/etc/apache2/conf.d/modsec_vendor_configs/imunify360-full-apache
# ------------------------------------------------------ # Imunify360 ModSecurity Rules # Copyright (C) 2026 CloudLinux Inc All right reserved # The Imunify360 ModSecurity Rules is distributed under # IMUNIFY360 LICENSE AGREEMENT # ------------------------------------------------------ # Imunify360 ModSecurity Base Ruleset SecRule REQUEST_METHOD "!@rx ^POST$" "id:77316857,phase:2,pass,severity:5,t:none,nolog,skipAfter:MARKER_BRUTE_POST,tag:'noshow'" SecRule REQUEST_METHOD "@rx ^POST$" "id:33332,chain,phase:3,pass,nolog,auditlog,severity:2,t:none,msg:'IM360 WAF: Failed WordPress login||WPU:%{ARGS.log}||User:%{SCRIPT_USERNAME}||Script:%{SCRIPT_FILENAME}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'" SecRule ARGS:log "!@rx ^$" "chain,t:none" SecRule ARGS:pwd "!@rx ^$" "chain,t:none" SecRule RESPONSE_HEADERS:Set-cookie "@contains wordpress_" "chain,t:none" SecRule &RESPONSE_HEADERS:Location "@eq 0" "t:none" SecRule REQUEST_FILENAME "@endsWith index.php" "id:33333,chain,pass,nolog,auditlog,phase:2,severity:5,t:none,t:urlDecode,t:normalizePath,t:lowercase,msg:'IM360 WAF: Abantecart login attempt||%{REQUEST_HEADERS.Host}||User:%{SCRIPT_USERNAME}||Script:%{SCRIPT_FILENAME}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'" SecRule REQUEST_METHOD "^POST$" "chain,t:none,t:urlDecode" SecRule ARGS:rt "@contains index/login" "chain,t:none,t:urlDecode" SecRule ARGS:username "!@rx ^$" "chain,t:none,t:urlDecode" SecRule ARGS:password "!@rx ^$" "t:none" SecRule REQUEST_FILENAME "@endsWith admin/login.php" "id:33334,chain,pass,nolog,auditlog,phase:2,severity:5,t:none,t:urlDecode,t:normalizePath,t:lowercase,msg:'IM360 WAF: CMSMadeSimple login attempt||%{REQUEST_HEADERS.Host}||User:%{SCRIPT_USERNAME}||Script:%{SCRIPT_FILENAME}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'" SecRule REQUEST_METHOD "^POST$" "chain,t:none,t:urlDecode" SecRule ARGS:username "!@rx ^$" "chain,t:none,t:urlDecode" SecRule ARGS:password "!@rx ^$" "chain,t:none,t:urlDecode" SecRule ARGS:loginsubmit "!@rx ^$" "t:none" SecRule REQUEST_URI "@contains /downloader/" "id:33338,chain,pass,nolog,auditlog,phase:2,severity:5,t:none,t:urlDecode,t:normalizePath,t:lowercase,msg:'IM360 WAF: Magento CMS downloader login attempt||%{REQUEST_HEADERS.Host}||User:%{SCRIPT_USERNAME}||Script:%{SCRIPT_FILENAME}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'" SecRule REQUEST_METHOD "^POST$" "chain,t:none,t:urlDecode" SecRule ARGS:login[username] "!@rx ^$" "chain,t:none,t:urlDecode" SecRule ARGS:login[password] "!@rx ^$" "t:none" SecRule ARGS:form_key "!@rx ^$" "id:33335,chain,pass,nolog,auditlog,phase:2,severity:5,t:none,t:urlDecode,t:normalizePath,t:lowercase,msg:'IM360 WAF: Magento CMS login attempt||%{REQUEST_HEADERS.Host}||User:%{SCRIPT_USERNAME}||Script:%{SCRIPT_FILENAME}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'" SecRule REQUEST_METHOD "^POST$" "chain,t:none,t:urlDecode" SecRule ARGS:login[username] "!