modsecurity whitelist ip range

Question

I'm trying to whitelist a range of ips (Googlebots) on modsecurity on an Ubuntu 12.04 server. For example, here's a range that I need to whitelist:

66.249.64.0/19

I've tried several ways as suggested by others, but only single ips are being blocked, when i try as a range, the whitelist is ignored. I've added the rule to the /usr/share/modsecurity-crs/modsecurity_crs_10_config.conf in a new section at the bottom of the file.

This works:

SecRule REMOTE_ADDR "^66.249.65.3" phase:1,nolog,allow,ctl:ruleEngine=Off

These Don't work:

SecRule REMOTE_ADDR "^66.249.64.0/19" phase:1,nolog,allow,ctl:ruleEngine=off

SecRule REMOTE_ADDR "@ipMatch 66.249.64.0/19" "phase:1,nolog,allow"

SecRule REMOTE_ADDR "^66.249.64\0/19$" phase:1,nolog,allow,ctl:ruleEngine=Off

I"ve seen several different syntaxes suggested, but none seem to work for my installation. Does the version of mod-security matter? any suggestions? TIA

Answer 1

This one should work; allows all IPs starting with 66.249.64.

SecRule REMOTE_ADDR "^66\.249\.64" "phase:1,nolog,allow"

Answer 2

This works with mod_security >=2.8

SecRule REMOTE_ADDR "@ipMatch 192.168.1.100,192.168.1.50,10.10.50.0/24" phase:1,nolog,allow,ctl:ruleEngine=Off

Answer 3

I am using Ubuntu but the result may be the same

SecRule REMOTE_ADDR "@ipMatch 66.249.0.0/16" "id:26091975,phase:2,pass,nolog,allow,ctl:ruleEngine=Off"

It is working very well in my servers. If you want to take logs just get rid off nolog command in the sentence. You may change the mask in order to be more precise but it depends on you.

Be aware of using the correct phase. In my case is phase 2.

To be more confident just read: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#ipMatch

They prefer @ipMatch operator rather than regexp. Follow @ModSecurity at Twitter

Answer 4

If you are under a load balancer use:

SecRule REQUEST_HEADERS:X-Forwarded-For "@Contains 37.161.74.122" phase:1,nolog,allow,pass,ctl:ruleEngine=off,id:1