Secrule modsecurity random numbers and adress ip post method

Question

I have an attack on my server, several thousand logs. Please take a look. I am looking for a method that could help me block these queries to my wordpress. I tried to block by IP, but there are others as well. This post query - is still the same

index.php=huya$$()owy3419magor <- Only the number changes.

Is it possible to block POST requests with random numbers in the middle of the text?

Can you give me a hint? I could not find such information.

My logs:

Look at the logs. Only the number in the middle changes. I've got thousands of it.

score 0 · Answer 1 · edited Oct 30 '20 at 18:34

0

I think the fastest rule could be like this:

SecRule REQUEST_URI "@beginsWith /index.php=huya$$()owy" \
    "id:900101,\
    phase:1,\
    t:none,\
    block,\
    msg:'WPadmin \"owy\" attack.',\
    log"

edited Oct 30 '20 at 18:34

Dharman

30,962
25
85
135

answered Oct 30 '20 at 18:28

airween

6,203
1
14
20

Secrule modsecurity random numbers and adress ip post method

1 Answers1