/etc/apache2/conf.d/modsec_vendor_configs/imunify360-full-apache
# ------------------------------------------------------
# Imunify360 ModSecurity Rules
# Copyright (C) 2026 CloudLinux Inc All right reserved
# The Imunify360 ModSecurity Rules is distributed under
# IMUNIFY360 LICENSE AGREEMENT
# ------------------------------------------------------
# Imunify360 ModSecurity Base Ruleset
#
# Reading guide: directives are evaluated in file order within each phase, and
# several rules below depend on that order (skipAfter/SecMarker, chained rules,
# tx.* variables set by one rule and read by a later one). Reordering or
# removing single lines can silently change what is blocked.

# Default action for phases 1 and 2: deny, recorded in the audit log only
# (nolog keeps it out of the error log). Rules that say "block" inherit this deny.
SecDefaultAction "phase:1,deny,nolog,auditlog"
SecDefaultAction "phase:2,deny,nolog,auditlog"

# Response bodies are not inspected; the MIME list only takes effect if
# SecResponseBodyAccess is switched on.
SecResponseBodyAccess Off
SecResponseBodyMimeType text/plain text/html text/xml

# Choose the request body parser from the lowercased Content-Type header.
# Both patterns are unanchored regexes (no operator given, so @rx applies), so any
# header value containing the substring selects the parser.
# NOTE(review): "text/xml" does not match application/xml or +xml/+json media types;
# confirm whether another rules file covers those.
SecRule REQUEST_HEADERS:Content-Type "application/json" "id:77350039,phase:1,pass,nolog,severity:5,t:none,t:lowercase,ctl:requestBodyProcessor=JSON,tag:'service_im360'"
SecRule REQUEST_HEADERS:Content-Type "text/xml" "id:77210050,phase:1,pass,nolog,severity:5,t:none,t:lowercase,ctl:requestBodyProcessor=XML,tag:'service_im360'"

# Fall back to the socket peer address when tx.remote_addr has not been set yet.
# NOTE(review): every allowlist/blocklist/RBL decision below keys on tx.remote_addr.
# This file does not show where else it is set; if an earlier file derives it from a
# client-supplied header, those decisions are only as trustworthy as that header.
# Verify that only trusted proxies can influence it.
SecRule &TX:remote_addr "@eq 0" "id:77350287,phase:2,pass,nolog,severity:5,setvar:'tx.remote_addr=%{REMOTE_ADDR}'"

# Addresses in rbl_whitelist jump to SecMarker RBL_CHECK. That skips rule 33368
# (tx.rbl_ip / initcol), all brute-force RBL blocks, the crawler check, the bl_ips
# blocklist (33370) and the risky-actions RBL block (33315). The allowlist therefore
# takes precedence over bl_ips.
SecRule TX:remote_addr "@ipMatchFromFile rbl_whitelist" "id:33310,phase:2,pass,nolog,severity:5,msg:'IM360 WAF: Whitelist check',setvar:tx.rbl_whitelist_check=1,skipAfter:RBL_CHECK"

# Build the RBL lookup key as "<hour>-<minute>.<address>" and open the persistent
# per-address IP collection. The purpose of the time prefix is not stated in this file.
SecAction "id:33368,phase:2,pass,nolog,severity:5,setvar:tx.rbl_ip=%{TIME_HOUR}-%{TIME_MIN}.%{tx.remote_addr},initcol:ip=%{tx.remote_addr}"

# ---- Brute-force RBL blocks ----
# Each chain below recognises the login POST of one application and blocks only when
# ip.rbl_brute is 1 for the client address. Nothing in this file sets ip.rbl_brute;
# presumably another rules file or the agent writes it to the IP collection - confirm.

