Edie Etoile, Wednesday, May 24, 2017
How can we write a ModSecurity rule to cause a trigger to greylist the attacker?

Why we need this:
We have a situation where a successful attack, years ago, briefly took control of a few domains on a server (it lasted just about an hour before we cleaned it up), and ever since, infected machines from this botnet try to download/post to specific files (no longer present). We use a rule to just give an internal server error when that happens. However, it might be better to change the rule to greylist them. Since there is nearly a 100% chance that all of the IPs hitting these rules are infected machines (dozens of IPs per day minimum), it might be useful data to Imunify360 as well (assuming you collect data from attacks).

Here is a rule; how would we modify it to greylist?

SecRule REQUEST_FILENAME "@rx (?i:.*\.nti)" \
"id:5000201,phase:2,block,log,severity:2,log,auditlog,msg:'HACK ATTEMPT TO DOWNLOAD .NTI FILES'"

Thank you for any advice you can offer.
# 1, 25.05.2017 21:05:51, Alexander Z (Accepted Answer)
Hello, Edie!

You can set up Imunify360 so that it blocks and adds to the graylist on any rule you want. Add the following in /etc/sysconfig/imunify360/imunify360.config:

max_incident_repetition: 0
check_period: 120 # in case of 0 could be any value

This way Imunify360 will block an IP address if it gets any mod_security events with rule 5000201 in 120 seconds.

Alexander, Imunify360 developer
# 2, 01.06.2017 18:06:16, Edie Etoile (Accepted Answer)
Thanks, Alexander Z,

That works. I will note for anyone else trying this that if you already have a ```MOD_SEC_BLOCK_BY_CUSTOM_RULE:``` entry you can't repeat that header or that code block will be removed upon the next update. So, edit in this style:

check_period: 120
max_incident_repetition: 10
check_period: 86400
max_incident_repetition: 1
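
A lint for the caveat in the reply above, as an added example that is not part of the thread or Imunify360's own code: it reports any top-level header that occurs more than once and folds the repeats into the first block. It assumes the config is YAML with each rule id nested under the header; the sample file, rule id 5000202 and EXAMPLE_OTHER_SECTION are constructed placeholders.

```python
import re

# Constructed sample (not from the thread): the header appears twice, the layout
# the reply warns about. Rule id 5000202 and EXAMPLE_OTHER_SECTION are placeholders.
SAMPLE = """\
MOD_SEC_BLOCK_BY_CUSTOM_RULE:
  5000201:
    check_period: 120
    max_incident_repetition: 10
EXAMPLE_OTHER_SECTION:
  example_key: 1
MOD_SEC_BLOCK_BY_CUSTOM_RULE:
  5000202:
    check_period: 86400
    max_incident_repetition: 1
"""

# A top-level key is an unindented "NAME:" line; indented lines belong to it.
TOP_KEY = re.compile(r"^([A-Za-z_]\w*):")

def split_sections(text):
    """Return [name, header_line, body_lines] per top-level block, in file order."""
    sections = [["", None, []]]          # leading comments/blank lines, if any
    for line in text.splitlines():
        m = TOP_KEY.match(line)
        if m:
            sections.append([m.group(1), line, []])
        else:
            sections[-1][2].append(line)
    return sections

def duplicate_headers(text):
    """Names of top-level sections that occur more than once."""
    names = [s[0] for s in split_sections(text) if s[1] is not None]
    return sorted({n for n in names if names.count(n) > 1})

def merge_sections(text):
    """Fold repeated sections into the first occurrence, keeping entry order."""
    merged = {}                           # dict preserves insertion order
    for name, header, body in split_sections(text):
        if name not in merged:
            merged[name] = [header, []]
        merged[name][1].extend(body)
    out = []
    for header, body in merged.values():
        out.extend(([header] if header is not None else []) + body)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print("duplicated:", duplicate_headers(SAMPLE))
    print(merge_sections(SAMPLE), end="")
```

Run it against a copy of the config before an update and review the merged output by hand; it does not detect the same rule id listed twice inside one section.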
