File Manager
Current Directory: /home/lartcid/public_html/journal.lartc.id
.htaccess
.well-known
README.md
api
cache
cgi-bin
classes
config.TEMPLATE.inc.php
config.inc.php
controllers
cypress.json
dbscripts
docs
error_log
favicon.ico
index.php
js
lib
locale
mini.php
pages
php.ini
plugins
public
registry
scheduledTaskLogs
schemas
styles
templates
tools
Edit File
# ---------------------------------------------------------------
# Imunify360 ModSecurity Rules
# Copyright (C) 2021 CloudLinux Inc All right reserved
# The Imunify360 ModSecurity Rules is distributed under
# IMUNIFY360 LICENSE AGREEMENT
# Please see the enclosed IM360-LICENSE.txt file for full details.
# ---------------------------------------------------------------
# Imunify360 ModSecurity Base Ruleset
#
# Overview: this file sets the default actions, derives the client address
# (tx.remote_addr), runs the RBL / brute-force / bot / blocklist checks that
# end at the RBL_CHECK marker, and then records events (uploads, malware
# paths, block events) through trap.lua and the audit log.
# Rule order matters: several rules use skip:N, skipAfter and chain, so
# SecRule/SecAction lines must not be inserted or reordered without
# re-counting those jumps. Comment lines do not count as rules.

# Default disruptive action is deny in phases 1 and 2 (phase 2 answers 403).
# nolog,auditlog: matches go to the audit log only, unless a rule says "log".
SecDefaultAction "phase:1,deny,nolog,auditlog"
SecDefaultAction "phase:2,deny,status:403,nolog,auditlog"
# Response bodies are not inspected by this ruleset.
SecResponseBodyAccess Off
SecResponseBodyMimeType text/plain text/html text/xml

# Set JSON body processor
# The operator has no "@" prefix, so it is a regex match anywhere in the
# lowercased Content-Type value, not an exact comparison.
SecRule REQUEST_HEADERS:Content-Type "application/json" "id:77350039,phase:1,pass,nolog,severity:5,t:none,t:lowercase,ctl:requestBodyProcessor=JSON,tag:'service_gen'"
# Set XML body processor
SecRule REQUEST_HEADERS:Content-Type "text/xml" "id:77210050,phase:1,pass,nolog,severity:5,t:none,t:lowercase,ctl:requestBodyProcessor=XML,tag:'service_gen'"

# Client address resolution: take the first entry of X-Forwarded-For.
# 77350282 handles an IPv4-looking first entry (no ':' allowed) and, on
# success, skips the IPv6 attempt in 77350283.
# NOTE(review): X-Forwarded-For is a request header. Unless a trusted
# front-end proxy overwrites it, tx.remote_addr is chosen by the client.
# That value drives the whitelist skip (33310), the blocklist (33370), the
# RBL lookups and the per-IP collection (initcol in 33368). Confirm that this
# ruleset is only deployed where the header is set by a trusted proxy;
# otherwise REMOTE_ADDR is the only address that can be relied on.
SecRule REQUEST_HEADERS:x-forwarded-for "@rx ^([^,:]+),?" "chain,id:77350282,phase:2,pass,severity:5,nolog,t:none,capture,skip:1"
SecRule TX:1 "@rx (\b25[0-5]|\b2[0-4][0-9]|\b[01]?[0-9][0-9]?)(\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}" "capture,setvar:'tx.remote_addr=%{TX.0}'"
# IPv6 form of the same extraction; an optional zone suffix (%...) is
# accepted by the pattern but not stored, because only capture group 1 is
# copied into tx.remote_addr.
SecRule REQUEST_HEADERS:x-forwarded-for "@rx ^([^,]+),?" "chain,id:77350283,phase:2,pass,severity:5,nolog,t:none,capture"
SecRule TX:1 "@rx ^\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?\s*$" "t:none,capture,setvar:'tx.remote_addr=%{TX.1}'"
# Fallbacks: if tx.remote_addr was never set (count is 0) or is empty, use
# the connection address. 77350286 skips 77350287 when it fires.
SecRule &TX:remote_addr "@eq 0" "id:77350286,phase:2,pass,nolog,severity:5,setvar:'tx.remote_addr=%{REMOTE_ADDR}',skip:1"
SecRule TX:remote_addr "@rx ^$" "id:77350287,phase:2,pass,nolog,severity:5,setvar:'tx.remote_addr=%{REMOTE_ADDR}'"

