• Our team is looking to connect with folks who use email services provided by Plesk, or a premium service. If you'd like to be part of the discovery process and share your experiences, we invite you to complete this short screening survey. If your responses match the persona we are looking for, you'll receive a link to schedule a call at your convenience. We look forward to hearing from you!
  • We are looking for U.S.-based freelancer or agency working with SEO or WordPress for a quick 30-min interviews to gather feedback on XOVI, a successful German SEO tool we’re looking to launch in the U.S.
    If you qualify and participate, you’ll receive a $30 Amazon gift card as a thank-you. Please apply here. Thanks for helping shape a better SEO product for agencies!
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.

Question Custom rules for Mod Seruity 3.0 Nginx - WordPress protection

brother4

brother4

Basic Pleskian
Server operating system version
Ubuntu 22.04
Plesk version and microupdate number
Plesk Obsidian 18.0.64 Web Host Edition
Hey!
I would like to block an IP if any of the following URLs are accessed three times. Essentially, if a bot tries to access these files multiple times, it should be automatically blocked:
  • /wp-content/plugins/index.php
  • /admin/function.php
  • /wp-admin/user/network.php
  • /wp-content/plugins/core-plugin/include.php
Below is the code I came up with. I want to confirm if this setup will work correctly for Plesk with NGINX v3.0 and ModSecurity (Comodo) and if this implementation makes sense. Specifically, I'd like to know if this approach effectively logs the attempt and then silently drops the connection, eventually leading to IP blocking after repeated suspicious requests. I don't want to give any specific status codes back to the client to avoid tipping off attackers.

Code: 
# Custom rule to monitor and block IP addresses for specific file requests
SecRule REQUEST_URI "@streq /wp-content/plugins/index.php" \
    "id:20001,phase:2,log,drop,msg:'Suspicious access detected to /wp-content/plugins/index.php',t:none,tag:'security',setvar:'ip.block_counter=+1',expirevar:'ip.block_counter=3600'"

SecRule REQUEST_URI "@streq /admin/function.php" \
    "id:20002,phase:2,log,drop,msg:'Suspicious access detected to /admin/function.php',t:none,tag:'security',setvar:'ip.block_counter=+1',expirevar:'ip.block_counter=3600'"

SecRule REQUEST_URI "@streq /wp-admin/user/network.php" \
    "id:20003,phase:2,log,drop,msg:'Suspicious access detected to /wp-admin/user/network.php',t:none,tag:'security',setvar:'ip.block_counter=+1',expirevar:'ip.block_counter=3600'"

SecRule REQUEST_URI "@streq /wp-content/plugins/core-plugin/include.php" \
    "id:20004,phase:2,log,drop,msg:'Suspicious access detected to /wp-content/plugins/core-plugin/include.php',t:none,tag:'security',setvar:'ip.block_counter=+1',expirevar:'ip.block_counter=3600'"

# Rule to automatically block an IP after multiple suspicious access attempts
SecRule IP:block_counter "@ge 3" \
    "id:20005,phase:1,log,drop,msg:'IP blocked due to multiple suspicious requests',t:none,setvar:'ip.block=1',expirevar:'ip.block=86400'"

  1. Will this setup work correctly with Plesk NGINX v3.0 and ModSecurity (Comodo Ruleset)?
  2. Does the use of drop (instead of deny) ensure that attackers do not receive any hints about why their connection was blocked?
  3. Is there anything I need to adjust or be aware of for this configuration to work smoothly in Plesk with NGINX as the web server?
Thank you!
 
Unfortunately I don't know the exact answers to your three questions as I don't have much experience with custom ModSecurity rules. However if your objective is to ban/block any IP address which tries to access any of the URL's, you could also create a custom fail2ban filter and jail to accomplish that. Which I think is probably a bit more straight forward as it function independently from Nginx or Apache and any ModSecurity ruleset you're using,
 
@Kaspar Unfortunately, for a few days now, thousands of such bots have been sending corresponding requests to the web urls within a few hours, which places a heavy load on the CPU. These requests are contained in each of these bot IPs. And are apparently not recognized by the previous Fail2Ban rules or ModSecurity filters (Comodo).

The plan was to include this in the custom instructions in the Plesk backend in the Mod Secuirty settings (/admin/web-app-firewall/settings)
 
You must log in or register to reply here.

Similar threads

I
Issue Modsecurity stops working every night
Replies
13
Views
7K
ivanes82
I
S
Issue Need Help Whitelisting GTM Noscript in Comodo WAF Rule 214540 on Plesk
Replies
0
Views
179
SquanchIt
S
L
Resolved ModSecurity: Access denied with code 403 (phase 2). Match of "contains /wp-json/yoast/"
Replies
7
Views
9K
loman
L
S
Resolved Geo blocking for subscriptions / domains ?
Replies
8
Views
3K
shopuser
S
S
Question Can modsecurity be used to exclude bot agents ?
Replies
1
Views
2K
A_SH
A_SH
Back
Top