Website Flood and with Wordpress PingBack

Bidi

Well-Known Member
Oct 3, 2012
107
10
68
Romania, Transilvania
cPanel Access Level
DataCenter Provider
Hello buys,

I started to get loots of flood with Agent: Wordpress (PingBack) as i can see this is sompting new i think
And again with the fake / proxys no agent ... flood

The problem is i made some rules in mod_security but it add it to firewall deny list and is some sort of ussles cuz the list gets fully and empty it true rotation but they ar so manny it makes problem to entire server.

What i whant is for this sort of problem not to ban them just deny the traffic.

This is what i use and i dont undestand how or what to change.

Code:
 SecRule &;REQUEST_HEADERS:User-Agent "^$" \
"id:'13006',phase:2,t:none,deny,status:406,log,msg:'Empty Agent - Detectat'"

Code:
# Block empty User-Agents.
SecRule &;REQUEST_HEADERS:User-Agent "@eq " \
"id:'13009',phase:2,t:none,deny,chain,status:406,log,msg:'Fake Agent - Detectat'"
Code:
# Block empty User-Agents.
SecRule &;REQUEST_HEADERS:User-Agent "@eq 0" \
"id:'13019',phase:2,t:none,deny,chain,status:406,log,msg:'Fake Agent - Detectat'"
Code:
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile /etc/apache2/conf.d/modsec/badbots.txt" "id:350001,phase:1,deny,status:406,log,msg:'BAD BOT - Detectat. '"
On the /etc/apache2/conf.d/modsec/badbots.txt i got the bots name i whant to block like "Wordpress"

All i whant is just to deny the traffic and not to add it to csf firewall

Thank you.
 

Attachments

fuzzylogic

Well-Known Member
Nov 8, 2014
153
93
78
cPanel Access Level
Root Administrator
To prevent ConfigServer LFD from adding these IPs to the Firewall deny list you must stop Modsecurity from writing 40* errors in the Apache error_log for these rules.

To do this is easy. You only have to edit your rules from using "log" to using "nolog".

Three of your rules have broken syntax.
(there is no &; syntax. use the Ampersand special operator to count)
-----
id:'13006'
SecRule &;REQUEST_HEADERS:User-Agent "^$"
should be...
SecRule REQUEST_HEADERS:User-Agent "^$"
It checks for an empty value in the User-Agent: header using the default rx operator (regular expression)
-----
id:'13009'
SecRule &;REQUEST_HEADERS:User-Agent "@eq " \
should be...
SecRule REQUEST_HEADERS:User-Agent "@streq ''" \
It checks for an empty value in the User-Agent: header using the streq operator (string equal)
-----
id:'13019'
SecRule &;REQUEST_HEADERS:User-Agent "@eq 0" \
should be...
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
It counts the number of User-Agent: headers then uses the eq operator (numerical equal) to see if there are 0 User-Agent: headers
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,263
313
Houston
  • Like
Reactions: Bidi