The Community Forums

Interact with an entire community of cPanel & WHM users!

Separate mod_security custom rule per account

Discussion in 'Security' started by Bidi, Nov 10, 2016.

  1. Bidi

    Bidi Well-Known Member

    Joined:
    Oct 3, 2012
    Messages:
    57
    Likes Received:
    1
    Trophy Points:
    8
    Location:
    Romania, Transilvania
    cPanel Access Level:
    DataCenter Provider
    Hi guys, I've got a nice question which I think will be helpful for anyone :)

    I want to add one or more mod_security rules that work only for a domain name or cPanel account, not the entire server.

    Example: I want to block some countries, or bad bot agents, or fake traffic, but only for a certain domain name or cPanel account.

    I don't want to block all traffic from the blocked country to the entire server.

    Is this possible in some way? In cPanel there is a ModSecurity option, but only to disable or enable it, not to add a custom rule.
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    37,064
    Likes Received:
    1,287
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
  3. linux4me2

    linux4me2 Well-Known Member

    Joined:
    Aug 21, 2015
    Messages:
    149
    Likes Received:
    34
    Trophy Points:
    28
    Location:
    USA
    cPanel Access Level:
    Root Administrator
    If you don't want to go the plugin route, you can also add a selector based on the domain name to your custom ModSecurity rule with something like the following:
    Code:
    SecRule SERVER_NAME "thedomain\.com$" "t:lowercase,phase:1,chain,id:1,drop,log,msg:'Blocking %{geo.country_code}'"
    SecRule REMOTE_ADDR "@geoLookup" chain
    SecRule GEO:COUNTRY_CODE "@pm XX YY ZZ"
    
    You need to replace "thedomain.com" with the domain you want the rule to apply to, change the "id" to a unique number for each of your custom rules, and change "XX," "YY," and "ZZ" to the two-character country codes that you want to block. You can use one or more country codes in there. Of course, you'll also need the GeoIP database path set in your ModSecurity configuration.
     
  4. Bidi

    Lovely :D I think I will try both of them :D to see which one is handier for us.
     
  5. Bidi

    @linux4me2 how about this rule? I'm getting errors when I try to make it work for one domain only.

    Code:
    # Block empty User-Agents.
    # The leading & turns the variable into a count of User-Agent headers, so "@eq 0" means "no User-Agent header".
    SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
    "id:'13009',phase:2,t:none,deny,chain,status:406,log,msg:'Fake Agent - Detectat'"
    SecRule REMOTE_ADDR "!@ipMatch xx.xx.0.0/16"

    (xx.xx.0.0/16 is the server IP range)
     
  6. linux4me2

    @Bidi, you need to wrap the rule in code tags to make sure what we're looking at is what you're using. You have some extraneous characters in there that don't belong, but I don't know if that's because it's part of the rule you're using, or because it's not in code tags.

    I think what you posted should be something like this, but what you'd be telling ModSecurity to do is to block anyone with an empty user agent who is coming from an IP in the specified range, not blocking empty user agents for a specific domain on your server:
    Code:
    # Block empty User-Agents.
    SecRule REQUEST_HEADERS:User-Agent "@eq 0" \
    "id:'13009',phase:2,t:none,deny,chain,status:406,log,msg:'Fake Agent - Detectat'"
    SecRule REMOTE_ADDR "!@ipMatch xx.xx.0.0/16"
    
    Maybe I misunderstood what you're trying to block. If you want the rule to apply only to your server, you would use SERVER_ADDR instead of REMOTE_ADDR. You're using an awfully high number for the ID. The range 1-99,999 is reserved for custom rules, but do you really have 13,008 other rules? If this is your first custom rule, you can just use an ID of "1" and number them consecutively as you add new ones.
     
  7. Bidi

    @linux4me2 thank you. The rule I use is for the entire server, but I don't keep it active 24/7, just in emergency cases when someone plays with fake traffic on some websites and they get "Resource usage limit..." and the website dies, but not when this rule is on.

    The ID I just set randomly, I just added a number there :). What I wanted is to set that rule only for the domain I want, and I tried, but I get mod_sec errors.

    The REMOTE_ADDR I added with my IP ranges to skip the rule if the remote_addr is from my range of IPs.

    Yes, the rule is the way you said, it blocks empty user agents, not for a specific domain. What I'm trying to do is to specify somehow the domain name on which to apply the rule.

    Can you give me a hint? Or a hand, please?

    Thank you.
     
  8. linux4me2

    If you just want to block empty user agents for one domain, you can try the following:
    Code:
    # Block empty User-Agents.
    SecRule REQUEST_HEADERS:User-Agent "@eq 0" \
    "id:'13009',phase:2,t:none,deny,chain,status:406,log,msg:'Fake Agent - Detectat'"
    SecRule SERVER_NAME "thedomain\.com$" "t:lowercase"
    
    Replace "thedomain\.com" with the domain on your server for which you want the rule to take effect.

    If that gives you a ModSecurity error, you can post what the error is, and I'll take a look, but you may need to get help from someone who knows more about ModSecurity than I. :)
     
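The way this chain and the per-domain country chain from post 3 behave is easier to see by running the rule semantics over a few requests. The following is an added example written for this edit, not code from cPanel or the ModSecurity project: a toy Python model of SecRule variable resolution, the `&` count prefix, the @eq, @rx, @ipMatch and @pm operators, t:lowercase, and chaining. In ModSecurity, @eq is a numeric comparison that treats a value which cannot be converted to an integer as 0, so `REQUEST_HEADERS:User-Agent "@eq 0"` matches an ordinary browser User-Agent such as "Mozilla/5.0", whereas `&REQUEST_HEADERS:User-Agent "@eq 0"` counts the header occurrences and matches only when the header is absent. The sample requests, IP addresses and country codes are constructed, and the @geoLookup step is stubbed to return the country code carried on the sample request.

```python
"""Toy model of how ModSecurity evaluates the chained SecRules from this thread.

Added example (not cPanel's or ModSecurity's code). It models just enough of the
SecRule semantics to show which requests each chain would block.
"""
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class Request:
    """Constructed stand-in for the request ModSecurity inspects."""
    server_name: str
    remote_addr: str
    headers: dict = field(default_factory=dict)
    country_code: str = ""  # what @geoLookup would populate in GEO:COUNTRY_CODE


@dataclass
class Rule:
    variable: str           # e.g. "SERVER_NAME" or "&REQUEST_HEADERS:User-Agent"
    operator: str           # e.g. "@eq 0", "!@ipMatch 10.0.0.0/8", or a plain regex (@rx)
    transforms: tuple = ()  # e.g. ("lowercase",)


def resolve(variable, req):
    """Return the values a variable spec expands to; a leading '&' yields the count instead."""
    count = variable.startswith("&")
    name = variable.lstrip("&")
    if name == "SERVER_NAME":
        values = [req.server_name]
    elif name == "REMOTE_ADDR":
        values = [req.remote_addr]
    elif name.startswith("REQUEST_HEADERS:"):
        wanted = name.split(":", 1)[1].lower()
        values = [v for k, v in req.headers.items() if k.lower() == wanted]
    elif name == "GEO:COUNTRY_CODE":
        values = [req.country_code] if req.country_code else []
    else:
        raise ValueError(f"unsupported variable {name!r} in this toy model")
    return [str(len(values))] if count else values


def as_int(value):
    """Mimic @eq's conversion: a value that is not an integer is treated as 0."""
    m = re.match(r"\s*[-+]?\d+", value)
    return int(m.group()) if m else 0


def operator_matches(operator, value):
    """Evaluate one operator (with optional '!' negation) against one value."""
    negate = operator.startswith("!")
    op = operator.lstrip("!")
    if op.startswith("@eq "):
        hit = as_int(value) == int(op[4:])
    elif op.startswith("@ipMatch "):
        hit = any(ipaddress.ip_address(value) in ipaddress.ip_network(n, strict=False)
                  for n in op[9:].split(","))
    elif op.startswith("@pm "):  # case-insensitive phrase match
        hit = any(w.lower() in value.lower() for w in op[4:].split())
    elif op == "@geoLookup":     # stub: the lookup "succeeds"; the next rule reads GEO:COUNTRY_CODE
        hit = True
    else:                        # the default operator is @rx
        hit = re.search(op, value) is not None
    return not hit if negate else hit


def rule_matches(rule, req):
    """A rule matches if the operator matches any of the variable's (transformed) values."""
    for value in resolve(rule.variable, req):
        for t in rule.transforms:
            if t == "lowercase":
                value = value.lower()
        if operator_matches(rule.operator, value):
            return True
    return False


def chain_blocks(chain, req):
    """A chain fires (and its disruptive action applies) only if every rule in it matches."""
    return all(rule_matches(r, req) for r in chain)


# The per-domain empty-User-Agent chain as posted (no '&'), and with the count prefix.
POSTED_CHAIN = [
    Rule("REQUEST_HEADERS:User-Agent", "@eq 0", ("none",)),
    Rule("SERVER_NAME", r"thedomain\.com$", ("lowercase",)),
]
COUNTING_CHAIN = [
    Rule("&REQUEST_HEADERS:User-Agent", "@eq 0", ("none",)),
    Rule("SERVER_NAME", r"thedomain\.com$", ("lowercase",)),
]
# The per-domain country block from post 3 (country codes are constructed placeholders).
GEO_CHAIN = [
    Rule("SERVER_NAME", r"thedomain\.com$", ("lowercase",)),
    Rule("REMOTE_ADDR", "@geoLookup"),
    Rule("GEO:COUNTRY_CODE", "@pm XX YY ZZ"),
]

# Constructed sample requests (documentation-range IP, made-up country codes).
BROWSER = Request("www.thedomain.com", "203.0.113.9", {"User-Agent": "Mozilla/5.0"}, "XX")
NO_UA = Request("www.thedomain.com", "203.0.113.9", {}, "AA")
OTHER_SITE = Request("other.example", "203.0.113.9", {}, "XX")


def summary():
    """Which chain blocks which request; the posted chain blocks the normal browser too."""
    return {
        "posted_blocks_browser": chain_blocks(POSTED_CHAIN, BROWSER),
        "counting_blocks_browser": chain_blocks(COUNTING_CHAIN, BROWSER),
        "counting_blocks_no_ua": chain_blocks(COUNTING_CHAIN, NO_UA),
        "counting_blocks_other_site": chain_blocks(COUNTING_CHAIN, OTHER_SITE),
        "geo_blocks_browser_from_XX": chain_blocks(GEO_CHAIN, BROWSER),
        "geo_blocks_other_site": chain_blocks(GEO_CHAIN, OTHER_SITE),
    }


if __name__ == "__main__":
    for name, blocked in summary().items():
        print(f"{name}: {blocked}")
```

Running it shows the chain without `&` blocking the browser request on thedomain.com, the counting chain blocking only the request with no User-Agent header, and neither per-domain chain touching a request for a different SERVER_NAME. The model ignores phases, disruptive actions and the real GeoIP database, so it is only a way to reason about which requests a chain selects, not a substitute for testing the rule on a server.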
  9. Bidi

    Hi @linux4me2, when I add the rule I get this :)

    Not Acceptable
    An appropriate representation of the requested resource / could not be found on this server.

    Additionally, a 406 Not Acceptable error was encountered while trying to use an ErrorDocument to handle the request.
     
  10. linux4me2

    Looks like it's working.
     
  11. Bidi

    Hi, well it's not: when I try to access the website, even myself, I get that error :) It blocks all traffic.
     
  12. cPanelMichael

    Could you verify the specific steps you have taken thus far? For instance, are you using the plugin referenced earlier in this thread?

    Thank you.
     