Apache mod_security
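# ModSecurity rule set (SecRule directives). All quotes are ASCII "..." and
# '...'; the curly quotes in the pasted original are not valid Apache config
# syntax and would either break parsing or become part of the pattern/action
# string.
#
# id:999 -- first half of a two-rule chain: matches any script whose basename
# ends in .php. The chained rule below must also match for deny to fire.
# The msg records a timestamp, the script path, the request body and the
# client address after a "BLOCKIP=" marker for a log-driven banning tool to
# pick up.
# NOTE(review): %{REQUEST_BODY} is only populated when request body access is
# enabled elsewhere in the configuration -- confirm. It also copies submitted
# form data (including any passwords) into the log line.
SecRule SCRIPT_BASENAME "\.php$" "id:999,chain,deny,msg:'%{TIME_YEAR}/%{TIME_MON}/%{TIME_DAY} %{TIME_HOUR}:%{TIME_MIN}:%{TIME_SEC} %{SCRIPT_FILENAME} %{REQUEST_BODY} BLOCKIP= %{REMOTE_ADDR} '"
# Second half of the chain: only scripts whose owner uid is exactly 48 are
# denied. Chained rules carry no id of their own.
SecRule SCRIPT_UID "^48$" log
# id:990 -- stop rule processing for anything under /phpadmin/ and skip the
# audit log for it.
# NOTE(review): allow short-circuits every rule that follows for this path
# prefix, including the SQL keyword logging below; make sure that is intended.
SecRule REQUEST_FILENAME "^/phpadmin/" "id:990,noauditlog,allow"
# ids 998-995 -- log-only (pass) rules that flag SQL keywords appearing as a
# whole word in any request argument; t:lowercase makes the match
# case-insensitive.
SecRule ARGS "@containsWord select" "id:998,log,pass,t:lowercase"
SecRule ARGS "@containsWord union" "id:997,log,pass,t:lowercase"
SecRule ARGS "@containsWord outfile" "id:996,log,pass,t:lowercase"
SecRule ARGS "@containsWord load_file" "id:995,log,pass,t:lowercase"
# Disabled user-agent blocks, kept for reference. Quotes fixed so they can be
# re-enabled by removing the leading # only.
#SecRule REQUEST_HEADERS:User-Agent "MJ12bot" "id:972,deny,log"
#SecRule REQUEST_HEADERS:User-Agent "bingbot" "id:973,deny,log"
# id:980 -- pass-through rule that writes a "LOGINIP=" marker whenever any
# argument value contains the substring "login" (plain regex, not a whole-word
# match).
# NOTE(review): the msg again includes %{REQUEST_BODY}, so credentials from
# login forms are written to the log in clear text; consider dropping
# %{REQUEST_BODY} from this msg if only the source address is needed.
SecRule ARGS "login" "id:980,pass,msg:'%{TIME_YEAR}/%{TIME_MON}/%{TIME_DAY} %{TIME_HOUR}:%{TIME_MIN}:%{TIME_SEC} %{SCRIPT_FILENAME} %{REQUEST_BODY} LOGINIP= %{REMOTE_ADDR} '"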
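# fail2ban jail (jail.local syntax, parsed by fail2ban's configparser-based
# reader). Bans clients that the ModSecurity rule set flags in the audit log.
[modsec-php48]
enabled = true
# Matching filter: filter.d/modsec-php48.conf (not shown here).
filter = modsec-php48
# Two actions: an iptables multiport ban on 80/443 and a whois e-mail
# notification. The second action line MUST be indented so configparser reads
# it as a continuation of "action"; at column 0 (as in the original paste) it
# would be taken for a separate bare key and the notification would be lost.
action = iptables-multiport[name=modsecPHP48, port="80,443", protocol=tcp]
         modsec-php48-whois[name="ModSecBackdoor", dest="xxx@yahoo.com", sender=xxx@vixxxave.vn, sendername="Fail2Ban"]
# dest/sender above are redacted placeholders carried over from the original
# post; replace them with real addresses before use.
logpath = /var/log/httpd/modsec_audit.log
# Ban on the first matching log line (maxretry = 1) seen within findtime
# seconds (3600 = 1 hour); the ban lasts bantime seconds (864000 = 10 days).
maxretry = 1
findtime = 3600
bantime = 864000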