Mod security
From TMM Wiki
Jump to navigationJump to searchGeneral Information on modsecurity & modsececurity2
- The ruleset(s) provided by modsecurity/modsececurity2 will affect NATS processes and these rules are enabled by default. These default ruleset(s) need to be disabled so they will not get used.
- Host can create custom rules that only apply for things outside of NATS
- Host's responsibility to ensure that these rules don't affect NATS functions on NATS domain & linkdomains
Example Custom Rules for ModSecurity2
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)
You can create customized rules with modsecurity2, to rate-limit by ip, request vars being sent, etc. These are example rules that will rate-limit requests and prevent bot spam. You can use these rulesets as a reference, but be aware that you are responsible for your configuration and that you should NOT use the default rulesets provided by modsececurity2.
Member Signup Throttling
Rate-limit to 75 requests to signup/signup.php using the same password or email within a 10 minute period.
<Location /signup/signup.php>
# needs to be enabled to read POST data
SecRequestBodyAccess On
# jump to SecMarker if signup[password] variable is not passed in request
SecRule ARGS:signup[password] "^$" "phase:2,id:'981041',t:none,nolog,pass,skipAfter:END_BRUTE_FORCE_PROTECTION_CHECKS1"
# set 'RESOURCE' to value of signup[password] if it is not blank
SecRule ARGS:signup[password] ".*" "phase:2,id:'1',chain,t:none,nolog,pass"
SecAction initcol:RESOURCE=%{ARGS.signup[password]}
# enforce an existing block
SecRule RESOURCE:bf_block "@eq 1" \
"id:2,phase:2,deny,\
msg:'Password \"%{ARGS.signup[password]}\" blocked because of suspected brute-force attack'"
# set or increase count of how many times a signup[password] value was used and have it expire after 600 seconds
SecRule ARGS:signup[password] ".*" "phase:5,id:3,t:none,nolog,pass,setvar:RESOURCE.bf_counter=+1,expirevar:RESOURCE.bf_counter=600"
# check for too many requests for a single signup[password] value and block future requests that contain that value
SecRule RESOURCE:bf_counter "@ge 75" \
"id:4,phase:5,t:none,pass,\
setvar:RESOURCE.bf_block,\
setvar:!RESOURCE.bf_counter,\
expirevar:RESOURCE.bf_block=600"
# jump to this point if signup[password] is not passed in request
SecMarker END_BRUTE_FORCE_PROTECTION_CHECKS1
# jump to SecMarker if signup[password:1:6:16:::password_check] variable is not passed in request
SecRule ARGS:signup[password:1:6:16:::password_check] "^$" "phase:2,id:'981042',t:none,nolog,pass,skipAfter:END_BRUTE_FORCE_PROTECTION_CHECKS2"
# set 'RESOURCE' to value of signup[password:1:6:16:::password_check] if it is not blank
SecRule ARGS:signup[password:1:6:16:::password_check] ".*" "phase:2,id:'5',chain,t:none,nolog,pass"
SecAction initcol:RESOURCE=%{ARGS.signup[password:1:6:16:::password_check]}
# enforce an existing block
SecRule RESOURCE:bf_block "@eq 1" \
"id:6,phase:2,deny,\
msg:'Password \"%{ARGS.signup[password:1:6:16:::password_check]}\" blocked because of suspected brute-force attack'"
