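# DreamHost-local ModSecurity rules layered on top of the CRS. Local rule ids use the
# 1980000-1999999 range (plus a couple of legacy ids). The ids listed in the next comment were
# dropped, not ported, when the set was made loadable by modsec3/nginx.
# removed the following for modsec3 nginx compat (noble 5/20/2022)
# 1990001 1990003 1990011 1990024 1990025 1990026 1990028 1990029 1990032 1990033 1990035 1990038 1990040 1990050 1990052 1990054 1990056 1990059 1990062 1990063 1990069 1990073 1990075 1990078 1990084 1990082

#Whitelist IP list
# REMOTE_ADDR is the TCP peer address. Behind a reverse proxy or CDN that is the proxy, so an
# entry for a proxy here turns the engine off (ctl:ruleEngine=off) for every request it forwards,
# in every phase. Keep dh_whitelist_ip.data limited to hosts that really need to bypass the WAF.
SecRule REMOTE_ADDR "@ipMatchFromFile dh_whitelist_ip.data" "id:1000,phase:1,nolog,allow,ctl:ruleEngine=off"

# ignored modsecurity_crs_42_comment_spam.conf rules and rules pertaining to php function names
SecRuleRemoveById 981137 981138 981139 981140 999010 999011 950923 950020 933150 933210 933120

# Six or more "../" segments anywhere in the URI or request headers (Referer excluded, it carries
# arbitrary third-party URLs). Matched after HTML-entity decoding and lowercasing; %{TX.0} is the
# captured match for the log.
SecRule REQUEST_URI|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "\.\./\.\./\.\./\.\./\.\./\.\." \
    "phase:1,capture,t:htmlEntityDecode,t:lowercase,deny,log,auditlog,msg:'Deep directory recursion',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'CRITICAL',id:1980000"

# phase:1 means ARGS/ARGS_NAMES here cover only query-string parameters; request-body parameters
# are not available until phase 2. That is deliberate for a header-time rule, but do not expect
# this to see POSTed payloads.
SecRule REQUEST_URI|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "\./proc/self/environ" \
    "phase:1,capture,t:htmlEntityDecode,t:lowercase,deny,log,auditlog,msg:'/proc/self/environ access',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'CRITICAL',id:1980001"

# Same phase:1 caveat as 1980001 (query-string arguments only).
SecRule REQUEST_URI|ARGS|ARGS_NAMES "\.\./etc/(?:passwd|shadow)" \
    "phase:1,capture,t:htmlEntityDecode,t:lowercase,deny,log,auditlog,msg:'passwd/shadow access',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'CRITICAL',id:'1980002'"

# WP sql injection attack plaguing us 2008-11-26
# No explicit phase, so the chain runs in the SecDefaultAction phase (phase 2 when none is set),
# which is what ARGS:cat needs. Both links must match before the deny applies.
SecRule REQUEST_URI "/index.php" "chain,log,deny,id:1989998,msg:'WP SQLi attack'"
SecRule ARGS:cat ".?[0-9]+.UNION.SELECT"

## WP hack 04/17/09
# Detection only: this rule carries no disruptive action of its own, so it inherits whatever
# SecDefaultAction specifies for phase 1 (typically pass). The original carried two msg: actions;
# only the last one is kept by the engine, so the redundant first one ("WP Issue id ...") was
# removed and the surviving message's spelling fixed.
SecRule REQUEST_HEADERS:Cookie "_wp_debugger=" \
    "phase:1,log,auditlog,severity:'CRITICAL',id:'1234512345',tag:'POLICY/WPHACK',msg:'Legacy WordPress cookie vulnerability'"

# rl blocking
# Response-body rule: only effective when SecResponseBodyAccess is On and the response MIME type
# is in SecResponseBodyMimeType. In phase 4 the response has already been produced; deny replaces
# it with the error status so the shell output never reaches the client.
SecRule RESPONSE_BODY ">by eqbal, updated by szalinski<" "phase:4,nolog,auditlog,deny,id:1989999,msg:'Known shell content'"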
# Known backdoor entry points. NOTE(review): in both chains the disruptive action (block) sits on
# the second link, but ModSecurity takes the disruptive action and metadata from the first rule
# of a chain, so whether these actually block depends on SecDefaultAction for phase 1. Moving
# "block,nolog,auditlog" onto the first rule would make the intent explicit. Also, in phase 1
# ARGS holds only query-string parameters, so a POSTed GO=/action= is not seen here.
SecRule REQUEST_URI "/audl.php" "chain,id:1990000,phase:1,msg:'Known backdoor'"
SecRule ARGS:GO "GO" "setenv:pirated,block,nolog,auditlog"

SecRule REQUEST_URI "/auul.php" "chain,id:1990002,phase:1,msg:'Known backdoor'"
SecRule ARGS:action "upload" "setenv:pirated,block,nolog,auditlog"

# ZenCart 1.3.8 remote code execution attack -- http://www.milw0rm.com/exploits/9004
# Five-link chain; deny is on the first link as it should be. No phase is given, so it runs in
# the SecDefaultAction phase; FILES_NAMES and ARGS:record_company_name require phase 2 or later.
SecRule REQUEST_URI "/admin/record_company.php/password_forgotten.php" "chain,id:1990004,deny,msg:'ZenCart 1.3.8 RCE'"
SecRule REQBODY_PROCESSOR "MULTIPART" "chain"
SecRule FILES_NAMES "record_company_image" "chain"
SecRule ARGS:action "insert" "chain"
SecRule ARGS:record_company_name "0"

# This rule prevents the requests made to anything located in a ".sys" folder that's all -- Robert R
# One specific attacker is uploading a backdoor and malware into a folder named .sys -- then distribute it via spam
# Appears that these attacks may be related to the customer's computer being compromised itself
# NOTE(review): the comment above says "prevents", but the action is allow, which lets the request
# through AND stops the remaining phase-1 rules for it. If the intent is to block, this should be
# deny; if the intent is only to tag the transaction (tx.ruleid) for a downstream consumer, pass
# keeps the rest of the rule set active. Confirm which was meant.
SecRule REQUEST_URI "/\.sys/" "phase:1,setvar:tx.ruleid=1990007,id:1990007,allow,msg:'Known compromise indicator'"

# SecRule ID 1990008 removed due to frequent false positives

# PHP coded User Agent -- Robert R.
SecRule REQUEST_HEADERS:User-Agent "eval\(base64_decode\(" "phase:1,deny,setvar:tx.ruleid=1990012,id:1990012,msg:'Obfuscated PHP eval() in User-Agent'"

# directory traversal -- Robert R.
# The character class [\.|/] also matches a literal "|" (the alternation bar is not special inside
# []); harmless over-match, but [./]+ is what is meant. No phase given, so SecDefaultAction's
# phase applies; ARGS needs phase 2 to include request-body parameters.
SecRule ARGS "^[\.|/]+(proc/|dev/shm/)" "deny,t:normalisePath,setvar:tx.ruleid=1990013,id:1990013,msg:'Directory traversal'"

# NULL byte at end of URI -- Robert R.
# REQUEST_URI is not URL-decoded, so the percent-encoded form is matched literally.
SecRule REQUEST_URI "%00+$" "phase:1,deny,setvar:tx.ruleid=1990014,id:1990014,msg:'NULL byte at end of URI'"

# c99 and other shell backdoor, common password -- Robert R.
# Default password of a family of PHP web shells, checked in a POST field, a cookie and any header.
# 1990017 has no phase, so it runs in the SecDefaultAction phase (ARGS_POST needs phase 2).
SecRule ARGS_POST:pass "mikjhljiu" "setvar:tx.ruleid=1990017,id:1990017,deny,msg:'Known backdoor/shell credentials'"
SecRule REQUEST_COOKIES:dgpass "mikjhljiu" "phase:1,setvar:tx.ruleid=1990018,id:1990018,deny,msg:'Known backdoor/shell credentials'"
SecRule REQUEST_HEADERS "mikjhljiu" "phase:1,setvar:tx.ruleid=1990019,id:1990019,deny,msg:'Known backdoor/shell credentials'"

# Excessive arguments/cookies/etc... causes hash variable collision DoS -- Robert R.
# http://events.ccc.de/congress/2011/Fahrplan/events/4680.en.html
# Count operators (&VAR). Log-only: pass is the disruptive action, so these just record the event.
SecRule &REQUEST_COOKIES_NAMES "@gt 5000" "pass,log,setvar:tx.ruleid=1990030,id:1990030"
SecRule &ARGS "@gt 5000" "pass,log,setvar:tx.ruleid=1990031,id:1990031"

# Mr sality backdoor pass
# NOTE(review): both rules use allow, which admits the request and skips the remaining rules of
# the phase for it. For a known backdoor marker that looks inverted; deny (or pass, if only the
# tx.ruleid tag is wanted) is what the msg suggests. Confirm the intent before changing.
SecRule ARGS:ses "mr.sality" "setvar:tx.ruleid=1990036,id:1990036,allow,msg:'Mr. Sality backdoor'"
SecRule REQUEST_HEADERS "mr.sality" "phase:1,allow,setvar:tx.ruleid=1990037,id:1990037,msg:'Mr. Sality backdoor'"

#China based Spider/Botnet that hammers CGI
# Unescaped dots stand in for the punctuation of the stock IE6/XP SP2 User-Agent. nolog,auditlog:
# no error-log line, but the transaction is still written to the audit log.
SecRule REQUEST_HEADERS:User-Agent "^Mozilla.4.0 .compatible. MSIE 6.0. Windows NT 5.1. SV1.$" "phase:1,setvar:tx.ruleid=1990051,id:1990051,nolog,auditlog,deny,msg:'Known faked User-Agent, closely associated with Chinese botnets'"

#Joomla Com_JCE Exploit Block
# Literal substring match on the request line (parameter order must be exactly this).
SecRule REQUEST_LINE "@contains option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form" "phase:1,id:1990055,log,deny,msg:'Joomla Com_JCE exploit'"

#Bash Exploit Mitigation CVE-2014-6271
# Shellshock function-definition prefix. Header/request-line checks run in phase 1; the ARGS,
# ARGS_NAMES and FILES_NAMES checks run in phase 2 so request-body parameters are included.
SecRule REQUEST_HEADERS "^\(\) {" "phase:1,deny,id:1990064,msg:'CVE-2014-6271 - Bash Attack'"
SecRule REQUEST_LINE "\(\) {" "phase:1,deny,id:1990065, msg:'CVE-2014-6271 - Bash Attack'"
SecRule ARGS_NAMES "^\(\) {" "phase:2,deny,id:1990066 ,msg:'CVE-2014-6271 - Bash Attack'"
SecRule ARGS "^\(\) {" "phase:2,deny,id:1990067,msg:'CVE-2014-6271 - Bash Attack'"
SecRule FILES_NAMES "^\(\) {" "phase:2,deny,id:1990068,msg:'CVE-2014-6271 - Bash Attack'"

#Web Shell Command Blocking
# t:base64decode is applied first, so the keyword list is matched against the base64-DECODED
# value of each argument: this catches base64-wrapped shell commands, not plaintext "curl" etc.
# NOTE(review): @pm is case-insensitive in ModSecurity 2.x, so WQGP/wqgp appear redundant, and
# ",amo" is a substring of ",amo!" so the latter adds nothing — confirm before trimming.
SecRule ARGS "@pm urlencode curl_init preg_ wget GLOBALS base64_decode passwd ,amo! ,amo WQGP wqgp curl ../../" "t:base64decode,log,deny,id:1990070,msg:'Common known arguments for backdoor shell present in %{MATCHED_VAR_NAME}'"

#RevSlider_Show_Image vulnerability - http://themeforest.net/forums/thread/slider-revolution-plugin-critical-vulnerability-being-exploited/141223
# Any query-string argument containing "wp-config.php" (the RevSlider LFI read that file).
SecRule ARGS_GET "wp-config.php" "phase:1,id:1990071,log,deny,msg:'wp-config.php Local File Inclusion Attempt'"

#Base64 encoded Spammer Command block
# Matches the PHP-serialized empty array "a:0:{}" after base64 decoding ARGS:passes.
# No phase given; ARGS:passes from a request body needs phase 2.
SecRule ARGS:passes "a:0:{}" "t:base64decode,log,deny,id:1990072,msg:'base64-encoded spammer command'"

#WordPress 2.2 xmlrpc.php SQLi blocks incompatible with Jetpack in WP 4.X+
SecRuleRemoveById 2004654 2004655 2004656 2004657 2004658 2004659

#WordPress DOM XSS
SecRule REQUEST_LINE "/genericons/example.html" "phase:1,deny,log,id:1990077,msg:'WP DOM XSS'"

#bots searching for low-hanging fruit in backup config files
# Direct requests for /config.* or /wp-config.* (and /configuration.*) with backup-style
# extensions: .php .bak .back .off .org .orig. Anchored at the site root.
SecRule REQUEST_URI "^/(?:wp-)?config(?:uration)?\.(?:php|bac?k|off|ori?g)" "phase:1,id:1990079,deny,msg:'Bot searching for config file'"

#SQLMap and Masscan Default User-Agent Block
SecRule REQUEST_HEADERS:User-Agent "@pm sqlmap masscan" "phase:1,t:lowercase,deny,id:1990087,log,msg:'Block Scans by SQLMap & Masscan UA'"

#WordPress scan by abdullkarem
SecRule QUERY_STRING "abdullkarem" "phase:1,deny,id:1990088,log,msg:'WordPress Exploit Scan'"

#Obfuscated SQLi Injection
# Fixed hex marker string seen in a specific SQLi probe campaign.
SecRule ARGS "0x4142433134355a5136324457514146504f4959434644" "phase:1,deny,id:1990089,log,msg:'Obfuscated SQLi'"

#Blind SQLi using sleep() and benchmark()
# NOTE(review): phase:1 means only query-string arguments are inspected; the same payload in a
# POST body is not seen. phase:2 would cover both, at the cost of inspecting post content
# (e.g. blog posts that mention sleep()). Decide deliberately; same applies to 1990091 below.
SecRule ARGS_NAMES|ARGS "(?i:(sleep\((\s*?)(\d*?)(\s*?)\)|benchmark\((.*?)\,(.*?)\)))" "phase:1,id:'1990090',t:urlDecodeUni,deny,msg:'Detects blind sqli tests using sleep() or benchmark().'"

#Block hex encoded ARGS used for SQLi
# 0x followed by at least three hex digits, not preceded by a digit. Query-string only (phase:1).
SecRule ARGS_NAMES|ARGS "(?i:(?:\A|[^\d])0x[a-f\d]{3,}[a-f\d]*)+" "phase:1,id:'1990091',t:urlDecodeUni,deny,msg:'SQL Hex Encoding Identified'"

#WP 4.7-4.7.1 REST API Content Injection - https://www.exploit-db.com/exploits/41223/
# This catches GET and urlencoded-POST parameters
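# Requests to /wp/v2/<type>/<numeric id> whose "id" parameter is not purely numeric (the
# WP 4.7.0/4.7.1 REST API privilege-escalation bypass). phase:2, so ARGS covers the query string,
# urlencoded bodies and — once the JSON body processor is enabled by 1990093 — JSON bodies too.
SecRule REQUEST_URI "@rx wp/v2/[\w_-]+/\d+" "phase:2,id:'1990092',log,deny,msg:'Block WordPress API Content Injection',chain"
SecRule ARGS:id "!@rx ^\d+$" "t:none"

# JSON requests to the same endpoints. The original version of this rule tried to deny on ARGS:id
# in phase 1, where the request body has not been read yet, so the JSON-encoded id was never
# inspected. Now it only switches on the JSON body processor (Content-Type application/json) in
# phase 1; the actual check is done by 1990092 in phase 2, which then sees the JSON "id" in ARGS.
SecRule REQUEST_URI "@rx wp/v2/[\w_-]+/\d+" "phase:1,id:'1990093',pass,nolog,chain"
SecRule REQUEST_HEADERS:Content-Type "application/json" "t:none,t:lowercase,ctl:requestBodyProcessor=JSON"

#User-Agent Blocks - Joomla/WP Exploit/Spam Bots
# Exact-match (anchored) User-Agent strings; parentheses are escaped so they match literally.
SecRule REQUEST_HEADERS:User-Agent "^Mozilla/5.0 \(X11; U; Linux i686; en-US\) U2/1.0.0 UCBrowser/9.3.1.344$" "phase:1,id:1990094,log,auditlog,deny,msg:'Malicious Bot UA'"
SecRule REQUEST_HEADERS:User-Agent "^Mozilla/5.0 \(X11; Linux x86_64\) AppleWebKit/537.36 \(KHTML, like Gecko\) Chrome/31.0.1650.48 Safari/537.36$" "phase:1,id:1990095,log,auditlog,deny,msg:'Malicious Bot UA'"
SecRule REQUEST_HEADERS:User-Agent "^Mozilla/5.0 \(X11; Linux x86_64; rv:29.0\) Gecko/20100101 Firefox/29.0 SeaMonkey/2.26$" "phase:1,id:1990096,log,auditlog,deny,msg:'Malicious Bot UA'"
SecRule REQUEST_HEADERS:User-Agent "^Mozilla/5.0 \(X11; Ubuntu; Linux i686; rv:24.0\) Gecko/20100101 Firefox/24.0$" "phase:1,id:1990097,log,auditlog,deny,msg:'Malicious Bot UA'"
SecRule REQUEST_HEADERS:User-Agent "^Mozilla/5.0 \(Windows NT 6.1; WOW64; rv:40.0\) Gecko/20100101 Firefox/40.1$" "phase:1,id:1990098,log,auditlog,deny,msg:'Malicious Bot UA'"

#WordPress Python User-Agent wp-login.php brute force mitigation
# Chain: the specific python-requests UA AND a wp-login.php URI; deny is on the first link.
SecRule REQUEST_HEADERS:User-Agent "python-requests/2.18.4" "phase:1,id:1990101,log,auditlog,chain,deny,msg:'Malicious Bot UA'"
SecRule REQUEST_URI "/wp-login.php"

#User-Agent Block - WP Attacks
SecRule REQUEST_HEADERS:User-Agent "^Mozilla/5.0 \(Macintosh; U; Intel Mac OS X 10.6; fr; rv:1.9.2.8\) Gecko/20100722 Firefox/3.6.8$" "phase:1,id:1990102,log,auditlog,deny,msg:'Malicious Bot UA'"

#User-Agent Block - WP Attacks
# Parentheses were previously unescaped, turning "(Windows NT 6.1; WOW64)" etc. into regex groups;
# the anchored pattern then required a UA with no parentheses at all and never matched the
# intended string. Escaped here, consistent with 1990094-1990102.
SecRule REQUEST_HEADERS:User-Agent "^Mozilla/5.0 \(Windows NT 6.1; WOW64\) AppleWebKit/537.36 \(KHTML, like Gecko\) Chrome/36.0.1985.143 Safari/537.36$" "phase:1,id:1990104,log,auditlog,deny,msg:'Malicious Bot UA'"
SecRule REQUEST_HEADERS:User-Agent "^Mozilla/5.0 \(Windows NT 6.1; Win64; x64; rv:64.0\) Gecko/20100101 Firefox/64.0$" "phase:1,id:1990105,log,auditlog,deny,msg:'Malicious Bot UA'"

#User-Agent Block - Javascript
SecRule REQUEST_HEADERS:User-Agent "^><script type=text/javascript src=" "phase:1,id:1990106,log,auditlog,deny,msg:'Javascript include in UA'"

# blocks from EAP on 05/01/2020 WP Attacks
# 1990107 matches a User-Agent that is exactly "Mozilla" and nothing else.
SecRule REQUEST_HEADERS:User-Agent "^Mozilla$" "phase:1,id:1990107,log,auditlog,deny,msg:'Bot UA - Mozilla'"
SecRule REQUEST_URI "php.suspected$" "phase:1,id:1990108,deny,log,auditlog,msg:'WP exploit pack files'"

# Unique Accept-Language header in DDOS Script - TRASH FLOOD BY SERPICO
SecRule REQUEST_HEADERS:Accept-Language "^en-US,en;q=0.9,he-IL;q=0.8,he;q=0.7,fr;q=0.6$" "phase:1,id:1990109,log,deny,msg:'DDOS - TRASH FLOOD BY SERPICO'"

#DDOS vs. load-scripts.php in WordPress
# The oversized "load" list used by the load-scripts.php amplification; phase:2 so POSTed
# parameters are included. deny is on the first link of the chain.
SecRule ARGS "@contains eutil,common,wp-a11y,sack,quicktag,colorpicker,editor,wp-fullscreen-stu,wp-ajax-response,wp-api-request,wp-pointer,autosave,heartbeat,wp-auth-check,wp-lists,prototype,scriptaculous-root,scriptaculous-builder" "chain,phase:2,id:1990110,log,deny,msg:'DDOS load-scripts.php'"
SecRule REQUEST_URI "/load-scripts.php"

# blocking outdated Apple UA that was only used for scraping wp-config files
SecRule REQUEST_HEADERS:User-Agent "^Mozilla\/5.0 \(iPhone\; CPU iPhone OS 6_1_2 like Mac OS X\)" "phase:1,id:1990112,log,auditlog,deny,msg:'Outdated Apple UA - scraping wp-config files'"

#WordPress File Manager Plug-in Exploit https://www.wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/
SecRule REQUEST_URI "@contains /connector.minimal.php" "phase:1,id:'1990113',log,deny,msg:'Block WordPress File Manager Exploit'"

#IDBTE4M CoDE87 User agent for attack tools
SecRule REQUEST_HEADERS:User-Agent "IDBTE4M CODE87" "phase:1,id:1990114,log,auditlog,deny,msg:'Malicious Bot UA: IDBTE4M'"

# block log4j crawling
# NOTE(review): as anchored this only fires on a User-Agent that is exactly "jndi:ldap"; the JNDI
# lookup string is normally embedded in a longer value and other protocols are used, so this rule
# is unlikely to match real probes. An unanchored, case-insensitive match on "jndi:" across
# REQUEST_HEADERS|ARGS would be the usual coverage — validate against traffic before widening.
SecRule REQUEST_HEADERS:User-Agent "^jndi:ldap$" "phase:1,id:1990115,log,auditlog,deny,msg:'Log4j2 exploit crawling'"

#Block keywords in Mailer scripts used for spam
# Response-body rule: requires SecResponseBodyAccess On and a matching SecResponseBodyMimeType.
# spam-mailer.data is resolved relative to this configuration file's directory.
SecRule RESPONSE_BODY "@pmFromFile spam-mailer.data" "phase:4,nolog,auditlog,deny,id:1990116,msg:'Mailer spam script'"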