Slowloris attack protection question

inthukha

Hello,

I have the latest cPanel version installed with the latest EasyApache, including the Mod_Security that comes with default EasyApache. I modified Mod_Security and integrated it with the Atomic rules (free).

My question is: is "Slowloris attack" protection included within the rules, or do I need to install Mod_Antiloris to mitigate the Slowloris DoS attack?

I read about the Slowloris attack on the cPanel website, where your experts recommended the Mod_Security option. My question is: is this already applied in the default rules of EasyApache and the Atomic rules that I integrated within Mod_Security after removing all of cPanel's default Mod_Security rules?

Many thanks
 

24x7server

Hello Dear,

I don't think the Atomic mod_sec rules have any rule for Slowloris attack protection. I would suggest you use Mod_Antiloris for it.

But I found the mod_sec rule below, which can help you out in this case:

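===============================
# Logging phase: count each 408 (request timeout) per client IP for 60 seconds (IP collection must already be initialised with initcol).
SecRule RESPONSE_STATUS "@streq 408" "phase:5,t:none,nolog,pass, \
    setvar:ip.slow_dos_counter=+1,expirevar:ip.slow_dos_counter=60,id:'1234123456'"
# Request-header phase: drop the connection once that IP has more than 5 such timeouts.
SecRule IP:SLOW_DOS_COUNTER "@gt 5" "phase:1,t:none,log,drop, \
    msg:'Client Connection Dropped due to high # of slow DoS alerts',id:'1234123457'"
===============================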
 

kdean

Atomic has in 20_asl_useragents.conf:

Code:
SecRule REQUEST_HEADERS:User-Agent "mozilla/4\.0 \(compatible; msie 7\.0; windows nt 5\.1; trident/4\.0 ?; \.net clr 1\.1\.4322; \.net clr 2\.0\.503l3; \.net clr 3\.0\.4506\.2152; \.net clr 3\.5\.30729; ?msoffice 12" \
	"phase:2,t:none,t:lowercase,t:compressWhitespace,deny,status:403,id:331136,rev:3,severity:2,msg:'Atomicorp.com WAF Rules: Possible slowloris DOS attack tool detected'"
 

jimlongo

Hi,

If I put those rules in a file and include that file in modsec2.user.conf I get the following error

Code:
Initial configuration generation failed with the following message:

Configuration problem detected on line 4 of file /usr/local/apache/conf/modsec_rules/88_slowloris.conf:	Error parsing actions: Unexpected character at position 29: phase:5,t:none,nolog,pass, \\ setvar:ip.slow_dos_counter=+1,expirevar:ip.slow_dos_counter=60,id:'9999999956'

	--- /usr/local/apache/conf/modsec_rules/88_slowloris.conf ---
	1# added from cPanel recommendation 
	2# http://docs.cpanel.net/twiki/bin/view/EasyApache/Apache/SlowlorisAttacks
	3
	4 ===> SecRule RESPONSE_STATUS "@streq 408" "phase:5,t:none,nolog,pass, \ setvar:ip.slow_dos_counter=+1,expirevar:ip.slow_dos_counter=60,id:'9999999956'" <===
	5SecRule IP:SLOW_DOS_COUNTER "@gt 5" "phase:1,t:none,log,drop, \ msg:'Client Connection Dropped due to high # of slow DoS alerts',id:'9999999957'"
	6
	--- /usr/local/apache/conf/modsec_rules/88_slowloris.conf ---
Is this error complaining about the "\"?
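
An added example (not from the thread or from cPanel's documentation): a small Python check that flags a continuation backslash stranded mid-line in a ModSecurity rule file, as in the 88_slowloris.conf error report above, and rewrites it as a real end-of-line continuation. Apache only treats a backslash as a continuation when it is the last character on the line; the function names and the embedded sample are constructed for illustration.

```python
import re

# Constructed sample: the two rules as they appear in the error report above,
# with "\ " left in the middle of each line.
SAMPLE = r'''# added from cPanel recommendation
SecRule RESPONSE_STATUS "@streq 408" "phase:5,t:none,nolog,pass, \ setvar:ip.slow_dos_counter=+1,expirevar:ip.slow_dos_counter=60,id:'9999999956'"
SecRule IP:SLOW_DOS_COUNTER "@gt 5" "phase:1,t:none,log,drop, \ msg:'Client Connection Dropped due to high # of slow DoS alerts',id:'9999999957'"
'''

# A comma, then a backslash followed by blanks and more text on the same line:
# a continuation marker that lost its line break. Anchoring on the comma avoids
# flagging regex escapes such as "\." inside an operator argument.
MISPLACED = re.compile(r",[ \t]*\\[ \t]+(?=\S)")

def is_comment(line):
    return line.lstrip().startswith("#")

def find_misplaced(text):
    """Return (line_number, column) of each mid-line continuation backslash."""
    return [(n, m.start() + m.group().index("\\") + 1)
            for n, line in enumerate(text.splitlines(), 1) if not is_comment(line)
            for m in MISPLACED.finditer(line)]

def repair(text, indent="    "):
    """Put a real line break directly after each misplaced backslash."""
    fixed = [line if is_comment(line)
             else MISPLACED.sub(lambda m: ", \\\n" + indent, line)
             for line in text.splitlines()]
    return "\n".join(fixed) + "\n"

def logical_lines(text):
    """Join lines as Apache does: a backslash right before the newline continues the directive."""
    return [l for l in text.replace("\\\n", "").splitlines() if l.strip()]

if __name__ == "__main__":
    for n, col in find_misplaced(SAMPLE):
        print(f"line {n}, column {col}: backslash is not at end of line")
    print(repair(SAMPLE), end="")
```

After repair, each SecRule spans two physical lines that Apache joins back into one directive before ModSecurity parses the action list.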
 

inthukha

Thank you all for the kind answers that helped me.

@kdean, thanks brother for the identification of the rule.

@jimlongo, I suggest you remove all manual cPanel rules and use the Atomic free rules. This will really save time and clients' websites too.
 

cPanelMichael

Administrator
Staff member
[QUOTE]
If I put those rules in a file and include that file in modsec2.user.conf I get the following error

Code:
Initial configuration generation failed with the following message:

Configuration problem detected on line 4 of file /usr/local/apache/conf/modsec_rules/88_slowloris.conf:	Error parsing actions: Unexpected character at position 29: phase:5,t:none,nolog,pass, \\ setvar:ip.slow_dos_counter=+1,expirevar:ip.slow_dos_counter=60,id:'9999999956'
[/QUOTE]

Could you open a support ticket for this issue so we can open an internal case to update our documentation page if necessary?

[URL="http://go.cpanel.net/supportrequest"]Submit A Ticket[/URL]

Please post the ticket number here so we can update this thread with the outcome.

Thank you.
 

jimlongo

@cPanelMichael, the ticket number is 4306799

@inthukha already installed the free Atomic Rules

Thanks.