Current Directory: /home/lartcid/public_html/journal.lartc.id
.htaccess
.well-known
README.md
api
cache
cgi-bin
classes
config.TEMPLATE.inc.php
config.inc.php
controllers
cypress.json
dbscripts
docs
error_log
favicon.ico
index.php
js
lib
locale
mini.php
pages
php.ini
plugins
public
registry
scheduledTaskLogs
schemas
styles
templates
tools
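# ---------------------------------------------------------------
# Imunify360 ModSecurity Rules
# Copyright (C) 2021 CloudLinux Inc All right reserved
# The Imunify360 ModSecurity Rules is distributed under
# IMUNIFY360 LICENSE AGREEMENT
# Please see the enclosed IM360-LICENSE.txt file for full details.
# ---------------------------------------------------------------
# Imunify360 ModSecurity Anti-Bruteforce Ruleset
#
# Reading guide:
#   * Rules tagged 'noshow' with "pass,log" only record an event; they do
#     not stop the request. The rules that use deny/block are the RBL
#     checks and the local WordPress counter (id 33367).
#   * A rule with "chain" fires only when every following link up to the
#     first rule without "chain" also matches.
#   * Phase 2 rules see the request; phase 3 rules also see the response
#     status and headers; phase 4 rules see the response body.
#   * Rule order and the SecMarker positions are significant: skipAfter
#     jumps forward to the named marker.

# Non-POST requests skip everything up to MARKER_BRUTE_POST.
# NOTE(review): this skip is a phase 2 rule, and skipAfter is presumably
# applied per phase, so the phase 3/4 rules below repeat the POST test
# themselves - confirm against the engine in use.
SecRule REQUEST_METHOD "!@rx ^POST$" "id:77316857,phase:2,pass,severity:5,t:none,nolog,skipAfter:MARKER_BRUTE_POST,tag:'noshow'"

# Logs WordPress failed sign-in attempts
# A POST to wp-login.php with both fields set that is answered with a 20x
# status is logged as a failed login; the submitted username is written
# into the message, the password is not.
SecRule REQUEST_METHOD "@rx ^POST$" "id:33332,chain,phase:3,pass,log,severity:2,t:none,msg:'IM360 WAF: Failed WordPress login||Name:%{ARGS.log}||T:APACHE||User:%{SCRIPT_USERNAME}||',tag:'service_i360',tag:'noshow'"
    SecRule REQUEST_FILENAME "@contains /wp-login.php" "chain,t:none"
    SecRule ARGS:log "!@rx ^$" "chain,t:none"
    SecRule ARGS:pwd "!@rx ^$" "chain,t:none"
    SecRule RESPONSE_STATUS "@rx ^20" "t:none"

# Logs Abantecart sign-in attempts
SecRule REQUEST_FILENAME "@endsWith index.php" "id:33333,chain,pass,log,phase:2,severity:5,t:none,t:urlDecode,t:normalizePath,t:lowercase,msg:'IM360 WAF: Abantecart login attempt||%{REQUEST_HEADERS.Host}',tag:'service_bruteforce',tag:'service_i360',tag:'noshow'"
    SecRule REQUEST_METHOD "^POST$" "chain,t:none,t:urlDecode"
    SecRule ARGS:rt "@contains index/login" "chain,t:none,t:urlDecode"
    SecRule ARGS:username "!@rx ^$" "chain,t:none,t:urlDecode"
    SecRule ARGS:password "!@rx ^$" "t:none"

# Logs CMSMadeSimple sign-in attempts
SecRule REQUEST_FILENAME "@endsWith admin/login.php" "id:33334,chain,pass,log,phase:2,severity:5,t:none,t:urlDecode,t:normalizePath,t:lowercase,msg:'IM360 WAF: CMSMadeSimple login attempt||%{REQUEST_HEADERS.Host}',tag:'service_bruteforce',tag:'service_i360',tag:'noshow'"
    SecRule REQUEST_METHOD "^POST$" "chain,t:none,t:urlDecode"
    SecRule ARGS:username "!@rx ^$" "chain,t:none,t:urlDecode"
    SecRule ARGS:password "!@rx ^$" "chain,t:none,t:urlDecode"
    SecRule ARGS:loginsubmit "!@rx ^$" "t:none"

# Logs Magento CMS downloader login attempt
SecRule REQUEST_URI "@contains /downloader/" "id:33338,chain,pass,log,phase:2,severity:5,t:none,t:urlDecode,t:normalizePath,t:lowercase,msg:'IM360 WAF: Magento CMS downloader login attempt||%{REQUEST_HEADERS.Host}||',tag:'service_bruteforce',tag:'noshow'"
    SecRule REQUEST_METHOD "^POST$" "chain,t:none,t:urlDecode"
    SecRule ARGS:login[username] "!@rx ^$" "chain,t:none,t:urlDecode"
    SecRule ARGS:login[password] "!@rx ^$" "t:none"

# Logs Magento CMS sign-in attempts
SecRule ARGS:form_key "!@rx ^$" "id:33335,chain,pass,log,phase:2,severity:5,t:none,t:urlDecode,t:normalizePath,t:lowercase,msg:'IM360 WAF: Magento CMS login attempt||%{REQUEST_HEADERS.Host}',tag:'service_bruteforce',tag:'service_i360',tag:'noshow'"
    SecRule REQUEST_METHOD "^POST$" "chain,t:none,t:urlDecode"
    SecRule ARGS:login[username] "!@rx ^$" "chain,t:none,t:urlDecode"
    SecRule ARGS:login[password] "!@rx ^$" "t:none"

# Logs Drupal CMS sign-in attempts
SecRule REQUEST_METHOD "^POST$" "id:33336,chain,pass,log,phase:2,severity:5,t:none,msg:'IM360 WAF: Drupal CMS login attempt||%{REQUEST_HEADERS.Host}',tag:'service_bruteforce',tag:'service_i360',tag:'noshow'"
    SecRule ARGS:form_id "!@rx ^$" "chain,t:none,t:urlDecode"
    SecRule ARGS:form_build_id "@beginsWith form-" "chain,t:none"
    SecRule ARGS:name "!@rx ^$" "chain,t:none"
    SecRule ARGS:pass "!@rx ^$" "t:none"

# Same Drupal form, evaluated in phase 3: a 20x response is logged as a
# failed login.
SecRule REQUEST_METHOD "^POST$" "id:77316941,chain,pass,log,phase:3,severity:2,t:none,msg:'IM360 WAF: Drupal CMS failed login attempt||%{REQUEST_HEADERS.Host}',tag:'service_bruteforce',tag:'service_i360',tag:'noshow'"
    SecRule RESPONSE_STATUS "@rx ^20" "chain,t:none"
    SecRule ARGS:form_build_id "@beginsWith form-" "chain,t:none"
    SecRule ARGS:name "!@rx ^$" "chain,t:none,t:urlDecode"
    SecRule ARGS:pass "!@rx ^$" "chain,t:none,t:urlDecode"
    SecRule ARGS:form_id "!@rx ^$" "t:none"

# Logs Prestashop CMS sign-in attempts
SecRule REQUEST_METHOD "^POST$" "id:33337,chain,pass,log,phase:2,severity:5,t:none,msg:'IM360 WAF: Prestashop CMS login attempt||%{REQUEST_HEADERS.Host}',tag:'service_bruteforce',tag:'service_i360',tag:'noshow'"
    SecRule REQUEST_FILENAME "@endsWith login.php" "chain,t:none,t:normalizePath,t:lowercase"
    SecRule ARGS:passwd "!@rx ^$" "chain,t:none"
    SecRule ARGS:email "!@rx ^$" "t:none"

# WordPress XML-RPC DoS abuse requests attempts
# Logs POSTs to xmlrpc.php whose response status contains 403, 404, 405
# or 406.
SecRule REQUEST_FILENAME "@endsWith xmlrpc.php" "id:33339,chain,pass,log,phase:3,severity:5,t:none,t:urlDecode,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress XML-RPC access attempt||T:APACHE||%{REQUEST_HEADERS.Host}',tag:'service_bruteforce',tag:'service_i360',tag:'noshow'"
    SecRule REQUEST_METHOD "^POST$" "chain,t:none"
    SecRule RESPONSE_STATUS "@pm 403 404 405 406" "t:none"

# Logs WHMCS sign-in attempts
# The last link requires that the Location header does NOT carry
# incorrect=1, which is why the message reads "successful login".
# NOTE(review): @pm is a substring match, so any URI containing "/login"
# enters this chain; the later links narrow it to the WHMCS form.
SecRule REQUEST_URI "@pm /dologin.php /login" "id:33342,chain,pass,log,phase:3,severity:5,t:none,t:urlDecode,t:normalizePath,t:lowercase,msg:'IM360 WAF: WHMCS successful login||%{REQUEST_HEADERS.Host}||T:APACHE||',tag:'service_bruteforce',tag:'noshow'"
    SecRule REQUEST_METHOD "^POST$" "chain,t:none,t:urlDecode"
    SecRule ARGS:token "!@rx ^$" "chain,t:none,t:urlDecode"
    SecRule ARGS:username "!@rx ^$" "chain,t:none,t:urlDecode"
    SecRule ARGS:password "!@rx ^$" "chain,t:none"
    SecRule REQUEST_HEADERS:Cookie "@rx WHMCS\w+" "chain,t:none"
    SecRule RESPONSE_HEADERS:Location "!@rx incorrect=1" "t:none"

# Logs Joomla CMS sign-in attempts
SecRule REQUEST_FILENAME "@endsWith administrator/index.php" "id:33345,chain,pass,log,phase:2,severity:5,t:none,t:urlDecode,t:normalizePath,t:lowercase,msg:'IM360 WAF: Joomla CMS login attempt||%{REQUEST_HEADERS.Host}',tag:'service_bruteforce',tag:'service_i360',tag:'noshow'"
    SecRule REQUEST_METHOD "^POST$" "chain,t:none,t:urlDecode"
    SecRule ARGS:username "!@rx ^$" "chain,t:none,t:urlDecode"
    SecRule ARGS:passwd "!@rx ^$" "chain,t:none,t:urlDecode"
    SecRule ARGS:option "^com_login$" "chain,t:none,t:urlDecode"
    SecRule ARGS:task "^login$" "t:none,t:urlDecode"

# An additional rule for logging sign-in attempts in old Joomla versions
SecRule REQUEST_FILENAME "@endsWith administrator/index.php" "id:33346,chain,pass,log,phase:2,severity:5,t:none,t:urlDecode,t:normalizePath,t:lowercase,msg:'IM360 WAF: Old Joomla CMS login attempt||%{REQUEST_HEADERS.Host}',tag:'service_bruteforce',tag:'service_i360',tag:'noshow'"
    SecRule REQUEST_METHOD "^POST$" "chain,t:none,t:urlDecode"
    SecRule ARGS:usrname "!@rx ^$" "chain,t:none,t:urlDecode"
    SecRule ARGS:pass "!@rx ^$" "t:none,t:urlDecode"

# Logs OpenCart CMS sign-in attempts
# NOTE(review): the only path test is "contains /admin/", so a POST with
# username and password fields to any application under an /admin/ path
# is attributed to OpenCart as well.
SecRule REQUEST_FILENAME "@contains /admin/" "id:33352,chain,pass,log,phase:2,severity:5,t:none,t:urlDecode,t:normalizePath,t:lowercase,msg:'IM360 WAF: OpenCart CMS login attempt||%{REQUEST_HEADERS.Host}',tag:'service_bruteforce',tag:'service_i360',tag:'noshow'"
    SecRule REQUEST_METHOD "^POST$" "chain,t:none,t:urlDecode"
    SecRule ARGS:username "!@rx ^$" "chain,t:none,t:urlDecode"
    SecRule ARGS:password "!@rx ^$" "t:none,t:urlDecode"

# Simple password bruteforce prevention arguments encoding, rule 1
# Rules 33357-33359 copy the request URI, the Referer and the server name
# into tx.URI, tx.RFR and tx.SN for the redirect built by rule 33355.
SecRule REQUEST_URI "@contains /wp-login.php" "id:33357,pass,nolog,severity:5,phase:3,t:none,t:normalizePath,setvar:tx.URI=%{MATCHED_VAR},tag:'service_i360',tag:'noshow'"

# Simple password bruteforce prevention arguments encoding, rule 2
SecRule REQUEST_HEADERS:Referer "!@rx ^$" "id:33358,pass,nolog,severity:5,phase:3,t:none,t:normalizePath,setvar:tx.RFR=%{MATCHED_VAR},tag:'service_i360',tag:'noshow'"

# Simple password bruteforce prevention arguments encoding, rule 3
SecRule SERVER_NAME "!@rx ^$" "id:33359,pass,nolog,severity:5,phase:3,t:none,setvar:tx.SN=%{MATCHED_VAR},tag:'service_i360',tag:'noshow'"

# Simple password bruteforce prevention
# Fires when a wp-login.php POST is answered with 302 and the submitted
# password, wrapped in slashes, matches an entry in the weak_passwords
# file. The client is then redirected to the external alert page.
# NOTE(review): the redirect URL carries the server name, port, Referer
# and request URI to a third-party host; the password is kept only in
# tx.wp_passwd and is not part of the message or the URL. Whether the
# audit log captures the request body depends on configuration not shown
# here.
SecRule REQUEST_METHOD "@rx ^POST$" "id:33355,chain,phase:3,msg:'IM360 WAF: WordPress login weak password||T:APACHE||Name:%{ARGS.log}||User:%{SCRIPT_USERNAME}||',redirect:https://imunify-alert.com/compromised.html?SN=%{TX.SN}&SP=%{SERVER_PORT}&RFR=%{TX.RFR}&URI=%{TX.URI}&cms_name=wordpress&version=1,log,t:none,severity:5,tag:'service_i360',tag:'service_rbl_infectors'"
    SecRule RESPONSE_STATUS "@streq 302" "chain,t:none"
    SecRule REQUEST_FILENAME "@contains /wp-login.php" "chain,t:none"
    SecRule ARGS:log "!@rx ^$" "chain,t:none"
    SecRule ARGS:pwd "!@rx ^$" "chain,t:none,setvar:tx.wp_passwd=/%{MATCHED_VAR}/"
    SecRule TX:wp_passwd "@pmFromFile weak_passwords" "t:none"

# Local bruteforce
# Applies only to requests whose REMOTE_ADDR is 127.0.0.1 or ::1; every
# other source skips the phase 2 rule 33365. The phase 3 rules 33366 and
# 33367 repeat the loopback test in their own chains.
# The counters live in one global collection, so they are shared by all
# matching requests rather than kept per client.
SecRule REMOTE_ADDR "!@ipMatch 127.0.0.1,::1" "pass,nolog,id:33364,phase:2,t:none,skipAfter:WP_LBF_MARKER,severity:5,tag:'noshow'"

# Fix: the action string of the ARGS:log link was missing its closing
# quote, which swallowed the following directive.
# NOTE(review): this chain tests ARGS:psw, while every other WordPress
# rule in this file tests ARGS:pwd; as written the chain cannot match a
# standard wp-login.php form. Left unchanged - confirm with the vendor
# ruleset before editing.
SecRule REQUEST_METHOD "^POST$" "chain,pass,log,id:33365,phase:2,initcol:global=wp_local_brute_force_collection,severity:5,tag:'noshow'"
    SecRule ARGS:log "!@rx ^$" "chain"
    SecRule ARGS:psw "!@rx ^$" "chain"
    SecRule GLOBAL:local_brute_block "!@eq 0" "setvar:global.local_brute_block=1,expirevar:global.local_brute_block=30"

# Counts loopback login POSTs that were not answered with 302; the
# counter expires after 60 seconds.
SecRule RESPONSE_STATUS "!@streq 302" "t:none,chain,id:33366,msg:'IM360 WAF: Local WP failed login attempt||%{REQUEST_HEADERS.Host}||MTD:%{tx.0}||LOG:%{ARGS.log}',pass,nolog,phase:3,severity:5,tag:'service_bruteforce',tag:'service_i360',tag:'noshow'"
    SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" "chain"
    SecRule ARGS:pwd "!@rx ^$" "t:none,chain"
    SecRule ARGS:log "!@rx ^$" "t:none,initcol:global=wp_local_brute_force_collection,setvar:global.login_attempts=+1,expirevar:global.login_attempts=60"

# Denies loopback wp-login.php POSTs once the shared counter exceeds 60.
SecRule GLOBAL:login_attempts "@gt 60" "phase:3,id:33367,deny,log,chain,setvar:global.local_brute_block=1,expirevar:global.local_brute_block=60,msg:'IM360 WAF: Local WP brute force||T:APACHE||global_collection:%{global.key}||login_attempts:%{global.login_attempts}||LOG:%{ARGS.log}||REMOTE_ADDR:%{REMOTE_ADDR}||',severity:2"
    SecRule REQUEST_METHOD "@rx ^POST$" "chain,t:none"
    SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" "chain"
    SecRule ARGS:pwd "!@rx ^$" "t:none,chain"
    SecRule ARGS:log "!@rx ^$" "t:none,chain"
    SecRule REQUEST_FILENAME "@contains /wp-login.php" "t:none"

SecMarker WP_LBF_MARKER

# DEFA-3523
SecRule REQUEST_FILENAME "@contains json-api/listaccts" "id:77316764,chain,pass,log,phase:2,severity:5,t:none,t:urlDecode,t:normalizePath,t:lowercase,msg:'IM360 WAF: WHMCS API login attempt||%{REQUEST_HEADERS.Host}',tag:'service_bruteforce',tag:'service_i360',tag:'noshow'"
    SecRule &ARGS:api.version "@gt 0" "chain,t:none"
    SecRule REQUEST_HEADERS:Authorization "@beginsWith whm" "t:none"

# DEFA-3523
SecRule REQUEST_FILENAME "@contains /cpsess" "id:77316765,chain,pass,log,phase:2,severity:5,t:none,t:urlDecode,t:normalizePath,t:lowercase,msg:'IM360 WAF: WHMCS link login attempt||%{REQUEST_HEADERS.Host}',tag:'service_bruteforce',tag:'service_i360',tag:'noshow'"
    SecRule ARGS:session "@contains create_user_session" "t:none"

# Joomla! Failed Login
# Administrator form: treated as failed when the response sets no cookie.
SecRule REQUEST_METHOD "^POST$" "id:77316938,chain,pass,log,phase:3,severity:2,t:none,msg:'IM360 WAF: Joomla CMS administrator login attempt failed||%{REQUEST_HEADERS.Host}||T:APACHE||',tag:'service_bruteforce',tag:'service_i360',tag:'noshow'"
    SecRule REQUEST_FILENAME "@endsWith administrator/index.php" "chain,t:none,t:normalizePath,t:lowercase"
    SecRule ARGS:username "!@rx ^$" "chain,t:none"
    SecRule ARGS:passwd "!@rx ^$" "chain,t:none"
    SecRule ARGS:option "^com_login$" "chain,t:none"
    SecRule &RESPONSE_HEADERS:Set-Cookie "@eq 0" "t:none"

# Front-end user form: treated as failed when no Set-Cookie header
# carries joomla_user_state=logged_in.
SecRule REQUEST_METHOD "^POST$" "id:77316939,chain,pass,log,phase:3,severity:2,msg:'IM360 WAF: Joomla CMS user login attempt failed||%{REQUEST_HEADERS.Host}||T:APACHE||',tag:'service_bruteforce',tag:'service_i360',tag:'noshow'"
    SecRule REQUEST_URI "@contains /index.php/component/users/" "chain,t:none,t:normalizePath,t:lowercase"
    SecRule ARGS:username "!@rx ^$" "chain,t:none"
    SecRule ARGS:password "!@rx ^$" "chain,t:none"
    SecRule ARGS:option "^com_login$" "chain,t:none"
    SecRule RESPONSE_HEADERS:Set-Cookie "!@rx joomla_user_state=logged_in" "t:none"

# DEFA-3984
# Failed WHMCS login: the redirect Location contains incorrect=1.
SecRule REQUEST_METHOD "@rx ^POST$" "id:77316840,chain,phase:3,pass,log,severity:5,t:none,msg:'IM360 WAF: Failed WHMCS login||User:%{SCRIPT_USERNAME}||T:APACHE||',tag:'service_i360',tag:'noshow'"
    SecRule REQUEST_URI "@rx (?:\/dologin\.php|\/login)$" "chain,t:none,t:urlDecode"
    SecRule REQUEST_HEADERS:Cookie "@rx WHMCS\w+" "chain,t:none"
    SecRule ARGS:token "!@rx ^$" "chain,t:none,t:urlDecode"
    SecRule ARGS:username "!@rx ^$" "chain,t:none,t:urlDecode"
    SecRule ARGS:password "!@rx ^$" "chain,t:none"
    SecRule RESPONSE_HEADERS:Location "@contains incorrect=1" "t:none"

# DEFA-3984
# WHMCS login answered with 302 and a WHMCS cookie in the response.
SecRule REQUEST_METHOD "@rx ^POST$" "id:77316841,chain,phase:3,pass,log,severity:5,t:none,msg:'IM360 WAF: WHMCS login attempt||User:%{SCRIPT_USERNAME}||T:APACHE||',tag:'service_i360',tag:'noshow'"
    SecRule REQUEST_URI "@rx (?:\/dologin\.php|\/login)$" "chain,t:none,t:urlDecode"
    SecRule RESPONSE_STATUS "@streq 302" "chain,t:none"
    SecRule ARGS:token "!@rx ^$" "chain,t:none,t:urlDecode"
    SecRule ARGS:username "!@rx ^$" "chain,t:none,t:urlDecode"
    SecRule ARGS:password "!@rx ^$" "chain,t:none"
    SecRule RESPONSE_HEADERS:Set-Cookie "@rx WHMCS\w+" "t:none"

# WPT-137
# RBL whitelist
# When tx.rbl_whitelist_check is 1 (set outside this file), every RBL
# rule down to RBL_BRUTE_CHECK is skipped.
SecRule TX:rbl_whitelist_check "@eq 1" "id:77350195,phase:2,pass,severity:5,nolog,t:none,skipAfter:RBL_BRUTE_CHECK,tag:'noshow'"

# RBL section. Each chain ends with two DNS list lookups on TX:RBL_IP
# (set outside this file): the address must be listed in www-brute and
# must not be listed in nxdomain.
# NOTE(review): the nxdomain lookup looks like a guard against a resolver
# that answers for every name - confirm with the vendor documentation.
# Each matching request costs DNS lookups, so resolver latency and
# availability affect these login paths.

# DEFA-3539, DEFA-3949
SecRule REQUEST_URI "@pm /dologin.php /login" "id:33373,chain,block,log,phase:2,severity:2,t:none,t:normalizePath,t:lowercase,msg:'IM360 WAF: WHMCS bruteforce attempt on login page||T:APACHE||%{REQUEST_HEADERS.Host}',tag:'service_bruteforce'"
    SecRule REQUEST_METHOD "^POST$" "chain,t:none"
    SecRule ARGS:token "!@rx ^$" "chain,t:none"
    SecRule ARGS:username "!@rx ^$" "chain,t:none"
    SecRule ARGS:password "!@rx ^$" "chain,t:none"
    SecRule REQUEST_HEADERS:Cookie "@rx WHMCS\w+" "chain,t:none,setvar:tx.rbl_perf=1"
    SecRule TX:RBL_IP "@rbl www-brute.v2.rbl.imunify.com." "t:none,chain"
    SecRule TX:RBL_IP "!@rbl nxdomain.v2.rbl.imunify.com." "t:none,setvar:ip.rbl_brute=1,expirevar:ip.rbl_brute=300"

# DEFA-3782
SecRule REQUEST_METHOD "^POST$" "id:77316815,chain,block,log,phase:2,severity:2,t:none,msg:'IM360 WAF: Prestashop CMS login block from address in rbl www-brute||%{REQUEST_HEADERS.Host}||T:APACHE||',tag:'service_bruteforce',tag:'service_i360'"
    SecRule REQUEST_FILENAME "@endsWith login.php" "chain,t:none,t:normalizePath,t:lowercase"
    SecRule ARGS:passwd "!@rx ^$" "chain,t:none"
    SecRule ARGS:email "!@rx ^$" "chain,t:none,setvar:tx.rbl_perf=1"
    SecRule TX:RBL_IP "@rbl www-brute.v2.rbl.imunify.com." "t:none,chain"
    SecRule TX:RBL_IP "!@rbl nxdomain.v2.rbl.imunify.com." "t:none"

# WordPress Bruteforce RBL remote check
# Denies with 403; "nolog,auditlog" keeps the event out of the error log
# but still writes it to the audit log.
SecRule REQUEST_URI "/wp-login\.php|/xmlrpc\.php" "id:33303,chain,phase:2,t:none,deny,status:403,severity:2,nolog,auditlog,msg:'IM360 WAF: WordPress Bruteforce RBL block||Name:%{ARGS.log}||T:APACHE||MV:%{MATCHED_VAR}',tag:'wp_core'"
    SecRule REQUEST_METHOD "^POST$" "t:none,chain,setvar:tx.rbl_perf=1"
    SecRule TX:RBL_IP "@rbl www-brute.v2.rbl.imunify.com." "t:none,chain"
    SecRule TX:RBL_IP "!@rbl nxdomain.v2.rbl.imunify.com." "t:none,setvar:ip.rbl_brute=1,expirevar:ip.rbl_brute=300"

# Magento Bruteforce RBL remote check
SecRule ARGS:form_key "!@rx ^$" "id:33305,chain,phase:2,t:none,deny,status:403,severity:2,nolog,auditlog,msg:'IM360 WAF: Magento Bruteforce RBL block||T:APACHE||MV:%{MATCHED_VAR}',tag:'service_i360'"
    SecRule REQUEST_METHOD "^POST$" "t:none,chain"
    SecRule ARGS:login[username] "!@rx ^$" "t:none,chain"
    SecRule ARGS:login[password] "!@rx ^$" "t:none,chain,setvar:tx.rbl_perf=1"
    SecRule TX:RBL_IP "@rbl www-brute.v2.rbl.imunify.com." "t:none,chain"
    SecRule TX:RBL_IP "!@rbl nxdomain.v2.rbl.imunify.com." "t:none,setvar:ip.rbl_brute=1,expirevar:ip.rbl_brute=300"

# Joomla Bruteforce RBL remote check
SecRule REQUEST_FILENAME "@endsWith administrator/index.php" "id:33348,chain,phase:2,t:none,deny,status:403,severity:2,nolog,auditlog,msg:'IM360 WAF: Joomla Bruteforce RBL block||T:APACHE||MV:%{MATCHED_VAR}',tag:'service_i360'"
    SecRule REQUEST_METHOD "^POST$" "t:none,chain"
    SecRule ARGS:username "!@rx ^$" "chain,t:none"
    SecRule ARGS:passwd "!@rx ^$" "chain,t:none"
    SecRule ARGS:option "^com_login$" "chain,t:none"
    SecRule ARGS:task "^login$" "chain,t:none,setvar:tx.rbl_perf=1"
    SecRule TX:RBL_IP "@rbl www-brute.v2.rbl.imunify.com." "t:none,chain"
    SecRule TX:RBL_IP "!@rbl nxdomain.v2.rbl.imunify.com." "t:none,setvar:ip.rbl_brute=1,expirevar:ip.rbl_brute=300"

# Old Joomla versions Bruteforce RBL remote check
SecRule REQUEST_FILENAME "@endsWith administrator/index.php" "id:33350,chain,phase:2,t:none,deny,status:403,severity:2,nolog,auditlog,msg:'IM360 WAF: Old Joomla versions Bruteforce RBL block||T:APACHE||MV:%{MATCHED_VAR}',tag:'service_i360'"
    SecRule REQUEST_METHOD "^POST$" "chain,t:none"
    SecRule ARGS:usrname "!@rx ^$" "chain,t:none"
    SecRule ARGS:pass "!@rx ^$" "chain,t:none,setvar:tx.rbl_perf=1"
    SecRule TX:RBL_IP "@rbl www-brute.v2.rbl.imunify.com." "t:none,chain"
    SecRule TX:RBL_IP "!@rbl nxdomain.v2.rbl.imunify.com." "t:none,setvar:ip.rbl_brute=1,expirevar:ip.rbl_brute=300"

# OpenCart Bruteforce RBL remote check
# NOTE(review): as with rule 33352, the path test is only
# "contains /admin/", so this deny also covers other applications that
# post username/password fields under an /admin/ path.
SecRule REQUEST_FILENAME "@contains /admin/" "id:33354,chain,phase:2,t:none,deny,status:403,severity:2,nolog,auditlog,msg:'IM360 WAF: OpenCart Bruteforce RBL block||T:APACHE||MV:%{MATCHED_VAR}',tag:'service_i360'"
    SecRule REQUEST_METHOD "^POST$" "chain,t:none"
    SecRule ARGS:username "!@rx ^$" "chain,t:none"
    SecRule ARGS:password "!@rx ^$" "chain,t:none,setvar:tx.rbl_perf=1"
    SecRule TX:RBL_IP "@rbl www-brute.v2.rbl.imunify.com." "t:none,chain"
    SecRule TX:RBL_IP "!@rbl nxdomain.v2.rbl.imunify.com." "t:none,setvar:ip.rbl_brute=1,expirevar:ip.rbl_brute=300"

# Block Joomla unsecured contact forms bruteforce
SecRule ARGS:option "@streq com_contact" "id:33351,chain,phase:2,log,block,severity:2,t:none,t:lowercase,msg:'IM360 WAF: Block Joomla unsecured contact forms bruteforce||ID:%{ARGS.id}||ITEMID:%{ARGS.Itemid}||T:APACHE||MTD:%{tx.0}||',tag:'service_bruteforce'"
    SecRule ARGS:task|ARGS:view "@contains contact" "chain,t:none,t:lowercase"
    SecRule ARGS:Itemid|ARGS:id "!@rx ^$" "chain,t:none,setvar:tx.rbl_perf=1"
    SecRule TX:RBL_IP "@rbl www-brute.v2.rbl.imunify.com." "chain,t:none"
    SecRule TX:RBL_IP "!@rbl nxdomain.v2.rbl.imunify.com." "t:none"

# Drupal Bruteforce RBL remote check
SecRule ARGS:q "!@rx ^$" "id:33307,chain,phase:2,t:none,deny,status:403,severity:2,nolog,auditlog,msg:'IM360 WAF: Drupal Bruteforce RBL block||T:APACHE||MV:%{MATCHED_VAR}',tag:'service_i360'"
    SecRule REQUEST_METHOD "^POST$" "t:none,chain"
    SecRule ARGS:form_build_id "@beginsWith form-" "t:none,chain"
    SecRule ARGS:name "!@rx ^$" "t:none,chain"
    SecRule ARGS:pass "!@rx ^$" "t:none,chain"
    SecRule ARGS:form_id "!@rx ^$" "t:none,chain,setvar:tx.rbl_perf=1"
    SecRule TX:RBL_IP "@rbl www-brute.v2.rbl.imunify.com." "t:none,chain"
    SecRule TX:RBL_IP "!@rbl nxdomain.v2.rbl.imunify.com." "t:none,setvar:ip.rbl_brute=1,expirevar:ip.rbl_brute=300"

# WPT-137
# NOTE(review): this phase 2 rule sits before MARKER_BRUTE_POST, so rule
# 77316857 skips it for every non-POST request; an author= lookup sent
# with GET is not evaluated here.
SecRule ARGS:author "@ge 1" "id:77140879,chain,block,auditlog,phase:2,severity:2,t:none,msg:'IM360 WAF: RBL Block WordPress users enumeration||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',setvar:tx.rbl_perf=1,tag:'service_i360custom'"
    SecRule TX:RBL_IP "@rbl www-brute.v2.rbl.imunify.com." "t:none,chain"
    SecRule TX:RBL_IP "!@rbl nxdomain.v2.rbl.imunify.com." "t:none"

SecMarker RBL_BRUTE_CHECK

# DEFA-4354
SecRule REQUEST_METHOD "^POST$" "id:77317953,chain,pass,log,phase:3,severity:5,t:none,msg:'IM360 WAF: Prestashop CMS failed login attempt||%{REQUEST_HEADERS.Host}||T:APACHE||',tag:'service_bruteforce',tag:'service_i360',tag:'noshow'"
    SecRule REQUEST_FILENAME "@endsWith /login" "chain,t:none,t:normalizePath,t:lowercase"
    SecRule &ARGS:password|&ARGS:passwd "@gt 0" "chain,t:none"
    SecRule &ARGS:email "@gt 0" "chain,t:none"
    SecRule RESPONSE_STATUS "@rx ^20"

# DEFA-4354
SecRule REQUEST_METHOD "^POST$" "id:77317954,chain,pass,log,phase:2,severity:5,t:none,msg:'IM360 WAF: Prestashop CMS administrator login attempt||Host:%{REQUEST_HEADERS.Host}||T:APACHE||',tag:'service_bruteforce',tag:'service_i360',tag:'noshow'"
    SecRule REQUEST_FILENAME "@endsWith /index.php" "chain,t:none,t:normalizePath,t:lowercase"
    SecRule ARGS:controller "@streq AdminLogin" "chain,t:none"
    SecRule &ARGS:password|&ARGS:passwd "@gt 0" "chain,t:none"
    SecRule &ARGS:email "@gt 0" "t:none"

# DEFA-4372
# Fix: the messages of rules 77317958 and 77317959 carried an unrendered
# template placeholder in the T: field; it is set to APACHE, the value
# every other message in this file uses.
SecRule REQUEST_METHOD "^POST$" "id:77317958,chain,pass,log,phase:3,severity:5,t:none,t:urlDecode,msg:'IM360 WAF: Magento CMS admin failed login attempt||Host:%{REQUEST_HEADERS.Host}||T:APACHE||',tag:'service_bruteforce',tag:'noshow'"
    SecRule REQUEST_URI "@contains /admin/" "chain,t:none,t:normalizePath"
    SecRule &ARGS:login[username] "@gt 0" "chain,t:none"
    SecRule &ARGS:login[password] "@gt 0" "chain,t:none"
    SecRule RESPONSE_STATUS "@rx ^20" "t:none"

SecRule REQUEST_METHOD "^POST$" "id:77317959,chain,pass,log,phase:3,severity:5,t:none,t:urlDecode,msg:'IM360 WAF: Magento CMS customer failed login attempt||Host:%{REQUEST_HEADERS.Host}||T:APACHE||',tag:'service_bruteforce',tag:'noshow'"
    SecRule REQUEST_URI "@contains /customer/" "chain,t:none,t:normalizePath"
    SecRule &ARGS:login[username] "@gt 0" "chain,t:none"
    SecRule &ARGS:login[password] "@gt 0" "chain,t:none"
    SecRule RESPONSE_HEADERS:Set-Cookie "!@rx ^X-Magento-Vary" "t:none"

# DEFA-4450
# Rule 33374 turns response body access on for POSTs to xmlrpc.php so
# that the phase 4 rules below can inspect the XML-RPC reply.
SecRule REQUEST_METHOD "^POST$" "id:33374,chain,phase:3,pass,nolog,severity:5,t:none,msg:'IM360 WAF: XMLRPC response body access||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_i360custom',tag:'noshow',tag:'im360_req_post'"
    SecRule REQUEST_FILENAME "@endsWith xmlrpc.php" "t:none,ctl:responseBodyAccess=On"

# Logs replies whose body contains a fault with code 403.
SecRule REQUEST_METHOD "^POST$" "id:33375,chain,phase:4,pass,log,severity:5,t:none,msg:'IM360 WAF: XMLRPC fault response||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_i360custom',tag:'noshow',tag:'im360_req_post'"
    SecRule REQUEST_FILENAME "@endsWith xmlrpc.php" "chain,t:none"
    SecRule RESPONSE_BODY "@contains faultCode</name><value><int>403<" "t:none,t:compressWhitespace,t:removeWhitespace"

# Logs any reply containing faultCode; a 403 fault therefore produces
# two events with the same message, one from 33375 and one from 33376.
SecRule REQUEST_METHOD "^POST$" "id:33376,chain,phase:4,pass,log,severity:5,t:none,msg:'IM360 WAF: XMLRPC fault response||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_i360custom',tag:'noshow',tag:'im360_req_post'"
    SecRule REQUEST_FILENAME "@endsWith xmlrpc.php" "chain,t:none"
    SecRule RESPONSE_BODY "@contains faultCode" "t:none,t:compressWhitespace,t:removeWhitespace"

SecMarker MARKER_BRUTE_POST

# WPT-150
# The two rules below sit after MARKER_BRUTE_POST and are evaluated for
# every request method.
SecRule REQUEST_URI "@rx clientarea\.php\?incorrect=(?:true|1)" "id:77316762,phase:2,pass,log,severity:5,t:normalizePath,msg:'IM360 WAF: WHMCS failed authorization||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||User:%{SCRIPT_USERNAME}||',tag:'service_i360custom'"

SecRule REQUEST_BASENAME "@streq banned.php" "id:77350200,chain,phase:2,pass,log,severity:5,t:urlDecodeUni,t:removeWhitespace,msg:'IM360 WAF: WHMCS banned IP for several failed authorization||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||User:%{SCRIPT_USERNAME}||',tag:'service_i360custom'"
    SecRule REQUEST_HEADERS:Referer "@rx \/admin\/index\.php$" "t:none,t:normalizePath"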