
mod_security rules

Discussion in 'Security' started by Jimmyftw, Jan 25, 2006.

  1. Jimmyftw

    Jimmyftw Active Member

    Joined:
    Jan 18, 2006
    Messages:
    26
    Likes Received:
    0
    Trophy Points:
    1
    Is there any way to create rules in mod_security that will block an IP from the server completely if they are found to be accessing a certain address or access it more than once?
     
  2. celliott

    celliott Well-Known Member

    Joined:
    Jan 2, 2006
    Messages:
    460
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    United Kingdom
    Why not just ban the IP on your firewall?
     
  3. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Indeed, that's not what mod_security is for. As celliott says, use your iptables firewall (if you're using linux) or block using the standard apache allow/deny directives in httpd.conf.
     
  4. sh4ka

    sh4ka Well-Known Member

    Joined:
    May 12, 2005
    Messages:
    442
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    US
    cPanel Access Level:
    DataCenter Provider
    It would be great to make some rule to communicate an "x" attacker IP (when mod security already detected apache is being attacked) with the firewall rules to automatically block those bad guys... Does anyone know how to do this with for example APF?

    thkz!
     
  5. Jimmyftw

    Jimmyftw Active Member

    Joined:
    Jan 18, 2006
    Messages:
    26
    Likes Received:
    0
    Trophy Points:
    1
    I was just curious if it could be made to block an IP via iptables. Blocking them manually is typically a fruitless effort as most are using proxies which change every day, but if I can identify certain rules to block an IP after one or two attempts it could stop their scan of a bunch of other addresses on the server at the time.
     
  6. xisn

    xisn Well-Known Member

    Joined:
    Dec 4, 2004
    Messages:
    128
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    Add it into APF.. Works great for us...
     
  7. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    LOL! ROFL! Sorry about the laughing .... there is sort of an inside joke related
    to your comment but I will do my best to try to explain:

    Our hosting service developed a new technology that allows us to see backwards
    through any proxy server or even a chain of proxy servers back to the real IP
    effectively rendering all anonymous / privacy type services totally useless.

    It's pretty funny to watch bad users try to beat our bans. Most give up quickly
    but we had one guy keep trying for 3 weeks before he finally gave up while
    we just sat back and enjoyed the show. :)
     
  8. sh4ka

    sh4ka Well-Known Member

    Joined:
    May 12, 2005
    Messages:
    442
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    US
    cPanel Access Level:
    DataCenter Provider
    How did you do it?? Please tell us :D

     
  9. rpmws

    rpmws Well-Known Member

    Joined:
    Aug 14, 2001
    Messages:
    1,824
    Likes Received:
    5
    Trophy Points:
    38
    Location:
    back woods of NC, USA
    huh??? how??
     
  10. celliott

    celliott Well-Known Member

    Joined:
    Jan 2, 2006
    Messages:
    460
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    United Kingdom
    If you have APF installed on your system you should know the basic commands to make proper use of it.

    Go into ssh as root and type "apf -d xx.xx.xxx.x.xx" without quotes, obviously. Replace xx.xx etc. with the IP or host you wish to ban. This will add the entry into iptables. You should then reload apf by running /usr/local/sbin/apf -s
     
  11. mctDarren

    mctDarren Well-Known Member

    Joined:
    Jan 6, 2004
    Messages:
    664
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    New Jersey
    cPanel Access Level:
    Root Administrator
    I think he meant how did user Spiral implement his anti-proxy technology. :D
     
  12. sh4ka

    sh4ka Well-Known Member

    Joined:
    May 12, 2005
    Messages:
    442
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    US
    cPanel Access Level:
    DataCenter Provider
    Of course I know this, :S
    Like the other guy said... It would be great to communicate with APF and automatically ban an offending IP taken from the mod_security logs, I mean, automatically :)

    Anyone have some ideas about how it can be done?

    thkz!
     
  13. richy

    richy Well-Known Member

    Joined:
    Jun 30, 2003
    Messages:
    276
    Likes Received:
    1
    Trophy Points:
    16
    If you use BFD (from RFXNetworks - like APF), you can then add a rule to scan the Apache logs and if a certain string appears more than a certain amount, it can auto-add the IP address to the firewall blocklist (I've configured BFD to scan my exim_rejectlog for "Mail delivery failed due to listing in RBL ...." style messages and auto-blacklist after 5 mails: the amount of processing my server has to do scanning email has slumped! Wouldn't recommend this way for a shared hosting environment though as it's a bit too "paranoid").
     
  14. sh4ka

    sh4ka Well-Known Member

    Joined:
    May 12, 2005
    Messages:
    442
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    US
    cPanel Access Level:
    DataCenter Provider
    Can you give us details about how you configured it, maybe an example rule?

    thkz!
     
  15. budway

    budway Well-Known Member

    Joined:
    Apr 16, 2003
    Messages:
    186
    Likes Received:
    0
    Trophy Points:
    16
    That would not work well since WHM + mod-sec uses a db to store audit_log after a while.

    I'm looking to implement this; I have seen more than 5 violations per sec in my logs.
     
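The automatic log-to-firewall hand-off that sh4ka asks for, richy describes with BFD, and celliott's `apf -d` / `apf -s` commands perform by hand can be sketched as one small POSIX shell script. This is an added example, not code from the thread or from APF/BFD: it counts mod_security "Access denied" entries per client IP in Apache error_log-style lines, and for every IP at or above a threshold prints the `apf -d` command (plus the `apf -s` reload celliott mentions) instead of running it, so an admin can review the list before anything is banned. The log lines, IP addresses, the threshold, and the function names `offenders` and `ban_commands` are all constructed for this example.

```sh
#!/bin/sh
# Added example (not from the thread, APF or BFD). Counts mod_security denials
# per client IP and prints the APF ban commands for repeat offenders as a dry run.

# Constructed sample lines in the Apache error_log format that mod_security 1.x
# writes (the "[client IP]" field is what we key on). Not real traffic.
SAMPLE_LOG='[Wed Jan 25 10:00:01 2006] [error] [client 192.0.2.10] mod_security: Access denied with code 403. Pattern match "probe" at REQUEST_URI [uri "/probe1"]
[Wed Jan 25 10:00:02 2006] [error] [client 192.0.2.10] mod_security: Access denied with code 403. Pattern match "probe" at REQUEST_URI [uri "/probe2"]
[Wed Jan 25 10:00:03 2006] [error] [client 198.51.100.7] mod_security: Access denied with code 403. Pattern match "probe" at REQUEST_URI [uri "/index.php"]
[Wed Jan 25 10:00:04 2006] [error] [client 192.0.2.10] mod_security: Access denied with code 403. Pattern match "probe" at REQUEST_URI [uri "/probe3"]
[Wed Jan 25 10:00:05 2006] [error] [client 203.0.113.5] File does not exist: /home/user/public_html/favicon.ico'

# offenders LOG THRESHOLD
# Prints one IP per line for every client with at least THRESHOLD
# mod_security denials in LOG (a string; pass "$(cat error_log)" for a file).
# Lines that are not mod_security denials (e.g. plain 404s) are ignored.
offenders() {
    log="$1"
    threshold="$2"
    printf '%s\n' "$log" \
        | grep 'mod_security: Access denied' \
        | sed -n 's/.*\[client \([0-9.]*\)\].*/\1/p' \
        | sort | uniq -c \
        | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# ban_commands LOG THRESHOLD
# Dry run: prints the APF commands an operator (or a cron job) would run.
# Replace the printf with the real command only after reviewing the output.
ban_commands() {
    offenders "$1" "$2" | while read -r ip; do
        printf 'apf -d %s\n' "$ip"
    done
    # celliott's reload step; printed rather than executed, like the bans above.
    printf '/usr/local/sbin/apf -s\n'
}

# Demo: with a threshold of 3 only 192.0.2.10 (3 denials) is listed;
# 198.51.100.7 has a single denial and 203.0.113.5 only a 404.
ban_commands "$SAMPLE_LOG" 3
```

To run it against a real server, replace `$SAMPLE_LOG` with the contents of your Apache error log (on a cPanel box that is assumed to be `/usr/local/apache/logs/error_log`; check your httpd.conf). Two caveats follow from the thread itself: budway notes that WHM eventually moves mod_security's audit_log into a database, so a text-scanning approach like this (or BFD's) only works while denials are still written to a plain log file; and richy's warning about being "too paranoid" on shared hosting applies here too, since a low threshold will ban a NAT gateway or corporate proxy along with the one bad client behind it. Keeping the script as a dry run, or feeding its output to a short-lived deny list rather than a permanent one, limits the damage from a false positive.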