
# --------------------------------------
# Pyxsoft Configuration file
# --------------------------------------
# Mod Security version 2.0.0



# --- Request body handling ---
# Buffer and inspect request bodies so the phase:2 rules below that read
# ARGS_POST, REQUEST_BODY, FILES and MULTIPART_* actually see data.
SecRequestBodyAccess On
# Max upload = 128MB (134217728 bytes); bodies over this limit are rejected
# by the engine (HTTP 413 by default).
SecRequestBodyLimit 134217728
# Bodies that carry no file upload (form fields, XML, JSON) are capped at 1 MiB.
SecRequestBodyNoFilesLimit 1048576
# Multipart bodies larger than 128 KiB are spooled to disk under SecTmpDir
# instead of being held in memory.
SecRequestBodyInMemoryLimit 131072
# NOTE(review): temp files and extracted uploads both land in the shared,
# world-writable /tmp; a dedicated directory with restricted permissions is the
# usual recommendation for SecUploadDir, especially since rules 400020/400021
# hand these files to external scanners — confirm this is intentional.
SecTmpDir /tmp
SecUploadDir /tmp
# Extracted upload files are deleted once the transaction ends; nothing is
# retained for later forensic review.
SecUploadKeepFiles Off

# --- Response body handling (currently disabled in this file) ---
# NOTE(review): with SecResponseBodyAccess off, RESPONSE_BODY is empty and the
# phase:4 brute-force chains further down (400022, 400025) can never match —
# confirm this directive is enabled in another configuration file.
#SecResponseBodyAccess On
#SecResponseBodyMimeType text/plain text/html
#SecResponseBodyLimit 524288
#SecResponseBodyLimitAction ProcessPartial
#SecStreamOutBodyInspection On
# Debug level 9 is extremely verbose; keep it commented out in production.
#SecDebugLogLevel 9

# PCRE Tuning
# Bounds regex backtracking and recursion so crafted input cannot pin a worker
# process on a pathological pattern match.
SecPcreMatchLimit 150000
SecPcreMatchLimitRecursion 150000

# Firewall inspection [nolog]
# (disabled) Would ask an external script, once per request in phase:1,
# whether the client address is denied and send denied clients to a static page.
# SecRule REMOTE_ADDR "@inspectFile /opt/pyxsoft/modsec/checkdenied" "id:400012,nolog,noauditlog,phase:1,status:412,redirect:/cgi-sys/denied.shtml,t:none"

# Block BF marked IPs [nolog]
# Login endpoints only (wp-login, administrator): when the chained external
# check reports the client as greylisted, the request is diverted to the
# captcha page before it reaches the application. nolog/noauditlog means these
# diversions leave no trace in the audit log.
# NOTE(review): the isgreylisted script is executed with the web server's
# privileges for every matching request; verify it is not writable by the
# web user. Also, status:412 is combined with redirect here — the reference
# manual only honours 3xx codes alongside redirect, so confirm the response
# code that is actually sent.
SecRule REQUEST_BASENAME "(?:wp-login|administrator)" "id:400023,chain,nolog,noauditlog,phase:1,status:412,msg:'Brute Force Attack',redirect:/cgi-sys/pxcaptcha?url=%{REQUEST_URI}"
SecRule REMOTE_ADDR "@inspectFile /opt/pyxsoft/modsec/isgreylisted"

# Get Mod Security version [nolog]
# (disabled) Version probe: a URI containing getMS_version would hand the
# MODSEC_BUILD value to an external script.
# SecRule REQUEST_URI "getMS_version" "id:400013,nolog,noauditlog,phase:1,t:none,chain"
# SecRule MODSEC_BUILD "@inspectFile /opt/pyxsoft/modsec/modsecver"

# Get pyxsoft status [nolog]
# Status probe: any request whose URI contains PYX_getStatus runs the
# pyxsoftstatus script in phase:1, with no audit-log entry.
# NOTE(review): nothing visible here restricts who may trigger this probe
# (no REMOTE_ADDR or authentication condition in the chain); if the script's
# output is sensitive, consider narrowing it — verify against the script.
SecRule REQUEST_URI "PYX_getStatus" "id:400015,nolog,noauditlog,phase:1,t:none,chain"
SecRule MODSEC_BUILD "@inspectFile /opt/pyxsoft/modsec/pyxsoftstatus"