# WordPress: POST to a URI containing /wp-login.php or /xmlrpc.php.
# The submitted login name (ARGS.log) is written into the audit-log message, so audit
# logs from this rule contain usernames and should be access-controlled accordingly.
SecRule REQUEST_URI "/wp-login\.php|/xmlrpc\.php" "id:33302,chain,phase:2,t:none,block,severity:2,nolog,auditlog,msg:'IM360 WAF: WordPress Bruteforce RBL block||Name:%{ARGS.log}||WPU:%{ARGS.log}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'"
    SecRule REQUEST_METHOD "^POST$" "t:none,chain"
    SecRule IP:rbl_brute "@eq 1" "t:none"

# Magento: POST carrying non-empty form_key, login[username] and login[password].
SecRule ARGS:form_key "!@rx ^$" "id:33304,chain,phase:2,t:none,block,severity:2,nolog,auditlog,msg:'IM360 WAF: Magento Bruteforce RBL block||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_im360'"
    SecRule REQUEST_METHOD "^POST$" "t:none,chain"
    SecRule ARGS:login[username] "!@rx ^$" "t:none,chain"
    SecRule ARGS:login[password] "!@rx ^$" "t:none,chain"
    SecRule IP:rbl_brute "@eq 1" "t:none"

# Drupal: POST with non-empty q, name, pass, form_id and a form_build_id that
# starts with "form-" after URL decoding.
SecRule ARGS:q "!@rx ^$" "id:33306,chain,phase:2,t:none,block,severity:2,nolog,auditlog,msg:'IM360 WAF: Drupal Bruteforce RBL block||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_im360'"
    SecRule REQUEST_METHOD "^POST$" "t:none,chain"
    SecRule ARGS:form_build_id "@beginsWith form-" "t:none,t:urlDecode,chain"
    SecRule ARGS:name "!@rx ^$" "t:none,chain"
    SecRule ARGS:pass "!@rx ^$" "t:none,chain"
    SecRule ARGS:form_id "!@rx ^$" "t:none,chain"
    SecRule IP:rbl_brute "@eq 1" "t:none"

# Joomla (older versions): POST to .../administrator/index.php with the legacy
# field names usrname / pass.
SecRule REQUEST_FILENAME "@endsWith administrator/index.php" "id:33349,chain,phase:2,t:none,block,nolog,auditlog,severity:2,msg:'IM360 WAF: Old Joomla versions Bruteforce RBL block||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_im360'"
    SecRule REQUEST_METHOD "^POST$" "chain,t:none"
    SecRule ARGS:usrname "!@rx ^$" "chain,t:none"
    SecRule ARGS:pass "!@rx ^$" "chain,t:none"
    SecRule IP:rbl_brute "@eq 1" "t:none"

# Joomla: same path, with username / passwd plus option=com_login and task=login.
SecRule REQUEST_FILENAME "@endsWith administrator/index.php" "id:33347,chain,phase:2,t:none,block,severity:2,nolog,auditlog,msg:'IM360 WAF: Joomla Bruteforce RBL block||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'joomla_core'"
    SecRule REQUEST_METHOD "^POST$" "chain,t:none"
    SecRule ARGS:username "!@rx ^$" "chain,t:none"
    SecRule ARGS:passwd "!@rx ^$" "chain,t:none"
    SecRule ARGS:option "^com_login$" "chain,t:none"
    SecRule ARGS:task "^login$" "chain,t:none"
    SecRule IP:rbl_brute "@eq 1" "t:none"

# OpenCart: POST to any path containing /admin/ with non-empty username / password.
# The path test is a plain substring match, so it is the broadest of the six chains.
SecRule REQUEST_FILENAME "@contains /admin/" "id:33353,chain,phase:2,t:none,block,severity:2,nolog,auditlog,msg:'IM360 WAF: OpenCart Bruteforce RBL block||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_im360'"
    SecRule REQUEST_METHOD "^POST$" "chain,t:none"
    SecRule ARGS:username "!@rx ^$" "chain,t:none"
    SecRule ARGS:password "!@rx ^$" "chain,t:none"
    SecRule IP:rbl_brute "@eq 1" "t:none"

