
Resolved Mod_security integration

Dutchie

New Pleskian
We've been using Mod_security for years but the integration into Plesk is a puzzle to us.

I tried to include a rule to block unwanted bots:

In the directory /etc/httpd/conf/modsecurity.d/rules/tortix I've created a file z-custom.conf with:
Include /etc/httpd/conf/modsecurity.d/rules/tortix/modsec/custom.conf

then in /etc/httpd/conf/modsecurity.d/rules/tortix/modsec I've created a custom.conf with:
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile badbots.txt" "id:350001,rev:1,severity:2,log,msg:'BAD BOT - Detected and Blocked. '"

along with a file badbots.txt that contains stuff like Baidu and Yandex

Mod_security logs it fine, but the access_log of the sites still gives a 200 for these bots.
I checked with a Useragent plugin in my browser and am indeed not blocked but still logged if I set my useragent to a bot name.

For the sake of testing I edited tortix_waf.conf (I know it gets overwritten) to set SecRuleEngine on, which is marked ## by default.

How do I get mod_security to apply my custom rule and actually apply the rule in custom.conf and block the bots in badbots.txt?

example of the log of modsecurity:

--c521c806-H--
Message: Warning. Matched phrase "MJ12bot" at REQUEST_HEADERS:User-Agent. [file "/etc/httpd/conf/modsecurity.d/rules/tortix/modsec/custom.conf"] [line "1"] [id "350001"] [rev "1"] [msg "BAD BOT - Detected and Blocked. "] [severity "CRITICAL"]
Apache-Handler: fcgid-script
Stopwatch: 1464852457789961 427881 (- - -)
Stopwatch2: 1464852457789961 427881; combined=274, p1=2, p2=265, p3=0, p4=0, p5=7, sr=0, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/); 201605281556.
Server: Apache
Engine-Mode: "ENABLED"

Example of the access_log of a site:

51.255.65.78 - - [02/Jun/2016:09:27:12 +0200] "GET /index.php?option=com_content&view=category&id=4&Itemid=43&limitstart=60 HTTP/1.1" 200 6575 "-" "Mozilla/5.0 (compatible; AhrefsBot/5.1; +http://ahrefs.com/robot/)"

Example of error_log of site:

[Thu Jun 02 09:29:29 2016] [error] [client 51.255.65.12] ModSecurity: Warning. Matched phrase "AhrefsBot" at REQUEST_HEADERS:User-Agent. [file "/etc/httpd/conf/modsecurity.d/rules/tortix/modsec/custom.conf"] [line "1"] [id "350001"] [rev "1"] [msg "BAD BOT - Detected and Blocked. "] [severity "CRITICAL"] [hostname "www.xxxxx.nl"] [uri "/index.php/xxxx/images/phocagallery/2"] [unique_id "V0-gWVEEUOEAAHHNb74AAAAN"]
 
If anyone should wonder, I solved it by placing a file badbots.conf in: /etc/httpd/conf/modsecurity.d/rules/tortix

Containing for instance:

SecRule REQUEST_HEADERS:User-Agent "AhrefsBot" \
"id:'300002',phase:2,t:none,log,deny,msg:'Ahrefs bot'"

This works like a charm.
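
Added example, not part of the original posts: the rule from the question next to a blocking version that keeps the badbots.txt phrase list. The logs in the question show custom.conf was already being loaded and matched; the rule carried no disruptive action, and the "Warning." entries show none was inherited. File names and the rule id are the ones from the question; rev:2 and status:403 are choices made for this example.

```apache
# Added example, not from the original posts.

# Before (as posted): the action list has log and msg but no disruptive
# action, so a match is written to the logs as "Warning." and the request
# is still served with 200.
# SecRule REQUEST_HEADERS:User-Agent "@pmFromFile badbots.txt" \
#     "id:350001,rev:1,severity:2,log,msg:'BAD BOT - Detected and Blocked. '"

# After: same phrase file, with an explicit phase and a disruptive action.
# - phase:2 and deny mirror the rule from the accepted fix above.
# - status:403 sets the response code returned to the client.
# - A relative @pmFromFile path is resolved against the directory of the
#   file that contains the rule, so badbots.txt stays next to custom.conf.
# - badbots.txt holds one phrase per line (for example AhrefsBot, MJ12bot).
# - The id must stay unique across every rule file that is loaded.
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile badbots.txt" \
    "id:350001,rev:2,phase:2,t:none,log,deny,status:403,severity:2,msg:'BAD BOT - Detected and Blocked.'"
```

After reloading Apache, a request with a listed User-Agent should show 403 in the site's access_log, and the error_log entry should begin with "Access denied with code 403 (phase 2)" instead of "Warning.".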
 