The Community Forums

Block a request using mod security

Discussion in 'Security' started by wrender, Sep 19, 2011.

  1. wrender (Well-Known Member)

    Hello, I have the following requests that are flooding an account on my server. I was wondering if anyone would know how to block them using mod security. The malware has already been removed from the website, but these requests keep coming in.

    Code:
    41.151.74.5 - - [19/Sep/2011:10:46:08 -0600] "POST /.5camj/?action=fbgen&v=128&crc=669 HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; na; )"
    75.21.86.95 - - [19/Sep/2011:10:46:08 -0600] "POST /.5camj/?action=fbgen&v=128&crc=669 HTTP/1.1" 403 35 "-" "Mozilla/4.0 (compatible; MSIE 7.0; na; )"
    70.145.15.72 - - [19/Sep/2011:10:46:09 -0600] "POST /.5camj/?action=fbgen&v=128&crc=669 HTTP/1.1" 403 36 "-" "Mozilla/4.0 (compatible; MSIE 7.0; na; )"
    69.126.163.200 - - [19/Sep/2011:10:46:10 -0600] "POST /.5camj/?action=fbgen&v=128&crc=669 HTTP/1.1" 403 38 "-" "Mozilla/4.0 (compatible; MSIE 7.0; na; )"
    24.193.193.150 - - [19/Sep/2011:10:46:10 -0600] "POST /.5camj/?action=fbgen&v=128&crc=669 HTTP/1.1" 403 38 "-" "Mozilla/4.0 (compatible; MSIE 7.0; na; )"
    71.246.183.244 - - [19/Sep/2011:10:46:11 -0600] "POST /.5camj/?action=fbgen&v=128&crc=669 HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; na; )"
    208.107.187.12 - - [19/Sep/2011:10:46:16 -0600] "POST /.5camj/?action=fbgen&v=128&crc=669 HTTP/1.1" 403 38 "-" "Mozilla/4.0 (compatible; MSIE 7.0; na; )"
    50.12.127.45 - - [19/Sep/2011:10:46:17 -0600] "POST /.5camj/?action=fbgen&v=128&crc=669 HTTP/1.1" 403 36 "-" "Mozilla/4.0 (compatible; MSIE 7.0; na; )"
    77.127.222.165 - - [19/Sep/2011:10:46:19 -0600] "POST /.5camj/?action=fbgen&v=128&crc=669 HTTP/1.1" 403 38 "-" "Mozilla/4.0 (compatible; MSIE 7.0; na; )"
    188.64.204.79 - - [19/Sep/2011:10:46:20 -0600] "POST /.5camj/?action=fbgen&v=128&crc=669 HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; na; )"
    99.163.84.134 - - [19/Sep/2011:10:46:23 -0600] "POST /.5camj/?action=fbgen&v=128&crc=669 HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; na; )"
    
    I have tried the following line in my mod security rules, but it doesn't seem to work.
    Code:
    SecRule REQUEST_URI "POST /.5camj/?action=fbgen&v=128&crc=669 HTTP/1.1" deny,nolog
     
  2. cPanelTristan (Quality Assurance Analyst, Staff Member)

    How about this one?

    Code:
    SecRule REQUEST_URI "/.5camj/*" nolog,deny
     
  3. wrender (Well-Known Member)

    Hmmm. Still not working.
     
  4. cPanelTristan (Quality Assurance Analyst, Staff Member)

    Could you try logging it rather than using nolog to see if it is even hitting that rule?
     
  5. wrender (Well-Known Member)

    Hey, I really appreciate your help on this. When I check the mod security log, it is showing the "301" and "403" errors from Apache, like this:

    [19/Sep/2011:16:32:19 --0600] TnfC89FhweQAB5BHuDYAAAAK 99.163.84.134 52372 MYSERVERIP 80
    --1065d06a-B--
    POST /.5camj/?action=fbgen&v=128&crc=669 HTTP/1.1
    Connection: close
    Host: address
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; na; )
    Content-type: application/x-www-form-urlencoded
    Content-Length: 0

    --1065d06a-F--
    HTTP/1.1 301 Moved Permanently
    X-Powered-By: PHP/5.2.17
    X-Drupal-Cache: MISS
    Expires: Sun, 19 Nov 1978 05:00:00 GMT
    Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
    ETag: "1316471539"
    Last-Modified: Mon, 19 Sep 2011 22:32:19 GMT
    Location: address/.5camj
    Content-Length: 0
    Connection: close
    Content-Type: text/html

    --1065d06a-H--
    Apache-Error: [file "mod_authz_host.c"] [line 311] [level 3] client denied by server configuration: /home/cpaneluser/public_html/webaddress/.5camj
    Stopwatch: 1316471539020383 546677 (- - -)
    Producer: ModSecurity for Apache/2.5.13 (ModSecurity: Open Source Web Application Firewall).
    Server: Apache
     
    #5 wrender, Sep 19, 2011
    Last edited: Sep 19, 2011
  6. cPanelTristan (Quality Assurance Analyst, Staff Member)

    These are being denied then. You cannot prevent them from trying to hit the machine itself. They are simply not being successful on what they are trying.
     
  7. Infopro (cPanel Sr. Product Evangelist, Staff Member)

  8. wrender (Well-Known Member)

    OK. So since Apache is already denying the request because the file/directory doesn't exist, mod security will not do anything additional? We are just trying to eliminate these requests from even getting to Apache, as they are just garbage/malware requests.
     
  9. cPanelTristan (Quality Assurance Analyst, Staff Member)

    You cannot prevent them from getting to Apache using mod_security as that is Apache using that module to process the request and deny it. The only way to prevent it from even getting to the server to process the request entirely would be using iptables, but iptables firewall blocks based on IP or port or connection number and you are showing different IPs.
     
  10. tquang (Member)

    With this kind of attack, you can easily block it when using mod_security2. However, your rule is wrong.
    You have 3 ways to block it:

    1: In .htaccess
    Code:
    RewriteEngine on
    RewriteCond %{HTTP_USER_AGENT} "MSIE 7.0; na;"
    RewriteRule ^(.*)$ http://127.0.0.1:11$1 [R,L]
    => There has never been a browser with the user-agent name MSIE 7.0; na;

    2: In modsecurity
    Code:
    SecRule REQUEST_URI "/\.5camj/\?action=fbgen\&v=128\&crc=669" "phase:1,nolog,redirect:http://127.0.0.1"
    => Using a regular expression (please search Google for more info/documentation)
    => Why redirect to 127.0.0.1 (not drop/block)? Because I want the attacker to receive their own fallback via 127.0.0.1 (localhost)
    => However, anybody who accesses this link could get a time-out error or be unable to access it

    3: In modsecurity
    Same as above, but I want an attacker who requests the URI more than 5 times to be blocked
    Code:
    SecAction "phase:1,t:none,pass,nolog,initcol:global=global,initcol:ip=%{remote_addr}"
    SecRule REQUEST_URI "/\.5camj/\?action=fbgen\&v=128\&crc=669" "nolog,phase:1,setvar:ip.ddos=+1,deprecatevar:ip.ddos=2/60,expirevar:ip.ddos=120"
    SecRule IP:DDOS "@gt 5" "phase:1,nolog,drop"
    => Line 1: set the variable
    => Line 2: set the URI you want to audit.
    => Every 1 minute (60 seconds), decrease by 2
    => GT (greater than) 5 will be blocked (and block for 120 sec)
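Added illustration, not code from the thread or from cPanel: a small Python model of the log format quoted in post #1 and of the per-IP counter in tquang's third rule set. It parses constructed sample lines in the same format (showing that every line comes from a different IP, which is why a per-IP counter or an iptables rule never reaches the threshold, as cPanelTristan notes), and simulates setvar/deprecatevar/expirevar to show on which request the `@gt 5` drop would fire. The decay bookkeeping is a simplification of how ModSecurity applies deprecatevar lazily on each access.

```python
import re

# Constructed sample in the access-log format quoted in the thread (three lines).
SAMPLE_LOG = """\
41.151.74.5 - - [19/Sep/2011:10:46:08 -0600] "POST /.5camj/?action=fbgen&v=128&crc=669 HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; na; )"
75.21.86.95 - - [19/Sep/2011:10:46:08 -0600] "POST /.5camj/?action=fbgen&v=128&crc=669 HTTP/1.1" 403 35 "-" "Mozilla/4.0 (compatible; MSIE 7.0; na; )"
70.145.15.72 - - [19/Sep/2011:10:46:09 -0600] "POST /.5camj/?action=fbgen&v=128&crc=669 HTTP/1.1" 403 36 "-" "Mozilla/4.0 (compatible; MSIE 7.0; na; )"
"""

# Apache combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# The URI pattern from the SecRule in the thread, in Python's re syntax.
TARGET_URI = re.compile(r"/\.5camj/\?action=fbgen&v=128&crc=669")

def parse_log(text):
    """Return one dict (ip, ts, method, uri, status, ua) per well-formed line; others are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]

def distinct_ips(records):
    """Set of source IPs in the parsed records (one per line in the sample: no per-IP burst)."""
    return {r["ip"] for r in records}

class IpCounter:
    """Model of: setvar:ip.ddos=+1, deprecatevar:ip.ddos=2/60, expirevar:ip.ddos=120,
    followed by SecRule IP:DDOS "@gt 5" drop. Decay is applied lazily at the next hit."""
    def __init__(self, threshold=5, decay=2, period=60, ttl=120):
        self.threshold, self.decay, self.period, self.ttl = threshold, decay, period, ttl
        self.state = {}  # ip -> (counter value, Unix time of the last matching request)

    def hit(self, ip, uri, now):
        """Process one request at Unix time `now`; return True if the drop rule would fire."""
        if not TARGET_URI.search(uri):
            return False                      # rule 2 did not match: counter untouched
        count, last = self.state.get(ip, (0, now))
        if now - last >= self.ttl:
            count = 0                         # expirevar: the variable has been removed
        else:                                 # deprecatevar: -2 for every full 60 s elapsed
            count = max(0, count - self.decay * int((now - last) // self.period))
        count += 1                            # setvar:ip.ddos=+1
        self.state[ip] = (count, now)
        return count > self.threshold         # @gt 5 -> drop (the 6th request in a burst)
```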
     