# ---- Crawler identity check (record only: action is pass) ----
# Fires when the User-Agent matches crawlers-ualist.data but the address is
#   - not loopback / RFC1918 / 169.254.x / ::1 / an IPv6 address starting fc or fd,
#   - not in crawlers-iplist.data, and
#   - not listed in the good-bots DNS zone.
# In other words it audit-logs clients whose User-Agent claims to be a known crawler
# without a matching source address. RA and TA in the message record both the socket
# address and tx.remote_addr, which helps spot a mismatch between the two.
# TX:RBL_IP appears to be the tx.rbl_ip key set by rule 33368.
# NOTE(review): @rbl performs a DNS lookup during request processing; tx.rbl_perf=1
# is set just before it, presumably to mark requests that incurred a lookup.
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile crawlers-ualist.data" "id:33311,phase:2,t:none,nolog,auditlog,pass,severity:5,msg:'IM360 WAF: Found crawler not in whitelist||RSV:8.02||T:APACHE||RA:%{REMOTE_ADDR}||TA:%{tx.remote_addr}||',chain,tag:'service_im360'"
    SecRule TX:remote_addr "!@rx ^1(?:0|27|69\.254|72\.(?:1[6-9]|2[0-9]|3[0-1])|92\.168)\.|^::1$|(?:^[fF][cCdD])" "chain,t:none"
    SecRule TX:remote_addr "!@ipMatchFromFile crawlers-iplist.data" "chain,t:none,setvar:tx.rbl_perf=1"
    SecRule TX:RBL_IP "!@rbl good-bots.rbl.imunify.com." "t:none"

# Local blocklist: block any address listed in the bl_ips file.
SecRule TX:remote_addr "@ipMatchFromFile bl_ips" "id:33370,phase:2,block,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: IP address is listed in blocklist bl_ips||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_im360'"

# Risky-action RBL block: the requested file matches risky-actions.list, the lookup
# key is listed in the risky-actions zone, and it is NOT listed in the nxdomain zone.
# NOTE(review): the nxdomain lookup looks like a canary for resolvers that answer
# every query (in which case the positive hit cannot be trusted) - confirm with the
# vendor documentation.
SecRule REQUEST_FILENAME "@pmFromFile risky-actions.list" "id:33315,phase:2,block,severity:2,nolog,auditlog,t:none,msg:'IM360 WAF: RBL block risky actions||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',chain,setvar:tx.rbl_perf=1,tag:'service_im360'"
    SecRule TX:RBL_IP "@rbl risky-actions.v2.rbl.imunify.com." "t:none,chain"
    SecRule TX:RBL_IP "!@rbl nxdomain.v2.rbl.imunify.com." "t:none"

# Landing point for skipAfter:RBL_CHECK in rule 33310.
SecMarker RBL_CHECK

# ---- Tracking via trap.lua ----
# trap.lua is not part of this file; its behaviour cannot be verified from here.
# The rules below suggest it sets tx.trapped / tx.trapinfo - TODO confirm.
# The last link in several chains (REQUEST_FILENAME "!@rx ^$", &ARGS "@ge 0") is
# effectively always true and only terminates the chain after the script.

# Run trap.lua for requests whose file name matches risky-actions.list (no block).
SecRule REQUEST_FILENAME "@pmFromFile risky-actions.list" "id:33313,chain,phase:2,pass,severity:5,t:none,msg:'IM360 WAF: Risky actions detection',tag:'service_im360',tag:'noshow'"
    SecRuleScript trap.lua "t:none,chain"
    SecRule REQUEST_FILENAME "!@rx ^$" "t:none"