# Brute force attacks - WordPress [nolog]
# Runs in phase:4 (response): after a wp-login request, if the returned page
# carries the login_error div (i.e. the login failed), the full request is
# passed hex-encoded to the analyze_bf script; when that script reports a hit,
# the client is redirected to the captcha page.
# NOTE(review): RESPONSE_BODY is only populated when SecResponseBodyAccess is
# On, and that directive is commented out earlier in this file — confirm it is
# enabled elsewhere, otherwise this chain never fires.
SecRule REQUEST_URI "wp-login" "id:400022,phase:4,chain,nolog,noauditlog,redirect:/cgi-sys/pxcaptcha?url=%{REQUEST_URI}"
SecRule RESPONSE_BODY "<div id=[\"\']login_error[\"\']>" "chain"
SecRule FULL_REQUEST "@inspectFile /opt/pyxsoft/modsec/analyze_bf" "t:none,t:hexEncode"

# Brute force attacks Joomla 1.5 [nolog]
# Same approach for the Joomla administrator login: a failed-login error block
# in the response triggers the analyze_bf check. Unlike 400022 this variant
# feeds only REQUEST_BODY (not FULL_REQUEST) to the script — presumably
# deliberate; verify the script accepts both forms.
SecRule REQUEST_URI "administrator" "id:400025,phase:4,chain,nolog,noauditlog,redirect:/cgi-sys/pxcaptcha?url=%{REQUEST_URI}"
SecRule RESPONSE_BODY "<dt class=\"error\">" "chain"
SecRule REQUEST_BODY "@inspectFile /opt/pyxsoft/modsec/analyze_bf" "t:none,t:hexEncode"

# Rule 400000 - Timthumb vulnerability
# Denies (412) requests to thumbnail/resize scripts whose src argument points
# at one of the listed hosting domains; the chained exec logs the hit through
# pyxlog.lua. The deny only takes effect when the whole chain matches.
SecRule REQUEST_URI "(?:timthumb|thumb|resize|thumbnail|crop)\.php" "deny,id:400000,log,auditlog,phase:2,status:412,chain,msg:'Thimthumb Vulnerability',severity:ALERT"
SecRule ARGS:src "(?:flickr\.com|picasa\.com|blogger\.com|wordpress\.com|youtube\.com|wikimedia\.org|photobucket\.com)" "exec:/opt/pyxsoft/modsec/rules/pyxlog.lua"

# Rule 400001 - Delete data via URI SQL Injection
# URI is URL-decoded before matching (t:none resets the default list, then
# t:urldecode). Match is case-sensitive: no t:lowercase is applied.
SecRule REQUEST_URI "delete[[:space:]]+from" "t:none,t:urldecode,deny,id:400001,log,auditlog,phase:2,status:412,msg:'SQL Injection (delete)',severity:ALERT, exec:/opt/pyxsoft/modsec/rules/pyxlog.lua"

# Rule 400002 - Insert data via URI SQL Injection
# Same transformation chain and case-sensitivity caveat as 400001.
SecRule REQUEST_URI "insert[[:space:]]+into" "t:none,t:urldecode,deny,id:400002,log,auditlog,phase:2,status:412,msg:'SQL Injection (insert)',severity:ALERT, exec:/opt/pyxsoft/modsec/rules/pyxlog.lua"

# Rule 400003 - Multipart Strict Error
# Fires when the multipart parser reported any strict-mode violation. The
# individual error flags are exported into the MPTESTS environment variable
# so the chained chk_multipart script can see which checks failed.
# NOTE(review): the action list ends the setenv with ", \" and the next line
# starts with ",deny", which leaves an empty action token between the two
# commas; confirm the deployed engine accepts this directive at load time.
# NOTE(review): "@inspectfile" is spelled in lower case here while every other
# rule uses "@inspectFile" — harmless if operator lookup is case-insensitive,
# but worth normalising for consistency.
SecRule MULTIPART_STRICT_ERROR "!@eq 0" "id:400003,  \
setenv:MPTESTS=%{REQBODY_PROCESSOR_ERROR}%{MULTIPART_BOUNDARY_QUOTED}%{MULTIPART_BOUNDARY_WHITESPACE}%{MULTIPART_DATA_BEFORE}\
%{MULTIPART_DATA_AFTER}%{MULTIPART_HEADER_FOLDING}%{MULTIPART_LF_LINE}%{MULTIPART_MISSING_SEMICOLON}%{MULTIPART_INVALID_QUOTING}\
%{MULTIPART_INVALID_HEADER_FOLDING}%{MULTIPART_FILE_LIMIT_EXCEEDED}, \
,deny,log,auditlog,phase:2,status:412,msg:'Multipart strict error',severity:WARNING,chain"
SecRule MULTIPART_STRICT_ERROR "@inspectfile /opt/pyxsoft/modsec/chk_multipart" "exec:/opt/pyxsoft/modsec/rules/pyxlog.lua"

