Striketh

Reputation: 559

Blocking HTTP POST attacks

I'm getting an HTTP POST attack to my server and I want to send all of these requests to a 403 instead of having them get caught by mod_security, in order to improve the rejection speed and take some of the burden off Apache. Here's what's happening via mod_security at the moment:

[Tue Jul 31 23:40:42 2012] [error] [client 24.201.202.189] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/var/asl/rules/10_asl_rules.conf"] [line "63"] [id "390616"] [rev "2"] [msg "Atomicorp.com WAF Rules: POST request must have a Content-Length header"] [severity "WARNING"] [hostname "some-server.domain.com"] [uri "/index.php/1.0"] [unique_id "UBhQ2myulQkAADbaEm8AAACN"]

I'm trying to send any access to index.php to a 403 via mod_rewrite, but it doesn't appear to be working. I'm assuming that these either don't apply to POST, or I'm missing something. Here's what I'm using right now:

RewriteEngine On
RewriteCond %{HTTP_HOST} !^http://(www\.)?some-server\.domain\.com
RewriteRule ^index\.php$ [F]

The server name is structured like above, but I've replaced it with some generic names for obvious reasons.

Can anyone offer feedback on this and what I may be doing wrong via the mod_rewrite rules?

Thanks!

Upvotes: 1

Views: 4458

Answers (1)

Striketh

Reputation: 559

The solution in this case, since the attack is always the same, was like so:

# Deny every request whose URL path starts with /index.php/1.0 (the exact
# URI the attack hits), before any handler runs. Dots are escaped because
# LocationMatch takes a regex. "order"/"deny from" is the Apache 2.2
# mod_authz_host syntax that was current for this server.
<LocationMatch "^/index\.php/1\.0">
order allow,deny
deny from all
</LocationMatch>

Since the attackers always triggered the "denied by server configuration" from that point on, it was cake to block them all at once like so:

# Pull the client IP out of every "client denied" error line for index.php
# (in the Apache 2.2 error_log format, field 8 is "[client IP]"), strip the
# closing bracket, de-duplicate, and hand each one to csf (ConfigServer
# Firewall) as a permanent deny.
for i in $(grep "client denied by server configuration: /usr/local/apache/htdocs/index.php" /usr/local/apache/logs/error_log \
           | cut -d\  -f8 | tr -d ']' | sort -u); do csf -d "$i"; done

Problem solved.

Upvotes: 1
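An added example, not part of the answer above, that turns the one-liner into two reviewable shell functions. It goes a step beyond the answer in that it keys on the "[client " bracket instead of a fixed column, so it also copes with the Apache 2.4 error_log layout where the client field carries a port ("[client IP:port]") and "cut -f8" no longer lands on the address. The log lines are constructed for the example, the paths are taken from the answer, and csf is assumed not to be installed, so the block prints the csf commands rather than running them.

```shell
#!/bin/sh
# Added example, not the original answer's code. Extracts the clients that
# Apache denied by configuration and emits the csf deny commands for review.

# Constructed sample error_log content (not real traffic). Lines 1-3 use the
# Apache 2.2 layout the answer greps; line 4 is an unrelated error that must be
# ignored; line 5 uses the Apache 2.4 layout, where the client field carries a
# port ("[client IP:port]"), so a positional "cut -f8" would no longer work.
SAMPLE_LOG='[Tue Jul 31 23:41:02 2012] [error] [client 203.0.113.5] client denied by server configuration: /usr/local/apache/htdocs/index.php
[Tue Jul 31 23:41:03 2012] [error] [client 203.0.113.5] client denied by server configuration: /usr/local/apache/htdocs/index.php
[Tue Jul 31 23:41:04 2012] [error] [client 198.51.100.77] client denied by server configuration: /usr/local/apache/htdocs/index.php
[Tue Jul 31 23:41:05 2012] [error] [client 192.0.2.9] File does not exist: /usr/local/apache/htdocs/favicon.ico
[Wed Oct 11 14:32:52.123456 2023] [authz_core:error] [pid 35708] [client 198.51.100.200:59990] AH01630: client denied by server configuration: /usr/local/apache/htdocs/index.php'

# denied_clients PATH
# Reads error_log text on stdin and prints each unique IPv4 client that was
# denied access to PATH, one per line. It anchors on the "[client " bracket
# rather than a column number, so the 2.2 and 2.4 layouts both work. IPv6
# clients are deliberately not matched (the [0-9.] class stops at ':').
denied_clients() {
    path="$1"
    grep -F "client denied by server configuration: $path" \
      | sed -n 's/.*\[client \([0-9.][0-9.]*\).*/\1/p' \
      | LC_ALL=C sort -u
}

# block_commands PATH
# Prints one "csf -d IP" line per denied client instead of executing it, so
# the list can be checked (and a shared proxy or NAT address removed) before
# the firewall is touched. csf is the ConfigServer Firewall CLI used in the
# answer; it is assumed NOT to be installed here.
block_commands() {
    denied_clients "$1" | while IFS= read -r ip; do
        printf 'csf -d %s\n' "$ip"
    done
}

# Stand-alone run over the constructed sample. On a real box, replace the
# printf with "cat /usr/local/apache/logs/error_log" and pipe the reviewed
# output into sh.
printf '%s\n' "$SAMPLE_LOG" | block_commands /usr/local/apache/htdocs/index.php
```

Printing the commands rather than running them is the deliberate choice here: a permanent csf deny on an address that turns out to be a corporate proxy or a CDN edge is much harder to undo than a few extra 403s, so the list is worth a glance before it is fed back into the shell.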
