modsec rule for POST /cgi-bin/php

Discussion in 'Security' started by sehh, Dec 20, 2013.

  1. sehh

    sehh Well-Known Member

    Has anyone made a modsecurity rule to block requests of this type?

    POST /cgi-bin/php
    POST /cgi-bin/php5
    POST /cgi-bin/php-cgi
    POST /cgi-bin/php.cgi
    POST /cgi-bin/php4

    I'm looking for one already made please.

    Thank you.
     
  2. quizknows

    quizknows Well-Known Member

    Here you go:

    Code:
     
    SecRule REQUEST_URI "/cgi-bin/php(4|5|-cgi|\.cgi)?" "deny,chain,status:500,id:3927835,msg:'cgi-bin POST'"
    SecRule REQUEST_METHOD "POST" 
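
The matching behaviour of the chained rule above, as an added example that is not part of the original post: `@rx` searches anywhere in REQUEST_URI, so the posted pattern also fires on longer names that merely contain `/cgi-bin/php`. The `ANCHORED` pattern and every sample request are assumptions constructed for this illustration.

```python
import re

# Pattern copied from the rule in the post. ModSecurity's default @rx operator
# is an unanchored search over REQUEST_URI (path plus query string).
POSTED = re.compile(r"/cgi-bin/php(4|5|-cgi|\.cgi)?")

# Assumed tightening (not from the thread): anchor at the start of the URI and
# require the script name to end at end-of-URI, "?" or "/".
ANCHORED = re.compile(r"^/cgi-bin/php(?:4|5|-cgi|\.cgi)?(?:$|[?/])")

# Constructed sample requests: (method, REQUEST_URI).
SAMPLES = [
    ("POST", "/cgi-bin/php"),
    ("POST", "/cgi-bin/php5"),
    ("POST", "/cgi-bin/php-cgi"),
    ("POST", "/cgi-bin/php.cgi"),
    ("POST", "/cgi-bin/php4"),
    ("POST", "/cgi-bin/php5?x=1"),             # query string is part of REQUEST_URI
    ("GET", "/cgi-bin/php"),                   # chain fails: method is not POST
    ("POST", "/cgi-bin/phpmailer-form.cgi"),   # legitimate-looking script name
    ("POST", "/shop/cgi-bin/php-contact.pl"),  # pattern appears mid-path
]


def would_deny(pattern, method, uri):
    """Both links of the chain must match for the deny action to run."""
    return bool(pattern.search(uri)) and bool(re.search("POST", method))


def compare(samples):
    """Return (method, uri, posted_denies, anchored_denies) for each sample."""
    return [
        (m, u, would_deny(POSTED, m, u), would_deny(ANCHORED, m, u))
        for m, u in samples
    ]


if __name__ == "__main__":
    print(f"{'method':<6} {'uri':<32} {'posted':<7} anchored")
    for method, uri, posted, anchored in compare(SAMPLES):
        print(f"{method:<6} {uri:<32} {str(posted):<7} {anchored}")
```
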
    
     
  3. sehh

    sehh Well-Known Member

    Thank you! :)
     
  4. Archmactrix

    Archmactrix Well-Known Member

    Thank you!

    I wish I could stop those requests completely or make it so that they stopped within milliseconds after only a few requests, instead of within a few seconds.
     
  5. sehh

    sehh Well-Known Member

    I'm using a final rule, which calls a small C program that adds the IP address to the iptables firewall. So the very first request will block the IP permanently. Have you tried something like that?

    Here is my rule:

    Code:
    # Ban IP address on status 406 or 501
    SecRule RESPONSE_STATUS "^406$" "phase:5,nolog,allow,exec:/opt/blacklist-webclient/blacklist-webclient,id:1234123475"
    SecRule RESPONSE_STATUS "^501$" "phase:5,nolog,allow,exec:/opt/blacklist-webclient/blacklist-webclient,id:1234123476"
    
     
  6. quizknows

    quizknows Well-Known Member

    I usually just use CSF with LF_MODSEC enabled with a trigger of 3 to 5 hits. I like the idea of calling a custom script, but normally the bots make at least a few requests, so I just let CSF take care of the blocking.

    Now that I made this rule, I'm seeing a ton of these scans too, so I started using it on my own servers.
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    Thank you for sharing a solution. I am marking this thread as [Resolved] but continued discussion is welcome if necessary.
     