@rx ^$" "chain,t:none,t:urlDecode" SecRule ARGS:login[password] "!@rx ^$" "t:none" SecRule REQUEST_METHOD "^POST$" "id:33336,chain,pass,nolog,auditlog,phase:2,severity:5,t:none,msg:'IM360 WAF: Drupal CMS login attempt||%{REQUEST_HEADERS.Host}||User:%{SCRIPT_USERNAME}||Script:%{SCRIPT_FILENAME}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'" SecRule ARGS:form_id "!@rx ^$" "chain,t:none,t:urlDecode" SecRule ARGS:form_build_id "@beginsWith form-" "chain,t:none" SecRule ARGS:name "!@rx ^$" "chain,t:none" SecRule ARGS:pass "!@rx ^$" "t:none" SecRule REQUEST_METHOD "^POST$" "id:77316941,chain,pass,nolog,auditlog,phase:3,severity:2,t:none,msg:'IM360 WAF: Drupal CMS failed login attempt||%{REQUEST_HEADERS.Host}||User:%{SCRIPT_USERNAME}||Script:%{SCRIPT_FILENAME}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'" SecRule RESPONSE_STATUS "@rx ^20" "chain,t:none" SecRule ARGS:form_build_id "@beginsWith form-" "chain,t:none" SecRule ARGS:name "!@rx ^$" "chain,t:none,t:urlDecode" SecRule ARGS:pass "!@rx ^$" "chain,t:none,t:urlDecode" SecRule ARGS:form_id "!@rx ^$" "t:none" SecRule REQUEST_METHOD "^POST$" "id:33337,chain,pass,nolog,auditlog,phase:2,severity:5,t:none,msg:'IM360 WAF: Prestashop CMS login attempt||%{REQUEST_HEADERS.Host}||User:%{SCRIPT_USERNAME}||Script:%{SCRIPT_FILENAME}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'" SecRule REQUEST_FILENAME "@endsWith login.php" "chain,t:none,t:normalizePath,t:lowercase" SecRule ARGS:passwd "!@rx ^$" "chain,t:none" SecRule ARGS:email "!@rx ^$" "t:none" SecRule REQUEST_FILENAME "@endsWith xmlrpc.php" "id:33339,chain,pass,nolog,auditlog,phase:3,severity:5,t:none,t:urlDecode,t:normalizePath,t:lowercase,msg:'IM360 WAF: WordPress XML-RPC access attempt||%{REQUEST_HEADERS.Host}||User:%{SCRIPT_USERNAME}||Script:%{SCRIPT_FILENAME}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'" SecRule REQUEST_METHOD "^POST$" "chain,t:none" SecRule RESPONSE_STATUS "@pm 403 404 405 406" "t:none" SecRule REQUEST_URI "@pm /dologin.php /login" "id:33342,chain,pass,nolog,auditlog,phase:3,severity:5,t:none,t:urlDecode,t:normalizePath,t:lowercase,msg:'IM360 WAF: WHMCS successful login||%{REQUEST_HEADERS.Host}||User:%{SCRIPT_USERNAME}||Script:%{SCRIPT_FILENAME}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'" SecRule REQUEST_METHOD "^POST$" "chain,t:none,t:urlDecode" SecRule ARGS:token "!@rx ^$" "chain,t:none,t:urlDecode" SecRule ARGS:username "!@rx ^$" "chain,t:none,t:urlDecode" SecRule ARGS:password "!@rx ^$" "chain,t:none" SecRule REQUEST_HEADERS:Cookie "@rx WHMCS\w+" "chain,t:none" SecRule RESPONSE_HEADERS:Location "!