The Community Forums


modsec rule for POST /cgi-bin/php

Discussion in 'Security' started by sehh, Dec 20, 2013.

  1. sehh

    sehh Well-Known Member

    Has anyone made a modsecurity rule to block requests of this type?

    POST /cgi-bin/php
    POST /cgi-bin/php5
    POST /cgi-bin/php-cgi
    POST /cgi-bin/php.cgi
    POST /cgi-bin/php4

    I'm looking for one already made please.

    Thank you.
     
  2. quizknows

    quizknows Well-Known Member

    Here you go:

    Code:
    # Deny POST requests to /cgi-bin/php, php4, php5, php-cgi or php.cgi.
    # The first rule matches the path and carries the actions; "chain" makes it
    # fire only if the second rule (request method is POST) also matches.
    SecRule REQUEST_URI "/cgi-bin/php(4|5|-cgi|\.cgi)?" "deny,chain,status:500,id:3927835,msg:'cgi-bin POST'"
    SecRule REQUEST_METHOD "POST"
     
  3. sehh

    sehh Well-Known Member

    Thank you! :)
     
  4. Archmactrix

    Archmactrix Well-Known Member

    Thank you!

    I wish I could stop those requests completely or make it so that they stopped within milliseconds after only a few requests, instead of within a few seconds.
     
  5. sehh

    sehh Well-Known Member

    I'm using a final rule, which calls a small C program that adds the IP address to the iptables firewall. So the very first request will block the IP permanently. Have you tried something like that?

    Here is my rule:

    Code:
    # Ban IP address on status 406 or 501
    SecRule RESPONSE_STATUS "^406$" "phase:5,nolog,allow,exec:/opt/blacklist-webclient/blacklist-webclient,id:1234123475"
    SecRule RESPONSE_STATUS "^501$" "phase:5,nolog,allow,exec:/opt/blacklist-webclient/blacklist-webclient,id:1234123476"
    
     
  6. quizknows

    quizknows Well-Known Member

    I usually just use CSF with LF_MODSEC enabled with a trigger of 3 to 5 hits. I like the idea of calling a custom script, but normally the bots make at least a few requests, so I just let CSF take care of the blocking.

    Now that I made this rule, I'm seeing a ton of these scans too, so I started using it on my own servers.
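The hit-count approach discussed above (CSF's LF_MODSEC trigger of a few hits per IP), as an added example that is not from this thread: a Python script that applies the same /cgi-bin/php path pattern as quizknows' rule to Apache combined-format access log lines and reports the source IPs that reach the trigger count. The log lines, the IP addresses and the trigger value of 3 are constructed for the example.

```python
import re
from collections import Counter

# Same path pattern as the forum rule, anchored to the whole request path so
# "/cgi-bin/php5something" does not count; a query string is tolerated.
CGI_PHP_RE = re.compile(r'^/cgi-bin/php(4|5|-cgi|\.cgi)?(\?.*)?$')

# Apache "combined" log format: ip - - [time] "METHOD PATH PROTO" status bytes ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def is_cgi_php_probe(line):
    """Return (ip, path) if the line is a POST to a /cgi-bin/php* handler, else None."""
    m = LOG_RE.match(line)
    if not m or m.group('method') != 'POST':
        return None
    if not CGI_PHP_RE.match(m.group('path')):
        return None
    return m.group('ip'), m.group('path')


def ips_over_threshold(lines, trigger=3):
    """Count matching probes per source IP and return those at or above `trigger`,
    mirroring a CSF-style LF_MODSEC trigger of 3 to 5 hits."""
    hits = Counter()
    for line in lines:
        probe = is_cgi_php_probe(line)
        if probe:
            hits[probe[0]] += 1
    return {ip: n for ip, n in hits.items() if n >= trigger}


# Constructed sample log lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [20/Dec/2013:10:00:01 +0000] "POST /cgi-bin/php HTTP/1.1" 500 0 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Dec/2013:10:00:02 +0000] "POST /cgi-bin/php5 HTTP/1.1" 500 0 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Dec/2013:10:00:02 +0000] "POST /cgi-bin/php-cgi HTTP/1.1" 500 0 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Dec/2013:10:00:05 +0000] "GET /cgi-bin/php HTTP/1.1" 404 0 "-" "curl/7.30"
198.51.100.7 - - [20/Dec/2013:10:00:06 +0000] "POST /cgi-bin/php.cgi HTTP/1.1" 500 0 "-" "curl/7.30"
192.0.2.9 - - [20/Dec/2013:10:00:07 +0000] "POST /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for ip, n in ips_over_threshold(SAMPLE_LOG).items():
        print(f"{ip}: {n} cgi-bin php POSTs")
```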
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member
