block userAgent on server, with mod_security?

Comments

6 comments

  • Deehem
    Instead of using modsec to achieve this, you could use bad-bot-blocker in a global .htaccess file. An example of b-b-b can be found here.
    0
  • upsforum
    Can I also post this in Apache Configuration -> Include Editor -> Post VirtualHost Include? Thank you.
    0
  • upsforum
    I added it in /home/.htaccess but get an internal server error.
    0
  • Deehem
    Do you have the correct permissions on that file? What does the Apache error_log file say? 644 should suffice for /home/.htaccess :)
    0
  • upsforum
    I removed the IPs and now it works fine, thank you.
    0
  • quizknows
    These are the rules I use for that attack:
        #Joomla com_jce exploit
        SecRule HTTP_User-Agent "BOT for JCE" "deny,status:500,id:5000218,msg:'Joomla com_jce code exec'"
        #Joomla com_jce exploit
        SecRule REQUEST_URI "/images/stories/.+\.php" "deny,status:500,id:5000219,msg:'Joomla com_jce code exec'"
    The first blocks the user agent. That exploit puts PHP files into site.com/images/stories/something.php if it is successful, so the 2nd rule blocks access to those in case they change user agent. Even with the .htaccess or this first rule, you should still use the 2nd rule. Changing user agents is very simple.
    0
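
The two indicators from quizknows' rules, applied to an Apache access log to check whether a site was already hit before the rules went in. This is an added example, not part of the original thread; it assumes the "combined" log format, and the function name `scan` and the sample log lines are constructed for illustration.

```python
import re

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
# Same patterns as the two SecRules in the thread.
UA_RE = re.compile(r"BOT for JCE")
URI_RE = re.compile(r"/images/stories/.+\.php")

def scan(lines):
    """Return one finding per log line that matches either indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        ua_hit = bool(UA_RE.search(m["ua"]))
        uri_hit = bool(URI_RE.search(m["uri"]))
        if not (ua_hit or uri_hit):
            continue
        findings.append({
            "host": m["host"],
            "uri": m["uri"],
            "status": int(m["status"]),
            "ua_hit": ua_hit,
            "uri_hit": uri_hit,
            # A 2xx answer for a PHP file under images/stories means the file
            # exists and was served: review that site for a dropped script.
            "served": uri_hit and m["status"].startswith("2"),
        })
    return findings

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE = [
    '203.0.113.10 - - [10/Mar/2014:10:00:01 +0000] "POST /index.php?option=com_jce HTTP/1.1" 200 312 "-" "BOT for JCE"',
    '198.51.100.7 - - [10/Mar/2014:10:02:15 +0000] "GET /images/stories/x.php HTTP/1.1" 200 45 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [11/Mar/2014:08:30:00 +0000] "GET /images/stories/y.php HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [11/Mar/2014:09:00:00 +0000] "GET /images/stories/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

The second sample line is the case the last comment warns about: the user agent no longer matches, but the request path does, and the 200 status shows the file was served.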