Slowloris attack protection question

I

inthukha

Well-Known Member
Jul 17, 2013
61
0
6
cPanel Access Level
Root Administrator
Hello,

I have a latest cPanel version installed with latest Easyapache included Mod_Security that come with default EasyApache. I modified the mod_Security and integrated with Atomic rules (Free).

My question is, "Slowloris attack" protection are included within rules OR i need to install Mod_Antiloris To Mitigate SlowLoris DOS Attack ?

I read about slowloris attack at cpanel website where your experts recommended mod_Security option. my question are is this already applied in default rules of EasyApche and Atomic rules that i integrated within mod_Security after removing all of cpanel default mod_Security rules?

Many thanks
 
24x7server

24x7server

Well-Known Member
Apr 17, 2013
1,912
99
78
India
cPanel Access Level
Root Administrator
Twitter
Hello Dear,

I don't think atomic mod_sec rules are having any rule for Slowloris attack protection, I would suggest you to to use Mod_Antiloris for it.

But I found below mod sec rule which can help you out in this case. :

===============================
SecRule RESPONSE_STATUS "@streq 408" "phase:5,t:none,nolog,pass, \ setvar:ip.slow_dos_counter=+1,expirevar:ip.slow_dos_counter=60,id:'1234123456'"
SecRule IP:SLOW_DOS_COUNTER "@gt 5" "phase:1,t:none,log,drop, \ msg:'Client Connection Dropped due to high # of slow DoS alerts',id:'1234123457'"
===============================
 
kdean

kdean

Well-Known Member
Oct 19, 2012
408
82
78
Orlando, FL
cPanel Access Level
Root Administrator
Atomic has in 20_asl_useragents.conf:

Code: 
SecRule REQUEST_HEADERS:User-Agent "mozilla/4\.0 \(compatible; msie 7\.0; windows nt 5\.1; trident/4\.0 ?; \.net clr 1\.1\.4322; \.net clr 2\.0\.503l3; \.net clr 3\.0\.4506\.2152; \.net clr 3\.5\.30729; ?msoffice 12" \
	"phase:2,t:none,t:lowercase,t:compressWhitespace,deny,status:403,id:331136,rev:3,severity:2,msg:'Atomicorp.com WAF Rules: Possible slowloris DOS attack tool detected'"
 
jimlongo

jimlongo

Well-Known Member
Mar 20, 2008
289
24
68
Hi,

kdean said:
Cpanel's How To Mitigate Slowloris Attacks
Click to expand...
If I put those rules in a file and include that file in modsec2.user.conf I get the following error

Code: 
Initial configuration generation failed with the following message:

Configuration problem detected on line 4 of file /usr/local/apache/conf/modsec_rules/88_slowloris.conf:	Error parsing actions: Unexpected character at position 29: phase:5,t:none,nolog,pass, \\ setvar:ip.slow_dos_counter=+1,expirevar:ip.slow_dos_counter=60,id:'9999999956'

	--- /usr/local/apache/conf/modsec_rules/88_slowloris.conf ---
	1# added from cPanel recommendation 
	2# http://docs.cpanel.net/twiki/bin/view/EasyApache/Apache/SlowlorisAttacks
	3
	4 ===> SecRule RESPONSE_STATUS "@streq 408" "phase:5,t:none,nolog,pass, \ setvar:ip.slow_dos_counter=+1,expirevar:ip.slow_dos_counter=60,id:'9999999956'" <===
	5SecRule IP:SLOW_DOS_COUNTER "@gt 5" "phase:1,t:none,log,drop, \ msg:'Client Connection Dropped due to high # of slow DoS alerts',id:'9999999957'"
	6
	--- /usr/local/apache/conf/modsec_rules/88_slowloris.conf ---
is this error complaining about the "\" ?
 
I

inthukha

Well-Known Member
Jul 17, 2013
61
0
6
cPanel Access Level
Root Administrator
Thanks you all for the kind answers that helped me.

@kdean, Thanks brother for identification of the rule.

@jimlongo, I suggest, remove all manual cpanel rules and use Atomic free rules. this will really safe time and clients websites too.
 
cPanelMichael

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,268
463
jimlongo said:
If I put those rules in a file and include that file in modsec2.user.conf I get the following error

Code: 
Initial configuration generation failed with the following message:

Configuration problem detected on line 4 of file /usr/local/apache/conf/modsec_rules/88_slowloris.conf:	Error parsing actions: Unexpected character at position 29: phase:5,t:none,nolog,pass, \\ setvar:ip.slow_dos_counter=+1,expirevar:ip.slow_dos_counter=60,id:'9999999956'[/QUOTE]

Could you open a support ticket for this issue so we can open an internal case to update our documentation page if necessary?

[URL="http://go.cpanel.net/supportrequest"]Submit A Ticket[/URL]

Please post the ticket number here so we can update this thread with the outcome.

Thank you.
Click to expand...
 
jimlongo

jimlongo

Well-Known Member
Mar 20, 2008
289
24
68
@ cPanelMichael the ticket number is 4306799

@inthuka already installed the free Atomic Rules

Thanks.
 
cPanelMichael

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,268
463
jimlongo said:
@ cPanelMichael the ticket number is 4306799
Click to expand...
An internal case has been opened with our documentation team to address the issue with those rules. For reference, the internal case number is 74229.

Thank you.
 
You must log in or register to reply here.
Thread starter Similar threads Forum Replies Date
M Mitigating slowloris attack Security 1
N malicious attacks that changed my cpanel password Security 3
000 Apache logs save errors from HACKER ATTACK, but how I can find the DOMAIN/URL attacked? Security 3
S Slowloris and easyapache 4 (no opt mod) Security 1
jimlongo slowloris rule conflict Security 5
Similar threads
Mitigating slowloris attack
malicious attacks that changed my cpanel password
Apache logs save errors from HACKER ATTACK, but how I can find the DOMAIN/URL attacked?
Slowloris and easyapache 4 (no opt mod)
slowloris rule conflict
Top Bottom