SOLVED mod_security rule not working

jeffschips

Well-Known Member
Jun 5, 2016
new york
cPanel Access Level
Root Administrator
Trying to stop a bad bot from accessing server using mod_security rules. I have the following but it's not working.

SecRule REQUEST_HEADERS:User-Agent "@rx ^(?:Datanyze)$" "msg:'Datanyze blocked',phase:1,log,id:777777,t:none,block,status:403"

the word "Datanyze" is contained in the User Agent string and I can't find a definitive source anywhere that defines if the UA is the entire string, i.e,:

"Mozilla/5.0 (X11; Datanyze; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36"

or if you can use text strings therein as UA.

Thank you.
 

fuzzylogic

Well-Known Member
Nov 8, 2014
cPanel Access Level
Root Administrator
Couple of points.

"@rx ^(?:Datanyze)$"
@rx calls the regex operator. Same happens if you omit an operator.

The regex you are applying to the User-Agent value is...
^(?:Datanyze)$
This will only match the exact value with exact case...
User-Agent: Datanyze
To match it anywhere in the User-Agent value use the regex...
(?:Datanyze)

Also, to match any mix of case, transform to lowercase (t:lowercase) and then use the regex...
(?:datanyze)

So final rule looks like this...
Code:
# Datanyze deny rule
SecRule REQUEST_HEADERS:User-Agent "(?:datanyze)" "msg:'Datanyze denied',phase:1,log,id:777779,t:lowercase,block,status:403"
When tested it matches the following request...
Code:
GET / HTTP/2.0
User-Agent: "Mozilla/5.0 (X11; Datanyze; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36"
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Host: domainname.com
Content-Length: 0
 

jeffschips

Well-Known Member
Jun 5, 2016
new york
cPanel Access Level
Root Administrator
Perfect! Works perfectly!

Just as an aside, this started because I noticed that bot accessing my site, yet as I dug deeper today, I've also noticed that it accesses cached webpage and thereby by-passes apache. I'm wondering if there is anything mod_security can do to stop that. Here is an example of the request URL which succeeds in getting the cached webpages:

[04/Apr/2019:17:58:11 -0400] "GET /media/plg_jchoptimize/cache/css/7dfafd723239864098661385b6ef34e9_0.css HTTP/1.1" 200 206413 "-" "Mozilla/5.0 (X11; Datanyze; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36"

Or would the rule suggested also deny such activity? I'm guessing it would because the Datanyze is still in the User agent.
 

fuzzylogic

Well-Known Member
Nov 8, 2014
cPanel Access Level
Root Administrator
noticed that it accesses cached webpage and thereby by-passes apache.
This is a non-issue.
Apache serves this request exactly the same as it might serve a request for index.html or theme.css or any other static file.
It has been cached by a Joomla plugin, but is still a static css file in your website's directory structure.
This request is blocked by this rule very early in the request phase (Phase 1, Request Headers).

Or would the rule suggested also deny such activity? I'm guessing it would because the Datanyze is still in the User agent.
This is correct.
 
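The two points made in the replies above (why the anchored, case-sensitive `^(?:Datanyze)$` never fires on a full browser UA string, and why the unanchored `t:lowercase` rule also catches the request for the Joomla-cached CSS file, because phase 1 inspects request headers before the path matters) can be checked offline with a small model of how ModSecurity evaluates such a rule. The script below is an added example, not code from the thread or from ModSecurity itself; it parses only the subset of SecRule syntax used in the thread (`REQUEST_HEADERS:<name>`, the `@rx` operator, `t:none`/`t:lowercase`, `block`, `status`), assumes no transformations are inherited from SecDefaultAction, and runs both rules over constructed sample requests (the first User-Agent and the cache path are the ones quoted in the thread; the other UAs are made up to probe edge cases).

```python
import re

# Constructed sample traffic for the demo (not captured from the thread's server).
DATANYZE_UA = ("Mozilla/5.0 (X11; Datanyze; Linux x86_64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36")
SAMPLE_REQUESTS = [
    {"line": "GET / HTTP/1.1", "User-Agent": DATANYZE_UA},
    # the Joomla cache request from the thread: same UA, static CSS path
    {"line": "GET /media/plg_jchoptimize/cache/css/7dfafd723239864098661385b6ef34e9_0.css HTTP/1.1",
     "User-Agent": DATANYZE_UA},
    {"line": "GET / HTTP/1.1", "User-Agent": "Datanyze"},          # bare UA: the only one ^...$ matches
    {"line": "GET / HTTP/1.1", "User-Agent": "DATANYZE-bot/2.0"},  # made-up mixed-case variant
    {"line": "GET / HTTP/1.1", "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/66.0"},  # benign
]

# The rule as first posted and the corrected rule from the reply.
ORIGINAL_RULE = ('SecRule REQUEST_HEADERS:User-Agent "@rx ^(?:Datanyze)$" '
                 '"msg:\'Datanyze blocked\',phase:1,log,id:777777,t:none,block,status:403"')
FIXED_RULE = ('SecRule REQUEST_HEADERS:User-Agent "(?:datanyze)" '
              '"msg:\'Datanyze denied\',phase:1,log,id:777779,t:lowercase,block,status:403"')

SECRULE_RE = re.compile(r'^\s*SecRule\s+(\S+)\s+"(.*?)"\s+"(.*)"\s*$')


def parse_secrule(line):
    """Parse the SecRule subset used in the thread into variable, regex, transforms, actions."""
    m = SECRULE_RE.match(line)
    if not m:
        raise ValueError("not a SecRule line this model understands")
    variable, operator, action_str = m.groups()
    if operator.startswith("@rx "):
        regex = operator[len("@rx "):]
    elif operator.startswith("@"):
        raise ValueError("only the @rx operator is modelled here")
    else:
        regex = operator  # no operator given: ModSecurity implies @rx
    transforms, actions = [], {}
    for part in action_str.split(","):
        key, _, value = part.strip().partition(":")
        if key == "t":
            # t:none discards inherited transformations; anything else is appended in order
            transforms = [] if value == "none" else transforms + [value]
        else:
            actions[key] = value.strip("'") if value else True
    return {"variable": variable, "regex": regex, "transforms": transforms, "actions": actions}


def apply_transforms(value, transforms):
    for t in transforms:
        if t == "lowercase":
            value = value.lower()
        else:
            raise ValueError(f"transformation {t} not modelled")
    return value


def header_value(rule, request):
    """Resolve REQUEST_HEADERS:<name>; header names compare case-insensitively."""
    collection, _, name = rule["variable"].partition(":")
    if collection != "REQUEST_HEADERS" or not name:
        raise ValueError("only REQUEST_HEADERS:<name> is modelled")
    for key, value in request.items():
        if key.lower() == name.lower():
            return value
    return None


def rule_matches(rule, request):
    value = header_value(rule, request)
    if value is None:
        return False
    value = apply_transforms(value, rule["transforms"])
    return re.search(rule["regex"], value) is not None  # @rx is an unanchored search


def evaluate(rule_line, requests):
    """Return [(request line, HTTP status)] as the rule would decide in phase 1."""
    rule = parse_secrule(rule_line)
    disruptive = "block" in rule["actions"] or "deny" in rule["actions"]
    blocked_status = int(rule["actions"].get("status", "403"))
    results = []
    for request in requests:
        hit = rule_matches(rule, request) and disruptive
        results.append((request["line"], blocked_status if hit else 200))
    return results


if __name__ == "__main__":
    for label, rule in (("original", ORIGINAL_RULE), ("fixed", FIXED_RULE)):
        print(label)
        for line, status in evaluate(rule, SAMPLE_REQUESTS):
            print(f"  {status}  {line}")
```

Running it shows the original rule returning 403 only for the bare `User-Agent: Datanyze`, while the fixed rule returns 403 for every Datanyze variant, the cached CSS path included, and leaves the Firefox request at 200. Because the decision is made from the header alone, the requested path never enters into it, which is the point of the second reply.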

cPanelMichael

Administrator
Staff member
Apr 11, 2011
I've marked this thread as solved.

Thanks!