
Website Flood and with Wordpress PingBack

Discussion in 'Security' started by Bidi, Jul 5, 2018.

  1. Bidi

    Bidi Well-Known Member

    Joined:
    Oct 3, 2012
    Messages:
    71
    Likes Received:
    1
    Trophy Points:
    8
    Location:
    Romania, Transilvania
    cPanel Access Level:
    DataCenter Provider
    Hello guys,

    I started to get lots of floods with Agent: Wordpress (PingBack); as I can see, this is something new, I think.
    And again with the fake / proxies, no agent ... flood.

    The problem is I made some rules in mod_security, but it adds them to the firewall deny list, and that is sort of useless because the list gets full and empties through rotation, but there are so many that it causes problems for the entire server.

    What I want is for this sort of problem not to ban them, just deny the traffic.

    This is what I use, and I don't understand how or what to change.

    Code:
     SecRule &;REQUEST_HEADERS:User-Agent "^$" \
    "id:'13006',phase:2,t:none,deny,status:406,log,msg:'Empty Agent - Detectat'" 

    Code:
    # Block empty User-Agents.
    SecRule &;REQUEST_HEADERS:User-Agent "@eq " \
    "id:'13009',phase:2,t:none,deny,chain,status:406,log,msg:'Fake Agent - Detectat'" 
    Code:
    # Block empty User-Agents.
    SecRule &;REQUEST_HEADERS:User-Agent "@eq 0" \
    "id:'13019',phase:2,t:none,deny,chain,status:406,log,msg:'Fake Agent - Detectat'" 
    Code:
    SecRule REQUEST_HEADERS:User-Agent "@pmFromFile /etc/apache2/conf.d/modsec/badbots.txt" "id:350001,phase:1,deny,status:406,log,msg:'BAD BOT - Detectat. '"
    In /etc/apache2/conf.d/modsec/badbots.txt I have the bot names I want to block, like "Wordpress".

    All I want is just to deny the traffic and not to add it to the csf firewall.

    Thank you.
     


  2. fuzzylogic

    fuzzylogic Well-Known Member

    Joined:
    Nov 8, 2014
    Messages:
    92
    Likes Received:
    50
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    To prevent ConfigServer LFD from adding these IPs to the firewall deny list, you must stop ModSecurity from writing 40* errors in the Apache error_log for these rules.

    To do this is easy. You only have to edit your rules from using "log" to using "nolog".

    Three of your rules have broken syntax.
    (There is no &; syntax. Use the ampersand special operator to count.)
    -----
    id:'13006'
    SecRule &;REQUEST_HEADERS:User-Agent "^$"
    should be...
    SecRule REQUEST_HEADERS:User-Agent "^$"
    It checks for an empty value in the User-Agent: header using the default rx operator (regular expression)
    -----
    id:'13009'
    SecRule &;REQUEST_HEADERS:User-Agent "@eq " \
    should be...
    SecRule REQUEST_HEADERS:User-Agent "@streq ''" \
    It checks for an empty value in the User-Agent: header using the streq operator (string equal)
    -----
    id:'13019'
    SecRule &;REQUEST_HEADERS:User-Agent "@eq 0" \
    should be...
    SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
    It counts the number of User-Agent: headers then uses the eq operator (numerical equal) to see if there are 0 User-Agent: headers
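
The corrections and the log-to-nolog change described in the reply above, assembled into complete rules as an added example (not posted by anyone in the thread). The rule ids, messages and file path are the thread's own; using phase:1 for every rule and dropping the `chain` action are assumptions made here.

```apache
# Added example, not from the thread.
# "chain" is dropped: the action links a rule to the SecRule that follows it,
# and the rules in the original post have no following rule to link to.
# phase:1 is an assumption: request headers are already available there,
# so the request is denied before the body is read.

# Request carries no User-Agent header at all.
# & counts the matching headers; @eq compares that count numerically.
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
    "id:13019,phase:1,t:none,deny,status:406,nolog,msg:'Fake Agent - Detectat'"

# User-Agent header is present but its value is empty (default rx operator).
# Rule 13009 is described in the reply as checking the same condition,
# so only this one is kept.
SecRule REQUEST_HEADERS:User-Agent "^$" \
    "id:13006,phase:1,t:none,deny,status:406,nolog,msg:'Empty Agent - Detectat'"

# User-Agent contains any phrase listed in badbots.txt (one phrase per line).
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile /etc/apache2/conf.d/modsec/badbots.txt" \
    "id:350001,phase:1,deny,status:406,nolog,msg:'BAD BOT - Detectat. '"
```

With `nolog` the match is kept out of both the Apache error_log and the ModSecurity audit log, so the 406 responses remain visible only in the access log; check there to confirm the rules are firing.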
     
  3. Bidi

    @fuzzylogic thank you.

    Does anyone else know any more mod_sec rules for this problem?
     
  4. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    2,748
    Likes Received:
    187
    Trophy Points:
    143
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
  5. Bidi

    Hi, back again now with another problem.

    Does anyone know how I can block this? With mod_sec? Some rule for size 0?
     
