Website Flood and with Wordpress PingBack
Hello guys,
I started to get lots of flood with Agent: Wordpress (PingBack); as I can see this is something new, I think.
And again with the fake / proxies, no agent ... flood.
The problem is I made some rules in mod_security but it adds it to the firewall deny list and is some sort of useless because the list gets full and empties through rotation, but they are so many it makes problems for the entire server.
What I want is for this sort of problem not to ban them, just deny the traffic.
This is what I use and I don't understand how or what to change.
In /etc/apache2/conf.d/modsec/badbots.txt I have the bot names I want to block, like "Wordpress". All I want is just to deny the traffic and not to add it to the csf firewall. Thank you.
SecRule &;REQUEST_HEADERS:User-Agent "^$" \
"id:'13006',phase:2,t:none,deny,status:406,log,msg:'Empty Agent - Detectat'"
# Block empty User-Agents.
SecRule &;REQUEST_HEADERS:User-Agent "@eq " \
"id:'13009',phase:2,t:none,deny,chain,status:406,log,msg:'Fake Agent - Detectat'"
# Block empty User-Agents.
SecRule &;REQUEST_HEADERS:User-Agent "@eq 0" \
"id:'13019',phase:2,t:none,deny,chain,status:406,log,msg:'Fake Agent - Detectat'"
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile /etc/apache2/conf.d/modsec/badbots.txt" "id:350001,phase:1,deny,status:406,log,msg:'BAD BOT - Detectat. '"
-
To prevent ConfigServer LFD from adding these IPs to the Firewall deny list you must stop Modsecurity from writing 40* errors in the Apache error_log for these rules. To do this is easy. You only have to edit your rules from using "log" to using "nolog".

Three of your rules have broken syntax. (there is no &; syntax. use the Ampersand special operator to count)

-----
id:'13006'
SecRule &;REQUEST_HEADERS:User-Agent "^$"
should be...
SecRule REQUEST_HEADERS:User-Agent "^$"
It checks for an empty value in the User-Agent: header using the default rx operator (regular expression)

-----
id:'13009'
SecRule &;REQUEST_HEADERS:User-Agent "@eq " \
should be...
SecRule REQUEST_HEADERS:User-Agent "@streq ''" \
It checks for an empty value in the User-Agent: header using the streq operator (string equal)

-----
id:'13019'
SecRule &;REQUEST_HEADERS:User-Agent "@eq 0" \
should be...
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
It counts the number of User-Agent: headers then uses the eq operator (numerical equal) to see if there are 0 User-Agent: headers
-
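The corrections from the answer above, assembled into complete rules; this is an added example, not configuration posted by anyone in the thread. The ids and the badbots.txt path are the ones from the question; running everything in phase:1, dropping the stray `chain` actions, and pairing `nolog` with `auditlog` are choices made for this example.

```apache
# Added example: deny-only rules that leave nothing in the Apache error_log.
# "nolog" keeps the match out of the error log (which, per the answer above,
# is what LFD reacts to); "auditlog" still records it in the ModSecurity
# audit log so the flood can be reviewed later.

# No User-Agent header at all: "&" counts the headers, "@eq 0" tests the count.
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
    "id:13019,phase:1,t:none,deny,status:406,nolog,auditlog,\
    msg:'Missing User-Agent header'"

# User-Agent header present but empty. This one rule covers both the "^$"
# regex check (13006) and the "@streq ''" check (13009), which test the
# same condition.
SecRule REQUEST_HEADERS:User-Agent "^$" \
    "id:13006,phase:1,t:none,deny,status:406,nolog,auditlog,\
    msg:'Empty User-Agent header'"

# User-Agent contains any phrase listed in badbots.txt (one phrase per line,
# for example "WordPress"). @pmFromFile matching is case-insensitive.
SecRule REQUEST_HEADERS:User-Agent \
    "@pmFromFile /etc/apache2/conf.d/modsec/badbots.txt" \
    "id:350001,phase:1,t:none,deny,status:406,nolog,auditlog,\
    msg:'Bad bot User-Agent'"
```

Phase 1 evaluates the request headers before the body is read, so a denied request costs the server as little as possible.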
@fuzzylogic thank you. Does anyone else know any more mod_sec rules for this problem?
-
Hi @Bidi, I don't know any specifically but I have heard the articles here are helpful for a lot of people:
WordPress XML-RPC PingBack Vulnerability Analysis
Blocking wordpress pingback with mod_security and fail2ban
Thanks!
-
Hi, back again now with another problem. Anyone know how I can block this? With mod_sec? Some rule for size 0?