How do I restrict a specific client, based on their host name, with ModSecurity SecRule?

I am trying to restrict specific hosts (e.g. AWS) from accessing my webserver. I tried different variations of these but they don't work.

# Block AWS
SecRule REQUEST_HEADERS:Host ".*\.amazonaws\.com.*" \
"msg:'AWS blocked',id:10007,log,t:lowercase,drop,phase:1"

I tried:

SecRule REQUEST_HEADERS:Host ".*\.amazonaws\.com.*"
SecRule REQUEST_HEADERS:Host "@rx ^.*\.amazonaws\.com.*$"
SecRule REQUEST_HEADERS:Host "@contains amazonaws.com"

None of the above works, so I am coming to the conclusion that something is wrong with my header query syntax. Here is an example of the host string I am trying to match for exclusion: Host: ec2-12-34-56-78.compute-1.amazonaws.com


Solution 1:

So from what I gather, and as @FarhadSakhaei noted, REQUEST_HEADERS:Host refers to the requested host and not the remote host. This is strange because the REQUEST_HEADERS:User-Agent does return the user agent of the client.

What would work instead is SecRule REMOTE_HOST with the Apache directive HostnameLookups set to "On".

e.g.

SecRule REMOTE_HOST "bad\.host\.com$" "msg:'Bad host blocked',id:99999,log,drop,phase:1"

If HostnameLookups is "Off", REMOTE_HOST will return the IP address of the requesting client. There will obviously be some performance hit with HostnameLookups set to "On", so that's the trade-off.
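The following is an added illustration, not part of the question or the answer above, of what REMOTE_HOST actually carries and how the two patterns on this page behave against it. Two caveats a practitioner would want before copying the answer's rule: first, the value of REMOTE_HOST comes from a PTR record that the owner of the client's address space controls, so a hostile client can publish any name it likes; Apache's HostnameLookups accepts "Double" in addition to "On", which performs the reverse lookup and then a forward lookup and only exposes the name if the forward answer contains the connecting IP. Second, `bad\.host\.com$` also matches `notbad.host.com`, and `.*\.amazonaws\.com.*` also matches `x.amazonaws.com.evil.example`, so anchor the label boundary with something like `(^|\.)amazonaws\.com$`. The DNS data below is constructed and stands in for real resolver answers so the script runs offline; the `remote_host` function is a model of Apache's behaviour written for this example, not Apache's code.

```python
import re

# Constructed PTR (reverse) and A (forward) records standing in for DNS.
# All addresses and names are made up for this example.
PTR = {
    "12.34.56.78": "ec2-12-34-56-78.compute-1.amazonaws.com",   # genuine EC2-style host
    "203.0.113.5": "notbad.host.com",                            # innocent lookalike
    "203.0.113.6": "ec2-1-2-3-4.compute-1.amazonaws.com.evil.example",  # attacker-owned label
    "198.51.100.9": "ec2-1-2-3-4.compute-1.amazonaws.com",      # spoofed PTR, forward disagrees
    "192.0.2.77": None,                                          # no PTR at all
}
A = {
    "ec2-12-34-56-78.compute-1.amazonaws.com": ["12.34.56.78"],
    "notbad.host.com": ["203.0.113.5"],
    "ec2-1-2-3-4.compute-1.amazonaws.com.evil.example": ["203.0.113.6"],
    "ec2-1-2-3-4.compute-1.amazonaws.com": ["1.2.3.4"],
}

# Patterns as written on this page.
LOOSE_AWS = re.compile(r".*\.amazonaws\.com.*")   # from the question
LOOSE_BAD = re.compile(r"bad\.host\.com$")         # from the answer
# Anchored alternatives: the suffix must start at a label boundary and end the name.
STRICT_AWS = re.compile(r"(^|\.)amazonaws\.com$")
STRICT_BAD = re.compile(r"(^|\.)bad\.host\.com$")


def remote_host(ip, lookups="On"):
    """Model of what Apache exposes to ModSecurity as REMOTE_HOST.

    "Off"    -> the client IP, no lookup.
    "On"     -> the PTR name if one exists, else the IP.
    "Double" -> the PTR name only if a forward lookup of that name
                contains the connecting IP (forward-confirmed), else the IP.
    """
    if lookups == "Off":
        return ip
    name = PTR.get(ip)
    if name is None:
        return ip
    if lookups == "Double" and ip not in A.get(name, []):
        return ip
    return name


def blocked(ip, pattern, lookups="On"):
    """True if a SecRule REMOTE_HOST "<pattern>" ... would fire for this client."""
    return bool(pattern.search(remote_host(ip, lookups)))


if __name__ == "__main__":
    for ip in PTR:
        for lookups in ("Off", "On", "Double"):
            print(f"{ip:14} {lookups:6} REMOTE_HOST={remote_host(ip, lookups):50} "
                  f"loose={blocked(ip, LOOSE_AWS, lookups)} strict={blocked(ip, STRICT_AWS, lookups)}")
```

With HostnameLookups "Off" nothing hostname-based ever matches, which is the silent failure mode of the answer's rule if the directive is forgotten. With "On", the spoofed PTR at 198.51.100.9 is blocked as if it were AWS even though 198.51.100.9 is not an AWS address, and the lookalike names trip the loose patterns; "Double" plus the anchored patterns removes both effects.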