ModSecurity Rule Help vs Contact Form Spammers (WHM/cPanel)

Trying to fix a ModSecurity Rule

     
7:38 am on Dec 14, 2018 (gmt 0)

Junior Member

10+ Year Member

joined:July 25, 2006
posts: 41
votes: 0


Trying to get this rule to work within WHM (cPanel) to block specific text strings (say a domain or company or keyword) that contact form spammers use and keep the form from submitting.

Here is the rule I'm working with:

SecRule REQUEST_BODY "@contains TARGETSTRING" "id:2,deny,log,msg:'TARGETSTRING Spam Blocked'"


TARGETSTRING=Whatever my target is - a company name, domain name, term like SEO, etc.

E-mail submitted with the form and a perfect match is whizzing right by.

This is used in WHM Home > Security Center > ModSecurity Tools > Rules List

Any ideas on how to fix this?

Thank you!
5:13 pm on Dec 14, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:15494
votes: 744


> Any ideas on how to fix this?
I couldn't get past the confusion engendered by the underlying premise. Why would you need to use cPanel rather than putting the rule directly into the config file (or, presumably, an Include that is dedicated to mod_security alone)? Introducing a middleman only creates more ways things can go wrong.
5:52 pm on Dec 14, 2018 (gmt 0)

Junior Member

10+ Year Member

joined:July 25, 2006
posts: 41
votes: 0


Hi Lucy, thanks for the response.

I think you have helped me with .htaccess questions years ago.

I'm a bit surprised by your response - or perhaps confused. ModSecurity is installed by default in WHM on my VPS (and I suspect most with WHM/cPanel).

Under the tools menu one has the option to add custom rules that can protect the entire VPS (or be limited to specific domain(s) AFAIK).

Documentation: [documentation.cpanel.net...]

I want this protection across the entire VPS, rather than going domain by domain to install a duplicate solution that will need updating, etc.

I'd be grateful for any help - from you or anyone else with ideas. Thank you!
6:51 pm on Dec 14, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:15494
votes: 744


The part I was trying to figure out is where the rule ends up getting installed, because usually when I think cPanel I think shared hosting, which means htaccess, which means you can't use mod_security--unless the site is using a truly ancient version. But you said VPS, meaning that cPanel will in some way talk to the config file? Now I understand why you're doing this in mod_security rather than, say, in mod_rewrite, which would have inheritance issues unless you've taken full advantage of the 2.4 inheritance options.

But the more important question is what, exactly, REQUEST_BODY covers: everything that is sent in, or just the part that shows up in server access logs? The content of an email is neither a part of the request itself (including query string) nor hidden in an associated header, so I'm worried that it may simply be out of mod_security's purview.

Option B is to write some additional php to do further mail filtering. The code wouldn't have to be repeated for every site; you can put it somewhere in the VPS and then let each site Include it (using the physical filepath instead of the more common document-root approach).
8:02 pm on Dec 14, 2018 (gmt 0)

Junior Member

10+ Year Member

joined:July 25, 2006
posts: 41
votes: 0


It is actually WHM - so allegedly - the entire (virtual) server sees it.

(WHM >> Home >> Security Center >> ModSecurity™ Tools)

As far as I know request_body will inspect the contact form body on submission. I've been searching online, etc., and this stuff is making my head spin. One issue I've just uncovered is a flag that must be set in the configuration (I don't think it is per rule but I may be wrong) and that is the instruction to allow body inspection.

Something like: SecRequestBodyAccess On

I've just pored over WHM again and can't find anywhere to inspect/change that - nor has Google been helpful*. Clearly, if that is set to "off" all the calls in the rules won't make any difference. Grrr.

*I did see one site that said I can add it in the tools > rules list which I tried/tested but no effect.

Thank you for the php idea. My command line host skills are limited - all the hosting management I do is for my own biz as an adjunct to my real work (which is also very technical as I imagine you'd guess from my screen name). Anywho, thank you so very much for taking a look.
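
Added example, not part of the original thread: the two things discussed above (whether body inspection is switched on, and what REQUEST_BODY actually holds) written out as a ModSecurity 2.x configuration. It assumes the directives are loaded into the server-wide ModSecurity configuration; the rule id, the 403 status, the lower-cased pattern and the test URL in the last comment are placeholders chosen for illustration.

```apache
# Added example (not from the thread). TARGETSTRING, the rule id and the
# status code are placeholders; choose an id that does not collide with
# rules already loaded on the server.

# Request bodies are only buffered and parsed when this is On. With it
# Off, no rule can see POSTed form fields, whatever variable it names.
SecRequestBodyAccess On

# The rule as posted in the thread, kept here for comparison.
# REQUEST_BODY is the raw body, still URL-encoded (a space arrives as
# "+" or "%20"), and it is only populated for
# application/x-www-form-urlencoded requests, so a form that posts as
# multipart/form-data is never matched by it.
# SecRule REQUEST_BODY "@contains TARGETSTRING" "id:2,deny,log,msg:'TARGETSTRING Spam Blocked'"

# Variant: inspect the parsed POST fields instead. ARGS_POST holds the
# decoded value of every POSTed field, for urlencoded and multipart
# forms alike. t:lowercase makes the match case-insensitive, so the
# pattern itself has to be written in lower case.
SecRule ARGS_POST "@contains targetstring" \
    "id:90002,phase:2,t:none,t:lowercase,deny,status:403,log,msg:'TARGETSTRING Spam Blocked'"

# To check on your own server: submit the form with the string in any
# field (for instance
#   curl -i -d 'message=TargetString' https://your-site.example/contact.php
# where the URL and field name are placeholders) and expect a 403 plus
# an entry carrying the msg text in the ModSecurity audit log.
```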