The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

mod security rules to block get requests by url

Discussion in 'Security' started by ipel, Apr 17, 2015.

  1. ipel

    ipel Registered

    Apr 24, 2014
    Likes Received:
    Trophy Points:
    cPanel Access Level:
    Website Owner
    In the last days in my VPS there are many many GET requests on 1 file that cause a high memory load (all came from a single referer, but with different IPs).

    Until now I've blocked these requests via .htaccess, but in this way the requests are still processed by apache and still cause an high memory load..

    Can I block this requests with mod_security v2 (maybe on phase1) to prevent/decrease the memory load? I think is possible to block the requests by referer or by querystring (because are always the same), but what rules should I use?

    Example of logs here:

    Please note that my website force https in all pages, so the mod_security rules should block the requests on https
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Apr 11, 2011
    Likes Received:
    Trophy Points:
    cPanel Access Level:
    Root Administrator
  3. quizknows

    quizknows Well-Known Member

    Oct 20, 2009
    Likes Received:
    Trophy Points:
    cPanel Access Level:
    DataCenter Provider
    There are plenty of ways to block.

    If you want to block based on the referrer, use something like this:

    SecRule HTTP_REFERER "" "deny,id:18476"

    If you want to deny based on the URL attribute, this should work instead:

    SecRule REQUEST_URI "/app/script/tag.php\?a=" "deny,id:18477"

    Blocking on QUERY_STRING is easy too :)

    SecRule QUERY_STRING "a=ZicX9v" "deny,id:18478"

    You can probably block in phase 1 as well, just by changing the "deny,id:#####" to "deny,phase:1,id:#####"

    The best way to eliminate load is to use a non-common response status like 411, and make a /home/.htaccess file with "errordocument 411 default" in it. This will make any responses to blocked requests just serve a very small flat text errordoc. I would use (for example) this rule to accomplish it:

    SecRule QUERY_STRING "a=ZicX9v" "deny,id:18478,phase:1,status:411"

Share This Page