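# ModSecurity rules (Apache httpd). Rule ids 990-999 fall in the range reserved
# for local use. No phase is given, so the rules run in the default phase 2
# (request body available) unless a SecDefaultAction sets another phase.
# All quotes must be plain ASCII " and ' -- typographic quotes are not parsed.

# 999: deny requests for PHP scripts owned by uid 48 (typically the httpd user
# on RHEL-derived systems), i.e. files the web server itself was able to write.
# The chained rule below must also match before the deny fires. The msg is
# what the fail2ban filter keys on ("BLOCKIP= <ip>"); the TIME_* prefix puts a
# timestamp on the matched audit-log line for fail2ban's date parsing.
# NOTE(review): %{REQUEST_BODY} is attacker-controlled, may contain submitted
# credentials, and is written before the BLOCKIP= marker; the audit log already
# stores the body in its own section, so dropping it from msg loses nothing.
SecRule SCRIPT_BASENAME "\.php$" "id:999,chain,deny,msg:'%{TIME_YEAR}/%{TIME_MON}/%{TIME_DAY} %{TIME_HOUR}:%{TIME_MIN}:%{TIME_SEC} %{SCRIPT_FILENAME} %{REQUEST_BODY} BLOCKIP= %{REMOTE_ADDR} '"
SecRule SCRIPT_UID "^48$" log

# 990: anything under /phpadmin/ is let through without an audit entry.
# "allow" stops processing of this phase and skips the remaining phases, so
# every other rule (including any external rule set) is bypassed for that
# path; only rule 999 above still runs first because it precedes this one.
SecRule REQUEST_FILENAME "^/phpadmin/" "id:990,noauditlog,allow"

# 998-995: log-only taps for common SQL injection keywords in any argument
# value; t:lowercase makes the match case-insensitive and "pass" means they
# never block. Their audit entries carry no BLOCKIP= marker, so the fail2ban
# filter on this page ignores them.
SecRule ARGS "@containsWord select" "id:998,log,pass,t:lowercase"
SecRule ARGS "@containsWord union" "id:997,log,pass,t:lowercase"
SecRule ARGS "@containsWord outfile" "id:996,log,pass,t:lowercase"
SecRule ARGS "@containsWord load_file" "id:995,log,pass,t:lowercase"

# 972/973: User-Agent based crawler blocking, currently disabled.
#SecRule REQUEST_HEADERS:User-Agent "MJ12bot" "id:972,deny,log"
#SecRule REQUEST_HEADERS:User-Agent "bingbot" "id:973,deny,log"

# 980: log-only marker for requests with an argument value containing "login";
# the "LOGINIP= <ip>" msg is for manual review (not matched by the fail2ban
# filter, which only looks for BLOCKIP=).
# NOTE(review): the msg embeds the full request body, so credentials posted to
# a login form end up in the audit log message.
SecRule ARGS "login" "id:980,pass,msg:'%{TIME_YEAR}/%{TIME_MON}/%{TIME_DAY} %{TIME_HOUR}:%{TIME_MIN}:%{TIME_SEC} %{SCRIPT_FILENAME} %{REQUEST_BODY} LOGINIP= %{REMOTE_ADDR} '"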
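# fail2ban jail (jail.local). Bans a client after a single audit-log line that
# matches filter.d/modsec-php48.conf. fail2ban reads this with a configparser-
# style parser: a multi-line "action" value needs every extra action on an
# indented continuation line, otherwise the second line is a parse error.
[modsec-php48]
enabled = true
filter = modsec-php48
# iptables ban on the web ports plus an e-mail with whois output. The mail
# action name must match a file in action.d/ (here modsec-php48-whois.conf);
# dest/sender/sendername are parameters handed to that action.
action = iptables-multiport[name=modsecPHP48, port="80,443", protocol=tcp]
         modsec-php48-whois[name="ModSecBackdoor", dest="xxx@yahoo.com", sender=xxx@vixxxave.vn, sendername="Fail2Ban"]
logpath = /var/log/httpd/modsec_audit.log
# one matching line within findtime is enough to ban
maxretry = 1
# seconds
findtime = 3600
# seconds (10 days)
bantime = 864000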
vi modsec-php48.conf
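# fail2ban filter (filter.d/modsec-php48.conf). Matches the audit-log message
# written by ModSecurity rule 999, whose msg ends in "BLOCKIP= <client ip> ";
# <HOST> captures the address that fail2ban bans.
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]
# The quote before \] must be a plain ASCII " -- it is the closing quote of the
# [msg "..."] field as ModSecurity writes it, e.g. [msg "... BLOCKIP= 192.0.2.1 "]
# (constructed example).
# NOTE(review): the request body that rule 999 logs before the marker is
# attacker-controlled; anchoring the regex more tightly, or removing
# %{REQUEST_BODY} from the rule's msg, reduces the chance of a forged match.
failregex = BLOCKIP= <HOST> "\]
ignoreregex =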
vi whois-modsec-php48
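# fail2ban action file (action.d/, referenced from the jail's action line as
# modsec-php48-whois). On ban it mails the matching audit-log lines and whois
# output. fail2ban's parser needs the [Definition] header and requires every
# continuation line of the multi-line value to be indented; %% is a literal
# percent sign. Quotes must be plain ASCII.
[Definition]
# <name>, <ip>, <failures> are filled in by fail2ban; <dest>, <sender> and
# <sendername> are the parameters passed from the jail. The blank line after
# "To:" (the \n plus the line break) ends the mail headers, so the
# attacker-influenced log excerpt below can only land in the body.
actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`
            Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
            From: <sendername> <<sender>>
            To: <dest>\n
            Hi,\n
            The IP <ip> has just been banned by Fail2Ban after
            <failures> attempts against <name>.\n\n
            Here is more information about <ip>:\n
            `tail -n 1000 /var/log/httpd/modsec_audit.log | grep <ip> | grep BLOCKIP`\n
            `/usr/bin/whois <ip> || echo missing whois program`\n
            Regards,\n
            Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>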