a) ANTIVIRUS
I did not see any rules for an antivirus check of uploaded files, so I share mine.
First you need to have mod_lua installed, so in modsec2.conf, where it says:
#LoadFile /opt/lua/lib/liblua.so
it must be:
LoadFile /opt/lua/lib/liblua.so
Then I add this to the custom rules on WHM CWAF:
SecRequestBodyAccess On
SecRule FILES_TMPNAMES "@inspectFile /usr/local/maldetect/modsec.lua" \
"phase:request,\
id:'900',\
t:none,\
log,\
auditlog,\
deny,\
msg:'COMODO WAF: VIRUS or MALWARE content was found in uploaded file',\
severity:'ERROR'"
# Do not add a trailing "SecRequestBodyAccess Off": a later occurrence overrides the
# "On" above, the request body is never buffered and FILES_TMPNAMES stays empty
Then the Lua script (you need to have Clam AntiVirus, which is listed in the cPanel plugins):
function main(filename)
  -- Made BY JonixKonios_V5
  -- Configure paths
  local clamscan = "/usr/bin/clamdscan"
  -- The system command we want to call
  local cmd = clamscan .. " --stdout"
  -- Run the command and get the output; the temporary file name is single-quoted
  -- so the shell never interprets anything in it
  local f = io.popen(cmd .. " '" .. filename .. "'")
  local l = f:read("*a") or ""
  f:close()
  m.log(9, l)
  -- Get the Hostname
  local fff = io.popen("/bin/hostname")
  local hostname = fff:read("*a") or ""
  fff:close()
  hostname = string.gsub(hostname, "\n$", "")
  -- Get Date and Time
  local data = os.date("%d.%m.%Y @ %H:%M:%S")
  local body = "----------- DATE/TIME -----------\n" .. data .. "\n\n----------- VIRUS FOUND -----------\n" .. l
  -- Send the notification: the body is written to mail's stdin instead of being
  -- passed through echo, so quotes or shell metacharacters in the scanner output
  -- cannot break the command
  local function notify(subject, recipient)
    local mail = io.popen(string.format("/bin/mail -s '%s' '%s'", subject, recipient), "w")
    if mail then
      mail:write(body)
      mail:close()
    end
  end
  -- Check the output for the FOUND or ERROR strings which indicate
  -- an issue we want to block access on (plain find, no pattern matching)
  local isVuln = string.find(l, "FOUND", 1, true)
  local isError = string.find(l, "ERROR", 1, true)
  -- ModSecurity treats any non-nil return value as a match for the rule;
  -- returning nil lets the upload through
  if isVuln ~= nil then
    -- Send Email
    notify(hostname .. " - Virus Check FOUND", "email@domain.com")
    return "virus found in uploaded file"
  elseif isError ~= nil then
    notify(hostname .. " - Virus Check ERROR", "servidores@datasource.pt")
    return "antivirus scan error"
  else
    return nil
  end
end
This prevents very nasty uploads that no other rule can stop.
B) Joomla
Do these rules prevent the brute-force attack on Joomla's /administrator?
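The decision the antivirus hook in section a) has to make (block on FOUND or ERROR, pass on OK) can be shown outside ModSecurity. The following Python is an added example, not code from the post above or from Comodo, ClamAV or ModSecurity: it parses clamdscan's per-file result lines and combines them with clamdscan's documented exit code (0 clean, 1 infected, 2 error) instead of searching the whole output for the substring "FOUND", which would also fire on a file name that happens to contain that word. The sample outputs and the temporary file paths are constructed; `scan_file` is the only part that actually runs clamdscan and it passes the path as an argument rather than through a shell.

```python
"""Classify clamdscan output the way a ModSecurity @inspectFile hook must.

Added example (not from the original forum post). clamdscan exit codes:
0 = no virus found, 1 = virus(es) found, 2 = an error occurred.
"""
import re
import subprocess
from dataclasses import dataclass, field

# One result line per scanned file, e.g.
#   /tmp/20240101-upload: OK
#   /tmp/20240101-upload: Eicar-Test-Signature FOUND
#   /tmp/20240101-upload: Can't access file ERROR
RESULT_LINE = re.compile(r"^(?P<path>.+?): (?:(?P<detail>.*) )?(?P<status>FOUND|OK|ERROR)$")


@dataclass
class Verdict:
    block: bool
    reason: str
    infected: list = field(default_factory=list)  # (path, signature)
    errors: list = field(default_factory=list)    # (path, message)


def classify(output: str, exit_code: int) -> Verdict:
    """Turn clamdscan stdout plus its exit code into a block/allow verdict."""
    infected, errors = [], []
    for line in output.splitlines():
        m = RESULT_LINE.match(line.strip())
        if not m:
            continue  # summary lines ("Infected files: 1", "Time: ...") carry no per-file status
        status = m.group("status")
        if status == "FOUND":
            infected.append((m.group("path"), m.group("detail") or ""))
        elif status == "ERROR":
            errors.append((m.group("path"), m.group("detail") or ""))
    if exit_code == 1 or infected:
        return Verdict(True, "virus found", infected, errors)
    if exit_code == 2 or errors:
        # Fail closed: an upload the scanner could not examine is not accepted
        return Verdict(True, "scan error", infected, errors)
    if exit_code != 0:
        return Verdict(True, f"unexpected clamdscan exit code {exit_code}", infected, errors)
    return Verdict(False, "clean", infected, errors)


def hook_return(verdict: Verdict):
    """Mirror the @inspectFile contract: a string makes the rule match, None lets the file through."""
    return f"COMODO WAF: {verdict.reason}" if verdict.block else None


def scan_file(path: str) -> Verdict:
    """Scan one file (e.g. a ModSecurity temporary upload) with clamdscan; no shell involved."""
    proc = subprocess.run(["/usr/bin/clamdscan", "--stdout", path], capture_output=True, text=True)
    return classify(proc.stdout, proc.returncode)


# Constructed sample outputs in clamdscan's --stdout format (not captured from a real host).
CLEAN_OUTPUT = (
    "/tmp/20240101-123456-abcdef-file: OK\n\n"
    "----------- SCAN SUMMARY -----------\nInfected files: 0\nTime: 0.002 sec (0 m 0 s)\n"
)
INFECTED_OUTPUT = (
    "/tmp/20240101-123456-abcdef-file: Eicar-Test-Signature FOUND\n\n"
    "----------- SCAN SUMMARY -----------\nInfected files: 1\nTime: 0.003 sec (0 m 0 s)\n"
)
ERROR_OUTPUT = (
    "/tmp/20240101-123456-abcdef-file: Can't access file ERROR\n\n"
    "----------- SCAN SUMMARY -----------\nInfected files: 0\nTime: 0.001 sec (0 m 0s)\n"
)
# A clean file whose name contains the word FOUND: a bare substring search would block it.
TRICKY_NAME_OUTPUT = (
    "/tmp/FOUND-report.bin: OK\n\n"
    "----------- SCAN SUMMARY -----------\nInfected files: 0\nTime: 0.002 sec (0 m 0 s)\n"
)

if __name__ == "__main__":
    for name, out, code in (("clean", CLEAN_OUTPUT, 0), ("infected", INFECTED_OUTPUT, 1),
                            ("error", ERROR_OUTPUT, 2), ("tricky name", TRICKY_NAME_OUTPUT, 0)):
        print(f"{name:12s} -> {hook_return(classify(out, code))}")
```

Blocking on a scan error as well as on a detection is a deliberate fail-closed choice, matching the script in the post; if clamd is down, every upload is rejected rather than silently unscanned, which is the behaviour a practitioner should expect and monitor for.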