modsec rule for POST /cgi-bin/php

sehh

Well-Known Member
Feb 11, 2006
579
5
168
Europe
Has anyone made a modsecurity rule to block requests of this type?

POST /cgi-bin/php
POST /cgi-bin/php5
POST /cgi-bin/php-cgi
POST /cgi-bin/php.cgi
POST /cgi-bin/php4

I'm looking for one already made please.

Thank you.
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
Here you go:

Code:
SecRule REQUEST_URI "/cgi-bin/php(4|5|-cgi|\.cgi)?" "deny,chain,status:500,id:3927835,msg:'cgi-bin POST'"
SecRule REQUEST_METHOD "POST"
 

Archmactrix

Well-Known Member
Jan 20, 2012
138
2
68
cPanel Access Level
Root Administrator
Thank you!

I wish I could stop those requests completely or make it so that they stopped within milliseconds after only few requests, instead of within few seconds.
 

sehh

Well-Known Member
Feb 11, 2006
579
5
168
Europe
I'm using a final rule, which calls a small C program that adds the IP address to the iptables firewall. So the very first request will block the IP permanently. Have you tried something like that?

Here is my rule:

Code:
# Ban IP address on status 406 or 501
SecRule RESPONSE_STATUS "^406$" "phase:5,nolog,allow,exec:/opt/blacklist-webclient/blacklist-webclient,id:1234123475"
SecRule RESPONSE_STATUS "^501$" "phase:5,nolog,allow,exec:/opt/blacklist-webclient/blacklist-webclient,id:1234123476"
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
I usually just use CSF with LF_MODSEC enabled with a trigger of 3 to 5 hits. I like the idea of calling a custom script, but normally the bots make at least a few requests, so I just let CSF take care of the blocking.

Now that I made this rule, I'm seeing a ton of these scans too, so I started using it on my own servers.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,201
363
Hello :)

Thank you for sharing a solution. I am marking this thread as [Resolved] but continued discussion is welcome if necessary.