• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Resolved Mod_security integration

Dutchie

New Pleskian
We've been using Mod_security for years but the integration into Plesk is a puzzle to us.

I tried to include a rule to block unwanted bots:

In the directory /etc/httpd/conf/modsecurity.d/rules/tortix I've created a file z-custom.conf with:
Include /etc/httpd/conf/modsecurity.d/rules/tortix/modsec/custom.conf

then in /etc/httpd/conf/modsecurity.d/rules/tortix/modsec I've created a custom.conf with:
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile badbots.txt" "id:350001,rev:1,severity:2,log,msg:'BAD BOT - Detected and Blocked. '"

along with a file badbots.txt that contains stuff like Baidu and Yandex

Mod_security logs it fine but the access_log of the sites still give a 200 for these bots.
I checked with a Useragent plugin in my browser and am indeed not blocked but still logged if I set my useragent to a bot name.

For the sake of testing I edited tortix_waf.conf (I know it gets overwritten) to set SecRuleEngine on wich is marked ## at default.

How do I get mod_security to apply my custom rule and actually apply the rule in custom.conf and block the bots in badbots.txt?

example of the log of modsecurity:

--c521c806-H--
Message: Warning. Matched phrase "MJ12bot" at REQUEST_HEADERS:User-Agent. [file "/etc/httpd/conf/modsecurity.d/rules/tortix/modsec/custom.conf"] [line "1"] [id "350001"] [rev "1"] [msg "BAD BOT - Detected and Blocked. "] [severity "CRITICAL"]
Apache-Handler: fcgid-script
Stopwatch: 1464852457789961 427881 (- - -)
Stopwatch2: 1464852457789961 427881; combined=274, p1=2, p2=265, p3=0, p4=0, p5=7, sr=0, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/); 201605281556.
Server: Apache
Engine-Mode: "ENABLED"

Example of the acces_log of a site:

51.255.65.78 - - [02/Jun/2016:09:27:12 +0200] "GET /index.php?option=com_content&view=category&id=4&Itemid=43&limitstart=60 HTTP/1.1" 200 6575 "-" "Mozilla/5.0 (compatible; AhrefsBot/5.1; +http://ahrefs.com/robot/)"

Example of error_log of site:

[Thu Jun 02 09:29:29 2016] [error] [client 51.255.65.12] ModSecurity: Warning. Matched phrase "AhrefsBot" at REQUEST_HEADERS:User-Agent. [file "/etc/httpd/conf/modsecurity.d/rules/tortix/modsec/custom.conf"] [line "1"] [id "350001"] [rev "1"] [msg "BAD BOT - Detected and Blocked. "] [severity "CRITICAL"] [hostname "www.xxxxx.nl"] [uri "/index.php/xxxx/images/phocagallery/2"] [unique_id "V0-gWVEEUOEAAHHNb74AAAAN"]
 
Last edited:
If anyone should wonder, I solved it by placing a file badbots.conf in: /etc/httpd/conf/modsecurity.d/rules/tortix

Containing for instance:

SecRule REQUEST_HEADERS:User-Agent "AhrefsBot" \
"id:'300002',phase:2,t:none,log,deny,msg:'Ahrefs bot'"

This works like a charm.
 
Back
Top