SOLVED mod_security rule not working

jeffschips · Apr 8, 2019

Trying to stop a bad bot from accessing server using mod_security rules. I have the following but it's not working.

SecRule REQUEST_HEADERS:User-Agent "@rx ^(?:Datanyze)$" "msg:'Datanyze blocked',phase:1,log,id:777777,t:none,block,status:403"

the word "Datanyze" is contained in the User Agent string and I can't find a definitive source anywhere that defines if the UA is the entire string, i.e,:

"Mozilla/5.0 (X11; Datanyze; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36"

or if you can use text strings therein as UA.

Thank you.

fuzzylogic · Apr 8, 2019

Couple of points.

"@rx ^(?:Datanyze)$"
@rx calls the regex operator. Same happens if you omit an operator.

The regex you are applying to the User-Agent value is...
^(?:Datanyze)$"
This will only match the exact value with exact case...
User-Agent: Datanyze
To match it anywhere is the User-Agent value use the regex...
(?:Datanyze)

Also to match any mix of Case transform to lowercase (t:lowercase) then use the regex...
(?:datanyze)

So final rule looks like this...

Code:

# Datanyze deny rule
SecRule REQUEST_HEADERS:User-Agent "(?:datanyze)" "msg:'Datanyze denied',phase:1,log,id:777779,t:lowercase,block,status:403"

When tested it matches the following request...

Code:

GET / HTTP/2.0
User-Agent: "Mozilla/5.0 (X11; Datanyze; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36"
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Host: domainname.com
Content-Length: 0

jeffschips · Apr 8, 2019

Perfect! Works perfectly!

Just as an aside, this started because I noticed that bot accessing my site, yet as I dug deeper today, I've also noticed that it accesses cached webpage and thereby by-passes apache. I'm wondering if there is anything mod_security can do to stop that. Here is an example of the request URL which succeeds in getting the cached webpages:

[04/Apr/2019:17:58:11 -0400] "GET /media/plg_jchoptimize/cache/css/7dfafd723239864098661385b6ef34e9_0.css HTTP/1.1" 200 206413 "-" "Mozilla/5.0 (X11; Datanyze; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36"

Or would the rule suggested also deny such activity: I''m guessing it would because the Datanyze is still in the User agent.

fuzzylogic · Apr 9, 2019

jeffschips said:
noticed that it accesses cached webpage and thereby by-passes apache.

This is a non-issue.
Apache serves this request exactly the same as it might serve a request for index.html or theme.css or any other static file.
It has been cached by a Joomla plugin, but is still a static css file in your website's directory structure.
This request is blocked by this rule very early in the request phase (Phase 1, Request Headers).

This is correct.

jeffschips said:
Or would the rule suggested also deny such activity: I''m guessing it would because the Datanyze is still in the User agent.

jeffschips · Apr 9, 2019

SOLVED.
Thank you for the understandable and succinct explanation. Much appreciated!

cPanelMichael · Apr 9, 2019

I've marked this thread as solved.

Thanks!

Thread starter	Similar threads	Forum	Replies	Date
C	Mod_Security rules for Joomla login failures	Security	2	Apr 4, 2022
V	Centos 8 - mod_security v3 not working custom rules	Security	7	Nov 7, 2020
D	Mod_security geoip rule doesn't work	Security	9	Feb 26, 2018
E	Let customers view and whitelist mod_security rules?	Security	2	Aug 26, 2017
	Mod_Security rule to mitigate constant GET and POST request attack	Security	6	Feb 25, 2017

Search

Search

SOLVED mod_security rule not working

jeffschips

Well-Known Member

fuzzylogic

Well-Known Member

jeffschips

Well-Known Member

fuzzylogic

Well-Known Member

jeffschips

Well-Known Member

cPanelMichael

Administrator