@rx incorrect=1|^/login$" "t:none" SecRule REQUEST_FILENAME "@endsWith administrator/index.php" "id:33345,chain,pass,nolog,auditlog,phase:2,severity:5,t:none,t:urlDecode,t:normalizePath,t:lowercase,msg:'IM360 WAF: Joomla CMS login attempt||%{REQUEST_HEADERS.Host}||User:%{SCRIPT_USERNAME}||Script:%{SCRIPT_FILENAME}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'" SecRule REQUEST_METHOD "^POST$" "chain,t:none,t:urlDecode" SecRule ARGS:username "!@rx ^$" "chain,t:none,t:urlDecode" SecRule ARGS:passwd "!@rx ^$" "chain,t:none,t:urlDecode" SecRule ARGS:option "^com_login$" "chain,t:none,t:urlDecode" SecRule ARGS:task "^login$" "t:none,t:urlDecode" SecRule REQUEST_FILENAME "@endsWith administrator/index.php" "id:33346,chain,pass,nolog,auditlog,phase:2,severity:5,t:none,t:urlDecode,t:normalizePath,t:lowercase,msg:'IM360 WAF: Old Joomla CMS login attempt||%{REQUEST_HEADERS.Host}||User:%{SCRIPT_USERNAME}||Script:%{SCRIPT_FILENAME}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'" SecRule REQUEST_METHOD "^POST$" "chain,t:none,t:urlDecode" SecRule ARGS:usrname "!@rx ^$" "chain,t:none,t:urlDecode" SecRule ARGS:pass "!@rx ^$" "t:none,t:urlDecode" SecRule REQUEST_FILENAME "@contains /admin/" "id:33352,chain,pass,nolog,auditlog,phase:2,severity:5,t:none,t:urlDecode,t:normalizePath,t:lowercase,msg:'IM360 WAF: OpenCart CMS login attempt||%{REQUEST_HEADERS.Host}||User:%{SCRIPT_USERNAME}||Script:%{SCRIPT_FILENAME}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'" SecRule REQUEST_METHOD "^POST$" "chain,t:none,t:urlDecode" SecRule ARGS:username "!@rx ^$" "chain,t:none,t:urlDecode" SecRule ARGS:password "!@rx ^$" "t:none,t:urlDecode" SecRule REQUEST_FILENAME "@contains json-api/listaccts" "id:77316764,chain,pass,nolog,auditlog,phase:2,severity:5,t:none,t:urlDecode,t:normalizePath,t:lowercase,msg:'IM360 WAF: WHMCS API login attempt||%{REQUEST_HEADERS.Host}||User:%{SCRIPT_USERNAME}||Script:%{SCRIPT_FILENAME}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'" SecRule &ARGS:api.version "@gt 0" "chain,t:none" SecRule REQUEST_HEADERS:Authorization "@beginsWith whm" "t:none" SecRule &TX:rbl_whitelist_check "@eq 0" "id:77531625,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Monitor WordPress login page by RBL||RSV:8.02||T:APACHE||User:%{SCRIPT_USERNAME}||Script:%{SCRIPT_FILENAME}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_FILENAME "@endsWith /wp-login.php" "chain,t:none" SecRule REQUEST_METHOD "!@rx ^POST" "t:none,setvar:tx.rbl_www_brute_rule=%{tx.rbl_www_brute_rule}r77531625" SecRule REQUEST_FILENAME "@contains /cpsess" "id:77316765,chain,pass,nolog,auditlog,phase:2,severity:5,t:none,t:urlDecode,t:normalizePath,t:lowercase,msg:'IM360 WAF: WHMCS link login attempt||%{REQUEST_HEADERS.Host}||User:%{SCRIPT_USERNAME}||Script:%{SCRIPT_FILENAME}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'" SecRule ARGS:session "@contains create_user_session" "t:none" SecRule REQUEST_METHOD "^POST$" "id:77316938,chain,pass,nolog,auditlog,phase:3,severity:2,t:none,msg:'IM360 WAF: Joomla CMS administrator login attempt failed||%{REQUEST_HEADERS.Host}||User:%{SCRIPT_USERNAME}||Script:%{SCRIPT_FILENAME}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'" SecRule REQUEST_FILENAME "@endsWith administrator/index.php" "chain,t:none,t:normalizePath,t:lowercase" SecRule ARGS:username "!