modsecurity whitelist ip range

user2431427 picture user2431427 · Dec 29, 2013 · Viewed 11.7k times · Source

I'm trying to whitelist a range of ips (Googlebots) on modsecurity on an Ubuntu 12.04 server. For example, here's a range that I need to whitelist:

66.249.64.0/19

I've tried several ways as suggested by others, but only single ips are being blocked, when i try as a range, the whitelist is ignored. I've added the rule to the /usr/share/modsecurity-crs/modsecurity_crs_10_config.conf in a new section at the bottom of the file.

This works:

SecRule REMOTE_ADDR "^66.249.65.3" phase:1,nolog,allow,ctl:ruleEngine=Off

These Don't work:

SecRule REMOTE_ADDR "^66.249.64.0/19" phase:1,nolog,allow,ctl:ruleEngine=off

SecRule REMOTE_ADDR "@ipMatch 66.249.64.0/19" "phase:1,nolog,allow"

SecRule REMOTE_ADDR "^66.249.64\0/19$" phase:1,nolog,allow,ctl:ruleEngine=Off

I"ve seen several different syntaxes suggested, but none seem to work for my installation. Does the version of mod-security matter? any suggestions? TIA

Answer

Alex Moleiro picture Alex Moleiro · Feb 12, 2015

I am using Ubuntu but the result may be the same

SecRule REMOTE_ADDR "@ipMatch 66.249.0.0/16" "id:26091975,phase:2,pass,nolog,allow,ctl:ruleEngine=Off"

It is working very well in my servers. If you want to take logs just get rid off nolog command in the sentence. You may change the mask in order to be more precise but it depends on you.

Be aware of using the correct phase. In my case is phase 2.

To be more confident just read: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#ipMatch

They prefer @ipMatch operator rather than regexp. Follow @ModSecurity at Twitter