# RBL whitelist
# A whitelisted address jumps to the RBL_CHECK marker, bypassing every
# brute-force, bad-bot, blocklist and risky-action rule below (see the
# X-Forwarded-For note above for why the source of the address matters).
SecRule TX:remote_addr "@ipMatchFromFile rbl_whitelist" "id:33310,phase:2,pass,nolog,severity:5,setvar:tx.rbl_whitelist_check=1,skipAfter:RBL_CHECK"
# IPv4 address
# Builds the RBL query key as "<hour>-<minute>.<address>" and opens the
# persistent IP collection keyed by the resolved address.
# NOTE(review): the time prefix presumably varies the lookup per minute - confirm.
SecAction "id:33368,phase:2,pass,nolog,severity:5,setvar:tx.rbl_ip=%{TIME_HOUR}-%{TIME_MIN}.%{tx.remote_addr},initcol:ip=%{tx.remote_addr}"

# The five chains below deny (403) a login POST when the persistent
# collection entry IP:rbl_brute is 1 for this address. Nothing in this file
# sets IP:rbl_brute; it is presumably written elsewhere (TODO confirm).

# WordPress Bruteforce RBL persistent storage check
SecRule REQUEST_URI "/wp-login\.php|/xmlrpc\.php" "id:33302,chain,phase:2,t:none,deny,status:403,severity:2,nolog,auditlog,msg:'IM360 WAF: WordPress Bruteforce RBL block||Name:%{ARGS.log}||T:APACHE||MV:%{MATCHED_VAR}',tag:'wp_core',tag:'im360_req_post'"
SecRule REQUEST_METHOD "^POST$" "t:none,chain"
SecRule IP:rbl_brute "@eq 1"
# Magento Bruteforce RBL persistent storage check
SecRule ARGS:form_key "!@rx ^$" "id:33304,chain,phase:2,t:none,deny,status:403,severity:2,nolog,auditlog,msg:'IM360 WAF: Magento Bruteforce RBL block||T:APACHE||MV:%{MATCHED_VAR}',tag:'service_i360',tag:'im360_req_post'"
SecRule REQUEST_METHOD "^POST$" "t:none,chain"
SecRule ARGS:login[username] "!@rx ^$" "t:none,chain"
SecRule ARGS:login[password] "!@rx ^$" "t:none,chain"
SecRule IP:rbl_brute "@eq 1"
# Drupal Bruteforce RBL persistent storage check
SecRule ARGS:q "!@rx ^$" "id:33306,chain,phase:2,t:none,deny,status:403,severity:2,nolog,auditlog,msg:'IM360 WAF: Drupal Bruteforce RBL block||T:APACHE||MV:%{MATCHED_VAR}',tag:'service_i360',tag:'im360_req_post'"
SecRule REQUEST_METHOD "^POST$" "t:none,chain"
SecRule ARGS:form_build_id "@beginsWith form-" "t:none,t:urlDecode,chain"
SecRule ARGS:name "!@rx ^$" "t:none,chain"
SecRule ARGS:pass "!@rx ^$" "t:none,chain"
SecRule ARGS:form_id "!@rx ^$" "t:none,chain"
SecRule IP:rbl_brute "@eq 1"
# Old Joomla versions Bruteforce RBL persistent storage check
SecRule REQUEST_FILENAME "@endsWith administrator/index.php" "id:33349,chain,phase:2,t:none,deny,status:403,severity:2,nolog,auditlog,msg:'IM360 WAF: Old Joomla versions Bruteforce RBL block||T:APACHE||MV:%{MATCHED_VAR}',tag:'service_i360',tag:'im360_req_post'"
SecRule REQUEST_METHOD "^POST$" "chain,t:none"
SecRule ARGS:usrname "!@rx ^$" "chain,t:none"
SecRule ARGS:pass "!@rx ^$" "chain,t:none"
SecRule IP:rbl_brute "@eq 1"
# OpenCart Bruteforce RBL persistent storage check
# The path test is a plain substring (/admin/), so this chain applies to any
# POST under an /admin/ path that carries non-empty username and password.
SecRule REQUEST_FILENAME "@contains /admin/" "id:33353,chain,phase:2,t:none,deny,status:403,severity:2,nolog,auditlog,msg:'IM360 WAF: OpenCart Bruteforce RBL block||T:APACHE||MV:%{MATCHED_VAR}',tag:'service_i360',tag:'im360_req_post'"
SecRule REQUEST_METHOD "^POST$" "chain,t:none"
SecRule ARGS:username "!@rx ^$" "chain,t:none"
SecRule ARGS:password "!@rx ^$" "chain,t:none"
SecRule IP:rbl_brute "@eq 1"

