modsecurity_crs_15_custom_whitelist.conf

# ----------------------------------------------------------------------
# This is where we whitelist our admin access points, good user-agents, 
# search engines etc.
#
# NOTE: /etc/apache2/apache2.conf must have 
#      HostnameLookups Double
#
# ----------------------------------------------------------------------

# SecHttpBlKey <key>

#
# Your admin access whitelist.
# Make sure you put your host domain in whitelist-domains.data
# e.g. .ftmon.org
#
SecRule REMOTE_HOST "@pmFromFile whitelist-domains.data" "phase:1,id:'10001',nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off"

#
# You can put you home desktop IP in whitelist-addr.data or another remote
# host you want to use for administration.
#
# IMPORTANT: Don't forget to add 127.0.01. to whitelist-addr.data
#
SecRule REMOTE_ADDR "@pmFromFile whitelist-addr.data" "phase:1,id:'10002',nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off"



#
# Using reverse lookups we can safely whitelist the "good guys" 
#
SecRule REMOTE_HOST "@endsWith .googlebot.com" "phase:1,id:'10010',nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off"
SecRule REMOTE_HOST "@endsWith .msn.com" "phase:1,id:'10012',nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off"
SecRule REMOTE_HOST "@endsWith .zemanta.com" "phase:1,id:'10013',nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off"
SecRule REMOTE_HOST "@endsWith .tfbnw.net" "phase:1,id:'10014',nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off"
SecRule REMOTE_HOST "@endsWith .yandex.com" "phase:1,id:'10015',nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off"
SecRule REMOTE_HOST "@endsWith .google.com" "phase:1,id:'10016',nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off"
#SecRule REMOTE_HOST "@endsWith .websitedefender.com" "phase:1,id:'10017',nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off"
SecRule REMOTE_HOST "@endsWith .wordpress.com" "phase:1,id:'10018',nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off"
SecRule REMOTE_HOST "@endsWith .crawl.yahoo.net" "phase:1,id:'10019',nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off"
SecRule REMOTE_HOST "@endsWith .experf.gq1.yahoo.com" "phase:1,id:'10020',nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off"
SecRule REMOTE_HOST "@endsWith .hlfs.bf1.yahoo.com" "phase:1,id:'10021',nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off"


#
# Good citizen user-agent whitleist. Unfortunately the following crawlers don't 
# have a recognizable IP range so spammers could still spoof them if they really
# wanted to. But, more likely to happen for google or bing user-agents.
#
SecRule REQUEST_HEADERS:User-Agent "^facebookexternalhit"  "phase:1,id:'10032',nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off"
SecRule REQUEST_HEADERS:User-Agent "^GoogleProducer"  "phase:1,id:'10033',nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off"
SecRule REQUEST_HEADERS:User-Agent "^Pinterest Domain Verifier"  "phase:1,id:'10034',nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off"
SecRule REQUEST_HEADERS:User-Agent "^FeedBlitz"  "phase:1,id:'10035',nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off"
SecRule REQUEST_HEADERS:User-Agent "^Zimbiobot"  "phase:1,id:'10036',nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off"
SecRule REQUEST_HEADERS:User-Agent "^Disqus"  "phase:1,id:'10037',nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off"
SecRule REQUEST_HEADERS:User-Agent "PaperLiBot"  "phase:1,id:'10038',nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off"
SecRule REQUEST_HEADERS:User-Agent "^Jetpack by Wordpress"  "phase:1,id:'10039',nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off"


# 
# Google and Bing probably track referer behaviour, so I don't want to block
# this activity even if it is from automated tools and bad places.
#
SecRule REQUEST_HEADERS:Referer "^http://www\.google\.com.*/search"  "phase:1,id:'10040',nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off"
SecRule REQUEST_HEADERS:Referer "^http://www\.bing\.com.*/search"  "phase:1,id:'10041',nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off"
SecRule REQUEST_HEADERS:Referer "^http://.*search\.yahoo\.com/search"  "phase:1,id:'10042',nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off"
SecRule REQUEST_HEADERS:Referer "^http://www\.squidoo\.com"  "phase:1,id:'10043',nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off"
SecRule REQUEST_HEADERS:Referer "^http://www\.google\.com.*/url"  "phase:1,id:'10044',nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off"