Slowloris attack protection question

Discussion in 'Security' started by inthukha, Jul 27, 2013.

  1. inthukha

    inthukha Well-Known Member

    Hello,

    I have the latest cPanel version installed, with the latest EasyApache including the Mod_Security that comes with default EasyApache. I modified Mod_Security and integrated it with the Atomic rules (free).

    My question is: is "Slowloris attack" protection included within the rules, or do I need to install Mod_Antiloris to mitigate the Slowloris DoS attack?

    I read about the Slowloris attack on the cPanel website, where your experts recommended the Mod_Security option. My question is: is this already applied in the default rules of EasyApache and the Atomic rules that I integrated within Mod_Security after removing all of the cPanel default Mod_Security rules?

    Many thanks
     
  2. 24x7server

    24x7server Well-Known Member

    Hello Dear,

    I don't think the Atomic mod_sec rules have any rule for Slowloris attack protection. I would suggest you use Mod_Antiloris for it.

    But I found the mod_sec rule below, which can help you out in this case:

    ===============================
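    # Count each 408 (request timeout) response per client IP; the counter expires after 60 seconds.
    SecRule RESPONSE_STATUS "@streq 408" "phase:5,t:none,nolog,pass, \
        setvar:ip.slow_dos_counter=+1,expirevar:ip.slow_dos_counter=60,id:'1234123456'"
    # Drop connections from an IP whose counter is above 5.
    SecRule IP:SLOW_DOS_COUNTER "@gt 5" "phase:1,t:none,log,drop, \
        msg:'Client Connection Dropped due to high # of slow DoS alerts',id:'1234123457'"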
    ===============================
     
  3. kdean

    kdean Well-Known Member

    Atomic has in 20_asl_useragents.conf:

    Code:
    SecRule REQUEST_HEADERS:User-Agent "mozilla/4\.0 \(compatible; msie 7\.0; windows nt 5\.1; trident/4\.0 ?; \.net clr 1\.1\.4322; \.net clr 2\.0\.503l3; \.net clr 3\.0\.4506\.2152; \.net clr 3\.5\.30729; ?msoffice 12" \
    	"phase:2,t:none,t:lowercase,t:compressWhitespace,deny,status:403,id:331136,rev:3,severity:2,msg:'Atomicorp.com WAF Rules: Possible slowloris DOS attack tool detected'"
     
  4. kdean

    kdean Well-Known Member

  5. jimlongo

    jimlongo Well-Known Member

    Hi,

    If I put those rules in a file and include that file in modsec2.user.conf, I get the following error:

    Code:
    Initial configuration generation failed with the following message:
    
    Configuration problem detected on line 4 of file /usr/local/apache/conf/modsec_rules/88_slowloris.conf:	Error parsing actions: Unexpected character at position 29: phase:5,t:none,nolog,pass, \\ setvar:ip.slow_dos_counter=+1,expirevar:ip.slow_dos_counter=60,id:'9999999956'
    
    	--- /usr/local/apache/conf/modsec_rules/88_slowloris.conf ---
    	1# added from cPanel recommendation 
    	2# http://docs.cpanel.net/twiki/bin/view/EasyApache/Apache/SlowlorisAttacks
    	3
    	4 ===> SecRule RESPONSE_STATUS "@streq 408" "phase:5,t:none,nolog,pass, \ setvar:ip.slow_dos_counter=+1,expirevar:ip.slow_dos_counter=60,id:'9999999956'" <===
    	5SecRule IP:SLOW_DOS_COUNTER "@gt 5" "phase:1,t:none,log,drop, \ msg:'Client Connection Dropped due to high # of slow DoS alerts',id:'9999999957'"
    	6
    	--- /usr/local/apache/conf/modsec_rules/88_slowloris.conf ---
    
    Is this error complaining about the "\"?
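
The error output above shows the continuation backslash sitting in the middle of line 4, where Apache does not treat it as a line continuation and ModSecurity's action parser rejects it. The following is an added example, not part of the thread or of cPanel's documentation: a small Python check that flags and repairs such lines in a rule file before it is included. The names `lint`, `repair` and `SAMPLE` are hypothetical.

```python
import re

# Backslash, whitespace, then more text on the same line: a continuation whose
# newline was lost. (A regex that deliberately escapes a space is also flagged.)
FLATTENED = re.compile(r"\\[ \t]+(?=\S)")
# Backslash followed only by trailing whitespace: no longer last on the line.
TRAILING = re.compile(r"\\[ \t]+$")

# Constructed sample: the two rules as shown in the error output above, plus a
# shortened form of the Atomic rule, whose "\." and "\(" escapes are legitimate.
SAMPLE = r"""# constructed test file
SecRule RESPONSE_STATUS "@streq 408" "phase:5,t:none,nolog,pass, \ setvar:ip.slow_dos_counter=+1,expirevar:ip.slow_dos_counter=60,id:'9999999956'"
SecRule IP:SLOW_DOS_COUNTER "@gt 5" "phase:1,t:none,log,drop, \ msg:'Client Connection Dropped due to high # of slow DoS alerts',id:'9999999957'"
SecRule REQUEST_HEADERS:User-Agent "mozilla/4\.0 \(compatible; msie 7\.0" \
    "phase:2,t:none,t:lowercase,deny,status:403,id:331136"
"""

def lint(text):
    """Return (line_number, problem) pairs for broken line continuations."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # comment lines are not parsed as directives
        if FLATTENED.search(line):
            findings.append((number, "continuation backslash in mid-line"))
        elif TRAILING.search(line):
            findings.append((number, "whitespace after trailing backslash"))
    return findings

def repair(text, indent="    "):
    """Put a real line break after each misplaced continuation backslash."""
    fixed = []
    for line in text.splitlines():
        if not line.lstrip().startswith("#"):
            line = TRAILING.sub(lambda m: "\\", line)
            line = FLATTENED.sub(lambda m: "\\\n" + indent, line)
        fixed.append(line)
    return "\n".join(fixed) + "\n"

if __name__ == "__main__":
    for number, problem in lint(SAMPLE):
        print(f"line {number}: {problem}")
    print(repair(SAMPLE))
```
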
     
  6. inthukha

    inthukha Well-Known Member

    Thank you all for the kind answers that helped me.

    @kdean, thanks brother for identifying the rule.

    @jimlongo, I suggest you remove all manual cPanel rules and use the Atomic free rules. This will really save time and clients' websites too.
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

     
  8. jimlongo

    jimlongo Well-Known Member

    @cPanelMichael the ticket number is 4306799

    @inthukha already installed the free Atomic Rules

    Thanks.
     
  9. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    An internal case has been opened with our documentation team to address the issue with those rules. For reference, the internal case number is 74229.

    Thank you.
     