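# ModSecurity 1.x (SecFilter* syntax) rule set for this vhost.
#
# NOTE(review): the copy this was restored from had lost its line breaks and,
# by the look of patterns such as "[s]*", "chr(" and "[URL=", every backslash.
# Regex escapes (\s \. \( \[ \|) are restored below only where the pattern
# was otherwise invalid (unbalanced "(" / "[" fail to compile) or plainly
# wrong (unescaped "." in the path-recursion rules matched almost any URI).
# Every spam rule's action string was also missing its closing quote.
# Confirm the restored patterns against the upstream rule set before deploying.

# ---------------------------------------------------------------------------
# Engine configuration
# ---------------------------------------------------------------------------
# The WAF is switched off entirely for these paths (SetEnvIf runs before the
# filter engine sees the request). wp-admin/.* is a broad exclusion: it also
# covers /wp-admin/admin-ajax.php, which WordPress exposes to anonymous
# clients as well as to logged-in users - confirm that is intended.
SetEnvIf Request_URI "^/(online-tools/js-compress/?|cgi-bin/search\.php|cgi-bin/java\.cgi|wp-admin/.*|test/)" MODSEC_ENABLE=Off
#SetEnvIfNoCase Remote_Addr ^208.113.134.190$ MODSEC_ENABLE=Off

SecFilterEngine On
SecFilterCheckURLEncoding On
SecFilterCheckUnicodeEncoding Off
SecFilterScanPOST On
SecAuditEngine RelevantOnly
SecAuditLog /home/askapache/sites/askapache.com/logs/modsec_audit.log
SecFilterDebugLog /home/askapache/sites/askapache.com/logs/modsec_debug.log
SecFilterDebugLevel 1
# Audit every response except a plain 200 or 404
SecAuditLogRelevantStatus "^(?:1|2(?!00)|5|4(?!04))"
# Rules without an explicit action block with 403 (used by all rules up to
# the SecFilterSignatureAction line further down)
SecFilterDefaultAction "deny,log,auditlog,severity:2,status:403"

# /test/ is explicitly allowed through (it is also MODSEC_ENABLE=Off above,
# so this rule is effectively redundant)
SecFilterSelective REQUEST_URI "^/test/?" "severity:1,allow,log,auditlog"

# ---------------------------------------------------------------------------
# Enforce proper HTTP requests
# ---------------------------------------------------------------------------
SecFilterSelective SERVER_PROTOCOL "!^HTTP/(0\.9|1\.0|1\.1)$" "id:340000,rev:1,severity:1,msg:'Bad HTTP Protocol'"

# Only accept request encodings we know how to handle.
# Any method other than GET/HEAD must carry no Content-Type or one of the two
# encodings ModSecurity 1.x parses. The previous revision listed POST in the
# first filter as well, which exempted POST from the Content-Type check - a
# POST with e.g. text/xml or text/plain then carried a body the ARGS-based
# rules below never saw. NOTE(review): xmlrpc.php pingbacks (text/xml) are
# now denied by this rule; add an explicit exception if they are needed.
SecFilterSelective REQUEST_METHOD "!^(GET|HEAD)$" "chain,id:340001,rev:2,severity:2,msg:'Restricted HTTP function'"
SecFilterSelective HTTP_Content-Type "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data)"

# Generic rule for allowed characters, adjust for your site before activating
#SecFilterSelective REQUEST_URI "!^[a-zA-Z0-9.+_/-?=&%#]+$" "chain,id:390002,rev:1,severity:2,msg:'Restricted HTTP character set'"
#SecFilterSelective REQUEST_URI "!^/(openid|wp-admin|wp-includes|wp-content|wp-login.php)"

# Require Content-Length to be provided with every POST request
SecFilterSelective REQUEST_METHOD "^POST$" "chain,id:340003,rev:1,severity:2,msg:'Content Length not provided with POST'"
SecFilterSelective HTTP_Content-Length "^$"

# Don't accept transfer encodings we know we don't handle
# (and you don't need it anyway)
SecFilterSelective HTTP_Transfer-Encoding "!^$" "id:340004,rev:1,severity:2,msg:'Dis-allowed Transfer Encoding'"

# HTTP response splitting generic sigs
SecFilter "Content-Length:.*Content-Type:.*Content-Type:" "id:340005,rev:1,severity:2,msg:'HTTP response splitting'"
SecFilter "Content-Length:" "chain,id:340006,rev:1,severity:2,msg:'HTTP response splitting'"
SecFilter "Content-Type:"

# Catch smuggling attacks: a second request line embedded after the Host header
SecFilter "^(GET|POST).*Host:.*^(GET|POST)" "id:300012,rev:1,severity:2,msg:'catch smuggling attacks'"

# XSS insertion into Content-Type
SecFilterSelective THE_REQUEST "Content-Type:.*(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=|javascript:)" "id:300002,rev:1,severity:2,msg:'XSS attack in Content-type header'"

# Code injection via Content-Length (the "(" must be escaped or the regex does not compile)
SecFilterSelective HTTP_Content-Length ";(system|passthru|exec)\(" "id:330003,rev:1,severity:2,msg:'Code Injection in Content-Length header'"

# Don't accept chunked encodings: modsecurity 1.x can not look at these, so
# this is a hole that can bypass your rules. Rule 340004 already covers it,
# but paranoia is cheap.
SecFilterSelective HTTP_Transfer-Encoding "chunked" "id:300003,rev:1,severity:2,msg:'Chunked Transfer Encoding denied'"

# ---------------------------------------------------------------------------
# Generic recursion signatures
# ---------------------------------------------------------------------------
# Dots are escaped: unescaped "../../" matched any URI with a two-character
# path segment (e.g. /wp-includes/js/), and ".../" matched nearly everything.
SecFilterSelective REQUEST_URI "\.\./\.\./" "id:300004,rev:2,severity:2,msg:'Generic Path Recursion1 denied'"
# NOTE(review): the source read ".|./.|./.|" - as a regex that is an
# alternation with an empty branch and matches every request. It is restored
# here as a literal match of that string; verify the intended signature.
SecFilterSelective THE_REQUEST "\.\|\./\.\|\./\.\|" "id:300005,rev:1,severity:2,msg:'Generic Path Recursion2 denied'"
SecFilterSelective THE_REQUEST "\.\.\./" "id:300006,rev:1,severity:2,msg:'Bogus Path denied'"

# ---------------------------------------------------------------------------
# Generic PHP exploit / XSS signatures
# ---------------------------------------------------------------------------
SecFilterSelective REQUEST_URI ".*(script|about|applet|activex|chrome)[[:space:]]*>"

# XSS in referrer and UA headers
SecFilterSelective HTTP_REFERER|HTTP_USER_AGENT "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>" "msg:'XSS3'"

# HTTP header PHP code injection attacks
# NOTE(review): source read "(]expression[s]*(" which does not compile;
# restored as a literal "(]expression (" - verify against the upstream rule.
SecFilterSelective HTTP_CLIENT_IP|HTTP_USER_AGENT|HTTP_Referer "\(\]expression\s*\(" "msg:'cross-site1'"

# cross site scripting attempt STYLE + EXPRESSION
SecFilterSelective THE_REQUEST "\s*expression\s*\([^}]\}\s*" "msg:'cross-site1'"

# cross site scripting attempt using XML
# NOTE(review): this is a bare keyword match on the request line; with
# case-insensitive matching any URI containing "script" (e.g. a .js path
# with that word in it) is denied.
SecFilterSelective THE_REQUEST "SCRIPT" "msg:'cross-site1'"

# cross site scripting attempt executing hidden Javascript
SecFilterSelective THE_REQUEST "eval\s*\(\s*[^.]\.innerHTML\s*\)" "msg:'cross-site1'"

# cross site scripting attempt executing hidden Javascript
SecFilterSelective THE_REQUEST "window\.execScript\s*\(" "msg:'cross-site1'"

# cross site scripting attempt to execute Javascript code
# The embedded double quote must be escaped (\") or Apache ends the argument
# there and the directive gets too many arguments. The stray leading "/" in
# the source (a leftover PCRE delimiter, presumably) is dropped so this
# matches the same attribute forms as the chained stealth rule below.
SecFilterSelective THE_REQUEST "(((URL|SRC|HREF|LOWSRC)\s*=)|(url\s*[(]))\s*['\"]*javascript[:]" "msg:'cross-site1'"

# cross site scripting stealth attempt to execute Javascript code
# (whitespace interleaved in "javascript") - may false alarm for some
# language sets. The two index.php paths are excluded; "?" and "." are
# escaped so the exclusion actually matches those URIs.
SecFilterSelective REQUEST_URI "!(/index\.php\?module=Blocks&type=admin&func=update|/index\.php\?go=.*&edit=)" "chain,msg:'cross-site1'"
SecFilter "(((URL|SRC|HREF|LOWSRC)\s*=)|(url\s*[(]))\s*['\"]*[\x09\x0a\x0b\x0c\x0d]*j[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[:]"

# cross site scripting HTML Image tag set to javascript attempt
SecFilterSelective THE_REQUEST "img src=javascript" "msg:'cross-site1'"

# Fake image file shell attack (any request whose own Content-Type is image/*;
# rule 340001 already rejects these, this is belt and braces)
SecFilterSelective HTTP_Content-Type "image/.*" "msg:'image shell 1'"
SecFilterSelective POST_PAYLOAD "chr\(" "msg:'image shell2'"

# bogus graphics file: .php filename uploaded as an image
SecFilterSelective HTTP_Content-Disposition "\.php" "chain,msg:'bogus graphics'"
SecFilterSelective HTTP_Content-Type "(image/gif|image/jpg|image/png|image/bmp)"

# ---------------------------------------------------------------------------
# Reject keywords that appear in POST or GET
# ---------------------------------------------------------------------------
# From here on, rules without an explicit action reply 400 and are not logged
SecFilterSignatureAction "nolog,noauditlog,deny,severity:3,status:400"

# fail for empty / malformed comment_post_ID
# NOTE(review): these are not restricted to the comment endpoint. If the
# engine evaluates a missing ARG as an empty string, rule 50300 denies every
# request that has no comment_post_ID parameter - confirm behaviour, or chain
# both rules behind a REQUEST_URI match for wp-comments-post.php.
SecFilterSelective "ARG_comment_post_ID" "^$" "id:50300,msg:'WORDPRESS SPAM MISSING comment_post_ID'"
SecFilterSelective "ARG_comment_post_ID" "!^[0-9]{1,6}$" "id:50301,msg:'WORDPRESS SPAM BAD comment_post_ID'"
#SecFilterSelective "comment_post_DI" "^$" "id:50310,msg:'WORDPRESS SPAM MISSING comment_post_DI'"
#SecFilterSelective "comment_post_DI" "!^[0-9]{1,2}$" "id:50311,msg:'WORDPRESS SPAM MISSING comment_post_DI'"
#SecFilterSelective "ARG_submit" "^Submit.Comment$" "msg:'bad submit comment value'"

# Keyword blacklist, matched against every argument of every request (not
# only comment posts). Plain words such as "cheap", "loan", "hotels",
# "insurance", "lyrics" or "packages" will therefore 400 a site search for
# them as well - NOTE(review): consider chaining this section behind a
# REQUEST_URI match for the comment handler. Dots in domain names and the
# leading "[" of "[URL=" are escaped (an unescaped "[" does not compile).
SecFilterSelective ARGS "00bp\.com|360\.yahoo|987mb\.com|Ambien|American airline" "id:50010,msg:'SPAM 10'"
SecFilterSelective ARGS "Ativan|Caresoprodol|Darvocet|Ephedra|Ephedrine" "id:50011,msg:'SPAM 11'"
#SecFilterSelective ARGS "Gambling|Lexapro|Tramadol|Venlafaxine|\.info" "id:50012,msg:'SPAM 12'"
SecFilterSelective ARGS "\[URL=|abgood|acura|acyclovir|adderall" "id:50013,msg:'SPAM 13'"
SecFilterSelective ARGS "adipex|alcohol|alprazolam|amateur|amrit" "id:50014,msg:'SPAM 14'"
SecFilterSelective ARGS "anal sex|analfinder|angelina jolie|asshole|axspace\.com" "id:50015,msg:'SPAM 15'"
SecFilterSelective ARGS "baccarat|bankrupt|bikini|biotic|black jack" "id:50016,msg:'SPAM 16'"
SecFilterSelective ARGS "blackjack|blog\.360|brutality|buddhism|butalbital" "id:50017,msg:'SPAM 17'"
SecFilterSelective ARGS "cadillac|canalis|card credit|card stud|carisoprodol" "id:50018,msg:'SPAM 18'"
SecFilterSelective ARGS "carmen|cash advance|cash credit|casino|catch\.com" "id:50019,msg:'SPAM 19'"
SecFilterSelective ARGS "celebrex|celexa|cellulite|cheap|cheerleader" "id:50020,msg:'SPAM 20'"
SecFilterSelective ARGS "chevrolet|child abuse|cialis|cigarette|cipro" "id:50021,msg:'SPAM 21'"
SecFilterSelective ARGS "citroen|claritin|cleavage|clomid|codeine" "id:50022,msg:'SPAM 22'"
SecFilterSelective ARGS "consulting23|craps online|credit card|credit debt|crestor" "id:50023,msg:'SPAM 23'"
SecFilterSelective ARGS "dealership|debt free|desnudas|diazepam|dick" "id:50024,msg:'SPAM 24'"
SecFilterSelective ARGS "dildo|drugstore|earrings|endometrioma|endowment" "id:50025,msg:'SPAM 25'"
SecFilterSelective ARGS "erotic|estrogen|fioricet|francaise|freehost\.com" "id:50026,msg:'SPAM 26'"
SecFilterSelective ARGS "freehostia|freemb\.com|fuck|geocities\.com|hacking myspace" "id:50027,msg:'SPAM 27'"
SecFilterSelective ARGS "holdem|honda|hotels|hydrocodone|hypnotic" "id:50028,msg:'SPAM 28'"
SecFilterSelective ARGS "hyundai|implants|incest|instant approval|insurance" "id:50029,msg:'SPAM 29'"
SecFilterSelective ARGS "interracial|jaguar|jenny movie|johanson|kasino" "id:50030,msg:'SPAM 30'"
SecFilterSelective ARGS "lesbian|levitra|lipitor|loan|lolita" "id:50031,msg:'SPAM 31'"
SecFilterSelective ARGS "lorazepam|lorcet|lyrics|madamic|majorette" "id:50032,msg:'SPAM 32'"
SecFilterSelective ARGS "malaria|mastercar|masturbate|masturbation|maturewomen" "id:50033,msg:'SPAM 33'"
SecFilterSelective ARGS "mazda|medication|medicine|megsfree5\.com|mercedes" "id:50034,msg:'SPAM 34'"
SecFilterSelective ARGS "meridia|metformin|mitsubishi|mortgage|myspace profile" "id:50035,msg:'SPAM 35'"
SecFilterSelective ARGS "naked|neocool|nexium|nimire\.com|nissan" "id:50036,msg:'SPAM 36'"
SecFilterSelective ARGS "nokia|nude|nudism|nymph|open toe" "id:50037,msg:'SPAM 37'"
SecFilterSelective ARGS "oprodol|orgasm|oxycodone|oxycontin|packages" "id:50038,msg:'SPAM 38'"
SecFilterSelective ARGS "painrelief|pantyhose|paxil|payday|penis" "id:50039,msg:'SPAM 39'"
SecFilterSelective ARGS "percocet|pharmacy|phentermine|phetermine|phpbb_root" "id:50040,msg:'SPAM 40'"
SecFilterSelective ARGS "pictaboo|pictorial|pills|pissing|play craps" "id:50041,msg:'SPAM 41'"
SecFilterSelective ARGS "playgirl|pocker web|poker|pontiac|poquer" "id:50042,msg:'SPAM 42'"
SecFilterSelective ARGS "porn|pounder|prescription|preteen|prevacid" "id:50043,msg:'SPAM 43'"
SecFilterSelective ARGS "price1|prilosec|propecia|proza|prozac" "id:50044,msg:'SPAM 44'"
SecFilterSelective ARGS "puddled|pussy|refinance|rentals|replica" "id:50045,msg:'SPAM 45'"
SecFilterSelective ARGS "ringtones|roulette|screensaver|seduced|sexual" "id:50046,msg:'SPAM 46'"
SecFilterSelective ARGS "sexy|shemale|shiloh|singulair|site-host" "id:50047,msg:'SPAM 47'"
SecFilterSelective ARGS "slot machine|slot maschine|slots machine|solpip\.com|soma" "id:50048,msg:'SPAM 48'"
SecFilterSelective ARGS "sperm|starlets|supplier|suzuki|tadalafil" "id:50049,msg:'SPAM 49'"
SecFilterSelective ARGS "toyota|tylenol|ultram|valium|viagra" "id:50050,msg:'SPAM 50'"
SecFilterSelective ARGS "vigora|vioxx|wallpaper|warez|webcam" "id:50051,msg:'SPAM 51'"
SecFilterSelective ARGS "webpages\.com|wellbutrin|whitesluts|wholesale|whore" "id:50052,msg:'SPAM 52'"
SecFilterSelective ARGS "windshield|xanax|xenical|y lohan|yourgirls" "id:50053,msg:'SPAM 53'"
SecFilterSelective ARGS "youtube\.com|zantac|sex offenders|hotgay|Zoloft|celtic women" "id:50054,msg:'SPAM 54'"
# msg was a duplicate 'SPAM 54' in the source; numbered to match the id
SecFilterSelective ARGS "dollhouse|freehot|kardashian|oralsex" "id:50055,msg:'SPAM 55'"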