@rx ^$" "chain,t:none" SecRule ARGS:passwd "!@rx ^$" "chain,t:none" SecRule ARGS:option "^com_login$" "chain,t:none" SecRule &RESPONSE_HEADERS:Set-Cookie "@eq 0" "t:none" SecRule REQUEST_METHOD "^POST$" "id:77316939,chain,pass,nolog,auditlog,phase:3,severity:2,msg:'IM360 WAF: Joomla CMS user login attempt failed||%{REQUEST_HEADERS.Host}||User:%{SCRIPT_USERNAME}||Script:%{SCRIPT_FILENAME}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'" SecRule REQUEST_URI "@contains /index.php/component/users/" "chain,t:none,t:normalizePath,t:lowercase" SecRule ARGS:username "!@rx ^$" "chain,t:none" SecRule ARGS:password "!@rx ^$" "chain,t:none" SecRule ARGS:option "^com_login$" "chain,t:none" SecRule RESPONSE_HEADERS:Set-Cookie "!@rx joomla_user_state=logged_in" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77316840,chain,phase:3,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Failed WHMCS login||User:%{SCRIPT_USERNAME}||Script:%{SCRIPT_FILENAME}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'" SecRule REQUEST_URI "@rx (?:\/dologin\.php|\/login|\/index\.php\?rp=\/login)$" "chain,t:none,t:urlDecode" SecRule REQUEST_HEADERS:Cookie "@rx WHMCS\w+" "chain,t:none" SecRule ARGS:token "!@rx ^$" "chain,t:none,t:urlDecode" SecRule ARGS:username "!@rx ^$" "chain,t:none,t:urlDecode" SecRule ARGS:password "!@rx ^$" "chain,t:none" SecRule RESPONSE_HEADERS:Location "@pm incorrect=1 /login" "t:none" SecRule REQUEST_METHOD "@rx ^POST$" "id:77316841,chain,phase:3,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: WHMCS login attempt||User:%{SCRIPT_USERNAME}||Script:%{SCRIPT_FILENAME}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'" SecRule REQUEST_URI "@rx (?:\/dologin\.php|\/login)$" "chain,t:none,t:urlDecode" SecRule RESPONSE_STATUS "@streq 302" "chain,t:none" SecRule ARGS:token "!@rx ^$" "chain,t:none,t:urlDecode" SecRule ARGS:username "!@rx ^$" "chain,t:none,t:urlDecode" SecRule ARGS:password "!@rx ^$" "chain,t:none" SecRule RESPONSE_HEADERS:Set-Cookie "@rx WHMCS\w+" "t:none" SecRule &TX:rbl_whitelist_check "@eq 0" "id:77350195,phase:2,pass,severity:5,nolog,t:none,skipAfter:RBL_BRUTE_CHECK,tag:'noshow'" SecRule REQUEST_URI "@pm /dologin.php /login" "id:33373,chain,pass,nolog,auditlog,phase:2,severity:5,t:none,t:lowercase,msg:'IM360 WAF: WHMCS bruteforce attempt on login page||User:%{SCRIPT_USERNAME}||Script:%{SCRIPT_FILENAME}||RSV:8.02||T:APACHE||%{REQUEST_HEADERS.Host}||',tag:'service_im360'" SecRule REQUEST_METHOD "^POST$" "chain,t:none" SecRule ARGS:token "!@rx ^$" "chain,t:none" SecRule ARGS:username "!@rx ^$" "chain,t:none" SecRule ARGS:password "!