# Rule 400004 - OsCommerce Login Vulnerability
# Blocks the "/admin/<script>.php/<script>.php" path-info form used to reach
# admin scripts behind the login check. Lower-case pattern, no t:lowercase.
SecRule REQUEST_URI "/admin/[a-z0-9-_]+?\.php/[a-z0-9-_]+?\.php" "deny,id:400004,log,auditlog,phase:2,status:412,msg:'osCommerce Login Vulnerability',rev:1, severity:ALERT,exec:/opt/pyxsoft/modsec/rules/pyxlog.lua"

# Rule 400005 - OsCommerce categories.php vulnerability
# Specific instance of the 400004 pattern for categories.php.
SecRule REQUEST_URI  "admin/categories\.php/login.php" "deny,id:400005,log,auditlog,phase:2,status:412,msg:'osCommerce categories.php vulnerability',severity:ALERT,exec:/opt/pyxsoft/modsec/rules/pyxlog.lua"

# Rule 400006 - osCommerce filemanager.php vulnerability
# Specific instance for file_manager.php; rated EMERGENCY rather than ALERT.
SecRule REQUEST_URI  "admin/file_manager\.php/login.php" "deny,id:400006,log,auditlog,phase:2,status:412,msg:'osCommerce filemanager.php vulnerabilidad',rev:1, severity:EMERGENCY,exec:/opt/pyxsoft/modsec/rules/pyxlog.lua"

# Rule 400007 - Volk Mass Mailer
# "volk" followed by up to three arbitrary characters and ".php" in the URI.
SecRule REQUEST_URI "volk.{0,3}\.php"  "deny,id:400007,log,auditlog,phase:2,status:412,msg:'volk.php spam script',rev:1,severity:ALERT,exec:/opt/pyxsoft/modsec/rules/pyxlog.lua"

# Rule 400008 - Dark Mass Mailer
# Known CGI file names for the mailer kit.
SecRule REQUEST_URI "(dm\.cgi|dark\.cgi|coms\.cgi|mrm\.cgi)" "deny,id:400008,log,auditlog,phase:2,status:412,msg:'dark.cgi spam script',severity:ALERT,exec:/opt/pyxsoft/modsec/rules/pyxlog.lua"

# Rule 400009 - Select data via SQL injection in URI
# Denies any URI containing "select" ... "from", except VirtueMart requests
# (option=com_virtuemart), which are whitelisted by the chained negative match.
# NOTE(review): unlike 400001/400002 this rule applies neither t:urldecode nor
# t:lowercase, so percent-encoded or upper-case forms are not matched, while the
# broad "select.+from" pattern may also hit legitimate URIs that merely contain
# both words — review for false negatives and false positives.
SecRule REQUEST_URI "select.+from" "deny,id:400009,log,auditlog,phase:2,status:412,chain,rev:1,severity:ALERT,msg:'Select data via SQL injection'"
SecRule REQUEST_URI "!@rx option=com_virtuemart" "exec:/opt/pyxsoft/modsec/rules/pyxlog.lua"

# Rule 400010 - WordPress 2.6.1 change password vulnerability
# wp-login.php registration requests whose user_login contains five or more
# consecutive whitespace characters.
SecRule REQUEST_URI "wp-login\.php" "deny,id:400010,log,auditlog,phase:2,status:412,chain,msg:'WordPress 2.6.1 change password vulnerability',severity:ALERT"
SecRule ARGS:action "register" chain
SecRule ARGS:user_login "\s{5,}?" "exec:/opt/pyxsoft/modsec/rules/pyxlog.lua"

