Slowloris attack protection question

inthukha

Hello,

I have the latest cPanel version installed with the latest EasyApache, including the Mod_Security that comes with default EasyApache. I modified Mod_Security and integrated it with the Atomic rules (free).

My question is: is "Slowloris attack" protection included within the rules, or do I need to install Mod_Antiloris to mitigate the Slowloris DoS attack?

I read about the Slowloris attack on the cPanel website, where your experts recommended the Mod_Security option. My question is: is this already applied in the default rules of EasyApache and the Atomic rules that I integrated within Mod_Security after removing all of cPanel's default Mod_Security rules?

Many thanks
 

24x7server

Hello Dear,

I don't think the Atomic mod_sec rules have any rule for Slowloris attack protection. I would suggest you use Mod_Antiloris for it.

But I found the mod_sec rule below, which can help you out in this case:

===============================
SecRule RESPONSE_STATUS "@streq 408" "phase:5,t:none,nolog,pass, \
    setvar:ip.slow_dos_counter=+1,expirevar:ip.slow_dos_counter=60,id:'1234123456'"
SecRule IP:SLOW_DOS_COUNTER "@gt 5" "phase:1,t:none,log,drop, \
    msg:'Client Connection Dropped due to high # of slow DoS alerts',id:'1234123457'"
===============================
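
The two rules above keep a per-IP counter of 408 (request timeout) responses and drop new connections once it exceeds 5. As an added example (not code from this thread, cPanel or Atomicorp), the Python below replays constructed request events through that logic so the threshold can be reasoned about before deployment; it assumes each 408 resets the 60-second expiry and that a dropped request does not increment the counter.

```python
# Added example: offline model of the 408-counter rule pair (assumptions labelled).
THRESHOLD = 5   # second rule: "@gt 5"
EXPIRY = 60     # first rule: expirevar:ip.slow_dos_counter=60

# Constructed sample events: (seconds, client IP, response status).
SAMPLE = (
    # Six timeouts in 25 s from one client, then three normal requests.
    [(t, "203.0.113.7", 408) for t in range(0, 30, 5)]
    + [(30, "203.0.113.7", 200), (84, "203.0.113.7", 200), (90, "203.0.113.7", 200)]
    # Seven timeouts spaced 61 s apart: the counter expires between each one.
    + [(t, "198.51.100.9", 408) for t in range(0, 367, 61)]
)


def replay(events, threshold=THRESHOLD, expiry=EXPIRY):
    """Return [(ts, ip), ...] for requests the phase:1 rule would drop."""
    counters = {}   # ip -> (count, expires_at)
    dropped = []
    for ts, ip, status in sorted(events):
        count, expires_at = counters.get(ip, (0, 0))
        if ts >= expires_at:
            # Counter aged out: the client starts again from zero.
            count = 0
            counters.pop(ip, None)
        # phase:1 check runs before the request is served.
        if count > threshold:
            dropped.append((ts, ip))
            continue  # assumption: a dropped request adds no new 408
        # phase:5 (logging) runs after the response status is known.
        if status == 408:
            counters[ip] = (count + 1, ts + expiry)
    return dropped


if __name__ == "__main__":
    for ts, ip in replay(SAMPLE):
        print(f"t={ts:>3}s drop {ip}")
```

The model shows two properties of the rule pair: a client is blocked only from the request after its sixth 408, and a client whose timeouts are more than 60 seconds apart is never counted past 1. In ModSecurity itself the `ip` collection only persists if it has been initialised with `initcol`, which the two rules above do not do on their own.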
 

kdean

Atomic has in 20_asl_useragents.conf:

Code:
SecRule REQUEST_HEADERS:User-Agent "mozilla/4\.0 \(compatible; msie 7\.0; windows nt 5\.1; trident/4\.0 ?; \.net clr 1\.1\.4322; \.net clr 2\.0\.503l3; \.net clr 3\.0\.4506\.2152; \.net clr 3\.5\.30729; ?msoffice 12" \
	"phase:2,t:none,t:lowercase,t:compressWhitespace,deny,status:403,id:331136,rev:3,severity:2,msg:'Atomicorp.com WAF Rules: Possible slowloris DOS attack tool detected'"
 

jimlongo

Hi,

If I put those rules in a file and include that file in modsec2.user.conf, I get the following error:

Code:
Initial configuration generation failed with the following message:

Configuration problem detected on line 4 of file /usr/local/apache/conf/modsec_rules/88_slowloris.conf:	Error parsing actions: Unexpected character at position 29: phase:5,t:none,nolog,pass, \\ setvar:ip.slow_dos_counter=+1,expirevar:ip.slow_dos_counter=60,id:'9999999956'

	--- /usr/local/apache/conf/modsec_rules/88_slowloris.conf ---
	1# added from cPanel recommendation 
	2# http://docs.cpanel.net/twiki/bin/view/EasyApache/Apache/SlowlorisAttacks
	3
	4 ===> SecRule RESPONSE_STATUS "@streq 408" "phase:5,t:none,nolog,pass, \ setvar:ip.slow_dos_counter=+1,expirevar:ip.slow_dos_counter=60,id:'9999999956'" <===
	5SecRule IP:SLOW_DOS_COUNTER "@gt 5" "phase:1,t:none,log,drop, \ msg:'Client Connection Dropped due to high # of slow DoS alerts',id:'9999999957'"
	6
	--- /usr/local/apache/conf/modsec_rules/88_slowloris.conf ---
Is this error complaining about the "\"?
 

inthukha

Thank you all for the kind answers that helped me.

@kdean, thanks brother for identifying the rule.

@jimlongo, I suggest removing all manual cPanel rules and using the Atomic free rules. This will really save time and clients' websites too.
 

cPanelMichael

Administrator
Staff member
If I put those rules in a file and include that file in modsec2.user.conf I get the following error

Code:
Initial configuration generation failed with the following message:

Configuration problem detected on line 4 of file /usr/local/apache/conf/modsec_rules/88_slowloris.conf:	Error parsing actions: Unexpected character at position 29: phase:5,t:none,nolog,pass, \\ setvar:ip.slow_dos_counter=+1,expirevar:ip.slow_dos_counter=60,id:'9999999956'

Could you open a support ticket for this issue so we can open an internal case to update our documentation page if necessary?

Submit A Ticket: http://go.cpanel.net/supportrequest

Please post the ticket number here so we can update this thread with the outcome.

Thank you.
 

jimlongo

@ cPanelMichael the ticket number is 4306799

@inthukha already installed the free Atomic Rules

Thanks.
 

cPanelMichael

@ cPanelMichael the ticket number is 4306799
An internal case has been opened with our documentation team to address the issue with those rules. For reference, the internal case number is 74229.

Thank you.