Linux iad1-shared-b7-18 6.6.49-grsec-jammy+ #10 SMP Thu Sep 12 23:23:08 UTC 2024 x86_64
Apache
: 67.205.6.31 | : 216.73.216.47
Cant Read [ /etc/named.conf ]
8.2.29
fernandoquevedo
Name
Size
Permission
Action
10_modsecurity_crs_10_config.c...
36.14
KB
-rw-r--r--
999_dreamhost_request_limits.c...
5.18
KB
-rw-r--r--
99_dreamhost_rules.conf
14
KB
-rw-r--r--
99_modsec-crs-setup.conf
31.99
KB
-rw-r--r--
REQUEST-00-LOCAL-WHITELIST.con...
8.83
KB
-rw-r--r--
REQUEST-901-INITIALIZATION.con...
14.37
KB
-rw-r--r--
REQUEST-903.9001-DRUPAL-EXCLUS...
13.24
KB
-rw-r--r--
REQUEST-903.9002-WORDPRESS-EXC...
25.21
KB
-rw-r--r--
REQUEST-903.9003-NEXTCLOUD-EXC...
10.39
KB
-rw-r--r--
REQUEST-903.9004-DOKUWIKI-EXCL...
7.64
KB
-rw-r--r--
REQUEST-905-COMMON-EXCEPTIONS....
1.61
KB
-rw-r--r--
REQUEST-911-METHOD-ENFORCEMENT...
2.91
KB
-rw-r--r--
REQUEST-913-SCANNER-DETECTION....
3.54
KB
-rw-r--r--
REQUEST-920-PROTOCOL-ENFORCEME...
62.98
KB
-rw-r--r--
REQUEST-921-PROTOCOL-ATTACK.co...
20.54
KB
-rw-r--r--
REQUEST-930-APPLICATION-ATTACK...
7.94
KB
-rw-r--r--
REQUEST-931-APPLICATION-ATTACK...
8.72
KB
-rw-r--r--
REQUEST-933-APPLICATION-ATTACK...
32.12
KB
-rw-r--r--
REQUEST-934-APPLICATION-ATTACK...
3.83
KB
-rw-r--r--
REQUEST-942-APPLICATION-ATTACK...
94.3
KB
-rw-r--r--
REQUEST-943-APPLICATION-ATTACK...
5.5
KB
-rw-r--r--
REQUEST-944-APPLICATION-ATTACK...
21.99
KB
-rw-r--r--
REQUEST-949-BLOCKING-EVALUATIO...
7.98
KB
-rw-r--r--
RESPONSE-999-EXCLUSION-RULES-A...
4.03
KB
-rw-r--r--
WPtoolUA.data
318
B
-rw-r--r--
cachefly.ips.data
166
B
-rw-r--r--
crawlers-user-agents.data
786
B
-rw-r--r--
dh_whitelist_ip.data
0
B
-rw-r--r--
fastly.ips.data
189
B
-rw-r--r--
incapsula.ips.data
110
B
-rw-r--r--
java-classes.data
1.78
KB
-rw-r--r--
java-code-leakages.data
264
B
-rw-r--r--
java-errors.data
240
B
-rw-r--r--
lfi-os-files.data
11.44
KB
-rw-r--r--
maxcdn.ips.data
623
B
-rw-r--r--
mod_sec.conf
2.03
KB
-rw-r--r--
modsecurity_46_slr_et_joomla.d...
1.69
KB
-rw-r--r--
modsecurity_46_slr_et_wordpres...
1.69
KB
-rw-r--r--
php-config-directives.data
12.43
KB
-rw-r--r--
php-errors.data
74.21
KB
-rw-r--r--
php-function-names-933150.data
3.33
KB
-rw-r--r--
php-function-names-933151.data
37.21
KB
-rw-r--r--
php-variables.data
610
B
-rw-r--r--
restricted-files.data
3.97
KB
-rw-r--r--
restricted-upload.data
2.45
KB
-rw-r--r--
scanners-headers.data
216
B
-rw-r--r--
scanners-urls.data
418
B
-rw-r--r--
scanners-user-agents.data
1.9
KB
-rw-r--r--
scripting-user-agents.data
717
B
-rw-r--r--
sig_inspect.lua
66.56
KB
-rw-r--r--
spam-mailer.data
84
B
-rw-r--r--
sql-errors.data
4.27
KB
-rw-r--r--
staminus.ips.data
228
B
-rw-r--r--
unix-shell.data
7.65
KB
-rw-r--r--
windows-powershell-commands.da...
7.05
KB
-rw-r--r--
Code Editor : 99_dreamhost_rules.conf
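# 99_dreamhost_rules.conf -- DreamHost local ModSecurity rules, loaded next to the OWASP CRS.
#
# Reviewer notes that apply to the whole file:
#   * A rule that inspects ARGS / ARGS_NAMES / ARGS_POST / FILES_NAMES / REQBODY_PROCESSOR
#     must run in phase:2. In phase:1 only the query string has been parsed, so a phase:1
#     rule on ARGS silently misses every POST body. Several rules below were phase:1 and
#     have been moved to phase:2 (headers and the URI are still available there).
#   * `allow` on its own stops the current phase AND skips all later phases except logging,
#     so a rule that matches a backdoor indicator and then `allow`s the request is a WAF
#     bypass, not a block. Rules 1990007, 1990036 and 1990037 were shipped that way and are
#     switched to `deny`.
#   * ModSecurity 2.x refuses a disruptive action (deny/block) on any chain link other than
#     the starter ("Disruptive actions can only be specified by chain starter rules");
#     libmodsecurity v3 parsing is not shown here -- confirm. Chains 1990000 and 1990002
#     are rewritten with `block` on the starter.

# removed the following for modsec3 nginx compat (noble 5/20/2022)
# 1990001 1990003 1990011 1990024 1990025 1990026 1990028 1990029 1990032 1990033 1990035
# 1990038 1990040 1990050 1990052 1990054 1990056 1990059 1990062 1990063 1990069 1990073
# 1990075 1990078 1990084 1990082

# Whitelist IP list.
# Any source address listed in dh_whitelist_ip.data skips the entire rule engine for the
# transaction (allow + ctl:ruleEngine=off) -- one entry disables every rule in this directory
# for that address, so keep the file tightly controlled. The path is resolved relative to
# this file; the directory listing captured with this file shows it as 0 bytes (empty).
SecRule REMOTE_ADDR "@ipMatchFromFile dh_whitelist_ip.data" \
    "id:1000,phase:1,nolog,allow,ctl:ruleEngine=off"

# ignored modsecurity_crs_42_comment_spam.conf rules and rules pertaining to php function names
SecRuleRemoveById 981137 981138 981139 981140 999010 999011 950923 950020 933150 933210 933120

# Deep directory recursion: six or more "../" segments in the URI or in any header other than
# Referer. REQUEST_URI is not URL-decoded, so t:urlDecodeUni runs first; the original rule
# only decoded HTML entities and was bypassed by %2e%2e/.
SecRule REQUEST_URI|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "\.\./\.\./\.\./\.\./\.\./\.\." \
    "phase:1,capture,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,deny,log,auditlog,\
    msg:'Deep directory recursion',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',\
    severity:'CRITICAL',id:1980000"

# /proc/self/environ access (classic LFI-to-RCE target). ARGS is inspected -> phase:2.
SecRule REQUEST_URI|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "\./proc/self/environ" \
    "phase:2,capture,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,deny,log,auditlog,\
    msg:'/proc/self/environ access',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',\
    severity:'CRITICAL',id:1980001"

# /etc/passwd and /etc/shadow reads via traversal. phase:2 for the same reason as 1980001.
SecRule REQUEST_URI|ARGS|ARGS_NAMES "\.\./etc/(?:passwd|shadow)" \
    "phase:2,capture,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,deny,log,auditlog,\
    msg:'passwd/shadow access',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',\
    severity:'CRITICAL',id:'1980002'"

# WP sql injection attack plaguing us 2008-11-26
# Chain: /index.php whose `cat` argument carries a UNION SELECT. The starter had no phase and
# therefore already defaulted to phase:2 (which ARGS needs); it is now explicit. The shipped
# pattern "UNION.SELECT" was case-sensitive, so a lower-case `union select` walked past it;
# (?i) closes that.
SecRule REQUEST_URI "/index.php" "chain,phase:2,log,deny,id:1989998,msg:'WP SQLi attack'"
    SecRule ARGS:cat "(?i).?[0-9]+.union.select"

## WP hack 04/17/09
# Log-only as written: no disruptive action is given, so the one configured by
# SecDefaultAction applies. The original carried two msg: actions; only the last is kept.
SecRule REQUEST_HEADERS:Cookie "_wp_debugger=" \
    "phase:1,log,auditlog,severity:'CRITICAL',id:'1234512345',tag:'POLICY/WPHACK',\
    msg:'Legacy WordPress cookie vulnerabilitity'"

# rl blocking
# Response-body signature of a known PHP shell. A phase:4 rule only sees the body when
# SecResponseBodyAccess is On and the content type is in SecResponseBodyMimeType -- confirm.
SecRule RESPONSE_BODY ">by eqbal, updated by szalinski<" \
    "phase:4,nolog,auditlog,deny,id:1989999,msg:'Known shell content'"

# Known backdoor request shapes (audl.php?GO=GO, auul.php?action=upload).
# `block`, nolog and auditlog are on the chain starter; the chained link keeps only the
# non-disruptive setenv. phase:2 so ARGS also covers POST bodies.
SecRule REQUEST_URI "/audl.php" \
    "chain,id:1990000,phase:2,block,nolog,auditlog,msg:'Known backdoor'"
    SecRule ARGS:GO "GO" "setenv:pirated"
SecRule REQUEST_URI "/auul.php" \
    "chain,id:1990002,phase:2,block,nolog,auditlog,msg:'Known backdoor'"
    SecRule ARGS:action "upload" "setenv:pirated"

# ZenCart 1.3.8 remote code execution attack -- http://www.milw0rm.com/exploits/9004
# Multipart POST through the password_forgotten.php path-info trick. REQBODY_PROCESSOR and
# FILES_NAMES are only populated in phase:2 (the previous implicit default, now explicit).
SecRule REQUEST_URI "/admin/record_company.php/password_forgotten.php" \
    "chain,id:1990004,phase:2,deny,msg:'ZenCart 1.3.8 RCE'"
    SecRule REQBODY_PROCESSOR "MULTIPART" "chain"
    SecRule FILES_NAMES "record_company_image" "chain"
    SecRule ARGS:action "insert" "chain"
    SecRule ARGS:record_company_name "0"

# This rule prevents the requests made to anything located in a ".sys" folder that's all -- Robert R
# One specific attacker is uploading a backdoor and malware into a folder named .sys -- then distribute it via spam
# Appears that these attacks may be related to the customer's computer being compromised itself
# NOTE(review): shipped with `allow`, which contradicts the comment above and exempted every
# /.sys/ request from all later rules. Changed to deny.
SecRule REQUEST_URI "/\.sys/" \
    "phase:1,deny,setvar:tx.ruleid=1990007,id:1990007,msg:'Known compromise indicator'"

# SecRule ID 1990008 removed due to frequent false positives

# PHP coded User Agent -- Robert R.
SecRule REQUEST_HEADERS:User-Agent "eval\(base64_decode\(" \
    "phase:1,deny,setvar:tx.ruleid=1990012,id:1990012,msg:'Obfuscated PHP eval() in User-Agent'"

# directory traversal -- Robert R.
# An argument that starts with dots/slashes and then proc/ or dev/shm/. The shipped class
# was "[\.|/]": inside a character class "|" is a literal pipe, not alternation, so it is
# dropped. ARGS -> phase:2 (was the implicit default, now explicit).
SecRule ARGS "^[./]+(proc/|dev/shm/)" \
    "phase:2,deny,t:normalisePath,setvar:tx.ruleid=1990013,id:1990013,msg:'Directory traversal'"

# NULL byte at end of URI -- Robert R.
# REQUEST_URI is raw (not URL-decoded), so matching the literal "%00" is correct here.
SecRule REQUEST_URI "%00+$" \
    "phase:1,deny,setvar:tx.ruleid=1990014,id:1990014,msg:'NULL byte at end of URI'"

# c99 and other shell backdoor, common password -- Robert R.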
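# Backdoor shell credential "mikjhljiu" (c99 and friends) in a POST field, a cookie, or any
# request header. ARGS_POST is only available in phase:2; cookies and headers are phase:1.
SecRule ARGS_POST:pass "mikjhljiu" \
    "phase:2,setvar:tx.ruleid=1990017,id:1990017,deny,msg:'Known backdoor/shell credentials'"
SecRule REQUEST_COOKIES:dgpass "mikjhljiu" \
    "phase:1,setvar:tx.ruleid=1990018,id:1990018,deny,msg:'Known backdoor/shell credentials'"
SecRule REQUEST_HEADERS "mikjhljiu" \
    "phase:1,setvar:tx.ruleid=1990019,id:1990019,deny,msg:'Known backdoor/shell credentials'"

# Excessive arguments/cookies/etc... causes hash variable collision DoS -- Robert R.
# http://events.ccc.de/congress/2011/Fahrplan/events/4680.en.html
# Log-only (pass): these count names and record the hit, they do not block. No phase is
# given, so they run in the default phase:2, which &ARGS needs.
SecRule &REQUEST_COOKIES_NAMES "@gt 5000" "pass,log,setvar:tx.ruleid=1990030,id:1990030"
SecRule &ARGS "@gt 5000" "pass,log,setvar:tx.ruleid=1990031,id:1990031"

# Mr sality backdoor pass
# NOTE(review): both rules were shipped with `allow`. Matching a known backdoor password and
# then allowing the request exempted it from every later rule -- the inverse of a block.
# Changed to deny. ARGS:ses can arrive in a POST body, so that rule runs in phase:2.
SecRule ARGS:ses "mr.sality" \
    "phase:2,setvar:tx.ruleid=1990036,id:1990036,deny,msg:'Mr. Sality backdoor'"
SecRule REQUEST_HEADERS "mr.sality" \
    "phase:1,deny,setvar:tx.ruleid=1990037,id:1990037,msg:'Mr. Sality backdoor'"

#China based Spider/Botnet that hammers CGI
# Whole-value User-Agent match; the unescaped dots stand in for the punctuation of the real UA.
SecRule REQUEST_HEADERS:User-Agent "^Mozilla.4.0 .compatible. MSIE 6.0. Windows NT 5.1. SV1.$" \
    "phase:1,setvar:tx.ruleid=1990051,id:1990051,nolog,auditlog,deny,\
    msg:'Known faked User-Agent, closely associated with Chinese botnets'"

#Joomla Com_JCE Exploit Block
SecRule REQUEST_LINE "@contains option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form" \
    "phase:1,id:1990055,log,deny,msg:'Joomla Com_JCE exploit'"

#Bash Exploit Mitigation CVE-2014-6271
# The "() {" function-definition prefix in any header or the request line (phase:1), and in
# any argument name/value or uploaded file name (phase:2, where those are populated).
SecRule REQUEST_HEADERS "^\(\) {" "phase:1,deny,id:1990064,msg:'CVE-2014-6271 - Bash Attack'"
SecRule REQUEST_LINE "\(\) {" "phase:1,deny,id:1990065,msg:'CVE-2014-6271 - Bash Attack'"
SecRule ARGS_NAMES "^\(\) {" "phase:2,deny,id:1990066,msg:'CVE-2014-6271 - Bash Attack'"
SecRule ARGS "^\(\) {" "phase:2,deny,id:1990067,msg:'CVE-2014-6271 - Bash Attack'"
SecRule FILES_NAMES "^\(\) {" "phase:2,deny,id:1990068,msg:'CVE-2014-6271 - Bash Attack'"

#Web Shell Command Blocking
# NOTE(review): t:base64decode is the only transformation, so the phrase list is matched
# against the base64-DECODED argument value: this catches base64-wrapped shell commands, not
# the plain-text words -- presumably intentional, confirm. ARGS -> phase:2 (the previous
# implicit default, now explicit).
SecRule ARGS "@pm urlencode curl_init preg_ wget GLOBALS base64_decode passwd ,amo! ,amo WQGP wqgp curl ../../" \
    "phase:2,t:base64decode,log,deny,id:1990070,\
    msg:'Common known arguments for backdoor shell present in %{MATCHED_VAR_NAME}'"

#RevSlider_Show_Image vulnerablitiy - http://themeforest.net/forums/thread/slider-revolution-plugin-critical-vulnerability-being-exploited/141223
# Query-string arguments only (ARGS_GET), so phase:1 is sufficient here.
SecRule ARGS_GET "wp-config.php" \
    "phase:1,id:1990071,log,deny,msg:'wp-config.php Local File Inclusion Attempt'"

#Base64 encoded Spammer Command block
# Serialized empty PHP array inside a base64-encoded `passes` argument. phase:2 for ARGS.
SecRule ARGS:passes "a:0:{}" \
    "phase:2,t:base64decode,log,deny,id:1990072,msg:'base64-encoded spammer command'"

#WordPress 2.2 xmlrpc.php SQLi blocks incompatable with Jetpack in WP 4.X+
SecRuleRemoveById 2004654 2004655 2004656 2004657 2004658 2004659

#WordPress DOM XSS
SecRule REQUEST_LINE "/genericons/example.html" "phase:1,deny,log,id:1990077,msg:'WP DOM XSS'"

#bots searching for low-hanging fruit in backup config files
# Site-root /config.php, /wp-config.php, /configuration.php and their .bak/.back/.off/.orig/.org
# copies. Anchored at "^/", so the same names in sub-directories are not covered.
SecRule REQUEST_URI "^/(?:wp-)?config(?:uration)?\.(?:php|bac?k|off|ori?g)" \
    "phase:1,id:1990079,deny,msg:'Bot searching for config file'"

#SQLMap and Massscan Default User-Agent Block
SecRule REQUEST_HEADERS:User-Agent "@pm sqlmap masscan" \
    "phase:1,t:lowercase,deny,id:1990087,log,msg:'Block Scans by SQLMap & Masscan UA'"

#WordPress scan by abdullkarem
SecRule QUERY_STRING "abdullkarem" "phase:1,deny,id:1990088,log,msg:'WordPress Exploit Scan'"

#Obfuscated SQLi Injection
# Fixed hex literal seen in one campaign. ARGS -> phase:2 (was phase:1, which missed POSTs).
SecRule ARGS "0x4142433134355a5136324457514146504f4959434644" \
    "phase:2,deny,id:1990089,log,msg:'Obfuscated SQLi'"

#Blind SQLi using sleep() and benchmark()
# phase:2 -- the shipped phase:1 only saw query-string arguments, so POST-based blind SQLi
# went straight through.
SecRule ARGS_NAMES|ARGS "(?i:(sleep\((\s*?)(\d*?)(\s*?)\)|benchmark\((.*?)\,(.*?)\)))" \
    "phase:2,id:'1990090',t:urlDecodeUni,deny,msg:'Detects blind sqli tests using sleep() or benchmark().'"

#Block hex encoded ARGS used for SQLi
# phase:2 for the same reason. This fires on any "0x" followed by three or more hex digits in
# any argument name or value, so watch the audit log for false positives on legitimate hex.
SecRule ARGS_NAMES|ARGS "(?i:(?:\A|[^\d])0x[a-f\d]{3,}[a-f\d]*)+" \
    "phase:2,id:'1990091',t:urlDecodeUni,deny,msg:'SQL Hex Encoding Identified'"

#WP 4.7-4.7.1 REST API Content Injection - https://www.exploit-db.com/exploits/41223/
# This catches GET and urlencoded-POST parameters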
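# Two rules cooperate here. 1990093 (phase:1) only switches the body parser to JSON for
# JSON POSTs to the wp/v2 route, so that in phase:2 the `id` from a JSON body is exposed
# through ARGS. 1990092 (phase:2) then blocks any non-numeric `id`, whether it came from the
# query string, an urlencoded body or a JSON body. As shipped, 1990093 also tried to deny in
# phase:1 on ARGS:id, which can never match there because the body has not been parsed yet;
# that dead third link is removed and the starter is now an explicit pass. Both rules rely on
# SecRequestBodyAccess On in the main configuration -- confirm.
SecRule REQUEST_URI "@rx wp/v2/[\w_-]+/\d+" \
    "phase:1,id:'1990093',pass,nolog,chain,msg:'Block WordPress API Content Injection'"
    SecRule REQUEST_HEADERS:Content-Type "application/json" "t:none,t:lowercase,ctl:requestBodyProcessor=JSON"
SecRule REQUEST_URI "@rx wp/v2/[\w_-]+/\d+" \
    "phase:2,id:'1990092',log,deny,msg:'Block WordPress API Content Injection',chain"
    SecRule ARGS:id "!@rx ^\d+$" "t:none"

#User-Agent Blocks - Joomla/WP Exploit/Spam Bots
# Whole-value User-Agent matches; the parentheses are escaped so they are literal characters,
# not regex groups.
SecRule REQUEST_HEADERS:User-Agent "^Mozilla/5.0 \(X11; U; Linux i686; en-US\) U2/1.0.0 UCBrowser/9.3.1.344$" \
    "phase:1,id:1990094,log,auditlog,deny,msg:'Malicious Bot UA'"
SecRule REQUEST_HEADERS:User-Agent "^Mozilla/5.0 \(X11; Linux x86_64\) AppleWebKit/537.36 \(KHTML, like Gecko\) Chrome/31.0.1650.48 Safari/537.36$" \
    "phase:1,id:1990095,log,auditlog,deny,msg:'Malicious Bot UA'"
SecRule REQUEST_HEADERS:User-Agent "^Mozilla/5.0 \(X11; Linux x86_64; rv:29.0\) Gecko/20100101 Firefox/29.0 SeaMonkey/2.26$" \
    "phase:1,id:1990096,log,auditlog,deny,msg:'Malicious Bot UA'"
SecRule REQUEST_HEADERS:User-Agent "^Mozilla/5.0 \(X11; Ubuntu; Linux i686; rv:24.0\) Gecko/20100101 Firefox/24.0$" \
    "phase:1,id:1990097,log,auditlog,deny,msg:'Malicious Bot UA'"
SecRule REQUEST_HEADERS:User-Agent "^Mozilla/5.0 \(Windows NT 6.1; WOW64; rv:40.0\) Gecko/20100101 Firefox/40.1$" \
    "phase:1,id:1990098,log,auditlog,deny,msg:'Malicious Bot UA'"

#WordPress Python User-Agent wp-login.php brute force mitigation
# Only the combination of this exact python-requests UA and the login endpoint is blocked.
SecRule REQUEST_HEADERS:User-Agent "python-requests/2.18.4" \
    "phase:1,id:1990101,log,auditlog,chain,deny,msg:'Malicious Bot UA'"
    SecRule REQUEST_URI "/wp-login.php"

#User-Agent Block - WP Attacks
SecRule REQUEST_HEADERS:User-Agent "^Mozilla/5.0 \(Macintosh; U; Intel Mac OS X 10.6; fr; rv:1.9.2.8\) Gecko/20100722 Firefox/3.6.8$" \
    "phase:1,id:1990102,log,auditlog,deny,msg:'Malicious Bot UA'"

#User-Agent Block - WP Attacks
# NOTE(review): 1990104 and 1990105 were shipped with UNESCAPED parentheses, so
# "(Windows NT 6.1; WOW64)" was a capture group matching the text without the brackets, and
# the anchored pattern could never match the real User-Agent (which has them). Both rules were
# dead. The parentheses are now escaped, as in 1990094-1990102.
SecRule REQUEST_HEADERS:User-Agent "^Mozilla/5.0 \(Windows NT 6.1; WOW64\) AppleWebKit/537.36 \(KHTML, like Gecko\) Chrome/36.0.1985.143 Safari/537.36$" \
    "phase:1,id:1990104,log,auditlog,deny,msg:'Malicious Bot UA'"
SecRule REQUEST_HEADERS:User-Agent "^Mozilla/5.0 \(Windows NT 6.1; Win64; x64; rv:64.0\) Gecko/20100101 Firefox/64.0$" \
    "phase:1,id:1990105,log,auditlog,deny,msg:'Malicious Bot UA'"

#User-Agent Block - Javascript
SecRule REQUEST_HEADERS:User-Agent "^><script type=text/javascript src=" \
    "phase:1,id:1990106,log,auditlog,deny,msg:'Javascript include in UA'"

# blocks from EAP on 05/01/2020 WP Attacks
SecRule REQUEST_HEADERS:User-Agent "^Mozilla$" \
    "phase:1,id:1990107,log,auditlog,deny,msg:'Bot UA - Mozilla'"
# Requests for ".php.suspected" files (left behind by malware quarantining). The dot is
# escaped so only the literal suffix matches.
SecRule REQUEST_URI "php\.suspected$" \
    "phase:1,id:1990108,deny,log,auditlog,msg:'WP exploit pack files'"

# Unique Accept-Language header in DDOS Script - TRASH FLOOD BY SERPICO
SecRule REQUEST_HEADERS:Accept-Language "^en-US,en;q=0.9,he-IL;q=0.8,he;q=0.7,fr;q=0.6$" \
    "phase:1,id:1990109,log,deny,msg:'DDOS - TRASH FLOOD BY SERPICO'"

#DDOS vs. load-scripts.php in WordPress
# The known expensive load= bundle, chained to the script path; phase:2 because ARGS is read.
SecRule ARGS "@contains eutil,common,wp-a11y,sack,quicktag,colorpicker,editor,wp-fullscreen-stu,wp-ajax-response,wp-api-request,wp-pointer,autosave,heartbeat,wp-auth-check,wp-lists,prototype,scriptaculous-root,scriptaculous-builder" \
    "chain,phase:2,id:1990110,log,deny,msg:'DDOS load-scripts.php'"
    SecRule REQUEST_URI "/load-scripts.php"

# blocking outdated Apple UA that was only used for scraping wp-config files
SecRule REQUEST_HEADERS:User-Agent "^Mozilla\/5.0 \(iPhone\; CPU iPhone OS 6_1_2 like Mac OS X\)" \
    "phase:1,id:1990112,log,auditlog,deny,msg:'Outdated Apple UA - scraping wp-config files'"

#WordPress File Manager Plug-in Exploit https://www.wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/
SecRule REQUEST_URI "@contains /connector.minimal.php" \
    "phase:1,id:'1990113',log,deny,msg:'Block WordPress File Manager Exploit'"

#IDBTE4M CoDE87 User agent for attack tools
SecRule REQUEST_HEADERS:User-Agent "IDBTE4M CODE87" \
    "phase:1,id:1990114,log,auditlog,deny,msg:'Malicious Bot UA: IDBTE4M'"

# block log4j crawling (Log4Shell, CVE-2021-44228)
# NOTE(review): the shipped pattern was "^jndi:ldap$" on User-Agent only, i.e. a header whose
# ENTIRE value is "jndi:ldap". Real probes look like "${jndi:ldap://host/x}" and arrive in
# any header, the URI or a parameter, so the old rule matched nothing. This matches the plain
# "${ ... jndi:" lookup anywhere in the request. The opening brace is written as \x7b so the
# config never contains a literal "${", which Apache's Define-variable expansion would try to
# interpret. Nested-lookup obfuscation such as "${${lower:j}ndi:" is NOT covered; that needs
# the CRS Java-injection rules.
SecRule REQUEST_HEADERS|REQUEST_URI|ARGS|ARGS_NAMES "@rx (?i)\$\x7b[^}]{0,64}?jndi:" \
    "phase:2,id:1990115,log,auditlog,deny,t:urlDecodeUni,msg:'Log4j2 exploit crawling'"

#Block keywords in Mailer scripts used for spam
# Response-phase rule; only sees the body when SecResponseBodyAccess is On -- confirm.
SecRule RESPONSE_BODY "@pmFromFile spam-mailer.data" \
    "phase:4,nolog,auditlog,deny,id:1990116,msg:'Mailer spam script'"

#SQLi Defense - Enhanced to detect comment-based obfuscation
# INFORMATION_SCHEMA.<table> ... COUNT(*) with optional /* */ comments between tokens.
# These three rules are anomaly-scoring style: `block` plus the CRS score variables, so
# SecDefaultAction and the CRS blocking-evaluation rule decide the outcome. They are tagged
# OWASP_CRS for the log pipeline although they are local rules.
SecRule ARGS|ARGS_NAMES "@rx (?i)(?:INFORMATION_SCHEMA(?:\s|/\*.*?\*/)*\.(?:\s|/\*.*?\*/)*(?:[^\s,\)]+))(?:\s|/\*.*?\*/)*.*?(?:COUNT(?:\s|/\*.*?\*/)*\((?:\s|/\*.*?\*/)*\*(?:\s|/\*.*?\*/)*\))" \
    "id:1990117,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,\
    msg:'SQL Injection Attack: INFORMATION_SCHEMA with COUNT(*) detected',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',\
    tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',\
    severity:'CRITICAL',\
    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

#Detect XOR operator with COUNT(*) patterns - Enhanced to detect comment-based obfuscation
# COUNT(*) ... WHERE|AND ... 0 XOR 1, with comments allowed between (and inside) the tokens.
SecRule ARGS|ARGS_NAMES "@rx (?i)(?:COUNT(?:\s|/\*.*?\*/)*\((?:\s|/\*.*?\*/)*\*(?:\s|/\*.*?\*/)*\)(?:\s|/\*.*?\*/)*.*?(?:WHERE|AND)(?:\s|/\*.*?\*/)*.*?(?:0(?:\s|/\*.*?\*/)*(?:XOR|x(?:\s|/\*.*?\*/)*o(?:\s|/\*.*?\*/)*r)(?:\s|/\*.*?\*/)*1))" \
    "id:1990118,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,\
    msg:'SQL Injection Attack: COUNT(*) with XOR operator detected',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',\
    tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',\
    severity:'CRITICAL',\
    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

#Detect excessive SQL comment usage as potential obfuscation technique
# Three or more consecutive /* */ comments in one argument name or value.
SecRule ARGS|ARGS_NAMES "@rx (?:/\*.*?\*/){3,}" \
    "id:1990119,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,\
    msg:'SQL Injection Attack: Multiple SQL comments detected (potential obfuscation)',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',\
    tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',\
    severity:'CRITICAL',\
    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"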