# Logging phase: if tx.trapped is 1, write tx.trapinfo to the audit log and reset the
# flag to 0 (the variable stays defined, so later "&TX:trapped == 0" tests are false).
SecRule TX:trapped "@eq 1" "id:33314,phase:5,pass,nolog,auditlog,msg:'IM360 WAF: RTrack||RTrack: %{TX.trapinfo}||RSV:8.02||T:APACHE||',severity:7,tag:'service_im360',tag:'noshow',setvar:tx.trapped=0"

# Copy the client address into tx.i360_remote_addr for the lookup below.
SecAction "id:33327,phase:2,pass,nolog,severity:5,setvar:tx.i360_remote_addr=%{tx.remote_addr}"

# Logging phase: run trap.lua when the address matches an entry in ip-record.db.
# NOTE(review): @pmFromFile is a phrase match, not an IP/CIDR match (compare
# @ipMatchFromFile used elsewhere). Depending on how ip-record.db entries are
# delimited, one address could match as a substring of another - verify the format.
SecRule TX:i360_remote_addr "@pmFromFile ip-record.db" "id:33328,chain,phase:5,pass,nolog,severity:5,t:none,tag:'service_im360',tag:'noshow'"
    SecRuleScript trap.lua "t:none,chain"
    SecRule TX:i360_remote_addr "@pmFromFile ip-record.db" "t:none"

# Sampling: hash UNIQUE_ID (md5, hex, lowercase) and continue only when the digest
# ends in "fff" - about 1 request in 4096 if digests are evenly spread. trap.lua then
# runs only if tx.trapped was never set during this transaction.
SecRule UNIQUE_ID "@rx fff$" "id:33340,chain,phase:5,capture,pass,nolog,severity:5,t:none,t:md5,t:hexEncode,t:lowercase,tag:'service_im360',tag:'noshow'"
    SecRule &TX:trapped "@eq 0" "chain,t:none"
    SecRuleScript trap.lua "chain,t:none"
    SecRule &ARGS "@ge 0" "t:none"

# Run trap.lua for transactions that ended in a 403 with a highest matched severity
# of 2 or lower (lower numbers are more severe), unless tx.trapped was already set.
SecRule HIGHEST_SEVERITY "@le 2" "id:33343,chain,phase:5,pass,nolog,severity:5,t:none,tag:'service_im360',tag:'noshow'"
    SecRule RESPONSE_STATUS "@rx ^403" "t:none,chain"
    SecRule &TX:trapped "@eq 0" "t:none,chain"
    SecRuleScript trap.lua "t:none,chain"
    SecRule &ARGS "@ge 0" "t:none"

# Same, for transactions whose highest matched severity is exactly 6.
SecRule HIGHEST_SEVERITY "@eq 6" "id:77350577,chain,phase:5,pass,nolog,severity:5,t:none,tag:'service_im360',tag:'noshow'"
    SecRule &TX:trapped "@eq 0" "t:none,chain"
    SecRuleScript trap.lua "t:none,chain"
    SecRule &ARGS "@ge 0" "t:none"

# ---- Known-malware file access ----
# Block direct requests to a script listed in malware_standalone.list, except when
# SCRIPT_FILENAME ends with "/" or (lowercased) with index.php.
SecRule SCRIPT_FILENAME "@pmFromFile malware_standalone.list" "id:33356,chain,phase:2,block,nolog,auditlog,t:none,severity:2,msg:'IM360 WAF: Standalone malware access attempt||RSV:8.02||T:APACHE||SC:%{SCRIPT_FILENAME}||',tag:'service_im360'"
    SecRule SCRIPT_FILENAME "!@endsWith /" "chain,t:none"
    SecRule SCRIPT_FILENAME "!@endsWith index.php" "t:none,t:lowercase"