# Bad bot detector
# Blocks when the User-Agent matches crawlers-ualist.data AND the address is
# not loopback, not in crawlers-iplist.data, and not listed by the good-bots
# RBL. The User-Agent alone is never trusted as proof of a legitimate crawler.
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile crawlers-ualist.data" "id:33311,phase:2,t:none,nolog,auditlog,block,severity:2,msg:'IM360 WAF: Found crawler not in whitelist||T:APACHE||User-Agent:%{REQUEST_HEADERS.User-Agent}||MV:%{MATCHED_VAR}',chain,tag:'service_i360'"
SecRule TX:remote_addr "!@ipMatch 127.0.0.1,::1" "chain,t:none"
SecRule TX:remote_addr "!@ipMatchFromFile crawlers-iplist.data" "chain,t:none,setvar:tx.rbl_perf=1"
SecRule TX:RBL_IP "!@rbl good-bots.v2.rbl.imunify.com." "t:none"
# IP blocklist
SecRule TX:REMOTE_ADDR "@ipMatchFromFile bl_ips" "id:33370,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: IP address is listed in blocklist bl_ips||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom'"
# Block risky actions
# Blocks a request for a path in risky-actions.list when the address is
# listed by the risky-actions RBL and is not listed by the nxdomain RBL.
# NOTE(review): the nxdomain lookup looks like a guard against a resolver
# that answers every query - confirm.
SecRule REQUEST_FILENAME "@pmFromFile risky-actions.list" "id:33315,phase:2,block,severity:2,log,t:none,msg:'IM360 WAF: RBL block risky actions||T:APACHE||MV:%{MATCHED_VAR}',ctl:auditLogParts=+C,chain,setvar:tx.rbl_perf=1,tag:'service_i360'"
SecRule TX:RBL_IP "@rbl risky-actions.v2.rbl.imunify.com." "t:none,chain"
SecRule TX:RBL_IP "!@rbl nxdomain.v2.rbl.imunify.com." "t:none"
# Target of skipAfter in rule 33310 (whitelisted addresses resume here).
SecMarker RBL_CHECK

# DEFA-1404
# Self-test hook: a request carrying this exact i360test value is denied
# with status 406. It answers any client that sends the token.
SecRule ARGS:i360test "@streq 88ff0adf94a190b9d1311c8b50fe2891c85af732" "id:33312,msg:'IM360 WAF: Testing the IM360 ModSecurity ruleset||User:%{SCRIPT_USERNAME}||T:APACHE||',phase:2,deny,status:406,t:none,t:lowercase,severity:2,tag:'service_i360custom'"

