File: //etc/httpd/00_modsecurity_mojo.conf.OLDRULE
##Documentation - http://www.modsecurity.org/documentation/modsecurity-apache/2.5.12/modsecurity2-apache-reference.html
# Global ModSecurity engine settings: rule engine on, request and response
# bodies buffered for inspection, audit logging, upload scanning, PCRE limits.
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess On
# Response bodies are buffered only for these MIME types.
# NOTE(review): "(null)" presumably covers responses sent without a
# Content-Type header - confirm against the reference manual.
SecResponseBodyMimeType (null) text/html text/plain text/xml
# 1073741824 bytes = 1 GiB of response body buffered per transaction.
SecResponseBodyLimit 1073741824
##Protects against DDOS Loophole of high RequestBodyLimit
# NOTE(review): the comment above does not match the values below. All three
# request-body limits are set to 1 GiB, so a single request may be buffered up
# to that size (in memory for SecRequestBodyInMemoryLimit). The reference
# manual's defaults for the NoFiles and InMemory limits are far lower
# (1048576 and 131072 bytes) - confirm whether 1 GiB is intentional, since
# limits this high leave the memory-exhaustion case the comment mentions open.
SecRequestBodyNoFilesLimit 1073741824
SecRequestBodyLimit 1073741824
SecRequestBodyInMemoryLimit 1073741824
# Overrides the Server response header value.
# NOTE(review): per the reference manual this only takes effect when Apache's
# ServerTokens is set to Full - confirm in the main httpd configuration.
SecServerSignature Apache
SecComponentSignature 200911012341
# Intercepted uploads are written here and, with KeepFiles Off, are not kept
# after the transaction ends.
SecUploadDir /etc/httpd/asl/data/suspicious
SecUploadKeepFiles Off
# Audit only "relevant" transactions: the active pattern below matches any 5xx
# status and any 4xx status except 404 and 403. The commented-out line is the
# earlier pattern, which excluded only 404.
SecAuditEngine RelevantOnly
#SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogRelevantStatus "^(?:5|4(?!(04|03)))"
SecArgumentSeparator "&"
# Concurrent logging: one file per transaction under SecAuditLogStorageDir,
# with SecAuditLog acting as the index.
SecAuditLogType Concurrent
SecAuditLog /var/log/httpd/modsec_audit.log
# Parts C and I record the request body and E the response body, so audited
# transactions can contain submitted form data such as login credentials.
# Keep the audit storage directory readable by administrators only.
SecAuditLogParts ABCEIFHZ
# NOTE(review): duplicate of the SecArgumentSeparator directive a few lines up;
# harmless, but one of the two can be dropped.
SecArgumentSeparator "&"
SecCookieFormat 0
# Storage for persistent collections (initcol data).
SecDataDir /etc/httpd/asl/data/msa
# NOTE(review): /tmp is normally shared and world-writable; buffered request
# data spooled here is better kept in a directory private to the Apache user -
# confirm permissions.
SecTmpDir /tmp
SecAuditLogStorageDir /etc/httpd/asl/data/audit
# Responses larger than SecResponseBodyLimit are inspected up to the limit
# instead of being rejected.
SecResponseBodyLimitAction ProcessPartial
# Upload scanning: each uploaded file's temporary path is handed to an external
# script; a match denies the request with 406 in phase 2. The commented-out
# rule is an earlier variant that used a maldetect wrapper and an exec hook.
# NOTE(review): the active rule has no id action. ModSecurity 2.7 and later
# refuse to load rules without one - confirm the target version.
#SecRule FILES_TMPNAMES "@inspectFile /usr/local/maldetect/modsec.sh" "log,deny,status:406,phase:2,exec:/usr/local/sbin/hitcheck.sh"
SecRule FILES_TMPNAMES "@inspectFile /usr/local/sbin/modsec-clamav.pl" "log,deny,status:406,phase:2,t:none"

# Caps on PCRE backtracking and recursion per regular-expression match.
SecPcreMatchLimit 100000
SecPcreMatchLimitRecursion 100000


#MOJO Allows
# Filter out any common false positive scripts
# NOTE(review): these three rules use "pass,nolog", which only lets processing
# continue with the next rule. They do not exempt the matching requests from
# any later rule, so as written they have no filtering effect. If a real
# exemption is intended, confirm the design first: REQUEST_URI includes the
# query string, the first pattern is unanchored and none of them escape ".",
# so an exemption built on these patterns would also match unrelated URLs that
# merely contain the text. Matching on REQUEST_FILENAME with an anchored,
# escaped pattern is the narrower choice.
SecRule REQUEST_URI "epoch_returnurl.php" "phase:1,pass,nolog"
SecRule REQUEST_URI "^/track.*"  "phase:1,pass,nolog"
SecRule REQUEST_URI "^.*admin_templates.php"  "phase:1,pass,nolog"
#Common autorank allow
#SecRule REQUEST_URI "/cgi-bin/autorank/(.*)" "phase:1,pass,nolog"
#WordPress
#SecRule REQUEST_URI "/wp-admin/post.php" "phase:1,pass,nolog"
# For every response whose status is not 301, 302, 4xx or 5xx, initialise the
# "resource" persistent collection keyed by the requested filename (phase 3).
# NOTE(review): this rule carries no id action - confirm the target ModSecurity
# version accepts that.
SecRule RESPONSE_STATUS "!^(?:30[12]|[45]\d\d)$" "phase:3,pass,nolog,initcol:resource=%{REQUEST_FILENAME}"

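# WordPress login throttle. Two persistent collections, both keyed by the
# client address, are initialised for every request: "ip" holds the failure
# counter and "user" holds the temporary block flag.
# NOTE(review): behind a reverse proxy or CDN, REMOTE_ADDR is the proxy's
# address, so all visitors would share one counter - confirm the deployment.
# This has to be global, cannot exist within a directory or location clause . . .
# The id was 10011, the same as the block rule inside the Location section.
# Duplicate ids make log entries and by-id rule exclusions ambiguous, so this
# action now uses 10010.
# NOTE(review): confirm 10010 is not already used in the included rule files.
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:10010
<Location /wp-login.php>
# Setup brute force detection.

# React if block flag has been set.
ErrorDocument 406 "Error 406...IP blocked temporarily for too many failed logins"
# The log message previously claimed "more than 10 login attempts in 10
# minutes"; the flag is actually set once the counter exceeds 5 (see the
# chained rule below), so the message now states the enforced threshold.
SecRule user:bf_block "@gt 0" "deny,status:406,log,msg:'ip address blocked for 5 minutes, more than 5 failed login attempts.',id:10011"

# Setup Tracking.  On a successful login, a 302 redirect is performed, a 200 indicates login failed.
# NOTE(review): every 200 from this URL counts as a failure, which presumably
# includes plain views of the login form, and every 302 resets the counter -
# confirm this is acceptable for the site.
# A 302 response resets the failure counter.
SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:10012"
# A 200 response increments the counter; deprecatevar lowers it by 1 every 600
# seconds. When the counter is above 5 the chained rule sets the block flag for
# 300 seconds and clears the counter.
SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,log,msg:'Too many failed logins',pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/600,id:10013"
SecRule ip:bf_counter "@gt 5" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
</Location>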

# Default action list for rules that do not set their own: phase 2, deny with
# status 406, write to the error log and the audit log. In ModSecurity 2.x this
# applies to rules that come after it in the same context, so here it governs
# the included rule files, not the rules defined above it.
SecDefaultAction phase:2,deny,status:406,log,auditlog
# Load every active rule file.
# NOTE(review): the included files are not visible here; confirm that this
# directory is writable by administrators only, since any *.conf placed in it
# is loaded.
Include /etc/httpd/modsecurity.d/active_rules/*.conf