# set or increase count of how many times a signup[password:1:6:16:::password_check] value was used and have it expire after 600 seconds
SecRule ARGS:signup[password:1:6:16:::password_check] ".*" "phase:5,id:7,t:urlDecode,nolog,pass,setvar:RESOURCE.bf_counter=+1,expirevar:RESOURCE.bf_counter=600"
# check for too many requests for a single signup[password:1:6:16:::password_check] value and block future requests that contain that value
SecRule RESOURCE:bf_counter "@ge 75" \
"id:8,phase:5,t:none,pass,\
setvar:RESOURCE.bf_block,\
setvar:!RESOURCE.bf_counter,\
expirevar:RESOURCE.bf_block=600"
# jump to this point if signup[password:1:6:16:::password_check] is not passed in request
SecMarker END_BRUTE_FORCE_PROTECTION_CHECKS2
# jump to SecMarker if signup[email] variable is not passed in request
SecRule ARGS:signup[email] "^$" "phase:2,id:'981043',t:none,nolog,pass,skipAfter:END_BRUTE_FORCE_PROTECTION_CHECKS3"
# set 'RESOURCE' to value of signup[email] if it is not blank
SecRule ARGS:signup[email] ".*" "phase:2,id:'9',chain,t:none,nolog,pass"
SecAction initcol:RESOURCE=%{ARGS.signup[email]}
# enforce an existing block
SecRule RESOURCE:bf_block "@eq 1" \
"id:10,phase:2,deny,\
msg:'Email \"%{ARGS.signup[email]}\" blocked because of suspected brute-force attack'"
# set or increase count of how many times a signup[email] value was used and have it expire after 600 seconds
SecRule ARGS:signup[email] ".*" "phase:5,id:11,t:none,nolog,pass,setvar:RESOURCE.bf_counter=+1,expirevar:RESOURCE.bf_counter=600"
# check for too many requests for a single signup[email] value and block future requests that contain that value
SecRule RESOURCE:bf_counter "@ge 75" \
"id:12,phase:5,t:none,pass,\
setvar:RESOURCE.bf_block,\
setvar:!RESOURCE.bf_counter,\
expirevar:RESOURCE.bf_block=600"
# jump to this point if signup[email] is not passed in request
SecMarker END_BRUTE_FORCE_PROTECTION_CHECKS3
# jump to SecMarker if signup[email:1:1:128:::email_check] variable is not passed in request
SecRule ARGS:signup[email:1:1:128:::email_check] "^$" "phase:2,id:'981044',t:none,nolog,pass,skipAfter:END_BRUTE_FORCE_PROTECTION_CHECKS4"
# set 'RESOURCE' to value of signup[email:1:1:128:::email_check] if it is not blank
SecRule ARGS:signup[email:1:1:128:::email_check] ".*" "phase:2,id:'13',chain,t:none,nolog,pass"
SecAction initcol:RESOURCE=%{ARGS.signup[email:1:1:128:::email_check]}
# enforce an existing block
SecRule RESOURCE:bf_block "@eq 1" \
"id:14,phase:2,deny,\
msg:'Email \"%{ARGS.signup[email:1:1:128:::email_check]}\" blocked because of suspected brute-force attack'"
# set or increase count of how many times a signup[email:1:1:128:::email_check] value was used and have it expire after 600 seconds
SecRule ARGS:signup[email:1:1:128:::email_check] ".*" "phase:5,id:15,t:none,nolog,pass,setvar:RESOURCE.bf_counter=+1,expirevar:RESOURCE.bf_counter=600"
# check for too many requests for a single signup[email:1:1:128:::email_check] and block future requests that contain that value
SecRule RESOURCE:bf_counter "@ge 75" \
"id:16,phase:5,t:none,pass,\
setvar:RESOURCE.bf_block,\
setvar:!RESOURCE.bf_counter,\
expirevar:RESOURCE.bf_block=600"
# jump to this point if signup[email:1:1:128:::email_check] is not passed in request
SecMarker END_BRUTE_FORCE_PROTECTION_CHECKS4