# Self-test hooks for tag handling: block when the tag_test parameter equals the tag
# name. They fire for any request carrying that parameter, so hits may also show up
# in audit logs from unrelated traffic.
SecRule ARGS:tag_test "@streq wp_core" "id:33360,msg:'IM360 WAF: Testing tags (wp_core)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,block,t:none,t:lowercase,severity:2,tag:'wp_core'"
SecRule ARGS:tag_test "@streq joomla_core" "id:33361,msg:'IM360 WAF: Testing tags (joomla_core)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||RSV:8.02||T:APACHE||',phase:2,block,t:none,t:lowercase,severity:2,tag:'joomla_core'"

# Phase-2 counterpart of rule 33314: log tx.trapinfo and reset tx.trapped.
# File order matters: this runs before rules 33325 and 77316816 below, so within
# phase 2 it only sees a flag set by rules above it.
SecRule TX:trapped "@eq 1" "id:33326,phase:2,pass,nolog,auditlog,msg:'IM360 WAF: IPR||HT: %{TX.trapinfo}||RSV:8.02||T:APACHE||',severity:7,tag:'service_im360',tag:'noshow',setvar:tx.trapped=0"

# Run trap.lua (no block) when the script is listed in malware_found.list.
SecRule SCRIPT_FILENAME "@pmFromFile malware_found.list" "id:33325,chain,phase:2,pass,nolog,severity:5,t:none,tag:'service_im360',tag:'noshow'"
    SecRuleScript trap.lua "t:none,chain"
    SecRule SCRIPT_FILENAME "@pmFromFile malware_found.list" "t:none"

# Same check against a list of base64-encoded paths: SCRIPT_FILENAME is base64-encoded
# before matching, so malware_found_b64.list is expected to hold encoded entries.
SecRule SCRIPT_FILENAME "@pmFromFile malware_found_b64.list" "id:77316816,phase:2,pass,nolog,severity:5,t:none,t:base64Encode,chain,tag:'service_im360',tag:'noshow'"
    SecRuleScript trap.lua "t:none,chain"
    SecRule &ARGS "@ge 0" "t:none"

# Base64 variant of rule 33356 (block). The audit message also records
# REQUEST_FILENAME and SCRIPT_USERNAME.
# NOTE(review): the exemption here is looser than in 33356. Only "/" is anchored to the
# end of the path; index.php and wp-load.php are matched anywhere in the lowercased
# path, so any path merely containing either string is exempt from this block.
# Confirm that is intended.
SecRule SCRIPT_FILENAME "!@rx (?:index\.php|wp-load\.php|\/$)" "id:77316817,chain,phase:2,block,nolog,auditlog,t:none,t:lowercase,severity:2,msg:'IM360 WAF: Standalone malware access attempt (base64)||RSV:8.02||T:APACHE||SC:%{SCRIPT_FILENAME}||File:%{REQUEST_FILENAME}||User:%{SCRIPT_USERNAME}||',tag:'service_im360'"
    SecRule SCRIPT_FILENAME "@pmFromFile malware_standalone_b64.list" "t:none,t:base64Encode"

# ---- WordPress user capture ----
# Copy the user name from a wordpress_logged_in_* cookie into tx.wp_user.
# The request-side value (phase 1) comes from a client-supplied Cookie header and is
# not verified here, so tx.wp_user is a claim, not proof of authentication; it is
# suitable for log context, not for trust decisions.
SecRule REQUEST_HEADERS:Cookie "wordpress_logged_in_[^=]+=([^\|=]+?)\|" "id:77350273,phase:1,pass,nolog,severity:5,t:none,t:urlDecode,capture,msg:'IM360 WAF: WordPress User Capture',setvar:tx.wp_user=%{TX.1},tag:'wp_core',tag:'noshow'"
# Response side (phase 3): take the name from a Set-Cookie header issued by the
# application, overwriting any request-side value.
SecRule RESPONSE_HEADERS:set-cookie "@rx wordpress_logged_in_[^=]+=([^\|=]+?)\|" "id:77350315,phase:3,pass,nolog,severity:5,t:none,t:urlDecode,capture,setvar:tx.wp_user=%{TX.1},tag:'wp_core',tag:'noshow'"