# Rule 400011 - Joomla 1.5 Token Remote Admin Change Password Vulnerability
# task=confirmreset with a single quote anywhere in the token argument.
SecRule ARGS:task "confirmreset" "deny,id:400011,log,auditlog,phase:2,status:412,chain, msg:'Token Remote Admin Change Password Vulnerability'"
SecRule ARGS:token "'" "exec:/opt/pyxsoft/modsec/rules/pyxlog.lua"

# Rule 400012,13,14,15 - Reserved (used by the nolog service rules above)

# Rule 400016 - JCE Upload Vulnerability Exploit
# Requests for the JCE component are handed hex-encoded to the jce script;
# the deny in the first rule applies only when that script reports a hit.
SecRule ARGS:option "com_jce" "chain,id:400016,deny,log,auditlog,phase:2,status:412,msg:'JCE Upload Vulnerability exploit attempt',severity:ALERT"
SecRule FULL_REQUEST "@inspectFile /opt/pyxsoft/modsec/jce" "t:none,t:hexEncode, exec:/opt/pyxsoft/modsec/rules/pyxlog.lua"

# Rule 400017 - Phishing Bancasa (Dominican Republic)
# Hosted phishing kit detection by file name containing the bank's domain.
SecRule REQUEST_FILENAME "bhd\.com\.do" "deny,id:400017,log,auditlog,phase:2,status:412,rev:1,severity:ALERT,msg:'Phishing Bancasa',exec:/opt/pyxsoft/modsec/rules/pyxlog.lua"

# Rule 400018 - WP Total cache plugin for Wordpress Remote Execution
# Comment submissions containing the plugin's dynamic-content markers.
# NOTE(review): the t:htmlEntityDecode/t:lowercase/t:removeNulls list sits on
# the first rule only; transformations do not carry into the chained
# ARGS_POST:comment rule, so that pattern is matched on the raw field — verify
# that is intended, since the pattern itself is lower-case.
SecRule REQUEST_FILENAME "wp-comments-post\.php" "id:400018,rev:1,severity:ALERT,msg:'Wordpress WT Total cache remote command execution attempt',log,deny,auditlog,phase:2,status:412,t:none,t:htmlEntityDecode,t:lowercase,t:removeNulls,chain"
SecRule ARGS_POST:comment "<!.*(mclude|mfunc|dynamic-cached-content)" "exec:/opt/pyxsoft/modsec/rules/pyxlog.lua"

# Rule 400019 - Acunetix Vulnerability Scanner
# Scanner fingerprint: any request header whose *name* contains "acunetix".
SecRule REQUEST_HEADERS_NAMES "acunetix" "id:400019,rev:1,severity:ALERT,msg:'Acunetix Vulnerability Web Scanner',log,deny,auditlog,phase:2,status:412,t:none,t:lowercase,exec:/opt/pyxsoft/modsec/rules/pyxlog.lua"

# Rule 400020, 400021 - Upload inspections [nolog]
# 400020 passes each uploaded file's original name (hex-encoded) to the
# name-scan script; 400021 passes the on-disk temp path of each upload to the
# content scanner. A hit redirects the client to the alert page; neither
# produces an audit-log entry.
# NOTE(review): the redirect target is a cleartext http:// URL on port 2930
# built from SERVER_NAME — confirm that endpoint is meant to be reachable over
# plain HTTP from the client's network.
SecRule FILES "@inspectFile /opt/pyxsoft/modsec/modsec_name_scan" "id:400020,nolog,noauditlog,t:none,t:hexEncode,phase:2,status:412,redirect:http://%{SERVER_NAME}:2930/alert/upload"
SecRule FILES_TMPNAMES "@inspectFile /opt/pyxsoft/modsec/modsec_scan" "id:400021,nolog,noauditlog,phase:2,status:412,redirect:http://%{SERVER_NAME}:2930/alert/upload"