</Location>
Plus script Throttling
Rate-limit the *plus scripts (as well as approved,upgraded,duplicate, and submit scripts) to 75 requests from the same ip address within a 10 minute period
<LocationMatch "/signup/(upgradeplus|approved|upgraded|upsellplus|packageplus|tokenplus|cancelplus|duplicate|verifyplus|signupplus|submit).php">
SecAction initcol:IP=%{REMOTE_ADDR},pass,nolog,id:21
# enforce an existing block
SecRule IP:bf_block "@eq 1" \
"id:22,phase:2,deny,\
msg:'IP \"%{REMOTE_ADDR}\" is being throttled'"
SecRule REMOTE_ADDR ".*" "phase:5,id:23,t:none,nolog,pass,setvar:IP.bf_counter=+1,expirevar:IP.bf_counter=600"
SecRule IP:bf_counter "@ge 75" \
"id:24,phase:5,t:none,pass,\
setvar:IP.bf_block,\
setvar:!IP.bf_counter,\
expirevar:IP.bf_block=600"
SecMarker END_BRUTE_FORCE_PROTECTION_CHECKS5
</LocationMatch>
Affiliate Login Throttling
Rate-limit affiliate login attempts to 100, but also dynamically increase rate-limiting to 5 if there are more than 1000 login attempts within a 5 minute period
#Bruteforce checking for affiliate login
#Block ip if X amount of hits to internal.php containing user and pass params
<Location /internal.php>
# needs to be enabled to read POST data
SecRequestBodyAccess On
# jump to SecMarker if user variable is not passed in request
SecRule &ARGS:user "@eq 0" "phase:2,id:'30',t:none,nolog,pass,skipAfter:END_BRUTE_FORCE_PROTECTION_CHECKS6"
SecRule ARGS:user "^$" "phase:2,id:'31',t:none,nolog,pass,skipAfter:END_BRUTE_FORCE_PROTECTION_CHECKS6"
# jump to SecMarker if pass variable is not passed in request
SecRule &ARGS:pass "@eq 0" "phase:2,id:'32',t:none,nolog,pass,skipAfter:END_BRUTE_FORCE_PROTECTION_CHECKS6"
SecRule ARGS:pass "^$" "phase:2,id:'33',t:none,nolog,pass,skipAfter:END_BRUTE_FORCE_PROTECTION_CHECKS6"
SecAction initcol:IP=%{REMOTE_ADDR},pass,nolog,id:34
# enforce an existing block
SecRule IP:bf_block "@eq 1" \
"id:35,phase:2,deny,msg:'IP \"%{REMOTE_ADDR}\" is being throttled, too many affiliate login attempts'"
# check if we're getting a ton of login attempts
SecAction initcol:RESOURCE=%{REQUEST_FILENAME},pass,nolog,id:39
SecRule REQUEST_FILENAME ".*" "phase:5,id:41,t:none,nolog,pass,setvar:RESOURCE.bf_counter=+1,expirevar:RESOURCE.bf_counter=300"
SecRule REMOTE_ADDR ".*" "phase:5,id:36,t:none,nolog,pass,setvar:IP.bf_counter=+1,expirevar:IP.bf_counter=300"
# increase throttling if we're under attack
# start throttling after 5 requests
SecRule RESOURCE:bf_block "@eq 1" "id:38,phase:5,chain,msg:'too many login attempts occuring, increase throttling',t:none"
SecRule IP:bf_counter "@ge 5" "t:none,\
setvar:IP.bf_block,\
setvar:!IP.bf_counter,\
expirevar:IP.bf_block=300"
# increase throttling if more than 1000 login attempts total
SecRule RESOURCE:bf_counter "@ge 1000" \
"id:40,phase:5,t:none,pass,\
setvar:RESOURCE.bf_block,\
setvar:!RESOURCE.bf_counter,\
expirevar:RESOURCE.bf_block=300"
# throttle ip after 100 requests
SecRule IP:bf_counter "@ge 100" \
"id:37,phase:5,t:none,pass,\
setvar:IP.bf_block,\
setvar:!IP.bf_counter,\
expirevar:IP.bf_block=300"
# jump to this point if user or pass is not passed in request
SecMarker END_BRUTE_FORCE_PROTECTION_CHECKS6
</Location>
-->
