modsecurity whitelist ip range

Question

I'm trying to whitelist a range of ips (Googlebots) on modsecurity on an Ubuntu 12.04 server. For example, here's a range that I need to whitelist:

66.249.64.0/19

I've tried several ways as suggested by others, but only single ips are being blocked, when i try as a range, the whitelist is ignored. I've added the rule to the /usr/share/modsecurity-crs/modsecurity_crs_10_config.conf in a new section at the bottom of the file.

This works:

SecRule REMOTE_ADDR "^66.249.65.3" phase:1,nolog,allow,ctl:ruleEngine=Off

These Don't work:

SecRule REMOTE_ADDR "^66.249.64.0/19" phase:1,nolog,allow,ctl:ruleEngine=off

SecRule REMOTE_ADDR "@ipMatch 66.249.64.0/19" "phase:1,nolog,allow"

SecRule REMOTE_ADDR "^66.249.64\0/19$" phase:1,nolog,allow,ctl:ruleEngine=Off

I"ve seen several different syntaxes suggested, but none seem to work for my installation. Does the version of mod-security matter? any suggestions? TIA

I'm using mod-security 2.2 which installs from apt-get on Ubuntu 12.04 LTS. I did find this entry on Modsecurity's blog... > SecRule REMOTE_ADDR "^192\.168\.10\.69$" phase:1,log,allow:request but it doesn't explain how to insert ip ranges. any ideas? — user2431427, Dec 29 '13 at 10:01

score 7 · Answer 1 · answered Feb 11 '15 at 23:02

I am using Ubuntu but the result may be the same

SecRule REMOTE_ADDR "@ipMatch 66.249.0.0/16" "id:26091975,phase:2,pass,nolog,allow,ctl:ruleEngine=Off"

It is working very well in my servers. If you want to take logs just get rid off nolog command in the sentence. You may change the mask in order to be more precise but it depends on you.

Be aware of using the correct phase. In my case is phase 2.

To be more confident just read: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#ipMatch

They prefer @ipMatch operator rather than regexp. Follow @ModSecurity at Twitter

This one works as it has a rule ID, and that now seems to be required. — Lee S, Feb 22 '15 at 11:25

score 3 · Answer 2 · answered Sep 09 '14 at 11:52

3

This works with mod_security >=2.8

SecRule REMOTE_ADDR "@ipMatch 192.168.1.100,192.168.1.50,10.10.50.0/24" phase:1,nolog,allow,ctl:ruleEngine=Off

answered Sep 09 '14 at 11:52

user3839879

31
2

score 2 · Answer 3 · edited Jun 27 '17 at 15:12

2

This one should work; allows all IPs starting with 66.249.64.

SecRule REMOTE_ADDR "^66\.249\.64" "phase:1,nolog,allow"

edited Jun 27 '17 at 15:12

Adam Azad

11,171
5
29
70

answered Jan 01 '14 at 17:10

Kasem Alsharaa

892
1
6
15

`.` matches any character so I think this should be `\.` – wkarl Oct 07 '15 at 17:18

score 1 · Answer 4 · edited Jun 15 '17 at 13:23

1

If you are under a load balancer use:

SecRule REQUEST_HEADERS:X-Forwarded-For "@Contains 37.161.74.122" phase:1,nolog,allow,pass,ctl:ruleEngine=off,id:1

edited Jun 15 '17 at 13:23

Eric Aya

69,473
35
181
253

answered Jun 15 '17 at 09:45

Sebastien Horin

10,803
4
52
54

modsecurity whitelist ip range

4 Answers4