# Track risky actions
# Non-blocking (pass). trap.lua is not part of this file; from the rules that
# read tx.trapped and tx.trapinfo it appears to set those - TODO confirm.
# The chain ends by repeating the first condition so that it still
# terminates correctly where the Lua script is unavailable.
SecRule REQUEST_FILENAME "@pmFromFile risky-actions.list" "id:33313,chain,phase:2,pass,severity:5,t:none,ctl:auditLogParts=+C,tag:'service_i360',tag:'noshow'"
SecRuleScript trap.lua "t:none,chain"
SecRule REQUEST_FILENAME "@pmFromFile risky-actions.list" "t:none"
# ^ Do not delete this line, fix for systems without LUA
# Logging phase: write the trap record to the audit log and reset the flag.
SecRule TX:trapped "@eq 1" "id:33314,phase:5,pass,nolog,auditlog,msg:'IM360 WAF: RTrack||RTrack: %{TX.trapinfo}||T:APACHE||R:%{RESPONSE_STATUS}',severity:7,tag:'service_i360',tag:'noshow',setvar:tx.trapped=0"
# IP Record, rule 1
# Copies the resolved address so the phase-5 rule below can match on it.
SecAction "id:33327,phase:2,pass,nolog,severity:5,setvar:tx.i360_remote_addr=%{tx.remote_addr}"
# IP Record, rule 2
SecRule TX:I360_REMOTE_ADDR "@pmFromFile ip-record.db" "id:33328,chain,phase:5,pass,nolog,severity:5,t:none,ctl:auditLogParts=+C,tag:'service_i360',tag:'noshow'"
SecRuleScript trap.lua "t:none,chain"
SecRule TX:I360_REMOTE_ADDR "@pmFromFile ip-record.db" "t:none"
# ^ Do not delete this line, fix for systems without LUA

# Upload tracking applies to POST only: any other method skips the next
# three rules (77317957, 77350275, 77350288). Keep that count in sync if a
# rule is added or removed here.
SecRule REQUEST_METHOD "!@rx ^POST$" "id:77350289,phase:2,pass,nolog,severity:5,t:none,skip:3"
# Track file upload
# All three rules are pass/log: they record uploads and do not block them.
# WPU comes from tx.wp_user, which rule 77350273 takes from a cookie without
# verifying it, so treat it as a hint rather than an authenticated identity.
SecRule FILES|FILES_TMPNAMES "!@rx ^$" "id:77317957,phase:2,pass,log,severity:5,t:none,ctl:auditLogParts=-C,ctl:auditLogParts=-E,msg:'IM360 WAF: Track file upload||MV:%{MATCHED_VAR}||Size:%{FILES_SIZES}||User:%{SCRIPT_USERNAME}||SC:%{SCRIPT_FILENAME}||WPU:%{TX.wp_user}||T:APACHE||',tag:'im360_req_post',tag:'service_i360custom',tag:'noshow'"
# Uploaded name where a script-like extension is followed by a further
# extension (for example a double extension).
SecRule FILES "@rx (?i)^[^\n]+?(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)\W?\.\w+$" "id:77350275,phase:2,pass,log,severity:5,t:none,capture,ctl:auditLogParts=-C,ctl:auditLogParts=-E,msg:'IM360 WAF: Track suspicious file upload||MV:%{TX.0}||User:%{SCRIPT_USERNAME}||SC:%{SCRIPT_FILENAME}||WPU:%{TX.wp_user}||T:APACHE||',tag:'im360_req_post',tag:'service_i360custom',tag:'noshow'"
# Uploaded name where a script-like extension is followed by a non-word
# character.
SecRule FILES "@rx (?i)\.(?:h?php[\ds]?|pht[m]?|s?p?html?|swf|xap|phar|inc|ctp|pl|pgif|cgi|htaccess|module|exe|js|suspected|ico)\W" "id:77350288,phase:2,pass,log,severity:5,t:none,msg:'IM360 WAF: File Extension track upload||MVN:%{MATCHED_VAR_NAME}||WPU:%{TX.wp_user}||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom',tag:'im360_req_post',tag:'noshow'"

