Mod_Security rule to mitigate constant GET and POST request attack

Discussion in 'Security' started by caisc, Feb 25, 2017.

  1. caisc

    caisc Well-Known Member

    Joined:
    Oct 5, 2011
    Messages:
    70
    Likes Received:
    2
    Trophy Points:
    58
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Hello,

    Recently I have noticed increased attacks on our server using GET and POST requests from random IPs.
    I need a working and tested mod_security rule to fix this.

    I request forum members to please help me mitigate this sort of attack. We use the CSF firewall, but as the IPs are constantly changing, we can't block every IP one by one.

    One sample of the attack logs is listed below -
    Code:
    59.152.103.169 - - [25/Feb/2017:14:37:17 +0530] "GET /wp-content/uploads/2017/01/admin-ajax.php_-2-148x85.jpg HTTP/1.1" 200 4286 "domain-name.com" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:37:08 +0530] "GET /wp-content/themes/profitmag/fonts/fontawesome-webfont.woff?v=4.2.0 HTTP/1.1" 200 65452 "http://domain-name.com/wp-content/themes/profitmag/css/font-awesome.min.css?ver=4.7.2" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:37:17 +0530] "GET /wp-content/uploads/2017/01/admin-ajax.php_-1-148x85.jpg HTTP/1.1" 200 5552 "domain-name.com" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:37:17 +0530] "GET /wp-content/uploads/2017/01/admin-ajax.php_-148x85.jpg HTTP/1.1" 200 5809 "domain-name.com" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:37:18 +0530] "GET /wp-content/uploads/2017/01/3-148x85.jpg HTTP/1.1" 200 3685 "domain-name.com" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:37:18 +0530] "GET /wp-content/uploads/2017/01/admin-ajax1-100x85.jpg HTTP/1.1" 200 3654 "domain-name.com" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:37:19 +0530] "GET /wp-content/uploads/2017/01/admin-ajax.php_-2-100x85.jpg HTTP/1.1" 200 3215 "domain-name.com" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:37:19 +0530] "GET /wp-content/uploads/2017/01/admin-ajax.php_-1-100x85.jpg HTTP/1.1" 200 4204 "domain-name.com" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:37:20 +0530] "GET /wp-content/uploads/2017/01/admin-ajax.php_-100x85.jpg HTTP/1.1" 200 4006 "domain-name.com" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:37:20 +0530] "GET /wp-content/uploads/2017/01/3-100x85.jpg HTTP/1.1" 200 2904 "domain-name.com" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:37:20 +0530] "GET /wp-content/uploads/2017/01/admin111-174x111.jpg HTTP/1.1" 200 6121 "domain-name.com" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:37:20 +0530] "GET /wp-content/uploads/2017/01/admin-ajax1-174x111.jpg HTTP/1.1" 200 5989 "domain-name.com" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:37:20 +0530] "GET /wp-content/uploads/2017/01/admin-ajax.php_-2-174x111.jpg HTTP/1.1" 200 5678 "domain-name.com" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:37:20 +0530] "GET /wp-content/uploads/2017/01/admin111-272x137.jpg HTTP/1.1" 200 9608 "domain-name.com" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:37:20 +0530] "GET /wp-content/uploads/2017/01/1.gif HTTP/1.1" 200 45129 "domain-name.com" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:37:21 +0530] "GET /wp-content/uploads/2017/01/admin111-193x112.jpg HTTP/1.1" 200 6620 "domain-name.com" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:37:21 +0530] "GET /wp-content/uploads/2017/01/admin-ajax.php_-2-193x112.jpg HTTP/1.1" 200 6150 "domain-name.com" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:37:22 +0530] "GET /wp-content/uploads/2017/01/admin-ajax.php_-1-193x112.jpg HTTP/1.1" 200 8394 "domain-name.com" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:37:22 +0530] "GET /wp-content/themes/profitmag/images/menu-bg.png HTTP/1.1" 200 930 "http://domain-name.com/wp-content/themes/profitmag/style.css?ver=4.7.2" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:37:22 +0530] "GET /wp-content/plugins/gallery-images/assets/images/front_images/arrows/arrows.simple.png HTTP/1.1" 200 1914 "domain-name.com" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:37:22 +0530] "GET /wp-content/plugins/gallery-video/assets/images/arrows/arrows.simple.png HTTP/1.1" 200 1914 "domain-name.com" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:37:22 +0530] "GET /wp-content/plugins/gallery-video/assets/images/admin_images/play.youtube.png HTTP/1.1" 200 1312 "domain-name.com" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:37:22 +0530] "GET /wp-content/plugins/gallery-video/assets/images/admin_images/play.vimeo.png HTTP/1.1" 200 1188 "domain-name.com" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:37:23 +0530] "GET /wp-content/themes/profitmag/css/images/bx_loader.gif HTTP/1.1" 200 7303 "http://domain-name.com/wp-content/themes/profitmag/css/jquery.bxslider.css?ver=4.7.2" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:37:23 +0530] "GET /wp-content/themes/profitmag/images/slider-controls.png HTTP/1.1" 200 1340 "http://domain-name.com/wp-content/themes/profitmag/css/red.css" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:37:20 +0530] "GET /wp-content/uploads/2017/01/20150904092804.bmp HTTP/1.1" 200 570702 "domain-name.com" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:42:01 +0530] "GET / HTTP/1.1" 200 32647 "-" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:42:05 +0530] "GET /wp-content/plugins/team-members/css/tmm_custom_style.min.css?ver=4.7.2 HTTP/1.1" 200 961 "domain-name.com" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:42:05 +0530] "GET /wp-includes/js/wp-emoji-release.min.js?ver=4.7.2 HTTP/1.1" 200 4230 "domain-name.com" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:42:05 +0530] "GET /wp-content/themes/profitmag/css/jquery.bxslider.css?ver=4.7.2 HTTP/1.1" 200 1205 "domain-name.com" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:42:05 +0530] "GET /wp-content/themes/profitmag/css/font-awesome.min.css?ver=4.7.2 HTTP/1.1" 200 5045 "domain-name.com" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:42:05 +0530] "GET /wp-content/themes/profitmag/css/nivo-lightbox.css?ver=4.7.2 HTTP/1.1" 200 1716 "domain-name.com" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:42:05 +0530] "GET /wp-content/plugins/ultimate-form-builder-lite/css/frontend.css?ver=1.3.1 HTTP/1.1" 200 4261 "domain-name.com" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:42:05 +0530] "GET /wp-content/plugins/ultimate-form-builder-lite/css/jquery.selectbox.css?ver=1.3.1 HTTP/1.1" 200 649 "domain-name.com" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:42:05 +0530] "GET /wp-content/themes/profitmag/css/ticker-style.css?ver=4.7.2 HTTP/1.1" 200 701 "domain-name.com" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:42:05 +0530] "GET /wp-content/themes/profitmag/css/jquery.mCustomScrollbar.css?ver=4.7.2 HTTP/1.1" 200 2034 "domain-name.com" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:42:05 +0530] "GET /wp-content/themes/profitmag/style.css?ver=4.7.2 HTTP/1.1" 200 8839 "domain-name.com" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:42:05 +0530] "GET /wp-content/themes/profitmag/css/red.css HTTP/1.1" 200 996 "domain-name.com" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:42:05 +0530] "GET /wp-content/themes/profitmag/css/responsive.css?ver=4.7.2 HTTP/1.1" 200 2511 "domain-name.com" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:42:06 +0530] "GET /wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1 HTTP/1.1" 200 4014 "domain-name.com" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:42:06 +0530] "GET /wp-content/plugins/bsk-pdf-manager/js/bsk_pdf_manager.js?ver=1.6 HTTP/1.1" 200 196 "http://domain-name.com/" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:42:06 +0530] "GET /wp-includes/js/jquery/jquery.js?ver=1.12.4 HTTP/1.1" 200 33766 "http://domain-name.com/" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:42:06 +0530] "GET /wp-content/plugins/ultimate-form-builder-lite/js/jquery.selectbox-0.2.min.js?ver=1.3.1 HTTP/1.1" 200 2775 "http://domain-name.com/" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:42:07 +0530] "GET /wp-content/plugins/ultimate-form-builder-lite/js/frontend.js?ver=1.3.1 HTTP/1.1" 200 995 "http://domain-name.com/" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:42:07 +0530] "GET /wp-content/themes/profitmag/js/jquery.slicknav.min.js?ver=4.7.2 HTTP/1.1" 200 2093 "http://domain-name.com/" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:42:07 +0530] "GET /wp-content/themes/profitmag/js/nivo-lightbox.min.js?ver=4.7.2 HTTP/1.1" 200 2211 "http://domain-name.com/" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:42:07 +0530] "GET /wp-content/themes/profitmag/js/modernizr.min.js?ver=2.6.2 HTTP/1.1" 200 6204 "http://domain-name.com/" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:42:07 +0530] "GET /wp-content/plugins/gallery-video/assets/js/vimeo.lib.js HTTP/1.1" 200 741 "http://domain-name.com/" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:42:07 +0530] "GET /wp-content/plugins/gallery-video/assets/js/youtube.lib.js HTTP/1.1" 200 429 "http://domain-name.com/" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:42:08 +0530] "GET /wp-content/plugins/addthis/css/output.css?ver=4.7.2 HTTP/1.1" 200 716 "http://domain-name.com/" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:42:08 +0530] "GET /wp-content/plugins/gallery-images/assets/style/gallery-all.css?ver=4.7.2 HTTP/1.1" 200 - "http://domain-name.com/" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:42:08 +0530] "GET /wp-content/plugins/gallery-images/assets/style/style2-os.css?ver=4.7.2 HTTP/1.1" 200 552 "http://domain-name.com/" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:42:08 +0530] "GET /wp-content/plugins/gallery-images/assets/style/lightbox.css?ver=4.7.2 HTTP/1.1" 200 1034 "http://domain-name.com/" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:42:08 +0530] "GET /wp-content/plugins/gallery-images/assets/style/css/font-awesome.css?ver=4.7.2 HTTP/1.1" 200 5061 "http://domain-name.com/" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:42:08 +0530] "GET /wp-content/plugins/gallery-images/assets/style/colorbox-1.css?ver=4.7.2 HTTP/1.1" 200 1000 "http://domain-name.com/" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:42:08 +0530] "GET /wp-content/plugins/gallery-video/assets/style/style2-os.css?ver=4.7.2 HTTP/1.1" 200 552 "http://domain-name.com/" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:42:09 +0530] "GET /wp-content/plugins/gallery-video/assets/style/colorbox-1.css?ver=4.7.2 HTTP/1.1" 200 1008 "http://domain-name.com/" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:42:09 +0530] "GET /wp-content/themes/profitmag/js/jquery.bxslider.js?ver=4.7.2 HTTP/1.1" 200 12013 "http://domain-name.com/" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:42:09 +0530] "GET /wp-content/themes/profitmag/js/jquery.ticker.js?ver=4.7.2 HTTP/1.1" 200 4437 "http://domain-name.com/" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:42:09 +0530] "GET /wp-content/themes/profitmag/js/jquery.mCustomScrollbar.min.js?ver=1.0.0 HTTP/1.1" 200 5881 "http://domain-name.com/" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:42:09 +0530] "GET /wp-content/themes/profitmag/js/jquery.mousewheel.min.js?ver=2.0.19 HTTP/1.1" 200 1259 "http://domain-name.com/" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:42:09 +0530] "GET /wp-content/themes/profitmag/js/navigation.js?ver=20120206 HTTP/1.1" 200 402 "http://domain-name.com/" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:42:09 +0530] "GET /wp-content/themes/profitmag/js/custom.js?ver=1.0 HTTP/1.1" 200 599 "http://domain-name.com/" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:42:10 +0530] "GET /wp-includes/js/wp-embed.min.js?ver=4.7.2 HTTP/1.1" 200 751 "http://domain-name.com/" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:42:10 +0530] "GET /wp-content/plugins/gallery-images/assets/js/jquery.colorbox.js?ver=1.0.0 HTTP/1.1" 200 9505 "http://domain-name.com/" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:42:10 +0530] "GET /wp-content/plugins/gallery-images/assets/js/jquery.hugeitmicro.min.js?ver=1.0.0 HTTP/1.1" 200 5066 "http://domain-name.com/" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:42:10 +0530] "GET /wp-content/plugins/gallery-images/assets/js/view-slider.js?ver=1.0.0 HTTP/1.1" 200 - "http://domain-name.com/" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:42:10 +0530] "GET /wp-content/plugins/gallery-images/assets/js/custom.js?ver=1.0.0 HTTP/1.1" 200 2749 "http://domain-name.com/" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:42:10 +0530] "GET /wp-content/plugins/gallery-video/assets/js/jquery.colorbox.js?ver=1.0.0 HTTP/1.1" 200 9562 "http://domain-name.com/" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:42:11 +0530] "GET /wp-content/plugins/gallery-video/assets/js/jquery.hugeitmicro.min.js?ver=1.0.0 HTTP/1.1" 200 5083 "http://domain-name.com/" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:42:11 +0530] "GET /wp-content/plugins/gallery-video/assets/js/view-slider.js?ver=1.0.0 HTTP/1.1" 200 2 "http://domain-name.com/" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:42:11 +0530] "GET /wp-content/plugins/gallery-video/assets/js/custom.js?ver=1.0.0 HTTP/1.1" 200 657 "http://domain-name.com/" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:43:25 +0530] "GET /wp-content/uploads/2017/01/admin-ajax.php_-1.jpg HTTP/1.1" 200 42557 "http://domain-name.com/" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:43:25 +0530] "GET /wp-content/uploads/2017/01/admin-ajax1.jpg HTTP/1.1" 200 21307 "http://domain-name.com/" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:43:25 +0530] "GET /wp-content/uploads/2017/01/logo.jpg HTTP/1.1" 200 29040 "http://domain-name.com/" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:43:25 +0530] "GET /wp-content/uploads/2017/01/admin-ajax.php_-2.jpg HTTP/1.1" 200 26459 "http://domain-name.com/" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:43:25 +0530] "GET /wp-content/uploads/2017/01/admin111.jpg HTTP/1.1" 200 30822 "http://domain-name.com/" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:43:25 +0530] "GET /wp-content/uploads/2017/01/admin111-240x172.jpg HTTP/1.1" 200 9830 "http://domain-name.com/" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:43:25 +0530] "GET /wp-content/uploads/2017/01/admin-ajax1-240x172.jpg HTTP/1.1" 200 9661 "http://domain-name.com/" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
    59.152.103.169 - - [25/Feb/2017:14:43:26 +0530] "GET /wp-content/uploads/2017/01/admin-ajax.php_.jpg HTTP/1.1" 200 36445 "http://domain-name.com/" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0 Cyberfox/51.0.2"
     
    #1 caisc, Feb 25, 2017
    Last edited by a moderator: Feb 25, 2017
  2. caisc
    Here is another instance -
    Code:
    94.102.60.76 - - [25/Feb/2017:12:24:21 +0530] "GET /wp-json/wp/v2/posts/ HTTP/1.0" 301 - "-" "-"
    94.102.60.76 - - [25/Feb/2017:12:24:22 +0530] "GET /wp-json/wp/v2/posts/ HTTP/1.0" 200 212703 "-" "-"
    94.102.60.76 - - [25/Feb/2017:12:24:28 +0530] "POST /wp-json/wp/v2/posts/1076 HTTP/1.0" 301 - "-" "-"
    94.102.60.76 - - [25/Feb/2017:12:24:29 +0530] "GET /wp-json/wp/v2/posts/1076/ HTTP/1.0" 200 212703 "-" "-"
    94.102.60.76 - - [25/Feb/2017:12:24:31 +0530] "GET /sh.html HTTP/1.0" 301 - "-" "-"
    94.102.60.76 - - [25/Feb/2017:12:24:31 +0530] "GET /sh.html/ HTTP/1.0" 200 212703 "-" "-"
    94.102.60.76 - - [25/Feb/2017:12:24:32 +0530] "POST /wp-json/wp/v2/posts/1076 HTTP/1.0" 301 - "-" "-"
    94.102.60.76 - - [25/Feb/2017:12:24:32 +0530] "GET /wp-json/wp/v2/posts/1076/ HTTP/1.0" 200 212703 "-" "-"
    94.102.60.76 - - [25/Feb/2017:12:24:33 +0530] "GET /sh.html HTTP/1.0" 301 - "-" "-"
    94.102.60.76 - - [25/Feb/2017:12:24:33 +0530] "GET /sh.html/ HTTP/1.0" 200 212703 "-" "-"
    
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,658
    Likes Received:
    1,424
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
  4. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    986
    Likes Received:
    76
    Trophy Points:
    78
    cPanel Access Level:
    DataCenter Provider
    2nd case: You can deny requests that have both no UA and no referer. This is generally safe (I use it in production), but keep in mind you may have to whitelist this rule for some 3rd party services that are coded lazily, e.g. if you use a 3rd party monitoring service.

    Code:
    #Deny any HTTP request where both the user agent and referring URL are blank (except localhost due to WHM server status)
    SecRule &HTTP_REFERER "@eq 0" "deny,status:411,id:187945988,chain,msg:'No UA, No referer'"
    SecRule &HTTP_User-Agent "@eq 0" "chain"
    SecRule REMOTE_ADDR "!@ipMatch 127.0.0.1"
    
    1st case: I would try blocking the user agent if you are absolutely sure that traffic is bad, but this rule could block legitimate users and I would not leave this one in place permanently.

    Code:
    SecRule HTTP_User-Agent "cyberfox" "deny,id:2892758,t:lowercase"
    
     
    caisc and cPanelMichael like this.
  5. caisc
    Thanks quizknows

    Code:
    #Deny any HTTP request where both the user agent and referring URL are blank (except localhost due to WHM server status)
    SecRule &HTTP_REFERER "@eq 0" "deny,status:411,id:187945988,chain,msg:'No UA, No referer'"
    SecRule &HTTP_User-Agent "@eq 0" "chain"
    SecRule REMOTE_ADDR "!@ipMatch 127.0.0.1"
    
    I have added the above rule to the mod_sec rule list; I will let you know with feedback in a few days.
     
  6. caisc
    @quizknows

    Immediately after adding the rule I got this in the mod_sec log -

    2017-03-03 19:48:11 domain.com 23.227.x.x 411
    Request: GET /utility/tasks?notrigger=1&key=23a78621&pid=1386626928
    Action Description: Access denied with code 411 (phase 2).
    Justification: Match of "ipMatch 127.0.0.1" against "REMOTE_ADDR" required.

    Here 23.227.x.x is my server's primary shared IP; this looks like a false positive. How do I fix this?

    The domlog entry is -
    23.227.x.x - - [03/Mar/2017:19:54:47 +0530] "GET /utility/tasks?notrigger=1&key=23a78621&pid=1113355893 HTTP/1.1" 411 60 "-" "-"

    A few more domlog entries -
    23.227.x.x - - [03/Mar/2017:20:04:36 +0530] "GET /public/album_photo/01/0001_36a7.png?c=64bf HTTP/1.0" 404 148728 "-" "-"
    23.227.x.x - - [03/Mar/2017:20:04:36 +0530] "GET /public/album_photo/21/0021_b687.png?c=b7fa HTTP/1.0" 404 148728 "-" "-"
    23.227.x.x - - [03/Mar/2017:20:04:37 +0530] "GET /public/album_photo/21/0021_b687.png?c=b7fa HTTP/1.0" 404 148728 "-" "-"
    23.227.x.x - - [03/Mar/2017:20:04:37 +0530] "GET /public/album_photo/22/0022_cfa6.png?c=0678 HTTP/1.0" 404 148728 "-" "-"
    23.227.x.x - - [03/Mar/2017:20:04:37 +0530] "GET /public/album_photo/21/0021_b687.png?c=b7fa HTTP/1.0" 404 148728 "-" "-"
    23.227.x.x - - [03/Mar/2017:20:04:37 +0530] "GET /public/album_photo/21/0021_b687.png?c=b7fa HTTP/1.0" 404 148728 "-" "-"
    23.227.x.x - - [03/Mar/2017:20:04:38 +0530] "GET /public/album_photo/21/0021_b687.png?c=b7fa HTTP/1.0" 404 148728 "-" "-"
    23.227.x.x - - [03/Mar/2017:20:04:38 +0530] "GET /public/album_photo/21/0021_b687.png?c=b7fa HTTP/1.0" 404 148728 "-" "-"
    23.227.x.x - - [03/Mar/2017:20:04:38 +0530] "GET /public/album_photo/22/0022_cfa6.png?c=0678 HTTP/1.0" 404 148728 "-" "-"
     
    #6 caisc, Mar 3, 2017
    Last edited: Mar 3, 2017
  7. quizknows
    If you need to exclude your main server IP from the rule, it's simply another chain condition like this:

    Code:
    #Deny any HTTP request where both the user agent and referring URL are blank (except localhost due to WHM server status)
    SecRule &HTTP_REFERER "@eq 0" "deny,status:411,id:187945988,chain,msg:'No UA, No referer'"
    SecRule &HTTP_User-Agent "@eq 0" "chain"
    SecRule REMOTE_ADDR "!@ipMatch 127.0.0.1" "chain"
    SecRule REMOTE_ADDR "!@ipMatch 23.227.1.1"
    
    This is just one way to do it; you could also make a file with whitelisted IP addresses like this:

    Code:
    #Deny any HTTP request where both the user agent and referring URL are blank (except localhost due to WHM server status)
    SecRule &HTTP_REFERER "@eq 0" "deny,status:411,id:187945988,chain,msg:'No UA, No referer'"
    SecRule &HTTP_User-Agent "@eq 0" "chain"
    SecRule REMOTE_ADDR "!@ipMatchFromFile /usr/local/apache/conf/modsec2/ip_whitelist.txt"
    
    The file /usr/local/apache/conf/modsec2/ip_whitelist.txt would contain one IP per line, like:

    Code:
    127.0.0.1
    23.227.1.1
    
    You can put the file ip_whitelist.txt wherever you want; this path is just suggested for EA3. If you use EA4 you could put it in a different location, as long as the rule is updated with the path of the file.
     
    cPanelMichael likes this.
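The following is an added example, not code from this thread or from cPanel or ModSecurity: it replays the decision logic of quizknows' chained rule from post #4 (deny when both Referer and User-Agent are absent) together with the ip_whitelist.txt exemption from post #7 against Apache "combined" access-log lines, so you can check what a rule would have denied before enabling it. The log lines are constructed for the demo (two are taken from the attacker sample in post #2, one stands in for the server's own cron-style request from post #6 using the 23.227.1.1 placeholder quizknows used, one is an ordinary browser hit with 203.0.113.10 as a made-up client address); the whitelist body mirrors post #7. The function and variable names are the example's own.

```python
"""Replay the 'no User-Agent and no Referer' rule plus an IP whitelist
against access-log lines.  Added example, not the thread's own code."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Mirrors ip_whitelist.txt from post #7 (one IP or CIDR per line).
# 23.227.1.1 is the placeholder the thread uses for the server's shared IP.
IP_WHITELIST_TEXT = """\
127.0.0.1
23.227.1.1
"""


def load_whitelist(text):
    """Parse a whitelist file body into networks, like @ipMatchFromFile would."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        nets.append(ip_network(line, strict=False))  # bare IP becomes a /32
    return nets


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None


def would_deny(entry, whitelist):
    """True if the chained rule would deny this request.

    Apache logs "-" when a header is absent, which is what &HTTP_REFERER "@eq 0"
    and &HTTP_User-Agent "@eq 0" test.  A header that is present but empty
    counts as 1 in ModSecurity yet also shows as "-" in the log, so this replay
    is slightly stricter than the live rule (assumption about the log format)."""
    no_referer = entry["referer"] == "-"
    no_ua = entry["ua"] == "-"
    if not (no_referer and no_ua):
        return False
    addr = ip_address(entry["ip"])
    return not any(addr in net for net in whitelist)


def replay(lines, whitelist):
    """Classify each line; returns (denied entries, per-IP count of denials)."""
    denied = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None and would_deny(entry, whitelist):
            denied.append(entry)
    return denied, Counter(e["ip"] for e in denied)


# Constructed sample log for the demo.
SAMPLE_LOG = [
    # From post #2: REST API probe with neither header.
    '94.102.60.76 - - [25/Feb/2017:12:24:21 +0530] "GET /wp-json/wp/v2/posts/ HTTP/1.0" 301 - "-" "-"',
    '94.102.60.76 - - [25/Feb/2017:12:24:31 +0530] "GET /sh.html HTTP/1.0" 301 - "-" "-"',
    # Stands in for the server's own request from post #6 (placeholder IP from post #7).
    '23.227.1.1 - - [03/Mar/2017:19:54:47 +0530] "GET /utility/tasks?notrigger=1 HTTP/1.1" 200 60 "-" "-"',
    # Ordinary browser hit that carries both headers (made-up client address).
    '203.0.113.10 - - [25/Feb/2017:14:42:06 +0530] "GET /wp-includes/js/jquery/jquery.js?ver=1.12.4 HTTP/1.1" '
    '200 33766 "http://domain-name.com/" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0"',
]

if __name__ == "__main__":
    denied, counts = replay(SAMPLE_LOG, load_whitelist(IP_WHITELIST_TEXT))
    for e in denied:
        print(f"DENY {e['ip']} {e['request']}")
    print("denied per IP:", dict(counts))
```

Run it over a real domlog (`grep` the lines you care about into a list) before switching the rule on; the per-IP counter shows which sources the rule would hit, and anything that belongs to your own server or a monitoring service goes into the whitelist file rather than being denied.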