@rx ^$" "chain,t:none" SecRule REQUEST_HEADERS:Cookie "@rx WHMCS\w+" "t:none,setvar:tx.rbl_www_brute_rule=%{tx.rbl_www_brute_rule}r33373" SecRule REQUEST_METHOD "^POST$" "id:77316815,chain,pass,nolog,auditlog,phase:2,severity:5,t:none,msg:'IM360 WAF: Prestashop CMS login track from address in rbl www-brute||%{REQUEST_HEADERS.Host}||User:%{SCRIPT_USERNAME}||Script:%{SCRIPT_FILENAME}||RSV:8.02||T:APACHE||',tag:'service_im360'" SecRule REQUEST_FILENAME "@endsWith login.php" "chain,t:none,t:normalizePath,t:lowercase" SecRule ARGS:passwd "!@rx ^$" "chain,t:none" SecRule ARGS:email "!@rx ^$" "t:none,setvar:tx.rbl_www_brute_rule=%{tx.rbl_www_brute_rule}r77316815" SecRule REQUEST_METHOD "^POST$" "id:33303,chain,phase:2,t:none,pass,severity:5,nolog,auditlog,msg:'IM360 WAF: WordPress Bruteforce RBL track||Name:%{ARGS.log}||WPU:%{ARGS.log}||User:%{SCRIPT_USERNAME}||Script:%{SCRIPT_FILENAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_URI "/wp-login\.php|/xmlrpc\.php" "t:none,setvar:tx.rbl_www_brute_rule=%{tx.rbl_www_brute_rule}r33303" SecRule ARGS:form_key "!@rx ^$" "id:33305,chain,phase:2,t:none,pass,severity:5,nolog,auditlog,msg:'IM360 WAF: Magento Bruteforce RBL track||MV:%{MATCHED_VAR}||User:%{SCRIPT_USERNAME}||Script:%{SCRIPT_FILENAME}||RSV:8.02||T:APACHE||',tag:'service_im360'" SecRule REQUEST_METHOD "^POST$" "t:none,chain" SecRule ARGS:login[username] "!@rx ^$" "t:none,chain" SecRule ARGS:login[password] "!@rx ^$" "t:none,setvar:tx.rbl_www_brute_rule=%{tx.rbl_www_brute_rule}r33305" SecRule REQUEST_FILENAME "@endsWith administrator/index.php" "id:33348,chain,phase:2,t:none,pass,severity:5,nolog,auditlog,msg:'IM360 WAF: Joomla Bruteforce RBL track||User:%{SCRIPT_USERNAME}||Script:%{SCRIPT_FILENAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_im360'" SecRule REQUEST_METHOD "^POST$" "t:none,chain" SecRule ARGS:username "!@rx ^$" "chain,t:none" SecRule ARGS:passwd "!@rx ^$" "chain,t:none" SecRule ARGS:option "^com_login$" "chain,t:none" SecRule ARGS:task "^login$" "t:none,setvar:tx.rbl_www_brute_rule=%{tx.rbl_www_brute_rule}r33348" SecRule REQUEST_FILENAME "@endsWith administrator/index.php" "id:33350,pass,chain,phase:2,t:none,nolog,auditlog,severity:5,msg:'IM360 WAF: Old Joomla versions Bruteforce RBL track||User:%{SCRIPT_USERNAME}||Script:%{SCRIPT_FILENAME}||RSV:8.02||T:APACHE||MV:%{ARGS.usrname}||',tag:'service_im360'" SecRule REQUEST_METHOD "^POST$" "chain,t:none" SecRule ARGS:usrname "!@rx ^$" "chain,t:none" SecRule ARGS:pass "!@rx ^$" "t:none,setvar:tx.rbl_www_brute_rule=%{tx.rbl_www_brute_rule}r33350" SecRule REQUEST_FILENAME "@contains /admin/" "id:33354,chain,phase:2,t:none,pass,severity:5,nolog,auditlog,msg:'IM360 WAF: OpenCart Bruteforce RBL trackARGS:usrname||MV:%{ARGS.username}||User:%{SCRIPT_USERNAME}||Script:%{SCRIPT_FILENAME}||RSV:8.02||T:APACHE||',tag:'service_im360'" SecRule REQUEST_METHOD "^POST$" "chain,t:none" SecRule ARGS:username "!