:1008,log,deny,status:403

but seems like it's not working.
I want to block all the requests where Host header is a numeric IP address

score 0 · Answer 1 · answered May 30 '18 at 12:14

0

This is one of the many examples of rules given in the ModSecurity Rule Writing Workshop:

SecRule REQUEST_HEADERS:Host "^[\d\.]+$" "phase:1,t:none,block,msg:'Host is an IP address'"

answered May 30 '18 at 12:14

fvu

Thanks @fvu The problem is I have an Apache server with multiple vhosts, and when you request 12.12.12.12:443 apache is redirecting to the first valid ssl cert it finds, before modsecurity does anything. Your code above works only with 80 port. – Zero Hour May 30 '18 at 12:22

1 Answers1