# Rule 400022,400023 reserved (brute-force rules above)

# Rule 400024 - ofc_upload_image.php Remote PHP Code Execution Vulnerability
# Denies uploads to the OFC image handler unless the name argument ends in an
# image extension. The extension check is case-sensitive (".GIF" is denied).
# NOTE(review): "secRule" is spelled in lower case here; Apache directive
# names are case-insensitive, but normalising to "SecRule" aids grepping.
SecRule REQUEST_URI "ofc_upload_image.php" "deny,id:400024,log,auditlog,phase:2,status:412,chain,msg:'OFC Upload Vulnerability'"
secRule ARGS:name "!@rx (?:\.gif|\.png|\.jpg|\.jpeg)$" "exec:/opt/pyxsoft/modsec/rules/pyxlog.lua"

# Rule 400025 reserved: Joomla! brute force (defined above)

# Rule 400026 - WordPress XMLRPC Enumeration system.getCapabilities
# XML-RPC body is lower-cased before matching the method name.
SecRule REQUEST_URI "/xmlrpc.php" "id:400026,chain,rev:1,severity:ALERT,msg:'WordPress XMLRPC Enumeration system.getCapabilities',log,deny,auditlog,phase:2,status:412,t:none"
SecRule REQUEST_BODY "system.getcapabilities" "t:none,t:lowercase,exec:/opt/pyxsoft/modsec/rules/pyxlog.lua"

# Rule 400027 - WordPress XMLRPC Enumeration system.listMethods
SecRule REQUEST_URI "/xmlrpc.php" "id:400027,chain,rev:1,severity:ALERT,msg:'WordPress XMLRPC Enumeration system.listMethods',log,deny,auditlog,phase:2,status:412,t:none"
SecRule REQUEST_BODY "system.listmethods" "t:none,t:lowercase,exec:/opt/pyxsoft/modsec/rules/pyxlog.lua"

# Rule 400028 - Wordpress XMLRPC possible Password Brute Force
# Blocks system.multicall batches, except when the POST field "for" equals
# "jetpack" (Jetpack uses multicall legitimately).
# NOTE(review): that exemption is keyed on a client-supplied field, so it does
# not authenticate Jetpack traffic; if a bypass matters here, a stronger signal
# (e.g. source-address based) would be needed — judgement call.
SecRule REQUEST_URI "/xmlrpc.php" "id:400028,chain,rev:1,severity:ALERT,msg:'WordPress XMLRPC System.multicall (brute force)',log,deny,auditlog,phase:2,status:412,t:none"
SecRule ARGS_POST:for "!@streq jetpack" chain
SecRule REQUEST_BODY "system.multicall" "t:none,t:lowercase,exec:/opt/pyxsoft/modsec/rules/pyxlog.lua"

# Rule 400029 Free (unused id)

# Rule 400030 - Phishing Banco Falabella (Chile)
# Same file-name based phishing-kit detection as 400017.
SecRule REQUEST_FILENAME "bancofalabella\.cl" "deny,id:400030,log,auditlog,phase:2,status:412,rev:1,severity:ALERT,msg:'Phishing Banco Falabella',exec:/opt/pyxsoft/modsec/rules/pyxlog.lua"

# Rule 400031 - Worpress REST API Vulnerability
# Requests to /wp/v2/posts/<n>? whose id query argument is digits followed by
# at least one non-digit (the malformed-id form).
SecRule REQUEST_URI "wp/v2/posts/\d+\?" "chain,id:400031,deny,log,auditlog,phase:2,status:412,msg:'Wordpress REST API vulnerability attack',severity:ALERT"
SecRule ARGS_GET:id "^\d+?\D.+?$" "exec:/opt/pyxsoft/modsec/rules/pyxlog.lua"

# Rule 400032 - WordPress load-scripts DoS Vulnerability
# Requests to load-scripts.php are passed to an external per-client check
# (script name references CVE-2018-6389); the deny applies only on a hit.
# Presumably the script applies a rate or reputation test on REMOTE_ADDR —
# not verifiable from this file.
SecRule REQUEST_URI "wp-admin/load-scripts\.php" "chain,id:400032,deny,log,auditlog,phase:2,status:412,msg:'WordPress LoadScripts DoS Vulnerability',severity:ALERT"
SecRule REMOTE_ADDR "@inspectFile /opt/pyxsoft/modsec/cve20186389" "exec:/opt/pyxsoft/modsec/rules/pyxlog.lua"
