Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

SOLVED mod_security rule not working

Discussion in 'Security' started by jeffschips, Apr 8, 2019.

Tags:
  1. jeffschips

    jeffschips Well-Known Member

    Joined:
    Jun 5, 2016
    Messages:
    63
    Likes Received:
    7
    Trophy Points:
    8
    Location:
    new york
    cPanel Access Level:
    Root Administrator
    Trying to stop a bad bot from accessing server using mod_security rules. I have the following but it's not working.

    SecRule REQUEST_HEADERS:User-Agent "@rx ^(?:Datanyze)$" "msg:'Datanyze blocked',phase:1,log,id:777777,t:none,block,status:403"

    the word "Datanyze" is contained in the User Agent string and I can't find a definitive source anywhere that defines if the UA is the entire string, i.e,:

    "Mozilla/5.0 (X11; Datanyze; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36"

    or if you can use text strings therein as UA.

    Thank you.
     
    #1 jeffschips, Apr 8, 2019
  2. fuzzylogic

    fuzzylogic Well-Known Member

    Joined:
    Nov 8, 2014
    Messages:
    131
    Likes Received:
    76
    Trophy Points:
    28
    cPanel Access Level:
    Root Administrator
    Couple of points.

    "@rx ^(?:Datanyze)$"
    @rx calls the regex operator. Same happens if you omit an operator.

    The regex you are applying to the User-Agent value is...
    ^(?:Datanyze)$"
    This will only match the exact value with exact case...
    User-Agent: Datanyze
    To match it anywhere is the User-Agent value use the regex...
    (?:Datanyze)

    Also to match any mix of Case transform to lowercase (t:lowercase) then use the regex...
    (?:datanyze)

    So final rule looks like this...
    Code:
    # Datanyze deny rule
SecRule REQUEST_HEADERS:User-Agent "(?:datanyze)" "msg:'Datanyze denied',phase:1,log,id:777779,t:lowercase,block,status:403"
    When tested it matches the following request...
    Code:
    GET / HTTP/2.0
User-Agent: "Mozilla/5.0 (X11; Datanyze; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36"
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Host: domainname.com
Content-Length: 0
     
    #2 fuzzylogic, Apr 8, 2019
    cPanelMichael and jeffschips like this.
  3. jeffschips

    jeffschips Well-Known Member

    Joined:
    Jun 5, 2016
    Messages:
    63
    Likes Received:
    7
    Trophy Points:
    8
    Location:
    new york
    cPanel Access Level:
    Root Administrator
    Perfect! Works perfectly!

    Just as an aside, this started because I noticed that bot accessing my site, yet as I dug deeper today, I've also noticed that it accesses cached webpage and thereby by-passes apache. I'm wondering if there is anything mod_security can do to stop that. Here is an example of the request URL which succeeds in getting the cached webpages:

    [04/Apr/2019:17:58:11 -0400] "GET /media/plg_jchoptimize/cache/css/7dfafd723239864098661385b6ef34e9_0.css HTTP/1.1" 200 206413 "-" "Mozilla/5.0 (X11; Datanyze; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36"

    Or would the rule suggested also deny such activity: I''m guessing it would because the Datanyze is still in the User agent.
     
    #3 jeffschips, Apr 8, 2019
  4. fuzzylogic

    fuzzylogic Well-Known Member

    Joined:
    Nov 8, 2014
    Messages:
    131
    Likes Received:
    76
    Trophy Points:
    28
    cPanel Access Level:
    Root Administrator
    This is a non-issue.
    Apache serves this request exactly the same as it might serve a request for index.html or theme.css or any other static file.
    It has been cached by a Joomla plugin, but is still a static css file in your website's directory structure.
    This request is blocked by this rule very early in the request phase (Phase 1, Request Headers).

    This is correct.
     
    #4 fuzzylogic, Apr 9, 2019
    cPanelMichael and jeffschips like this.
  5. jeffschips

    jeffschips Well-Known Member

    Joined:
    Jun 5, 2016
    Messages:
    63
    Likes Received:
    7
    Trophy Points:
    8
    Location:
    new york
    cPanel Access Level:
    Root Administrator
    SOLVED.
    Thank you for the understandable and succinct explanation. Much appreciated!
     
    #5 jeffschips, Apr 9, 2019
  6. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    47,555
    Likes Received:
    2,182
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    I've marked this thread as solved.

    Thanks!
     
    #6 cPanelMichael, Apr 9, 2019
(You must log in or sign up to post here.)
Loading...
Similar Threads - mod_security rule working
  1. orvn

    Disabling several mod_security rules due to 403 response to POST request?

    orvn, Feb 16, 2019, in forum: EasyApache
    Replies:
    6
    Views:
    377
    cPanelMichael
    Feb 22, 2019
  2. doktorrr

    Mod_security geoip rule doesn't work

    doktorrr, Feb 26, 2018, in forum: Security
    Replies:
    9
    Views:
    1,357
    cPanelMichael
    Feb 27, 2018
  3. electric

    Let customers view and whitelist mod_security rules?

    electric, Aug 26, 2017, in forum: Security
    Replies:
    2
    Views:
    834
    cPanelMichael
    Aug 28, 2017
  4. Gareth-AWD

    See which users have mod_security disabled?

    Gareth-AWD, Jun 5, 2019, in forum: Security
    Replies:
    1
    Views:
    182
    cPanelLauren
    Jun 5, 2019
  5. jeffschips

    Mod_Security whitelist

    jeffschips, Apr 16, 2019, in forum: Security
    Replies:
    5
    Views:
    348
    cPanelLauren
    Apr 16, 2019

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice