Skip to main content

Mod_Security rule to mitigate constant GET and POST request attack

Comments

6 comments

  • caisc
    Here is another instance -
    94.102.60.76 - - [25/Feb/2017:12:24:21 +0530] "GET /wp-json/wp/v2/posts/ HTTP/1.0" 301 - "-" "-" 94.102.60.76 - - [25/Feb/2017:12:24:22 +0530] "GET /wp-json/wp/v2/posts/ HTTP/1.0" 200 212703 "-" "-" 94.102.60.76 - - [25/Feb/2017:12:24:28 +0530] "POST /wp-json/wp/v2/posts/1076 HTTP/1.0" 301 - "-" "-" 94.102.60.76 - - [25/Feb/2017:12:24:29 +0530] "GET /wp-json/wp/v2/posts/1076/ HTTP/1.0" 200 212703 "-" "-" 94.102.60.76 - - [25/Feb/2017:12:24:31 +0530] "GET /sh.html HTTP/1.0" 301 - "-" "-" 94.102.60.76 - - [25/Feb/2017:12:24:31 +0530] "GET /sh.html/ HTTP/1.0" 200 212703 "-" "-" 94.102.60.76 - - [25/Feb/2017:12:24:32 +0530] "POST /wp-json/wp/v2/posts/1076 HTTP/1.0" 301 - "-" "-" 94.102.60.76 - - [25/Feb/2017:12:24:32 +0530] "GET /wp-json/wp/v2/posts/1076/ HTTP/1.0" 200 212703 "-" "-" 94.102.60.76 - - [25/Feb/2017:12:24:33 +0530] "GET /sh.html HTTP/1.0" 301 - "-" "-" 94.102.60.76 - - [25/Feb/2017:12:24:33 +0530] "GET /sh.html/ HTTP/1.0" 200 212703 "-" "-"
    0
  • cPanelMichael
    Hello, You may find the following thread helpful, as it also relates to WordPress: SOLVED - Distributed wordpress attacks/scans Thank you.
    0
  • quizknows
    2nd case: You can deny requests that have both no UA and no referer. This is generally safe (I use it in production) but keep in mind you may have to whitelist this rule for some 3rd party services that are coded lazily like if you use a 3rd party monitoring service.
    #Deny any HTTP request where both the user agent and referring URL are blank (except localhost due to WHM server status) SecRule &HTTP_REFERER "@eq 0" "deny,status:411,id:187945988,chain,msg:'No UA, No referer'" SecRule &HTTP_User-Agent "@eq 0" "chain" SecRule REMOTE_ADDR "!@ipMatch 127.0.0.1"
    1st case I would try blocking the user agent if you are absolutely sure that traffic is bad, but this tule could block legitimate users and I would not leave this one in place permanently
    SecRule HTTP_User-Agent "cyberfox" "deny,id:2892758,t:lowercase"
    0
  • caisc
    Thanks quizknows
    #Deny any HTTP request where both the user agent and referring URL are blank (except localhost due to WHM server status) SecRule &HTTP_REFERER "@eq 0" "deny,status:411,id:187945988,chain,msg:'No UA, No referer'" SecRule &HTTP_User-Agent "@eq 0" "chain" SecRule REMOTE_ADDR "!@ipMatch 127.0.0.1"
    I have added above rule to mod_sec rule list, will let you know with feedback in few days.
    0
  • caisc
    @quizknows Immediately after adding the rule got this in mod_sec log - 2017-03-03 19:48:11 domain.com 23.227.x.x 411 Request: GET /utility/tasks?notrigger=1&key=23a78621&pid=1386626928 Action Description: Access denied with code 411 (phase 2). Justification: Match of "ipMatch 127.0.0.1" against "REMOTE_ADDR" required. Here 23.227.x.x is my server primary shared IP, looks like false positive, how to fix this? Domlog entry is - 23.227.x.x - - [03/Mar/2017:19:54:47 +0530] "GET /utility/tasks?notrigger=1&key=23a78621&pid=1113355893 HTTP/1.1" 411 60 "-" "-" few more domlog entry - 23.227.x.x - - [03/Mar/2017:20:04:36 +0530] "GET /public/album_photo/01/0001_36a7.png?c=64bf HTTP/1.0" 404 148728 "-" "-" 23.227.x.x - - [03/Mar/2017:20:04:36 +0530] "GET /public/album_photo/21/0021_b687.png?c=b7fa HTTP/1.0" 404 148728 "-" "-" 23.227.x.x - - [03/Mar/2017:20:04:37 +0530] "GET /public/album_photo/21/0021_b687.png?c=b7fa HTTP/1.0" 404 148728 "-" "-" 23.227.x.x - - [03/Mar/2017:20:04:37 +0530] "GET /public/album_photo/22/0022_cfa6.png?c=0678 HTTP/1.0" 404 148728 "-" "-" 23.227.x.x - - [03/Mar/2017:20:04:37 +0530] "GET /public/album_photo/21/0021_b687.png?c=b7fa HTTP/1.0" 404 148728 "-" "-" 23.227.x.x - - [03/Mar/2017:20:04:37 +0530] "GET /public/album_photo/21/0021_b687.png?c=b7fa HTTP/1.0" 404 148728 "-" "-" 23.227.x.x - - [03/Mar/2017:20:04:38 +0530] "GET /public/album_photo/21/0021_b687.png?c=b7fa HTTP/1.0" 404 148728 "-" "-" 23.227.x.x - - [03/Mar/2017:20:04:38 +0530] "GET /public/album_photo/21/0021_b687.png?c=b7fa HTTP/1.0" 404 148728 "-" "-" 23.227.x.x - - [03/Mar/2017:20:04:38 +0530] "GET /public/album_photo/22/0022_cfa6.png?c=0678 HTTP/1.0" 404 148728 "-" "-"
    0
  • quizknows
    If you need to exclude your main server IP from the rule, it's simply another chain condition like this:
    #Deny any HTTP request where both the user agent and referring URL are blank (except localhost due to WHM server status) SecRule &HTTP_REFERER "@eq 0" "deny,status:411,id:187945988,chain,msg:'No UA, No referer'" SecRule &HTTP_User-Agent "@eq 0" "chain" SecRule REMOTE_ADDR "!@ipMatch 127.0.0.1" "chain" SecRule REMOTE_ADDR "!@ipMatch 23.227.1.1"
    This is just one way to do it, you could also make a file with whitelisted IP addresses like this:
    #Deny any HTTP request where both the user agent and referring URL are blank (except localhost due to WHM server status) SecRule &HTTP_REFERER "@eq 0" "deny,status:411,id:187945988,chain,msg:'No UA, No referer'" SecRule &HTTP_User-Agent "@eq 0" "chain" SecRule REMOTE_ADDR "!@ipMatchFromFile /usr/local/apache/conf/modsec2/ip_whitelist.txt"
    In the file /usr/local/apache/conf/modsec2/ip_whitelist.txt it would contain one IP per line like:
    127.0.0.1 23.227.1.1
    You can put the file ip_whitelist.txt where ever you want, this path is just suggested for EA3. If you use EA4 you could put it in a different location as long as the rule is updated for the path of the file.
    0

Please sign in to leave a comment.