Limiting ModSecurity rule to specific files?

joaosavioli

Well-Known Member
Feb 7, 2008
Hi!

Please, how could I limit the action of this rule to only wp-login.php and xmlrpc.php?
SecRule REQUEST_HEADERS:User-Agent "@contains gecko" "id:5000501,t:none,t:lowercase,deny,nolog,msg:'BAD BOT - Detected and Blocked. '"

Thank you!
Joao

fuzzylogic

Well-Known Member
Nov 8, 2014
70% of legitimate http requests to your server will have gecko in the User Agent: string.
So without posting some context as to why you want to do this and exactly what you are trying to achieve, posting an answer to your question will only confuse people who read this thread in the future.

gecko is not equal to "BAD BOT"

joaosavioli

Well-Known Member
Feb 7, 2008
Hi @fuzzylogic, thank you for replying!

Sorry for the confusion.

We can change "gecko" to "python-requests".
My problem is brute force against the wp-login.php file. I could block all traffic from the python-requests user agent, but I'd like to limit this block to the wp-login.php and xmlrpc.php files only.

What I need is this rule with a & conditional.

Could you help me?

Cheers!
Joao

joaosavioli

Well-Known Member
Feb 7, 2008
Hi @Infopro, thank you for replying!

These solutions didn't work well under heavy attack. The best way, in my opinion, is to use ModSecurity rules.

Cheers!
Joao

fuzzylogic

Well-Known Member
Nov 8, 2014
Here is a rule that will do as you requested.
It has the REQUEST_FILENAME conditional you wanted.
It also has the first conditional for the REQUEST_METHOD to be equal to POST.
This is the fastest way to achieve a non-match and a fast exit of the rule. (99.9% of requests to your server will be non-matches to this rule, so fast exit is important)
All requests to xmlrpc will be POST
All dictionary attack requests to wp-login will be POST
(browser based macros will have that POST preceded by a GET request to wp-login)

Code:
# Deny WordPress wp-login and xmlrpc to python-requests User Agent
SecRule REQUEST_METHOD "@streq POST" "msg:'Deny post to wp-login and xmlrpc from python-requests User Agent',id:20000000,phase:1,t:none,log,deny,status:403,chain"
SecRule REQUEST_HEADERS:User-Agent "@contains python-requests" "t:lowercase,chain"
SecRule REQUEST_FILENAME "@rx (?:wp-login|xmlrpc)\.php$" "t:lowercase"
Example request from the modsec audit_log showing the rule functioning:
Code:
--c3cf7f5f-A--
[01/Jun/2019:10:00:21 +0000] xxxxxxxxxxxxxxxxxxxxxxxxxx xx.xx.xx.xx 50364 xx.xx.xx.xx 443
--c3cf7f5f-B--
POST /xmlrpc.php HTTP/2.0
User-Agent: python-requests/2.10.0
Accept: */*
Host: domainname.com

--c3cf7f5f-F--
HTTP/1.1 403 Forbidden
Accept-Ranges: bytes
Content-Length: 925
Connection: close
Content-Type: text/html; charset=UTF-8

--c3cf7f5f-H--
Message: Access denied with code 403 (phase 1). Pattern match "(?:wp-login|xmlrpc)\\.php$" at REQUEST_FILENAME. [file "/etc/apache2/conf.d/modsec/modsec2.user.conf"] [line "425"] [id "20000000"] [msg "Deny post to wp-login and xmlrpc from python-requests User Agent"]
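As an added check (not code from the thread, from cPanel or from ModSecurity itself), here is a small Python model of the three-link chain posted above, run over constructed requests. It shows the fast exit on non-POST methods, the effect of t:lowercase on the User-Agent and filename, and why a test script that sends GET will never trigger the rule. The Request class and the sample traffic are assumptions constructed here.

```python
import re
from dataclasses import dataclass


# Constructed request model (hypothetical; not a ModSecurity API).
@dataclass
class Request:
    method: str        # REQUEST_METHOD
    filename: str      # REQUEST_FILENAME: URI path without the query string
    user_agent: str    # REQUEST_HEADERS:User-Agent


# Same pattern as the third link of the chain; ModSecurity applies it after t:lowercase.
FILENAME_RE = re.compile(r"(?:wp-login|xmlrpc)\.php$")


def chain_matches(req: Request) -> bool:
    """Return True only when every link of the chained rule matches.

    The order mirrors the posted rule: the cheapest test (REQUEST_METHOD)
    runs first so the common case exits before any header or regex work.
    """
    # Link 1: REQUEST_METHOD "@streq POST" with t:none (exact, case-sensitive)
    if req.method != "POST":
        return False
    # Link 2: REQUEST_HEADERS:User-Agent "@contains python-requests" with t:lowercase
    if "python-requests" not in req.user_agent.lower():
        return False
    # Link 3: REQUEST_FILENAME "@rx (?:wp-login|xmlrpc)\.php$" with t:lowercase
    return FILENAME_RE.search(req.filename.lower()) is not None


def evaluate(reqs):
    """Map each request to the disruptive action of the first link (deny, status 403) or 'pass'."""
    return ["deny 403" if chain_matches(r) else "pass" for r in reqs]


# Constructed sample traffic (not taken from the thread's audit log).
SAMPLE = [
    Request("POST", "/xmlrpc.php", "python-requests/2.10.0"),    # denied, like the audit_log entry
    Request("POST", "/wp-login.php", "Python-Requests/2.22.0"),  # denied: t:lowercase makes it case-insensitive
    Request("GET", "/wp-login.php", "python-requests/2.10.0"),   # pass: GET fails link 1 (fast exit)
    Request("POST", "/wp-login.php", "Mozilla/5.0 (X11) Gecko/20100101 Firefox/60.0"),  # pass: normal login
    Request("POST", "/index.php", "python-requests/2.10.0"),     # pass: filename outside the regex
]

if __name__ == "__main__":
    for req, verdict in zip(SAMPLE, evaluate(SAMPLE)):
        print(f"{req.method:4} {req.filename:14} {req.user_agent[:24]:24} -> {verdict}")
```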

fuzzylogic

Well-Known Member
Nov 8, 2014
As a matter of interest "OWASP ModSecurity Core Rule Set V3.0" provided by cPanel has a Paranoia Level 2 rule (913101) that uses the pmFromFile operator to parse the file scripting-user-agents.data which has among its list of User Agents, "python-requests".

So if your Paranoia Level were set to 2 or above, this rule would cause requests with python-requests in the User Agent to be blocked.
I'm not suggesting that you set the Paranoia Level higher, but it is feasible for you to copy rule 913101, change its id No. and add it back using the WHM Home » Security Center » ModSecurity™ Tools » Add Custom Rule.

joaosavioli

Well-Known Member
Feb 7, 2008
Hi @fuzzylogic, sorry for delay.

I've tried it just once, but I didn't test with a POST action because I have a script that uses GET for testing, but it seems it will work for me!
In the meantime, I was able to fix this with the rule below:

SecRule REQUEST_URI "wp-login.php" "chain,id:5000500,t:none,t:lowercase,deny,nolog,msg:'BAD BOT - Detected and Blocked. '"
SecRule REQUEST_HEADERS:User-Agent "@contains python-requests" "t:none,t:lowercase"

Thank you very much!

Cheers!
Joao