Separate mod_security custom rule per account

Bidi

Well-Known Member
Oct 3, 2012
108
11
68
Romania, Transilvania
cPanel Access Level
DataCenter Provider
Hi guys, I've got a nice question, and I think it will be helpful for anyone :)

I want to add one or more mod_security rules that work only for a domain name or cPanel account, not the entire server.

Example: I want to block some countries, or bad bot agents, or fake traffic, but only for a certain domain name or cPanel account.

I don't want to block all traffic from the blocked country to the entire server.

Is this possible in some way? In cPanel there is a Mod Security option, but only to disable or enable it, not to add a custom rule.
 

linux4me2

Well-Known Member
Aug 21, 2015
259
78
78
USA
cPanel Access Level
Root Administrator
If you don't want to go the plugin route, you can also add a selector based on the domain name to your custom ModSecurity rule with something like the following:
Code:
SecRule SERVER_NAME "thedomain\.com$" "t:lowercase,phase:1,chain,id:1,drop,log,msg:'Blocking %{geo.country_code}'"
SecRule REMOTE_ADDR "@geoLookup" chain
SecRule GEO:COUNTRY_CODE "@pm XX YY ZZ"
You need to replace "thedomain.com" with the domain you want the rule to apply to, change the "id" to a unique number for each of your custom rules, and change "XX," "YY," and "ZZ" to the two-character country codes that you want to block. You can use one or more country codes in there. Of course, you'll also need the GeoIP database path set in your ModSecurity configuration.
 

Bidi

@linux4me2 how about this rule? I'm getting errors when I try to make it work for a domain only.

# Block empty User-Agents.
SecRule &;REQUEST_HEADERS:User-Agent "@eq 0" \
"id:'13009',phase:2,t:none,deny,chain,status:406,log,msg:'Fake Agent - Detectat'"
SecRule REMOTE_ADDR "[email protected] xx.xx.0.0/16"

(xx.xx.0.0/16 is the server IP range)
 

linux4me2

@Bidi, you need to wrap the rule in code tags to make sure what we're looking at is what you're using. You have some extraneous characters in there that don't belong, but I don't know if that's because it's part of the rule you're using, or because it's not in code tags.

I think what you posted should be something like this, but what you'd be telling ModSecurity to do is to block anyone with an empty user agent who is coming from an IP in the specified range, not blocking empty user agents for a specific domain on your server:
Code:
# Block empty User-Agents.
SecRule REQUEST_HEADERS:User-Agent "@eq 0" \
"id:'13009',phase:2,t:none,deny,chain,status:406,log,msg:'Fake Agent - Detectat'"
SecRule REMOTE_ADDR "[email protected] xx.xx.0.0/16"
Maybe I misunderstood what you're trying to block. If you want the rule to apply only to your server, you would use SERVER_ADDR instead of REMOTE_ADDR. You're using an awfully high number for the ID. The range 1-99,999 is reserved for custom rules, but do you really have 13,008 other rules? If this is your first custom rule, you can just use an ID of "1" and number them consecutively as you add new ones.
 

Bidi

@linux4me2 thank you, the rule I use is for the entire server, but I don't keep it active 24/24, just in emergency cases when someone plays with fake traffic on some websites and they get "Resource usage limite...." and the website dies, but not when this rule is on.

I just set the ID randomly, I just added a number there :). What I wanted is to set that rule only for the domain I want, and I tried, but I get mod_sec errors.

In REMOTE_ADDR I added my IP ranges, to skip the rule if the remote address is from my range of IPs.

Yes, the rule is the way you said, it blocks empty user agents, not for a specific domain; what I am trying to do is to specify somehow the domain name to which the rule applies.

Can you give me a hint? Or a hand, please?

Thank you.
 

linux4me2

If you just want to block empty user agents for one domain, you can try the following:
Code:
# Block empty User-Agents.
SecRule REQUEST_HEADERS:User-Agent "@eq 0" \
"id:'13009',phase:2,t:none,deny,chain,status:406,log,msg:'Fake Agent - Detectat'"
SecRule SERVER_NAME "thedomain\.com$" "t:lowercase"
Replace "thedomain\.com" with the domain on your server for which you want the rule to take effect.

If that gives you a ModSecurity error, you can post what the error is, and I'll take a look, but you may need to get help from someone who knows more about ModSecurity than I. :)
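
One way to write the per-domain rule so that it counts the header instead of comparing its value (an added example, not code from the thread). The `&` prefix makes ModSecurity count the `User-Agent` headers; without it, `@eq 0` is applied to the header's value, and a non-numeric value converts to 0. The domain, the rule ids and the 192.0.2.0/24 range are placeholders.

```apache
# Added example. Placeholders: thedomain.com, ids 13009/13010, 192.0.2.0/24.
# In a chain, id, phase and the disruptive action (deny) go on the first rule;
# the request is denied only if every rule in the chain matches.

# Rule A: the request is for thedomain.com (or a subdomain), carries no
# User-Agent header at all, and does not come from the server's own range.
# The (?:^|\.) anchor stops "notthedomain.com" from matching.
SecRule SERVER_NAME "@rx (?:^|\.)thedomain\.com$" \
    "id:13009,phase:1,t:none,t:lowercase,deny,status:406,log,\
    msg:'Missing User-Agent on thedomain.com',chain"
    SecRule &REQUEST_HEADERS:User-Agent "@eq 0" "t:none,chain"
        SecRule REMOTE_ADDR "!@ipMatch 192.0.2.0/24" "t:none"

# Rule B: same scope, but the header is present with an empty value.
# Here the value itself is tested, so there is no & prefix.
SecRule SERVER_NAME "@rx (?:^|\.)thedomain\.com$" \
    "id:13010,phase:1,t:none,t:lowercase,deny,status:406,log,\
    msg:'Empty User-Agent on thedomain.com',chain"
    SecRule REQUEST_HEADERS:User-Agent "@rx ^$" "t:none,chain"
        SecRule REMOTE_ADDR "!@ipMatch 192.0.2.0/24" "t:none"
```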
 

Bidi

Hi @linux4me2, when I add the rule I get this :)

Not Acceptable
An appropriate representation of the requested resource / could not be found on this server.

Additionally, a 406 Not Acceptable error was encountered while trying to use an ErrorDocument to handle the request.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,228
463
Hi, well it's not; when I try to access the website, even myself, I get that error :) it blocks the entire traffic.
Could you verify the specific steps you have taken thus far? For instance, are you using the plugin referenced earlier in this thread?

Thank you.