modsec rule for POST /cgi-bin/php
Has anyone made a modsecurity rule to block requests of this type?
POST /cgi-bin/php
POST /cgi-bin/php5
POST /cgi-bin/php-cgi
POST /cgi-bin/php.cgi
POST /cgi-bin/php4
I'm looking for one already made please.
Thank you.
-
Here you go:
SecRule REQUEST_URI "/cgi-bin/php(4|5|-cgi|\.cgi)?" "deny,chain,status:500,id:3927835,msg:'cgi-bin POST'"
    SecRule REQUEST_METHOD "POST"
-
Thank you! :)
-
Thank you! I wish I could stop those requests completely or make it so that they stopped within milliseconds after only a few requests, instead of within a few seconds.
-
I'm using a final rule, which calls a small C program that adds the IP address to the iptables firewall. So the very first request will block the IP permanently. Have you tried something like that? Here is my rule:
# Ban IP address on status 406 or 501
SecRule RESPONSE_STATUS "^406$" "phase:5,nolog,allow,exec:/opt/blacklist-webclient/blacklist-webclient,id:1234123475"
SecRule RESPONSE_STATUS "^501$" "phase:5,nolog,allow,exec:/opt/blacklist-webclient/blacklist-webclient,id:1234123476"
-
I usually just use CSF with LF_MODSEC enabled with a trigger of 3 to 5 hits. I like the idea of calling a custom script, but normally the bots make at least a few requests, so I just let CSF take care of the blocking. Now that I made this rule, I'm seeing a ton of these scans too, so I started using it on my own servers.
-
Hello :) Thank you for sharing a solution. I am marking this thread as [Resolved] but continued discussion is welcome if necessary.
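-
Added example, not part of the original thread or any poster's code: a Python sketch that applies the same pattern as the rule above to constructed access-log lines and counts hits per IP against a 3-hit trigger like the one mentioned for LF_MODSEC. The log lines, the function names and the counting logic are assumptions for illustration, not CSF's implementation; because the pattern is unanchored, a path such as /cgi-bin/phpinfo.cgi also matches.

```python
import re
from collections import Counter

# Same pattern as the SecRule in the thread. ModSecurity's default operator
# is an unanchored regex, so re.search() mirrors its behaviour.
RULE_RX = re.compile(r"/cgi-bin/php(4|5|-cgi|\.cgi)?")
# Common Log Format: ip ident user [time] "METHOD uri proto" status size
LINE_RX = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "POST /cgi-bin/php HTTP/1.1" 500 0
203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "POST /cgi-bin/php5 HTTP/1.1" 500 0
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "POST /cgi-bin/php-cgi?a=b HTTP/1.1" 500 0
198.51.100.9 - - [01/Jan/2024:10:02:00 +0000] "GET /cgi-bin/php HTTP/1.1" 404 0
198.51.100.9 - - [01/Jan/2024:10:02:05 +0000] "POST /cgi-bin/phpinfo.cgi HTTP/1.1" 500 0
192.0.2.44 - - [01/Jan/2024:10:03:00 +0000] "POST /index.php HTTP/1.1" 200 512
"""


def rule_matches(method, uri):
    """True when the chained rule would fire: URI pattern and POST method."""
    return "POST" in method and RULE_RX.search(uri) is not None


def hits_per_ip(log_text):
    """Count rule hits per client IP over Common Log Format text."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RX.match(line)
        if m and rule_matches(m.group(2), m.group(3)):
            hits[m.group(1)] += 1
    return hits


def ips_over_threshold(log_text, trigger=3):
    """IPs whose hit count reaches the trigger (assumed 3, per the thread)."""
    return sorted(ip for ip, n in hits_per_ip(log_text).items() if n >= trigger)


if __name__ == "__main__":
    for ip, n in sorted(hits_per_ip(SAMPLE_LOG).items()):
        print(f"{ip}: {n} hit(s)")
    print("over trigger:", ips_over_threshold(SAMPLE_LOG))
```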