Resolved Mod_security integration

Dutchie

New Pleskian
We've been using Mod_security for years but the integration into Plesk is a puzzle to us.

I tried to include a rule to block unwanted bots:

In the directory /etc/httpd/conf/modsecurity.d/rules/tortix I've created a file z-custom.conf with:
Include /etc/httpd/conf/modsecurity.d/rules/tortix/modsec/custom.conf

then in /etc/httpd/conf/modsecurity.d/rules/tortix/modsec I've created a custom.conf with:
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile badbots.txt" "id:350001,rev:1,severity:2,log,msg:'BAD BOT - Detected and Blocked. '"

along with a file badbots.txt that contains stuff like Baidu and Yandex

Mod_security logs it fine but the access_log of the sites still gives a 200 for these bots.
I checked with a Useragent plugin in my browser and am indeed not blocked but still logged if I set my useragent to a bot name.

For the sake of testing I edited tortix_waf.conf (I know it gets overwritten) to set SecRuleEngine on which is marked ## at default.

How do I get mod_security to apply my custom rule and actually apply the rule in custom.conf and block the bots in badbots.txt?

example of the log of modsecurity:

--c521c806-H--
Message: Warning. Matched phrase "MJ12bot" at REQUEST_HEADERS:User-Agent. [file "/etc/httpd/conf/modsecurity.d/rules/tortix/modsec/custom.conf"] [line "1"] [id "350001"] [rev "1"] [msg "BAD BOT - Detected and Blocked. "] [severity "CRITICAL"]
Apache-Handler: fcgid-script
Stopwatch: 1464852457789961 427881 (- - -)
Stopwatch2: 1464852457789961 427881; combined=274, p1=2, p2=265, p3=0, p4=0, p5=7, sr=0, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/); 201605281556.
Server: Apache
Engine-Mode: "ENABLED"

Example of the access_log of a site:

51.255.65.78 - - [02/Jun/2016:09:27:12 +0200] "GET /index.php?option=com_content&view=category&id=4&Itemid=43&limitstart=60 HTTP/1.1" 200 6575 "-" "Mozilla/5.0 (compatible; AhrefsBot/5.1; +http://ahrefs.com/robot/)"

Example of error_log of site:

[Thu Jun 02 09:29:29 2016] [error] [client 51.255.65.12] ModSecurity: Warning. Matched phrase "AhrefsBot" at REQUEST_HEADERS:User-Agent. [file "/etc/httpd/conf/modsecurity.d/rules/tortix/modsec/custom.conf"] [line "1"] [id "350001"] [rev "1"] [msg "BAD BOT - Detected and Blocked. "] [severity "CRITICAL"] [hostname "www.xxxxx.nl"] [uri "/index.php/xxxx/images/phocagallery/2"] [unique_id "V0-gWVEEUOEAAHHNb74AAAAN"]
 
If anyone should wonder, I solved it by placing a file badbots.conf in: /etc/httpd/conf/modsecurity.d/rules/tortix

Containing for instance:

SecRule REQUEST_HEADERS:User-Agent "AhrefsBot" \
"id:'300002',phase:2,t:none,log,deny,msg:'Ahrefs bot'"

This works like a charm.
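
An added example, not part of the original posts: a small Python check that reads SecRule directives and reports whether each one carries an explicit blocking action (`deny`, `drop`, `redirect` or `proxy`), run here over the two rules quoted in this thread. It assumes a rule without such an action falls back to a non-blocking `SecDefaultAction` (the ModSecurity 2.x default is `phase:2,log,auditlog,pass`); the names `parse_rules` and `audit` are illustrative.

```python
import re
import shlex

# Actions that stop a request on their own. Without one, a ModSecurity 2.x
# rule inherits its disposition from the SecDefaultAction in effect
# (assumed here to be the non-blocking stock default).
ENFORCING = {"deny", "drop", "redirect", "proxy"}

# Both rules quoted in the thread, copied verbatim.
RULES = r"""
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile badbots.txt" "id:350001,rev:1,severity:2,log,msg:'BAD BOT - Detected and Blocked. '"
SecRule REQUEST_HEADERS:User-Agent "AhrefsBot" \
"id:'300002',phase:2,t:none,log,deny,msg:'Ahrefs bot'"
"""

def parse_rules(text):
    """Yield (rule_id, set_of_action_names) for each SecRule directive."""
    text = re.sub(r"\\[ \t]*\n", " ", text)  # join continuation lines
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        if parts[0] != "SecRule" or len(parts) < 4:
            continue  # no action list to inspect
        # Split on commas that are not inside single-quoted values (msg:'a, b').
        items = re.findall(r"(?:[^,']|'[^']*')+", parts[3])
        actions = {}
        for item in items:
            name, _, value = item.strip().partition(":")
            actions[name.lower()] = value.strip("'")
        yield actions.get("id", "?"), set(actions)

def audit(text):
    """Map rule id -> 'enforcing' or 'log-only', judged by explicit actions."""
    return {
        rule_id: "enforcing" if names & ENFORCING else "log-only"
        for rule_id, names in parse_rules(text)
    }

if __name__ == "__main__":
    for rule_id, verdict in audit(RULES).items():
        print(rule_id, verdict)
```

A "log-only" verdict corresponds to the `Warning. Matched phrase ...` entries shown in the logs above, where the request is recorded but still answered with a 200.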
 