# Rnd Record
# Matches when the lowercase hex MD5 of UNIQUE_ID ends in "fff".
# NOTE(review): this looks like random sampling of requests - confirm.
SecRule UNIQUE_ID "@rx fff$" "id:33340,chain,phase:5,capture,pass,log,severity:5,ctl:auditLogParts=+C,t:none,t:md5,t:hexEncode,t:lowercase,tag:'service_i360',tag:'noshow'"
SecRule &TX:TRAPPED "@eq 0" "chain,t:none"
SecRuleScript trap.lua "chain,t:none"
SecRule &ARGS "@ge 0" "t:none"
# ^ Do not delete this line, fix for systems without LUA
# Record each block event
# Fires in the logging phase when a rule of severity 2 or lower (more
# severe) matched, the response status starts with 403, and tx.trapped is
# not set.
SecRule HIGHEST_SEVERITY "@le 2" "id:33343,chain,phase:5,pass,nolog,severity:5,t:none,tag:'service_i360',tag:'noshow'"
SecRule RESPONSE_STATUS "@rx ^403" "t:none,chain"
SecRule &TX:TRAPPED "@eq 0" "t:none,chain"
SecRuleScript trap.lua "t:none,chain"
SecRule &ARGS "@ge 0" "t:none"
# ^ Do not delete this line, fix for systems without LUA
# IP Record
SecRule TX:trapped "@eq 1" "id:33329,phase:5,t:none,pass,nolog,auditlog,msg:'IPRec: %{TX.trapinfo}||T:APACHE||R:%{RESPONSE_STATUS}',severity:7,tag:'service_i360',tag:'noshow',setvar:tx.trapped=0"

# Block requests to standalone malware files (full path)
# Paths ending in index.php are excluded even when listed, presumably so a
# listed site entry point is not taken offline - confirm.
SecRule SCRIPT_FILENAME "@pmFromFile malware_standalone.list" "id:33356,chain,phase:2,block,log,t:none,severity:2,msg:'IM360 WAF: Standalone malware access attempt||T:APACHE||SC:%{SCRIPT_FILENAME}||',tag:'service_i360'"
SecRule SCRIPT_FILENAME "!@endsWith index.php" "t:none,t:lowercase"
# Rules configurator tag tests
# Test hooks: they block any request whose tag_test argument equals the tag
# name, from any client.
SecRule ARGS:tag_test "@streq wp_core" "id:33360,msg:'IM360 WAF: Testing tags (wp_core)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,t:none,t:lowercase,severity:2,tag:'wp_core'"
# Rules configurator tag tests
SecRule ARGS:tag_test "@streq joomla_core" "id:33361,msg:'IM360 WAF: Testing tags (joomla_core)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,t:none,t:lowercase,severity:2,tag:'joomla_core'"
# Phase-2 flush of a pending trap record.
SecRule TX:trapped "@eq 1" "id:33326,phase:2,pass,nolog,auditlog,msg:'IM360 WAF: IPR||HT: %{TX.trapinfo}||T:APACHE||',severity:7,tag:'service_i360',tag:'noshow',setvar:tx.trapped=0"
# HackerTrap
# Non-blocking: requests for paths in malware_found.list are passed to
# trap.lua for recording.
SecRule SCRIPT_FILENAME "@pmFromFile malware_found.list" "id:33325,chain,phase:2,pass,nolog,severity:5,t:none,ctl:auditLogParts=+C,tag:'service_i360',tag:'noshow'"
SecRuleScript trap.lua "t:none,chain"
SecRule SCRIPT_FILENAME "@pmFromFile malware_found.list" "t:none"
# HackerTrap Base64
# SCRIPT_FILENAME is base64-encoded before the lookup, so the list
# presumably holds base64-encoded paths - confirm.
SecRule SCRIPT_FILENAME "@pmFromFile malware_found_b64.list" "id:77316816,phase:2,pass,nolog,severity:5,t:none,t:base64Encode,ctl:auditLogParts=+C,chain,tag:'service_i360',tag:'noshow'"
SecRuleScript trap.lua "t:none,chain"
SecRule SCRIPT_FILENAME "@pmFromFile malware_found_b64.list" "t:none"
# Block requests to standalone malware files (full path Base64)
SecRule SCRIPT_FILENAME "@pmFromFile malware_standalone_b64.list" "id:77316817,chain,phase:2,block,log,t:none,t:base64Encode,severity:2,msg:'IM360 WAF: Standalone malware access attempt (base64)||T:APACHE||SC:%{SCRIPT_FILENAME}||',tag:'service_i360'"
SecRule SCRIPT_FILENAME "!@endsWith index.php" "t:none,t:lowercase"
# NOTE(review): the message says "Block URI", but the action is pass (log
# only), the inspected variable is REMOTE_HOST rather than a URI variable,
# and no phase is given. Confirm this is intentional before relying on it
# as a control.
SecRule REMOTE_HOST "@pmFromFile bl_uri" "id:77316940,pass,log,severity:5,t:none,t:normalizePath,msg:'IM360 WAF: Block URI containing malicious URLs||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||SC:%{SCRIPT_FILENAME}||',tag:'service_i360custom',tag:'noshow'"
# Malware interaction signatures: a cmd argument is present and k equals one
# fixed 32-hex-character value.
SecRule &ARGS:cmd "@gt 0" "id:77350134,chain,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: Block malware interaction||SC:%{SCRIPT_FILENAME}||T:APACHE||',tag:'service_i360'"
SecRule ARGS:k "@rx ^bf0b1ced7505c16f7a921ef36c780a6e$" "t:none"
# Same idea for URIs containing /upl.php.
# NOTE(review): the k pattern is anchored only at the end, so it matches any
# value whose last character is a hex digit, not only all-hex values.
# Confirm whether a leading ^ was intended.
SecRule REQUEST_URI "@contains /upl.php" "id:77350135,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Block malware interaction||SC:%{SCRIPT_FILENAME}||T:APACHE||ARGS.cmd:%{ARGS.cmd}||ARGS.k:%{ARGS.k}||',tag:'service_i360'"
SecRule &ARGS:cmd "@gt 0" "chain,t:none"
SecRule ARGS:k "@rx [a-fA-F0-9]+$" "t:none"