@rx ^$" "chain,t:none" SecRule ARGS:password "!@rx ^$" "t:none,setvar:tx.rbl_www_brute_rule=%{tx.rbl_www_brute_rule}r33354" SecRule ARGS:option "@streq com_contact" "id:33351,chain,phase:2,nolog,auditlog,pass,severity:5,t:none,t:lowercase,msg:'IM360 WAF: track Joomla unsecured contact forms bruteforce||ID:%{ARGS.id}||ITEMID:%{ARGS.Itemid}||User:%{SCRIPT_USERNAME}||Script:%{SCRIPT_FILENAME}||RSV:8.02||T:APACHE||MTD:%{tx.0}||',tag:'service_im360'" SecRule ARGS:task|ARGS:view "@contains contact" "chain,t:none,t:lowercase" SecRule ARGS:Itemid|ARGS:id "!@rx ^$" "t:none,setvar:tx.rbl_www_brute_rule=%{tx.rbl_www_brute_rule}r33351" SecRule ARGS:q "!@rx ^$" "id:33307,chain,phase:2,t:none,pass,severity:5,nolog,auditlog,msg:'IM360 WAF: Drupal Bruteforce RBL track||User:%{SCRIPT_USERNAME}||Script:%{SCRIPT_FILENAME}||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_im360'" SecRule REQUEST_METHOD "^POST$" "t:none,chain" SecRule ARGS:form_build_id "@beginsWith form-" "t:none,chain" SecRule ARGS:name "!@rx ^$" "t:none,chain" SecRule ARGS:pass "!@rx ^$" "t:none,chain" SecRule ARGS:form_id "!@rx ^$" "t:none,setvar:tx.rbl_www_brute_rule=%{tx.rbl_www_brute_rule}r33307" SecRule ARGS:author "!@rx ^$" "id:77140879,pass,auditlog,phase:2,severity:5,t:none,msg:'IM360 WAF: RBL track WordPress users enumeration||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||User:%{SCRIPT_USERNAME}||Script:%{SCRIPT_FILENAME}||RSV:8.02||T:APACHE||',setvar:tx.rbl_www_brute_rule=%{tx.rbl_www_brute_rule}r77140879,tag:'service_im360'" SecMarker RBL_BRUTE_CHECK SecRule REQUEST_METHOD "^POST$" "id:77317953,chain,pass,nolog,auditlog,phase:3,severity:5,t:none,msg:'IM360 WAF: Prestashop CMS failed login attempt||%{REQUEST_HEADERS.Host}||User:%{SCRIPT_USERNAME}||Script:%{SCRIPT_FILENAME}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'" SecRule REQUEST_FILENAME "@endsWith /login" "chain,t:none,t:normalizePath,t:lowercase" SecRule &ARGS:password|&ARGS:passwd "@gt 0" "chain,t:none" SecRule &ARGS:email "@gt 0" "chain,t:none" SecRule RESPONSE_STATUS "@rx ^20" "t:none" SecRule REQUEST_METHOD "^POST$" "id:77317954,chain,pass,nolog,auditlog,phase:2,severity:5,t:none,msg:'IM360 WAF: Prestashop CMS administrator login attempt||Host:%{REQUEST_HEADERS.Host}||User:%{SCRIPT_USERNAME}||Script:%{SCRIPT_FILENAME}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'" SecRule REQUEST_FILENAME "@endsWith /index.php" "chain,t:none,t:normalizePath,t:lowercase" SecRule ARGS:controller "@streq AdminLogin" "chain,t:none" SecRule &ARGS:password|&ARGS:passwd "@gt 0" "chain,t:none" SecRule &ARGS:email "@gt 0" "t:none" SecRule REQUEST_METHOD "^POST$" "id:77317958,chain,pass,nolog,auditlog,phase:3,severity:5,t:none,t:urlDecode,msg:'IM360 WAF: Magento CMS admin failed login attempt||Host:%{REQUEST_HEADERS.Host}||User:%{SCRIPT_USERNAME}||Script:%{SCRIPT_FILENAME}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'" SecRule