Mod_security rules to prevent spam registrations and comments on wordpress sites

caisc

Well-Known Member
Oct 5, 2011
73
2
58
India
cPanel Access Level
Root Administrator
Hi,

Looking for some working set of Mod_security rules to prevent spam registrations and comments on wordpress sites on cpanel server


did some search and found following set of rules -
Code:
#comments blacklist
SecAction "id:400000,phase:1,initcol:IP=%{REMOTE_ADDR},pass,nolog"
SecRule IP: spam "[USER=3202]@gt[/USER] 0" "id:400001,phase:1,chain,drop,msg:'Spam host %{REMOTE_ADDR} already blacklisted'"
SecRule REQUEST_METHOD "POST" chain
SecRule REQUEST_URI "\/wp-(comments-post|trackback).php"
SecRule REQUEST_METHOD "POST" "id:'400010',chain,drop,log,msg:'Spam host detected by zen.spamhaus.org'"
SecRule REQUEST_URI "\/wp-(comments-post|trackback).php" chain
SecRule REMOTE_ADDR "@rbl zen.spamhaus.org" "setvar:IP.spam=1,expirevar:IP.spam=604800"
But this does not seem to be working coz not a single IP was blocked, any help from experienced admins is appreciated.

Thanks
 
Last edited by a moderator:

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
First off, using zen to block web traffic is a really bad idea. It lists all dynamic IP space (i.e. home user ISP space) on the premise those users should not run SMTP servers, but they do browse the web normally. You will deny many legitimate users with this. You want to use SBL/XBL. Second, using a counter is pretty unnecessary here... just deny the comments is fine in my opinion.

I'd try this:

Code:
# Block POST requests based on Spamhaus sbl-xbl. Don't use zen since it lists dynamic space.
# Whitelist file too just in case.
SecRule REQUEST_URI "\/wp-(comments-post|trackback).php" "chain,id:12345,log,t:normalisePath,deny,status:411,msg:'IP on RBL: sbl-xbl.spamhaus.org'"
SecRule REQUEST_METHOD "POST" "chain"
SecRule REMOTE_ADDR "[email protected] /usr/local/apache/conf/modsec2/ip_whitelist.txt" "chain"
SecRule REMOTE_ADDR "@rbl sbl-xbl.spamhaus.org"
Create the file /usr/local/apache/conf/modsec2/ip_whitelist.txt first; you can add IP addresses to it to whitelist them in the event of false positives. It's OK to have it blank.
 
  • Like
Reactions: Infopro

caisc

Well-Known Member
Oct 5, 2011
73
2
58
India
cPanel Access Level
Root Administrator
Thanks quizknows for your suggestions.


While trying to implement your ruleset, noticed that there is no folder "modsec2" at path /usr/local/apache/conf

Shall i create this file ip_whitelist.txt at this path /etc/apache2/conf.d/modsec/

Server runs EA4 with Cloudlinux 7

Thanks
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
You can create the file anywhere apache can read it, so your proposed path is fine if you update the rule. My path was more appropriate for EA3
 

caisc

Well-Known Member
Oct 5, 2011
73
2
58
India
cPanel Access Level
Root Administrator
Got that!

quizknows are you using these rule-set that you mentioned on any production server? If yes how is the response.

Thanks
 

mariusfv

Active Member
Mar 24, 2013
39
7
133
Romania
cPanel Access Level
Root Administrator
Try a smart approach:

1. Install CSF firewall on your server(if you already haven't done this).
2. Activate firewall and Check Server Security.
3. Go to CSF -> lfd Blocklist and activate(uncomment, remove: #) from HONEYPOT, CIARMY, TOR, OPENBL and other spam/hack database IP's of your choice.
Remember that some projects are listed on Modsecurity too(HONEYPOT) via API.
It is not recommended to activate all -> your server will need a lot of memory(RAM).
Modsecurity works together with CSF!

In that way your server will block hundreds of thousands or even millions of spammers/hackers IP's before touch your server.
 

caisc

Well-Known Member
Oct 5, 2011
73
2
58
India
cPanel Access Level
Root Administrator
Hey mariusfv!

Many thanks for the suggestion, using CSF since very long but completely missed this feature,
as of now enabled following -
Code:
STOPFORUMSPAM|86400|0|http://www.stopforumspam.com/downloads/listed_ip_1.zip
HONEYPOT|86400|0|http://www.projecthoneypot.org/list_of_ips.php?t=d&rss=1
Do you recommend any other BL to be enabled? primary issue to deal is exploit upload and forum/comment spam

Thanks
 
Last edited by a moderator:

mariusfv

Active Member
Mar 24, 2013
39
7
133
Romania
cPanel Access Level
Root Administrator
HONEYPOT in the last days appear to be in maintenance mode!
I use HONEYPOT since 2007 if I remember correctly, now I use TOR and OPENBL too.
For WordPress protection I recommend you to install the WordPress plugin WordFence and a good captcha, I recommend recaptcha by Google, to stop robots post on your websites.
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
Got that!

quizknows are you using these rule-set that you mentioned on any production server? If yes how is the response.

Thanks
I use them for wp-login.php and xmlrpc.php, but not for comment pages. It works well for wp-login. I may actually try the rule I gave you on my own sites now :)
 

caisc

Well-Known Member
Oct 5, 2011
73
2
58
India
cPanel Access Level
Root Administrator
HONEYPOT in the last days appear to be in maintenance mode!
I use HONEYPOT since 2007 if I remember correctly, now I use TOR and OPENBL too.
For WordPress protection I recommend you to install the WordPress plugin WordFence and a good captcha, I recommend recaptcha by Google, to stop robots post on your websites.
When there are 300+ wp sites on server its not possible to ask every end user to install proper plugins, as an admin you know this pain :)

actually I wanted to know each BL specialize in some area or they are all general, like
HONEYPOT for spammers
OPENBL for email spammers etc etc


Also how does CSF again downloads the updated ip list and at what frequency? will I have to restart CSF for this everytime.

Also thanks quizknows, do update me with your results.
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
What CSF will do is count modsecurity failures by IP. if one IP trips too many warnings as set with LF_MODSEC in csf.conf it will block the IP automatically. You only need to restart CSF/LFD the first time you enable LF_MODSEC.
 

caisc

Well-Known Member
Oct 5, 2011
73
2
58
India
cPanel Access Level
Root Administrator
For wp-login brute force and xmlrpc requests I also use modsec rules they work fine.

After enabling STOPFORUMSPAM and OPENBL in CSF LFD blocklist I have noticed approx 7-10% lower load on server.
Although because of these 2 blocklist approx 11k IP were added in iptables blocklist, this eats up some resources.

Benefit is that because of reduced spam activity mysql server gets slightly more time to serve genuine requests.
 
Last edited: