File Manager
Current Directory: /home/lartcid/public_html/journal.lartc.id
..
.htaccess
.well-known
README.md
api
cache
cgi-bin
classes
config.TEMPLATE.inc.php
config.inc.php
controllers
cypress.json
dbscripts
docs
error_log
favicon.ico
index.php
js
lib
locale
mini.php
pages
php.ini
plugins
public
registry
scheduledTaskLogs
schemas
styles
templates
tools
Edit File
# ------------------------------------------------------
# Imunify360 ModSecurity Rules
# Copyright (C) 2024 CloudLinux Inc All right reserved
# The Imunify360 ModSecurity Rules is distributed under
# IMUNIFY360 LICENSE AGREEMENT
# ------------------------------------------------------
# Imunify360 ModSecurity Base Ruleset
#
# Overview of what this file does, in order: select request body processors,
# derive the client address into tx.remote_addr, run the RBL / brute-force /
# blocklist checks (jumped over for whitelisted addresses via the RBL_CHECK
# marker), then the self-test, "trap" recording, malware-path and WordPress
# cookie capture rules.

# Defaults for phases 1 and 2: deny. "nolog,auditlog" keeps matches out of the
# error log while still recording them in the audit log.
SecDefaultAction "phase:1,deny,nolog,auditlog"
SecDefaultAction "phase:2,deny,nolog,auditlog"

# Response bodies are not inspected. The MIME type list only takes effect if
# response body access is switched on elsewhere.
SecResponseBodyAccess Off
SecResponseBodyMimeType text/plain text/html text/xml

# Set JSON body processor
# No operator is named, so the pattern is an unanchored regex applied to the
# lowercased Content-Type header.
SecRule REQUEST_HEADERS:Content-Type "application/json" "id:77350039,phase:1,pass,nolog,severity:5,t:none,t:lowercase,ctl:requestBodyProcessor=JSON,tag:'service_im360'"

# Set XML body processor
SecRule REQUEST_HEADERS:Content-Type "text/xml" "id:77210050,phase:1,pass,nolog,severity:5,t:none,t:lowercase,ctl:requestBodyProcessor=XML,tag:'service_im360'"

# Client address, IPv4 case. Captures the text before the first comma or colon
# of the listed proxy headers; when the chained rule finds a dotted-quad in
# that text, the matched part (TX.0) becomes tx.remote_addr and skip:1 jumps
# over the IPv6 chain that follows.
# NOTE(review): these are request headers, so the value is only as trustworthy
# as whatever sets them. Every decision keyed on tx.remote_addr further down
# (rbl_whitelist skip, bl_ips block, the per-IP collection key) inherits that
# trust - confirm a front-end proxy overwrites these headers before requests
# reach this server.
SecRule REQUEST_HEADERS:CF-Connecting-IP|REQUEST_HEADERS:X-Sucuri-ClientIP|REQUEST_HEADERS:X-Forwarded-For|REQUEST_HEADERS:X-RealIP "@rx ^([^,:]+),?" "chain,id:77350282,phase:2,pass,severity:5,nolog,t:none,capture,skip:1"
    SecRule TX:1 "@rx (\b25[0-5]|\b2[0-4][0-9]|\b[01]?[0-9][0-9]?)(\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}" "capture,setvar:'tx.remote_addr=%{TX.0}'"

# Client address, IPv6 case. Same headers, but only a comma ends the first
# element (colons are part of an IPv6 literal). The chained pattern is anchored
# at both ends, allows an optional %zone suffix and surrounding whitespace, and
# stores capture group 1 (the address without zone) in tx.remote_addr.
SecRule REQUEST_HEADERS:CF-Connecting-IP|REQUEST_HEADERS:X-Sucuri-ClientIP|REQUEST_HEADERS:X-Forwarded-For|REQUEST_HEADERS:X-RealIP "@rx ^([^,]+),?" "chain,id:77350283,phase:2,pass,severity:5,nolog,t:none,capture"
    SecRule TX:1 "@rx ^\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?\s*$" "t:none,capture,setvar:'tx.remote_addr=%{TX.1}'"

# Fallback to the socket peer address: first when tx.remote_addr was never set
# (then skip:1 jumps over the next rule), second when it is set but empty.
SecRule &TX:remote_addr "@eq 0" "id:77350286,phase:2,pass,nolog,severity:5,setvar:'tx.remote_addr=%{REMOTE_ADDR}',skip:1"
SecRule TX:remote_addr "@rx ^$" "id:77350287,phase:2,pass,nolog,severity:5,setvar:'tx.remote_addr=%{REMOTE_ADDR}'"

# RBL whitelist
# An address found in the rbl_whitelist file jumps to the RBL_CHECK marker,
# which bypasses every rule in between: the four brute-force checks, the bl_ips
# blocklist (33370) and the risky-actions RBL lookup (33315).
# NOTE(review): the lookup key is tx.remote_addr, see the header-trust note on
# rule 77350282.
SecRule TX:remote_addr "@ipMatchFromFile rbl_whitelist" "id:33310,phase:2,pass,nolog,severity:5,setvar:tx.rbl_whitelist_check=1,skipAfter:RBL_CHECK"

# IPv4 address
# Builds tx.rbl_ip as "<hour>-<minute>.<address>" and opens the persistent IP
# collection keyed by tx.remote_addr (read below as IP:rbl_brute).
SecAction "id:33368,phase:2,pass,nolog,severity:5,setvar:tx.rbl_ip=%{TIME_HOUR}-%{TIME_MIN}.%{tx.remote_addr},initcol:ip=%{tx.remote_addr}"

# WordPress Bruteforce RBL persistent storage check
# Blocks a POST to wp-login.php or xmlrpc.php when the IP collection carries
# rbl_brute=1. Nothing in this file sets IP:rbl_brute; presumably another
# ruleset or component does - TODO confirm. The same applies to the Magento,
# Drupal and OpenCart chains below.
SecRule REQUEST_URI "/wp-login\.php|/xmlrpc\.php" "id:33302,chain,phase:2,t:none,block,severity:2,nolog,auditlog,msg:'IM360 WAF: WordPress Bruteforce RBL block||Name:%{ARGS.log}||WPU:%{ARGS.log}||T:APACHE||MV:%{MATCHED_VAR}',tag:'wp_core'"
    SecRule REQUEST_METHOD "^POST$" "t:none,chain"
    SecRule IP:rbl_brute "@eq 1"

# Magento Bruteforce RBL persistent storage check
# Login POST is recognised by non-empty form_key, login[username] and
# login[password] arguments.
SecRule ARGS:form_key "!@rx ^$" "id:33304,chain,phase:2,t:none,block,severity:2,nolog,auditlog,msg:'IM360 WAF: Magento Bruteforce RBL block||T:APACHE||MV:%{MATCHED_VAR}',tag:'service_im360'"
    SecRule REQUEST_METHOD "^POST$" "t:none,chain"
    SecRule ARGS:login[username] "!@rx ^$" "t:none,chain"
    SecRule ARGS:login[password] "!@rx ^$" "t:none,chain"
    SecRule IP:rbl_brute "@eq 1"

# Drupal Bruteforce RBL persistent storage check
# Login POST is recognised by non-empty q, name, pass and form_id arguments and
# a form_build_id that (after URL-decoding) begins with "form-".
SecRule ARGS:q "!@rx ^$" "id:33306,chain,phase:2,t:none,block,severity:2,nolog,auditlog,msg:'IM360 WAF: Drupal Bruteforce RBL block||T:APACHE||MV:%{MATCHED_VAR}',tag:'service_im360'"
    SecRule REQUEST_METHOD "^POST$" "t:none,chain"
    SecRule ARGS:form_build_id "@beginsWith form-" "t:none,t:urlDecode,chain"
    SecRule ARGS:name "!@rx ^$" "t:none,chain"
    SecRule ARGS:pass "!@rx ^$" "t:none,chain"
    SecRule ARGS:form_id "!@rx ^$" "t:none,chain"
    SecRule IP:rbl_brute "@eq 1"

# OpenCart Bruteforce RBL persistent storage check
# Matches any POST under a path containing /admin/ with non-empty username and
# password arguments, so it is not specific to OpenCart paths.
SecRule REQUEST_FILENAME "@contains /admin/" "id:33353,chain,phase:2,t:none,block,severity:2,nolog,auditlog,msg:'IM360 WAF: OpenCart Bruteforce RBL block||T:APACHE||MV:%{MATCHED_VAR}',tag:'service_im360'"
    SecRule REQUEST_METHOD "^POST$" "chain,t:none"
    SecRule ARGS:username "!@rx ^$" "chain,t:none"
    SecRule ARGS:password "!@rx ^$" "chain,t:none"
    SecRule IP:rbl_brute "@eq 1"

# IP blocklist
# Blocks and logs any request whose tx.remote_addr is listed in the bl_ips file.
SecRule TX:remote_addr "@ipMatchFromFile bl_ips" "id:33370,phase:2,block,log,severity:2,t:none,msg:'IM360 WAF: IP address is listed in blocklist bl_ips||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_i360custom'"

# Block risky actions
# For request paths listed in risky-actions.list, performs a DNS RBL lookup on
# TX:RBL_IP (presumably the tx.rbl_ip value built by rule 33368 - confirm) and
# blocks when the address is listed. The second, negated lookup against the
# nxdomain zone looks like a guard against resolvers that answer for every
# name - TODO confirm. ctl:auditLogParts=+C adds the request body to the audit
# record for this transaction.
SecRule REQUEST_FILENAME "@pmFromFile risky-actions.list" "id:33315,phase:2,block,severity:2,log,t:none,msg:'IM360 WAF: RBL block risky actions||T:APACHE||MV:%{MATCHED_VAR}',ctl:auditLogParts=+C,chain,setvar:tx.rbl_perf=1,tag:'service_i360'"
    SecRule TX:RBL_IP "@rbl risky-actions.v2.rbl.imunify.com." "t:none,chain"
    SecRule TX:RBL_IP "!@rbl nxdomain.v2.rbl.imunify.com." "t:none"

# Target of skipAfter in rule 33310; rules from here on also run for
# whitelisted addresses.
SecMarker RBL_CHECK

# Ruleset self-test: a request carrying the i360test argument with this fixed
# value is blocked with status 406 and logged.
SecRule ARGS:i360test "@streq 88ff0adf94a190b9d1311c8b50fe2891c85af732" "id:33312,msg:'IM360 WAF: Testing the IM360 ModSecurity ruleset||User:%{SCRIPT_USERNAME}||T:APACHE||',phase:2,block,log,status:406,t:none,t:lowercase,severity:2,tag:'service_i360custom'"

# Logging phase: when tx.trapped is 1, write an audit-log-only "RTrack" record
# with tx.trapinfo and the response status, then reset the flag.
# tx.trapped / tx.trapinfo are not set anywhere in this file; presumably
# trap.lua sets them - TODO confirm.
SecRule TX:trapped "@eq 1" "id:33314,phase:5,pass,nolog,auditlog,msg:'IM360 WAF: RTrack||RTrack: %{TX.trapinfo}||T:APACHE||R:%{RESPONSE_STATUS}',severity:7,tag:'service_i360',tag:'noshow',setvar:tx.trapped=0"

# IP Record, rule 1
# Copies the derived client address into tx.i360_remote_addr.
SecAction "id:33327,phase:2,pass,nolog,severity:5,setvar:tx.i360_remote_addr=%{tx.remote_addr}"

# IP Record, rule 2
# Logging phase: when the address appears in ip-record.db, run trap.lua. The
# first test is repeated as the last link of the chain, per the note below it.
SecRule TX:i360_remote_addr "@pmFromFile ip-record.db" "id:33328,chain,phase:5,pass,nolog,severity:5,t:none,ctl:auditLogParts=+C,tag:'service_i360',tag:'noshow'"
    SecRuleScript trap.lua "t:none,chain"
    SecRule TX:i360_remote_addr "@pmFromFile ip-record.db" "t:none"
    # ^ Do not delete this line, fix for systems without LUA

# Rnd Record
# Samples requests: UNIQUE_ID is hashed (md5, hex, lowercase) and the rule
# matches when the digest ends in "fff" - about 1 in 4096 if digests are evenly
# distributed. Runs trap.lua only when no TX variable named trapped exists yet.
# The closing "&ARGS >= 0" test is always true.
SecRule UNIQUE_ID "@rx fff$" "id:33340,chain,phase:5,capture,pass,nolog,auditlog,severity:5,ctl:auditLogParts=+C,t:none,t:md5,t:hexEncode,t:lowercase,tag:'service_i360',tag:'noshow'"
    SecRule &TX:trapped "@eq 0" "chain,t:none"
    SecRuleScript trap.lua "chain,t:none"
    SecRule &ARGS "@ge 0" "t:none"
    # ^ Do not delete this line, fix for systems without LUA

