Recipe 4-4: Running Your Own RBL
This recipe demonstrates how to use the jwall-rbld package to host your own internal RBL server.
Ingredients
  • Christian Bockermann’s jwall-rbld package [5]
  • ModSecurity
    • @rbl action
As the previous recipes have shown, there is obvious value in using third-party RBL repositories to gain intelligence about client IP addresses. An additional layer of defense would be to run your own internal RBL system that your systems can both query and update for dynamic, collaborative intelligence.
ModSecurity’s Persistent Collection Databases
ModSecurity’s persistent storage mechanism uses the SDBM library. It was chosen because it was already included in the Apache Portable Runtime (APR) and because it allows for concurrent transaction usage. The persistent storage mechanism serves its intended purpose, but it does have one shortcoming: It contains only data from local Apache instances. This means that if you have a server farm of hundreds of Apache servers, each individual Apache instance has its own local persistent storage file. This scenario causes issues when you want to tag a client as malicious globally in your enterprise and implement blocking. This is where the idea of running your own RBL becomes valuable.
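The sketch below is an added illustration, not code from the book or from jwall-rbld: it models one central block list that every web node can both update and query, using the standard DNSBL naming convention (octets reversed, then the zone) that @rbl lookups rely on. The zone name, class name, and function names are assumptions made for the example, and the sample addresses are constructed.

```python
import ipaddress
import time

ZONE = "rbl.internal.example"   # assumed zone name, not from the book
LISTED = "127.0.0.2"            # conventional DNSBL "listed" answer

class SharedBlocklist:
    """Central store that every web node queries and updates."""

    def __init__(self, clock=time.time):
        self._expiry = {}        # IPv4Address -> absolute expiry time
        self._clock = clock

    def block(self, ip, ttl):
        """Called by any node that flags a client; keeps the longest expiry."""
        addr = ipaddress.IPv4Address(ip)
        until = self._clock() + ttl
        self._expiry[addr] = max(until, self._expiry.get(addr, 0))

    def resolve(self, qname):
        """Answer a DNSBL-style A query; None stands for NXDOMAIN."""
        addr = parse_query(qname)
        until = self._expiry.get(addr) if addr is not None else None
        if until is None:
            return None
        if until <= self._clock():
            del self._expiry[addr]   # expired entries are purged lazily
            return None
        return LISTED

def query_name(ip, zone=ZONE):
    """Build the lookup name: octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def parse_query(qname, zone=ZONE):
    """Recover the client IP from a lookup name, or None if malformed."""
    name = qname.rstrip(".").lower()
    suffix = "." + zone
    if not name.endswith(suffix):
        return None
    labels = name[: -len(suffix)].split(".")
    if len(labels) != 4:
        return None
    try:
        return ipaddress.IPv4Address(".".join(reversed(labels)))
    except ValueError:
        return None
```

Because entries carry an expiry, a client flagged by one node stops being listed for all nodes once the TTL passes, without any per-server cleanup.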
jwall-rbld
ModSecurity power user Christian Bockermann has created a number of support tools, which are available on his web site, https://jwall.org/. The jwall-rbld tool is a real-time blacklist daemon process written in Java and acts as a ...
