File: //etc/httpd/00_modsecurity_mojo.conf.FAILEDUPDATE
##Documentation - http://www.modsecurity.org/documentation/modsecurity-apache/2.5.12/modsecurity2-apache-reference.html
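# Core engine switches: rules are enforced (not DetectionOnly) and both the
# request body and the response body are made available to rules.
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess On
# Only response bodies of these MIME types are buffered and inspected. The
# original line carried a stray "(null)" token (a templating artefact) that
# would have been registered as a bogus MIME type. Only text/plain is listed,
# so add text/html here if HTML responses are meant to be scanned by the
# included rules.
SecResponseBodyMimeType text/plain
# Response bodies are buffered in memory up to this limit. With
# SecResponseBodyLimitAction ProcessPartial (below) a larger body is inspected
# up to the limit and then delivered, so a modest cap (the reference default)
# bounds per-request memory without rejecting large downloads. The previous
# value of 1 GB let a single text/plain response pin 1 GB of worker memory.
SecResponseBodyLimit 524288
# Request body limits. Only SecRequestBodyLimit needs to be large (file
# uploads); the other two bound what a client can make a worker hold in RAM
# per request. All three were previously 1 GB, which made the "DoS loophole"
# protection described in the original comment a no-op. Both 1 MB values are
# tunables - the reference default is 131072 - raise them if legitimate
# non-upload POSTs exceed 1 MB.
# Largest request body that contains no file upload (form posts, JSON, XML-RPC).
SecRequestBodyNoFilesLimit 1048576
# Largest request body overall, file uploads included.
SecRequestBodyLimit 1073741824
# Multipart bodies above this size are spooled to SecTmpDir instead of RAM.
SecRequestBodyInMemoryLimit 1048576
# Server: header value presented to clients. Apache only lets ModSecurity
# rewrite it when ServerTokens is Full; with a shorter ServerTokens setting the
# real banner is still sent.
SecServerSignature Apache
SecComponentSignature 200911012341
# Directory for intercepted upload files. With SecUploadKeepFiles Off the
# files are discarded even when the ClamAV rule below denies the request;
# RelevantOnly would retain the flagged samples for forensics.
SecUploadDir /etc/httpd/asl/data/suspicious
SecUploadKeepFiles Off
# Audit only transactions that triggered a rule or returned a "relevant"
# status: every 5xx and every 4xx except 403, 404 and 416. 406 - the deny
# status used by the rules in this file - is therefore audit-logged.
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!(04|03|16)))"
SecArgumentSeparator "&"
# Concurrent logging: one file per transaction under SecAuditLogStorageDir,
# with SecAuditLog acting as the index.
SecAuditLogType Concurrent
SecAuditLog /var/log/httpd/modsec_audit.log
# Parts recorded: A header, B request headers, C request body, E intermediary
# response body, I reduced multipart body, F response headers, H trailer, Z end.
SecAuditLogParts ABCEIFHZ
SecCookieFormat 0
# Persistent collections (ip / user / resource, see the initcol rules below)
# are stored here.
SecDataDir /etc/httpd/asl/data/msa
# Spool directory for request bodies above SecRequestBodyInMemoryLimit.
# NOTE(review): /tmp is shared with every local user; the ModSecurity
# reference recommends a directory only the httpd user can read so spooled
# request data is not exposed - confirm the permissions or point this at a
# private directory.
SecTmpDir /tmp
SecAuditLogStorageDir /etc/httpd/asl/data/audit
# Response bodies over SecResponseBodyLimit are inspected up to the limit and
# then passed through rather than rejected.
SecResponseBodyLimitAction ProcessPartial
# Hand every uploaded file to the ClamAV wrapper; a file the script flags is
# denied with 406. Runs in phase 2, before the application sees the upload.
SecRule FILES_TMPNAMES "@inspectFile /usr/local/sbin/modsec-clamav" "log,deny,status:406,phase:2,t:none,id:'950115'"
# Bound PCRE backtracking so a crafted input cannot pin a worker in a regex.
SecPcreMatchLimit 100000
SecPcreMatchLimitRecursion 100000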
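#MOJO Allows
# Exemptions for scripts known to trip the included rules (false positives).
# The original rules ended in "pass,nolog", which exempts nothing: pass only
# lets the matching rule itself through and every later rule still runs. To
# skip the remaining rules the rule has to use allow (or ctl:). allow:request
# skips the rest of phases 1 and 2 for the matching request only; the
# response-phase rule and the phase-5 brute-force counters below still run.
# The match is on REQUEST_FILENAME (path without the query string) with
# anchored operators instead of an unanchored regex on REQUEST_URI: once allow
# is in effect, an unanchored pattern could be satisfied from the query string
# (e.g. /anything?x=epoch_returnurl.php) and become an engine bypass.
SecRule REQUEST_FILENAME "@endsWith /epoch_returnurl.php" "phase:1,allow:request,nolog,id:'99999991'"
SecRule REQUEST_FILENAME "@beginsWith /track" "phase:1,allow:request,nolog,id:'99999992'"
SecRule REQUEST_FILENAME "@endsWith /admin_templates.php" "phase:1,allow:request,nolog,id:'99999993'"
## Never apply the xmlrpc.php rate limit (rule 99999987) to requests the host
## makes to itself. This compares REMOTE_ADDR with @streq: the original used
## REMOTE_HOST and @eq, and per the ModSecurity reference @eq is a numeric
## operator - "10.0.0.5" and "10.9.9.9" both convert to 10 and compare equal,
## so every client sharing the server's first octet was exempted. REMOTE_HOST
## is also only a hostname when HostnameLookups is On.
SecRule REMOTE_ADDR "@streq %{SERVER_ADDR}" "id:12345,phase:2,t:none,pass,nolog,noauditlog,ctl:ruleRemoveById=99999987"
# Create/refresh a per-resource persistent collection for every response that
# is neither a redirect (301/302) nor an error (4xx/5xx). Nothing in this file
# reads the resource collection; it is keyed on the full request path, so
# every distinct path adds an entry under SecDataDir - watch that store's size.
SecRule RESPONSE_STATUS "!^(?:30[12]|[45]\d\d)$" "phase:3,pass,nolog,initcol:resource=%{REQUEST_FILENAME},id:'99999995'"
# Initialise the ip collection used by the brute-force rules below, keyed on
# the client address. If httpd sits behind a reverse proxy or CDN, REMOTE_ADDR
# is the proxy and every client shares one counter. The user collection is
# keyed on the same value, which makes it a duplicate of ip; nothing in this
# file reads it.
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:'99999996'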
<Location /wp-login.php>
# Brute-force throttle for the WordPress login form.
# State lives in the persistent ip collection (initialised by rule 99999996):
#   ip.bf_counter - failed POSTs, decays by 1 every 600 s
#   ip.bf_block   - set to 1 once the counter reaches 5, expires after 300 s
# Uncomment for rule debugging only; level 9 is extremely verbose.
#SecDebugLogLevel 9
#SecDebugLog /tmp/troubleshooting.log
ErrorDocument 406 "Error 406...IP block temporarily for too many failed logins"
# Phase 2: refuse the request outright while the block flag is set.
SecRule IP:bf_block "@gt 0" "phase:2,deny,status:406,log,msg:'ip address blocked for 5 minutes, more than 5 login attempts in 10 minutes.',id:'99999997'"
# Phase 5 (logging): count a failed login. A failed POST is answered with 200
# (the form is re-rendered) and a successful one with a 302 redirect, so only
# POST + 200 increments the counter.
SecRule REQUEST_METHOD "@streq POST" "phase:5,chain,t:none,nolog,pass,id:'99999998'"
SecRule RESPONSE_STATUS "^200" "setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/600"
# Phase 2 (the engine's default phase, made explicit here): once the counter
# reaches 5, raise the block flag for 300 s and reset the counter. This runs
# after rule 99999997 within the same phase, so the request that trips the
# threshold is itself still served; the following one is denied.
SecRule IP:bf_counter "@ge 5" "phase:2,t:none,setvar:ip.bf_block=1,expirevar:ip.bf_block=300,setvar:ip.bf_counter=0,id:'99999999'"
</Location>
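# Blocks excessive xmlrpc.php POSTs.
<Location /xmlrpc.php>
# State lives in the persistent ip collection (initialised by rule 99999996).
# The variables are xmlrpc_* rather than bf_*: the original reused bf_counter
# and bf_block from the /wp-login.php block, so two different thresholds
# (4 POSTs decaying 1/20 s here vs 5 failed logins decaying 1/600 s there)
# fed a single counter, and a block raised by either location applied to both.
#   ip.xmlrpc_counter - POSTs answered with 200, decays by 1 every 20 s
#   ip.xmlrpc_block   - set to 1 once the counter reaches 4, expires after 180 s
ErrorDocument 406 "Error 406...IP block temporarily for too many requests"
# Phase 2: refuse the request while the block flag is set. Rule 12345 removes
# this rule for requests originating from the host's own address.
SecRule IP:xmlrpc_block "@gt 0" "phase:2,deny,status:406,log,msg:'ip address blocked for 3 minutes, more than 4 posts in 30 seconds.',id:'99999987'"
# Phase 5 (logging): count every POST answered with 200.
SecRule REQUEST_METHOD "@streq POST" "phase:5,chain,t:none,nolog,pass,id:'99999988'"
SecRule RESPONSE_STATUS "^200" "setvar:ip.xmlrpc_counter=+1,deprecatevar:ip.xmlrpc_counter=1/20"
# Phase 2: at 4 counted POSTs raise the block for 180 s and reset the counter.
# Runs after rule 99999987 in the same phase, so the request that trips the
# threshold is still served; the next one is denied.
SecRule IP:xmlrpc_counter "@ge 4" "phase:2,t:none,setvar:ip.xmlrpc_block=1,expirevar:ip.xmlrpc_block=180,setvar:ip.xmlrpc_counter=0,id:'99999989'"
</Location>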
# Default action for every rule parsed after this point, i.e. the rules pulled
# in by the Include below. The rules above this line were parsed with the
# engine's built-in default (phase:2,log,auditlog,pass) and carry their own
# disruptive actions. Unless an included rule overrides it, a match denies
# with 406 - the same status the local rules use - and is audit-logged.
SecDefaultAction phase:2,deny,status:406,log,auditlog
# NOTE(review): because the default is deny, any included rule written for
# anomaly scoring (setvar only, no disruptive action of its own) would block
# on match - confirm the active_rules set expects a blocking default.
Include /etc/httpd/modsecurity.d/active_rules/*.conf