modsec rule for POST /cgi-bin/php

sehh

Well-Known Member
Feb 11, 2006
579
6
168
Europe
Has anyone made a modsecurity rule to block requests of this type?

POST /cgi-bin/php
POST /cgi-bin/php5
POST /cgi-bin/php-cgi
POST /cgi-bin/php.cgi
POST /cgi-bin/php4

I'm looking for one already made please.

Thank you.
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
Here you go:

Code:
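# Deny with HTTP 500 any POST whose URI contains /cgi-bin/php, optionally followed by 4, 5, -cgi or .cgi.
# The pattern is unanchored; the chained second rule restricts the match to POST requests.
SecRule REQUEST_URI "/cgi-bin/php(4|5|-cgi|\.cgi)?" "deny,chain,status:500,id:3927835,msg:'cgi-bin POST'"
SecRule REQUEST_METHOD "POST"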
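
An added example, not part of the original post: a Python model of the chained rule above, run over constructed requests, to show which requests the posted pattern blocks and which unrelated paths it also catches because it is unanchored. The `ANCHORED` variant and the sample script names are assumptions, not from the thread; note that REQUEST_URI includes the query string.

```python
import re

# Pattern exactly as posted in the thread (searched anywhere in REQUEST_URI).
POSTED = r"/cgi-bin/php(4|5|-cgi|\.cgi)?"
# Assumed tighter variant (not from the thread): the whole path must be one of
# the five interpreter names, optionally followed by a query string.
ANCHORED = r"^/cgi-bin/php(?:4|5|-cgi|\.cgi)?(?:\?|$)"


def chain_matches(pattern, method, uri):
    """Model the chain: REQUEST_URI regex AND REQUEST_METHOD regex "POST"."""
    uri_hit = re.search(pattern, uri) is not None
    method_hit = re.search("POST", method) is not None
    return uri_hit and method_hit


# Constructed sample requests: (method, uri, should_block)
SAMPLES = [
    ("POST", "/cgi-bin/php", True),
    ("POST", "/cgi-bin/php5", True),
    ("POST", "/cgi-bin/php-cgi", True),
    ("POST", "/cgi-bin/php.cgi", True),
    ("POST", "/cgi-bin/php4", True),
    ("POST", "/cgi-bin/php5?a=1", True),             # query string is part of REQUEST_URI
    ("GET", "/cgi-bin/php", False),                  # the chain only targets POST
    ("POST", "/cgi-bin/phpmailer.cgi", False),       # hypothetical legitimate script
    ("POST", "/shop/cgi-bin/php-stats.pl", False),   # hypothetical legitimate script
    ("POST", "/index.php", False),
]


def evaluate(pattern):
    """Return (probes missed, legitimate requests blocked) for a pattern."""
    missed = [u for m, u, block in SAMPLES
              if block and not chain_matches(pattern, m, u)]
    false_pos = [u for m, u, block in SAMPLES
                 if not block and chain_matches(pattern, m, u)]
    return missed, false_pos


if __name__ == "__main__":
    for name, pat in (("posted", POSTED), ("anchored", ANCHORED)):
        missed, false_pos = evaluate(pat)
        print(f"{name:9} missed={missed} false_positives={false_pos}")
```
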
 

Archmactrix

Well-Known Member
Jan 20, 2012
138
2
68
cPanel Access Level
Root Administrator
Thank you!

I wish I could stop those requests completely or make it so that they stopped within milliseconds after only a few requests, instead of within a few seconds.
 

sehh

I'm using a final rule, which calls a small C program that adds the IP address to the iptables firewall. So the very first request will block the IP permanently. Have you tried something like that?

Here is my rule:

Code:
# Ban IP address on status 406 or 501
SecRule RESPONSE_STATUS "^406$" "phase:5,nolog,allow,exec:/opt/blacklist-webclient/blacklist-webclient,id:1234123475"
SecRule RESPONSE_STATUS "^501$" "phase:5,nolog,allow,exec:/opt/blacklist-webclient/blacklist-webclient,id:1234123476"
 

quizknows

I usually just use CSF with LF_MODSEC enabled with a trigger of 3 to 5 hits. I like the idea of calling a custom script, but normally the bots make at least a few requests, so I just let CSF take care of the blocking.

Now that I made this rule, I'm seeing a ton of these scans too, so I started using it on my own servers.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,268
463
Hello :)

Thank you for sharing a solution. I am marking this thread as [Resolved] but continued discussion is welcome if necessary.