# WPT-261
# Multiple Content-Type handling (CVE-2023-38199 per the rule messages):
#   77350248 (phase 1, pass) flags one header value that contains two media
#            types;
#   77350254 (phase 2) blocks a flagged request only if body parsing also
#            failed (REQBODY_ERROR is 1);
#   77350255 (phase 1) blocks when more than one Content-Type header is
#            present.
SecRule REQUEST_HEADERS:Content-Type "@rx (?:application|multipart|text)\/[\w\-\.\+]{3,32}?[^\n]{1,256}?(?:application|multipart|text)\/[\w\-\.\+]{3,32}?" "id:77350248,phase:1,pass,log,t:none,severity:5,msg:'IM360 WAF: Multiple Content-Type Request Headers (CVE-2023-38199)||SC:%{SCRIPT_FILENAME}||T:APACHE||',tag:'service_i360',setvar:'tx.rbl_infectors=1',setvar:'tx.mult_cont_type=1'"
SecRule TX:mult_cont_type "@gt 0" "chain,id:77350254,phase:2,block,log,t:none,severity:2,msg:'IM360 WAF: Multiple Content-Type Request Headers (CVE-2023-38199)||SC:%{SCRIPT_FILENAME}||T:APACHE||',tag:'service_i360'"
SecRule REQBODY_ERROR "@eq 1"
SecRule &REQUEST_HEADERS:Content-Type "@gt 1" "id:77350255,phase:1,block,log,t:none,severity:2,msg:'IM360 WAF: Multiple Content-Type Request Headers (CVE-2023-38199)||SC:%{SCRIPT_FILENAME}||T:APACHE||',tag:'service_i360'"

# WordPress user capture
# Stores the URL-decoded text before the first '|' of any wordpress_logged_in_*
# cookie in tx.wp_user. This is a phase-1 rule, so the value is available to
# the phase-2 upload-tracking messages even though it appears last in the file.
# The cookie is client-supplied and is not validated here.
SecRule REQUEST_COOKIES:/wordpress_logged_in_/ "@rx ^([^\|]+?)\|" "id:77350273,phase:1,pass,nolog,severity:5,t:none,t:urlDecode,capture,setvar:tx.wp_user=%{TX.1},msg:'IM360 WAF: Track a WordPress user||T:APACHE||',tag:'wp_core',tag:'noshow'"