
ModSecurity Rules

I work for a website hosting company and often come across traffic that overloads HTTP servers and can be stopped with ModSecurity rules. I'll be posting these rules as I make them, for all to use.

Please note, these are not guaranteed, and may, in some instances, block legitimate traffic, so use with discretion.

Also, depending on what rule sets you are using, you may need to adjust the rule IDs for the HTTP server to start properly.

Here’s the first batch of rules:

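Block POSTs to xmlrpc.php that arrive without a Referer header. The disruptive action belongs on the first rule of a chain, so deny is set there explicitly and the chain blocks even when the default action is pass:

SecRule REQUEST_URI "xmlrpc.php" "id:20000045,deny,chain"
SecRule REQUEST_METHOD "POST" "chain"
SecRule &HTTP_REFERER "@eq 0"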

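Block POSTs to “/” for a single website when no Referer header is sent. The URI pattern is anchored so that it matches only the root path (with or without a query string) rather than every URI containing a slash, and deny is set on the first rule so the chain blocks regardless of the default action:

SecRule SERVER_NAME "DOMAIN-GOES-HERE.com" "id:210000068,deny,chain"
SecRule REQUEST_METHOD "POST" "chain"
SecRule REQUEST_URI "^/(\?|$)" "chain"
SecRule &HTTP_REFERER "@eq 0"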

Block HEAD requests from the commonly malicious “Typhoeus” bot:

SecRule REQUEST_METHOD "HEAD" "deny,status:411,id:210000069,chain,msg:'Blocking bad Typhoeus UA'"
SecRule HTTP_User-Agent "Typhoeus"

Block the commonly malicious MJ12bot:

SecRule HTTP_User-Agent "MJ12bot" "deny,status:411,id:210000070,msg:'Blocking MJ12Bot'"

tfmm
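
Since these rules can block legitimate traffic, one way to gauge that before enabling them is to replay an existing access log against the same conditions and see which requests would have been denied. The following is an added example, not part of the original post: it assumes Apache's combined log format for the single site concerned (so the SERVER_NAME check is implicit), reads "POSTs to /" as the exact root path, and uses hypothetical names (`would_block`, `RULES`) and constructed log lines.

```python
import re
from collections import Counter

# Apache "combined" format: host ident user [time] "METHOD URI PROTO" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def no_referer(q):
    # Apache logs a missing Referer header as "-" (the &HTTP_REFERER "@eq 0" link).
    return q["referer"] in ("", "-")

# One predicate per rule on the page; a chain fires only when every link matches.
RULES = {
    "xmlrpc-post": lambda q: "xmlrpc.php" in q["uri"] and q["method"] == "POST" and no_referer(q),
    # Assumption: "POSTs to /" means the exact path "/", query string ignored.
    "root-post": lambda q: q["uri"].split("?", 1)[0] == "/" and q["method"] == "POST" and no_referer(q),
    "typhoeus-head": lambda q: q["method"] == "HEAD" and "Typhoeus" in q["ua"],
    "mj12bot": lambda q: "MJ12bot" in q["ua"],
}

def would_block(lines):
    hits, matched, skipped = Counter(), [], 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1  # not combined format; count it rather than guess
            continue
        names = [name for name, pred in RULES.items() if pred(m.groupdict())]
        hits.update(names)
        if names:
            matched.append((names, line.strip()))
    return hits, matched, skipped

# Constructed sample lines (documentation IP ranges, made-up clients).
SAMPLE = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2024:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "ExampleBlogApp/1.0"',
    '198.51.100.7 - - [01/Jan/2024:10:00:03 +0000] "POST /?s=x HTTP/1.1" 200 90 "https://example.com/" "Mozilla/5.0"',
    '198.51.100.8 - - [01/Jan/2024:10:00:04 +0000] "POST / HTTP/1.1" 200 90 "-" "curl/8.0"',
    '192.0.2.44 - - [01/Jan/2024:10:00:05 +0000] "HEAD /wp-login.php HTTP/1.1" 200 - "-" "Typhoeus - https://github.com/typhoeus/typhoeus"',
    '192.0.2.45 - - [01/Jan/2024:10:00:06 +0000] "GET /robots.txt HTTP/1.1" 200 45 "-" "Mozilla/5.0 (compatible; MJ12bot/v1.4.8)"',
    '192.0.2.46 - - [01/Jan/2024:10:00:07 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Typhoeus"',
]

if __name__ == "__main__":
    hits, matched, skipped = would_block(SAMPLE)
    print(dict(hits), "unparsed:", skipped, *matched, sep="\n")
```

The second sample line is the kind of hit to look for in a real log: a non-browser XML-RPC client that sends no Referer and would be denied along with the unwanted traffic.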
