Tweet
How can we write a ModSecurity rule to cause a trigger to greylist the attacker?
Why we need this:
We have a situation where a successful attack, years ago, briefly took control of a few domains on a server (it lasted just about an hour before we cleaned it up) and ever since infected machines from this botnet try to download/post to specific files (no longer present). We use a rule to just give an internal server error when that happens. However, it might be better to change the rule to greylist them. Since there is nearly a 100% chance that all of the IPs are hitting these rules are infected machines (dozens of IPs per day minimum) it might be useful data to Imunify360 as well (assuming you collect data from attacks).
Here is a rule, how would we modify it to greylist:
Thank you for any advice you can offer.
Why we need this:
We have a situation where a successful attack, years ago, briefly took control of a few domains on a server (it lasted just about an hour before we cleaned it up) and ever since infected machines from this botnet try to download/post to specific files (no longer present). We use a rule to just give an internal server error when that happens. However, it might be better to change the rule to greylist them. Since there is nearly a 100% chance that all of the IPs are hitting these rules are infected machines (dozens of IPs per day minimum) it might be useful data to Imunify360 as well (assuming you collect data from attacks).
Here is a rule, how would we modify it to greylist:
Code:
SecRule REQUEST_FILENAME "@rx (?i:.*.nti)" "id:5000201,phase:2,block,log,severity:2,log,auditlog,msg:HACK ATTEMPT TO DOWNLOAD .NTI FILES"