# Record each block event
# Fires when the most severe matched rule has severity 2 or lower (numerically)
# and the response status starts with 403, then runs trap.lua under the same
# "not yet trapped" condition as above.
SecRule HIGHEST_SEVERITY "@le 2" "id:33343,chain,phase:5,pass,nolog,severity:5,t:none,tag:'service_i360',tag:'noshow'"
    SecRule RESPONSE_STATUS "@rx ^403" "t:none,chain"
    SecRule &TX:trapped "@eq 0" "t:none,chain"
    SecRuleScript trap.lua "t:none,chain"
    SecRule &ARGS "@ge 0" "t:none"
    # ^ Do not delete this line, fix for systems without LUA

# IP Record
# Logging phase: emit the "IPRec" audit record for a trapped transaction and
# reset the flag.
SecRule TX:trapped "@eq 1" "id:33329,phase:5,t:none,pass,nolog,auditlog,msg:'IPRec: %{TX.trapinfo}||T:APACHE||R:%{RESPONSE_STATUS}',severity:7,tag:'service_i360',tag:'noshow',setvar:tx.trapped=0"

# Rules configurator tag tests
# A request with tag_test=wp_core is blocked by a rule tagged wp_core, which
# shows whether rules carrying that tag are active.
SecRule ARGS:tag_test "@streq wp_core" "id:33360,msg:'IM360 WAF: Testing tags (wp_core)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,t:none,t:lowercase,severity:2,tag:'wp_core'"

# Rules configurator tag tests
# Same check for the joomla_core tag.
SecRule ARGS:tag_test "@streq joomla_core" "id:33361,msg:'IM360 WAF: Testing tags (joomla_core)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,t:none,t:lowercase,severity:2,tag:'joomla_core'"

# Request phase counterpart of the trap records: audit-log "IPR" entry when
# tx.trapped is already 1 at this point, then reset the flag.
SecRule TX:trapped "@eq 1" "id:33326,phase:2,pass,nolog,auditlog,msg:'IM360 WAF: IPR||HT: %{TX.trapinfo}||T:APACHE||',severity:7,tag:'service_i360',tag:'noshow',setvar:tx.trapped=0"

# HackerTrap Base64
# The script path is base64-encoded and looked up in malware_found_b64.list;
# on a hit trap.lua runs and the request is allowed to continue (pass).
SecRule SCRIPT_FILENAME "@pmFromFile malware_found_b64.list" "id:77316816,phase:2,pass,nolog,severity:5,t:none,t:base64Encode,ctl:auditLogParts=+C,chain,tag:'service_i360',tag:'noshow'"
    SecRuleScript trap.lua "t:none,chain"
    SecRule &ARGS "@ge 0" "t:none"

# Blocks and logs direct requests to a script whose base64-encoded path is in
# malware_standalone_b64.list, unless the lowercased path contains index.php or
# wp-load.php or ends in "/".
SecRule SCRIPT_FILENAME "!@rx (?:index\.php|wp-load\.php|\/$)" "id:77316817,chain,phase:2,block,log,t:none,t:lowercase,severity:2,msg:'IM360 WAF: Standalone malware access attempt (base64)||T:APACHE||SC:%{SCRIPT_FILENAME}||File:%{REQUEST_FILENAME}||User:%{SCRIPT_USERNAME}||',tag:'service_i360'"
    SecRule SCRIPT_FILENAME "@pmFromFile malware_standalone_b64.list" "t:none,t:base64Encode"

# WordPress user capture
# From a wordpress_logged_in_* cookie in the request: TX.1 (text before the
# first "|") goes to tx.wp_user and TX.2 (the last six word characters of the
# cookie value) to tx.wp_cookie. Neither variable is read in this file.
SecRule REQUEST_HEADERS:Cookie "wordpress_logged_in_[^=]+=([^\|]+?)\|[^;]+(\w{6})(?:\;|$)" "id:77350273,phase:1,pass,nolog,severity:5,t:none,t:urlDecode,capture,setvar:tx.wp_user=%{TX.1},setvar:tx.wp_cookie=%{TX.2},tag:'service_im360',tag:'noshow'"

# Same capture from the response Set-Cookie header (phase 3), i.e. when the
# cookie is being issued.
SecRule RESPONSE_HEADERS:set-cookie "@rx wordpress_logged_in_[^=]+=([^\|]+?)\|[^;]+(\w{6})(?:\;|$)" "id:77350315,phase:3,pass,nolog,severity:5,t:none,t:urlDecode,capture,setvar:tx.wp_user=%{TX.1},setvar:tx.wp_cookie=%{TX.2},tag:'service_im360',tag:'noshow'"