Separate mod_security custom rule per account

Comments

11 comments

  • cPanelMichael
    Hello @Bidi, The following ConfigServer plugin is popular for this purpose: ConfigServer ModSecurity Control (cmc) Thanks!
    0
  • linux4me2
    If you don't want to go the plugin route, you can also add a selector based on the domain name to your custom ModSecurity rule with something like the following:
        SecRule SERVER_NAME "thedomain\.com$" "t:lowercase,phase:1,chain,id:1,drop,log,msg:'Blocking %{geo.country_code}'"
        SecRule REMOTE_ADDR "@geoLookup" chain
        SecRule GEO:COUNTRY_CODE "@pm XX YY ZZ"
    You need to replace "thedomain.com" with the domain you want the rule to apply to, change the "id" to a unique number for each of your custom rules, and change "XX," "YY," and "ZZ" to the two-character country codes that you want to block. You can use one or more country codes in there. Of course, you'll also need the GeoIP database path set in your ModSecurity configuration.
    0
  • Bidi
    Lovely :D I think I will try both of them :D to see which one is more handy for us.
    0
  • Bidi
    @linux4me2 how about this rule? I'm getting errors when I try to make it work for one domain only.
        # Block empty User-Agents.
        SecRule &;REQUEST_HEADERS:User-Agent "@eq 0" \
            "id:'13009',phase:2,t:none,deny,chain,status:406,log,msg:'Fake Agent - Detectat'"
        SecRule REMOTE_ADDR "!@ipMatch xx.xx.0.0/16"
    (xx.xx.0.0/16 is the server IP range)
    0
  • linux4me2
    @Bidi, you need to wrap the rule in code tags to make sure what we're looking at is what you're using. You have some extraneous characters in there that don't belong, but I don't know if that's because it's part of the rule you're using, or because it's not in code tags. I think what you posted should be something like this, but what you'd be telling ModSecurity to do is to block anyone with an empty user agent who is coming from an IP in the specified range, not blocking empty user agents for a specific domain on your server:
        # Block empty User-Agents.
        SecRule REQUEST_HEADERS:User-Agent "@eq 0" \
            "id:'13009',phase:2,t:none,deny,chain,status:406,log,msg:'Fake Agent - Detectat'"
        SecRule REMOTE_ADDR "!@ipMatch xx.xx.0.0/16"
    Maybe I misunderstood what you're trying to block. If you want the rule to apply only to your server, you would use SERVER_ADDR instead of REMOTE_ADDR. You're using an awfully high number for the ID. The range 1-99,999 is reserved for custom rules, but do you really have 13,008 other rules? If this is your first custom rule, you can just use an ID of "1" and number them consecutively as you add new ones.
    0
  • Bidi
    @linux4me2 thank you. The rule I use is for the entire server, but I don't keep it active 24/24, just in emergency cases when someone plays with fake traffic on some websites and they get "Resource usage limite...." and the website dies, but not with this rule when it is on. The ID I just set randomly, I just added a number there :). What I wanted is to set that rule only for the domain I want, and I tried, but I get mod_sec errors. For the Remote_ADDR, I added my IP ranges to skip if the remote_addr is from my range of IPs. Yes, the rule is the way you said, block empty user agents, not for a specific domain. What I am trying to do is to specify somehow the domain name on which to apply the rule. Can you give me a hint? Or a hand, please? Thank you.
    0
  • linux4me2
    If you just want to block empty user agents for one domain, you can try the following:
        # Block empty User-Agents.
        SecRule REQUEST_HEADERS:User-Agent "@eq 0" \
            "id:'13009',phase:2,t:none,deny,chain,status:406,log,msg:'Fake Agent - Detectat'"
        SecRule SERVER_NAME "thedomain\.com$" "t:lowercase"
    Replace "thedomain\.com" with the domain on your server for which you want the rule to take effect. If that gives you a ModSecurity error, you can post what the error is, and I'll take a look, but you may need to get help from someone who knows more about ModSecurity than I. :)
    0
  • Bidi
    Hi @linux4me2, when I add the rule I get this :)
        Not Acceptable
        An appropriate representation of the requested resource / could not be found on this server. Additionally, a 406 Not Acceptable error was encountered while trying to use an ErrorDocument to handle the request.
    0
  • linux4me2
    Looks like it's working.
    0
  • Bidi
    Hi, well, it is not. When I try to access the website, even myself, I get that error :) It blocks the entire traffic.
    0
  • cPanelMichael
    Hi, well, it is not. When I try to access the website, even myself, I get that error :) It blocks the entire traffic.

    Could you verify the specific steps you have taken thus far? For instance, are you using the plugin referenced earlier in this thread? Thank you.
    0
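
Added example, not part of any post in this thread and not the posters' or cPanel's own rule: a per-domain "no User-Agent" block that keeps the `&` count prefix on the target, since without it `@eq 0` is evaluated against the header's value and a non-numeric User-Agent converts to 0, which matches ordinary requests. The ids, `example.com` and `192.0.2.0/24` are placeholders to replace with your own values.

```apache
# Constructed example: ids 13009/13010, example.com and 192.0.2.0/24 are placeholders.
#
# Without "&", the target is the header's value. @eq converts it to an integer,
# and a string such as "Mozilla/5.0 ..." converts to 0, so this form matches
# every request that sends an ordinary User-Agent:
#   SecRule REQUEST_HEADERS:User-Agent "@eq 0" ...
#
# With "&", the target is the number of User-Agent headers in the request,
# so "@eq 0" is true only when the header is missing.

# Rule 1: User-Agent header missing, one domain only, own IP range exempt.
# Disruptive action, status and id belong on the first rule of the chain.
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
    "id:13009,phase:2,t:none,deny,status:406,log,msg:'Missing User-Agent',chain"
    SecRule SERVER_NAME "@rx (?:^|\.)example\.com$" "t:none,t:lowercase,chain"
        SecRule REMOTE_ADDR "!@ipMatch 192.0.2.0/24" "t:none"

# Rule 2: header present but empty. "&" counts it as 1, so rule 1 does not
# fire; match the empty value explicitly instead.
SecRule REQUEST_HEADERS:User-Agent "@rx ^$" \
    "id:13010,phase:2,t:none,deny,status:406,log,msg:'Empty User-Agent',chain"
    SecRule SERVER_NAME "@rx (?:^|\.)example\.com$" "t:none,t:lowercase,chain"
        SecRule REMOTE_ADDR "!@ipMatch 192.0.2.0/24" "t:none"
```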