The Community Forums


Mod_security rules to prevent spam registrations and comments on wordpress sites

Discussion in 'Security' started by caisc, Feb 7, 2017.

  1. caisc

    caisc Well-Known Member

    Joined:
    Oct 5, 2011
    Messages:
    70
    Likes Received:
    2
    Trophy Points:
    58
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Hi,

    Looking for a working set of mod_security rules to prevent spam registrations and comments on WordPress sites on a cPanel server.


    Did some searching and found the following set of rules:
    Code:
    # Comments blacklist: track repeat offenders per client IP and drop POSTs to the
    # comment/trackback endpoints from hosts listed in zen.spamhaus.org.
    SecAction "id:400000,phase:1,initcol:IP=%{REMOTE_ADDR},pass,nolog"
    # Drop further comment POSTs from an IP already flagged as spam (IP.spam > 0).
    SecRule IP:spam "@gt 0" "id:400001,phase:1,chain,drop,msg:'Spam host %{REMOTE_ADDR} already blacklisted'"
    SecRule REQUEST_METHOD "POST" chain
    SecRule REQUEST_URI "\/wp-(comments-post|trackback)\.php"
    # First hit: RBL lookup on the client address; flag the IP for 7 days (604800 s).
    SecRule REQUEST_METHOD "POST" "id:400010,chain,drop,log,msg:'Spam host detected by zen.spamhaus.org'"
    SecRule REQUEST_URI "\/wp-(comments-post|trackback)\.php" chain
    SecRule REMOTE_ADDR "@rbl zen.spamhaus.org" "setvar:IP.spam=1,expirevar:IP.spam=604800"
    
    But this does not seem to be working, because not a single IP was blocked. Any help from experienced admins is appreciated.

    Thanks
     
    #1 caisc, Feb 7, 2017
    Last edited by a moderator: Feb 7, 2017
  2. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    982
    Likes Received:
    75
    Trophy Points:
    78
    cPanel Access Level:
    DataCenter Provider
    First off, using zen to block web traffic is a really bad idea. It lists all dynamic IP space (i.e. home user ISP space) on the premise that those users should not run SMTP servers, but they do browse the web normally. You will deny many legitimate users with this. You want to use SBL/XBL. Second, using a counter is pretty unnecessary here... just denying the comments is fine in my opinion.

    I'd try this:

    Code:
    # Block POST requests based on Spamhaus sbl-xbl. Don't use zen since it lists dynamic space.
    # Whitelist file too just in case.
    SecRule REQUEST_URI "\/wp-(comments-post|trackback).php" "chain,id:12345,log,t:normalisePath,deny,status:411,msg:'IP on RBL: sbl-xbl.spamhaus.org'"
    SecRule REQUEST_METHOD "POST" "chain"
    SecRule REMOTE_ADDR "!@ipMatchFromFile /usr/local/apache/conf/modsec2/ip_whitelist.txt" "chain"
    SecRule REMOTE_ADDR "@rbl sbl-xbl.spamhaus.org"
    
    Create the file /usr/local/apache/conf/modsec2/ip_whitelist.txt first; you can add IP addresses to it to whitelist them in the event of false positives. It's OK to have it blank.
     
    Infopro likes this.
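    As an added example (not quizknows' code, nor anything from the thread), here is the lookup and decision logic behind such a rule in Python, written to show why a zen answer needs interpreting: the reversed query name, the Spamhaus return codes (only 127.0.0.10/11 mean PBL, the dynamic space quizknows warns about), and the whitelist check. ModSecurity's @rbl operator does not inspect the return code, so with @rbl the choice of zone is the filter; the resolver here is injectable, and FAKE_DNS plus the documentation-range IPs are constructed so the block runs offline.

    ```python
    import ipaddress
    import socket

    # Spamhaus zen return codes (the A record the zone answers with). Only the
    # 127.0.0.10/11 answers mean PBL, i.e. dynamic/end-user space, not a spam source.
    ZEN_CODES = {"127.0.0.2": "SBL", "127.0.0.3": "SBL", "127.0.0.4": "XBL",
                 "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
                 "127.0.0.9": "SBL", "127.0.0.10": "PBL", "127.0.0.11": "PBL"}

    def rbl_query_name(ip, zone):
        """Build the DNSBL lookup name: octets reversed, zone appended."""
        addr = ipaddress.IPv4Address(ip)  # rejects garbage and IPv6
        return ".".join(reversed(str(addr).split("."))) + "." + zone

    def dns_resolve(name):
        """Real resolver: A records for the name, empty list if not listed."""
        try:
            return socket.gethostbyname_ex(name)[2]
        except socket.gaierror:
            return []

    def should_block(ip, whitelist, resolve=dns_resolve, zone="zen.spamhaus.org"):
        """Return (block, reason). Whitelisted IPs are never blocked; an IP whose only
        listing is PBL is not blocked either, which is exactly the difference between
        blocking on zen and blocking on sbl-xbl."""
        addr = ipaddress.IPv4Address(ip)
        if any(addr in ipaddress.IPv4Network(w, strict=False) for w in whitelist):
            return False, "whitelisted"
        answers = resolve(rbl_query_name(ip, zone))
        listings = {ZEN_CODES[a] for a in answers if a in ZEN_CODES}
        hits = listings - {"PBL"}
        if hits:
            return True, "+".join(sorted(hits))
        if listings:
            return False, "PBL only (dynamic space)"
        # 127.255.255.x answers are Spamhaus error codes (e.g. query limits): fail open.
        return False, "not listed" if not answers else "unrecognised answer, failing open"

    # Constructed answers standing in for DNS so the example runs offline.
    FAKE_DNS = {
        "5.113.0.203.zen.spamhaus.org": ["127.0.0.4"],                 # XBL only
        "20.113.0.203.zen.spamhaus.org": ["127.0.0.10"],               # PBL only
        "7.100.51.198.zen.spamhaus.org": ["127.0.0.2", "127.0.0.10"],  # SBL and PBL
        "1.100.51.198.zen.spamhaus.org": ["127.255.255.254"],          # error code
    }

    def fake_resolve(name):
        return FAKE_DNS.get(name, [])
    ```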
  3. caisc

    caisc Well-Known Member

    Thanks quizknows for your suggestions.

    While trying to implement your ruleset, I noticed that there is no folder "modsec2" at the path /usr/local/apache/conf.

    Shall I create this file ip_whitelist.txt at this path: /etc/apache2/conf.d/modsec/?

    The server runs EA4 with CloudLinux 7.

    Thanks
     
  4. quizknows

    quizknows Well-Known Member

    You can create the file anywhere Apache can read it, so your proposed path is fine if you update the rule. My path was more appropriate for EA3.
     
  5. caisc

    caisc Well-Known Member

    Got that!

    quizknows, are you using this rule-set that you mentioned on any production server? If yes, how is the response?

    Thanks
     
  6. mariusfv

    mariusfv Member

    Joined:
    Mar 24, 2013
    Messages:
    22
    Likes Received:
    4
    Trophy Points:
    3
    Location:
    Romania
    cPanel Access Level:
    Root Administrator
    Try a smart approach:

    1. Install the CSF firewall on your server (if you haven't already done this).
    2. Activate the firewall and Check Server Security.
    3. Go to CSF -> lfd Blocklist and activate (uncomment, remove the #) HONEYPOT, CIARMY, TOR, OPENBL and other spam/hack IP databases of your choice.
    Remember that some projects are listed in ModSecurity too (HONEYPOT) via API.
    It is not recommended to activate all of them; your server will need a lot of memory (RAM).
    ModSecurity works together with CSF!

    In that way your server will block hundreds of thousands or even millions of spammer/hacker IPs before they touch your server.
     
    Droidism20011, caisc and Infopro like this.
  7. caisc

    caisc Well-Known Member

    Hey mariusfv!

    Many thanks for the suggestion. I have been using CSF for a very long time but completely missed this feature;
    as of now I have enabled the following:
    Code:
    STOPFORUMSPAM|86400|0|http://www.stopforumspam.com/downloads/listed_ip_1.zip
    HONEYPOT|86400|0|http://www.projecthoneypot.org/list_of_ips.php?t=d&rss=1
    
    Do you recommend any other BL to be enabled? The primary issues to deal with are exploit uploads and forum/comment spam.

    Thanks
     
    #7 caisc, Feb 9, 2017
    Last edited by a moderator: Feb 9, 2017
  8. mariusfv

    mariusfv Member

    HONEYPOT in the last few days appears to be in maintenance mode!
    I have used HONEYPOT since 2007 if I remember correctly; now I use TOR and OPENBL too.
    For WordPress protection I recommend you install the WordPress plugin WordFence and a good captcha (I recommend reCAPTCHA by Google) to stop robots posting on your websites.
     
  9. quizknows

    quizknows Well-Known Member

    I use them for wp-login.php and xmlrpc.php, but not for comment pages. It works well for wp-login. I may actually try the rule I gave you on my own sites now :)
     
  10. caisc

    caisc Well-Known Member

    When there are 300+ WP sites on a server it's not possible to ask every end user to install proper plugins; as an admin you know this pain :)

    Actually I wanted to know whether each BL specializes in some area or they are all general, like
    HONEYPOT for spammers
    OPENBL for email spammers etc. etc.

    Also, how does CSF download the updated IP list again, and at what frequency? Will I have to restart CSF for this every time?

    Also thanks quizknows, do update me with your results.
     
  11. quizknows

    quizknows Well-Known Member

    What CSF will do is count ModSecurity failures by IP. If one IP trips too many warnings, as set with LF_MODSEC in csf.conf, it will block the IP automatically. You only need to restart CSF/LFD the first time you enable LF_MODSEC.
     
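    To make the counting concrete, here is an added example (my own code, not CSF's or lfd's, and not from this thread) that reads Apache error_log lines in the ModSecurity 2.x format, keeps only the ModSecurity ones, and flags any IP that trips the rule at least LF_MODSEC times inside an LF_INTERVAL-second window, as lfd does. The log excerpt is constructed, reusing the rule id and msg from the rule posted earlier in the thread with documentation-range IPs; the threshold and interval values are assumptions for the demo, not CSF's defaults.

    ```python
    import re
    from datetime import datetime

    # Constructed Apache error_log excerpt in ModSecurity 2.x format; the rule id and
    # msg are the ones from the rule posted earlier in this thread, IPs are documentation
    # addresses. One non-ModSecurity PHP line is included to show that it is ignored.
    SAMPLE_LOG = """\
    [Fri Feb 10 09:00:01.100000 2017] [:error] [pid 2201] [client 203.0.113.5:51000] [client 203.0.113.5] ModSecurity: Access denied with code 411 (phase 2). Operator RBL matched at REMOTE_ADDR. [file "/etc/apache2/conf.d/modsec/rules.conf"] [line "4"] [id "12345"] [msg "IP on RBL: sbl-xbl.spamhaus.org"] [hostname "example.com"] [uri "/wp-comments-post.php"]
    [Fri Feb 10 09:02:30.200000 2017] [php7:error] [pid 2202] [client 198.51.100.7:40000] PHP Notice:  Undefined index: foo in /home/user/public_html/wp-content/plugins/x.php on line 12
    [Fri Feb 10 09:05:02.300000 2017] [:error] [pid 2203] [client 203.0.113.5:51002] [client 203.0.113.5] ModSecurity: Access denied with code 411 (phase 2). Operator RBL matched at REMOTE_ADDR. [file "/etc/apache2/conf.d/modsec/rules.conf"] [line "4"] [id "12345"] [msg "IP on RBL: sbl-xbl.spamhaus.org"] [hostname "example.com"] [uri "/wp-comments-post.php"]
    [Fri Feb 10 09:06:00.000000 2017] [:error] [pid 2204] [client 198.51.100.7:40002] [client 198.51.100.7] ModSecurity: Access denied with code 411 (phase 2). Operator RBL matched at REMOTE_ADDR. [file "/etc/apache2/conf.d/modsec/rules.conf"] [line "4"] [id "12345"] [msg "IP on RBL: sbl-xbl.spamhaus.org"] [hostname "example.com"] [uri "/wp-trackback.php"]
    [Fri Feb 10 09:10:03.400000 2017] [:error] [pid 2205] [client 203.0.113.5:51004] [client 203.0.113.5] ModSecurity: Access denied with code 411 (phase 2). Operator RBL matched at REMOTE_ADDR. [file "/etc/apache2/conf.d/modsec/rules.conf"] [line "4"] [id "12345"] [msg "IP on RBL: sbl-xbl.spamhaus.org"] [hostname "example.com"] [uri "/wp-comments-post.php"]
    [Fri Feb 10 13:30:00.000000 2017] [:error] [pid 2206] [client 198.51.100.7:40004] [client 198.51.100.7] ModSecurity: Access denied with code 411 (phase 2). Operator RBL matched at REMOTE_ADDR. [file "/etc/apache2/conf.d/modsec/rules.conf"] [line "4"] [id "12345"] [msg "IP on RBL: sbl-xbl.spamhaus.org"] [hostname "example.com"] [uri "/wp-comments-post.php"]
    """

    # Only lines ModSecurity wrote are counted. The second "[client ip]" field (the one
    # without a port, right before "ModSecurity:") carries the address.
    MODSEC_LINE = re.compile(
        r'^\[(?P<ts>[^\]]+)\] \[:error\] .*?\[client (?P<ip>[0-9.]+)\] ModSecurity: '
        r'.*?\[id "(?P<id>\d+)"\]')

    def parse_events(log_text):
        """Return [(timestamp, ip, rule_id)] for ModSecurity lines, skipping everything else."""
        events = []
        for line in log_text.splitlines():
            m = MODSEC_LINE.match(line)
            if m:
                ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S.%f %Y")
                events.append((ts, m.group("ip"), m.group("id")))
        return events

    def offenders(events, lf_modsec=3, lf_interval=3600):
        """IPs with at least lf_modsec hits inside some lf_interval-second window, mapped to
        the count that tripped them. The parameter names mirror csf.conf's LF_MODSEC and
        LF_INTERVAL; the values here are chosen for the demo, check csf.conf for yours."""
        by_ip = {}
        for ts, ip, _ in sorted(events):
            by_ip.setdefault(ip, []).append(ts)
        flagged = {}
        for ip, stamps in by_ip.items():
            start = 0
            for end in range(len(stamps)):  # sliding window over sorted timestamps
                while (stamps[end] - stamps[start]).total_seconds() > lf_interval:
                    start += 1
                if end - start + 1 >= lf_modsec:
                    flagged[ip] = end - start + 1
                    break
        return flagged
    ```

    Running offenders(parse_events(SAMPLE_LOG)) flags 203.0.113.5 (three hits within ten minutes) and leaves 198.51.100.7 alone, because its two hits are hours apart.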
  12. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    37,204
    Likes Received:
    1,296
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
  13. caisc

    caisc Well-Known Member

    For wp-login brute force and xmlrpc requests I also use modsec rules; they work fine.

    After enabling STOPFORUMSPAM and OPENBL in the CSF LFD blocklist I have noticed approx 7-10% lower load on the server.
    Although, because of these 2 blocklists, approx 11k IPs were added to the iptables blocklist, which eats up some resources.

    The benefit is that because of reduced spam activity the MySQL server gets slightly more time to serve genuine requests.
     
    #13 caisc, Feb 10, 2017
    Last edited: Feb 10, 2017