
The Community Forums

Interact with an entire community of cPanel & WHM users!

Limiting ModSecurity rule to specific files?

Discussion in 'Security' started by joaosavioli, May 29, 2019.

Tags:
  1. joaosavioli

    joaosavioli Well-Known Member

    Joined:
    Feb 7, 2008
    Messages:
    64
    Likes Received:
    11
    Trophy Points:
    58
    Hi!

    Please, how could I limit the action of this rule only in wp-login.php and xmlrpc.php?
    SecRule REQUEST_HEADERS:User-Agent "@contains gecko" "id:5000501,t:none,t:lowercase,deny,nolog,msg:'BAD BOT - Detected and Blocked. '"

    Thank you!
    Joao
     
  2. fuzzylogic

    fuzzylogic Well-Known Member

    Joined:
    Nov 8, 2014
    Messages:
    131
    Likes Received:
    76
    Trophy Points:
    28
    cPanel Access Level:
    Root Administrator
    70% of legitimate HTTP requests to your server will have gecko in the User-Agent: string.
    So without posting some context as to why you want to do this and exactly what you are trying to achieve, posting an answer to your question will only confuse people who read this thread in the future.

    gecko is not equal to "BAD BOT"
     
    cPanelMichael likes this.
  3. joaosavioli

    joaosavioli Well-Known Member

    Joined:
    Feb 7, 2008
    Messages:
    64
    Likes Received:
    11
    Trophy Points:
    58
    Hi @fuzzylogic, thank you for replying!

    Sorry for the confusion.

    We can change "gecko" to "python-requests".
    My problem is brute force against the wp-login.php file. I could block all traffic with the python-requests user agent, but I'd like to limit this block to only the wp-login.php and xmlrpc.php files.

    What I need is this rule with an & conditional.

    Could you help me?

    Cheers!
    Joao
     
  4. Infopro

    Infopro cPanel Sr. Product Evangelist Staff Member

    Joined:
    May 20, 2003
    Messages:
    16,943
    Likes Received:
    485
    Trophy Points:
    583
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
  5. joaosavioli

    joaosavioli Well-Known Member

    Joined:
    Feb 7, 2008
    Messages:
    64
    Likes Received:
    11
    Trophy Points:
    58
    Hi @Infopro, thank you for replying!

    These solutions didn't work well under heavy attack. The best way, in my opinion, is to use ModSecurity rules.

    Cheers!
    Joao
     
  6. fuzzylogic

    fuzzylogic Well-Known Member

    Joined:
    Nov 8, 2014
    Messages:
    131
    Likes Received:
    76
    Trophy Points:
    28
    cPanel Access Level:
    Root Administrator
    Here is a rule that will do as you requested.
    It has the REQUEST_FILENAME conditional you wanted.
    It also has a first conditional requiring the REQUEST_METHOD to be equal to POST.
    This is the fastest way to achieve a non-match and a fast exit from the rule. (99.9% of requests to your server will be non-matches to this rule, so a fast exit is important.)
    All requests to xmlrpc will be POST.
    All dictionary attack requests to wp-login will be POST.
    (Browser-based macros will have that POST preceded by a GET request to wp-login.)

    Code:
    # Deny WordPress wp-login and xmlrpc to python-requests User Agent
    SecRule REQUEST_METHOD "@streq POST" "msg:'Deny post to wp-login and xmlrpc from python-requests User Agent',id:20000000,phase:1,t:none,log,deny,status:403,chain"
    SecRule REQUEST_HEADERS:User-Agent "@contains python-requests" "t:lowercase,chain"
    SecRule REQUEST_FILENAME "@rx (?:wp-login|xmlrpc)\.php$" "t:lowercase"
    Example request from the modsec audit_log showing the rule functioning...
    Code:
    --c3cf7f5f-A--
    [01/Jun/2019:10:00:21 +0000] xxxxxxxxxxxxxxxxxxxxxxxxxx xx.xx.xx.xx 50364 xx.xx.xx.xx 443
    --c3cf7f5f-B--
    POST /xmlrpc.php HTTP/2.0
    User-Agent: python-requests/2.10.0
    Accept: */*
    Host: domainname.com
    
    --c3cf7f5f-F--
    HTTP/1.1 403 Forbidden
    Accept-Ranges: bytes
    Content-Length: 925
    Connection: close
    Content-Type: text/html; charset=UTF-8
    
    --c3cf7f5f-H--
    Message: Access denied with code 403 (phase 1). Pattern match "(?:wp-login|xmlrpc)\\.php$" at REQUEST_FILENAME. [file "/etc/apache2/conf.d/modsec/modsec2.user.conf"] [line "425"] [id "20000000"] [msg "Deny post to wp-login and xmlrpc from python-requests User Agent"]
     
    Infopro likes this.
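To see how the three-link chain above behaves on different requests (in particular the fast exit on non-POST traffic, the effect of t:lowercase, and the fact that REQUEST_FILENAME excludes the query string), here is a small Python evaluator that mirrors rule 20000000's logic over constructed request heads in the shape of the audit log's -B- section. This is an added illustration, not code from the thread or from ModSecurity; the sample requests, hostnames and helper names are constructed.

```python
import re
from urllib.parse import urlsplit

# Regex from link 3 of rule 20000000 (applied to REQUEST_FILENAME after t:lowercase).
FILENAME_RX = re.compile(r"(?:wp-login|xmlrpc)\.php$")

def parse_request(raw):
    """Parse a request head shaped like the audit log's -B- section (request line,
    then header lines). Returns (method, filename, user_agent), where filename is
    the path without the query string, which is what REQUEST_FILENAME contains."""
    lines = [l for l in raw.strip().splitlines() if l.strip()]
    method, target, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, urlsplit(target).path, headers.get("user-agent", "")

def rule_20000000(method, filename, user_agent):
    """Evaluate the chained rule in the order ModSecurity does.
    Returns True when all three links match, i.e. the request would get a 403."""
    # Link 1: REQUEST_METHOD "@streq POST" with t:none -> exact, case-sensitive compare.
    # Nearly every request leaves here; this is the "fast exit" the post describes.
    if method != "POST":
        return False
    # Link 2: REQUEST_HEADERS:User-Agent "@contains python-requests" with t:lowercase,
    # so a capitalised "Python-Requests/2.22.0" still matches.
    if "python-requests" not in user_agent.lower():
        return False
    # Link 3: REQUEST_FILENAME "@rx (?:wp-login|xmlrpc)\.php$" with t:lowercase.
    return FILENAME_RX.search(filename.lower()) is not None

def is_denied(raw):
    """True if the request head would be denied by rule 20000000."""
    return rule_20000000(*parse_request(raw))

# Constructed sample requests (hostnames and agents are made up for this example).
SAMPLES = {
    "post_xmlrpc":         "POST /xmlrpc.php HTTP/2.0\nUser-Agent: python-requests/2.10.0\nHost: example.com\n",
    "get_wplogin":         "GET /wp-login.php HTTP/1.1\nUser-Agent: python-requests/2.10.0\nHost: example.com\n",
    "post_wplogin_query":  "POST /wp-login.php?action=lostpassword HTTP/1.1\nUser-Agent: Python-Requests/2.22.0\nHost: example.com\n",
    "post_index":          "POST /index.php HTTP/1.1\nUser-Agent: python-requests/2.10.0\nHost: example.com\n",
    "post_xmlrpc_browser": "POST /xmlrpc.php HTTP/1.1\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/66.0\nHost: example.com\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:20s} -> {'403 deny' if is_denied(raw) else 'pass'}")
```

Only the POST samples to xmlrpc.php or wp-login.php with a python-requests agent are denied; the GET to wp-login.php passes, matching the note above that only the POST in a browser macro is caught.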
  7. fuzzylogic

    fuzzylogic Well-Known Member

    Joined:
    Nov 8, 2014
    Messages:
    131
    Likes Received:
    76
    Trophy Points:
    28
    cPanel Access Level:
    Root Administrator
    As a matter of interest, the "OWASP ModSecurity Core Rule Set V3.0" provided by cPanel has a Paranoia Level 2 rule (913101) that uses the pmFromFile operator to parse the file scripting-user-agents.data, which has "python-requests" among its list of User Agents.

    So if your Paranoia Level were set to 2 or above, this rule would cause requests with python-requests in the User Agent to be blocked.
    I'm not suggesting that you set the Paranoia Level higher, but it is feasible for you to copy rule 913101, change its id No., and add it back using WHM Home » Security Center » ModSecurity™ Tools » Add Custom Rule.
     
  8. fuzzylogic

    fuzzylogic Well-Known Member

    Joined:
    Nov 8, 2014
    Messages:
    131
    Likes Received:
    76
    Trophy Points:
    28
    cPanel Access Level:
    Root Administrator
    @joaosavioli
    Did rule 20000000 work in the way you were hoping?
     
  9. joaosavioli

    joaosavioli Well-Known Member

    Joined:
    Feb 7, 2008
    Messages:
    64
    Likes Received:
    11
    Trophy Points:
    58
    Hi @fuzzylogic, sorry for delay.

    I've tried it just one time, but I didn't test with a POST action because I have a script that uses GET for testing, but it seems it will work for me!
    For the time being, I could fix this with the rule below:

    SecRule REQUEST_URI "wp-login.php" "chain,id:5000500,t:none,t:lowercase,deny,nolog,msg:'BAD BOT - Detected and Blocked. '"
    SecRule REQUEST_HEADERS:User-Agent "@contains python-requests" "t:none,t:lowercase"

    Thank you very much!

    Cheers!
    Joao
     