REQUEST_URI "@contains /admin/" "chain,t:none,t:normalizePath" SecRule &ARGS:login[username] "@gt 0" "chain,t:none" SecRule &ARGS:login[password] "@gt 0" "chain,t:none" SecRule RESPONSE_STATUS "@rx ^20" "t:none" SecRule REQUEST_METHOD "^POST$" "id:77317959,chain,pass,nolog,auditlog,phase:3,severity:5,t:none,t:urlDecode,msg:'IM360 WAF: Magento CMS customer failed login attempt||Host:%{REQUEST_HEADERS.Host}||User:%{SCRIPT_USERNAME}||Script:%{SCRIPT_FILENAME}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'" SecRule REQUEST_URI "@contains /customer/" "chain,t:none,t:normalizePath" SecRule &ARGS:login[username] "@gt 0" "chain,t:none" SecRule &ARGS:login[password] "@gt 0" "chain,t:none" SecRule RESPONSE_HEADERS:Set-Cookie "!@rx ^X-Magento-Vary" "t:none" SecMarker MARKER_BRUTE_POST SecRule REQUEST_URI "@rx clientarea\.php\?incorrect=(?:true|1)" "id:77316762,phase:2,pass,nolog,auditlog,severity:5,t:normalizePath,msg:'IM360 WAF: WHMCS failed authorization||RSV:8.02||T:APACHE||User:%{SCRIPT_USERNAME}||Script:%{SCRIPT_FILENAME}||RSV:8.02||T:APACHE||',tag:'service_im360'" SecRule REQUEST_BASENAME "@streq banned.php" "id:77350200,chain,phase:2,pass,nolog,auditlog,severity:5,msg:'IM360 WAF: WHMCS banned IP for several failed authorization||MV:%{MATCHED_VAR}||User:%{SCRIPT_USERNAME}||Script:%{SCRIPT_FILENAME}||RSV:8.02||T:APACHE||',tag:'service_im360'" SecRule REQUEST_HEADERS:Referer "@rx \/admin\/index\.php$" "t:none,t:normalizePath" SecRule &TX:rbl_whitelist_check "@eq 0" "id:77845274,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Attempt to register new user (custom endpoint RBL) ||billing_first_name:%{ARGS.billing_first_name}||email:%{ARGS.email}||User:%{SCRIPT_USERNAME}||Script:%{SCRIPT_FILENAME}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_METHOD "@rx ^POST" "chain,t:none" SecRule REQUEST_URI "@contains /register/" "chain,t:none,t:normalizePath" SecRule ARGS:billing_first_name "!@rx ^$" "chain,t:none" SecRule ARGS:email "!@rx ^$" "t:none,setvar:tx.rbl_www_brute_rule=%{tx.rbl_www_brute_rule}r77845274" SecRule &TX:rbl_whitelist_check "@eq 0" "id:77845275,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Attempt to register new user (custom endpoint RBL) ||billing_first_name:%{ARGS.billing_first_name}||email:%{ARGS.email}||User:%{SCRIPT_USERNAME}||Script:%{SCRIPT_FILENAME}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_METHOD "@rx ^POST" "chain,t:none" SecRule REQUEST_URI "@contains /register/" "chain,t:none,t:normalizePath" SecRule ARGS:billing_first_name "!@rx ^$" "chain,t:none" SecRule ARGS:email "!@rx ^$" "t:none,setvar:tx.rbl_infectors_rule=%{tx.rbl_infectors_rule}r77845275" SecRule &TX:rbl_whitelist_check "@eq 0" "id:77845276,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Attempt to register new user (custom endpoint) ||MV:%{MATCHED_VAR}||User:%{SCRIPT_USERNAME}||Script:%{SCRIPT_FILENAME}||RSV:8.02||T:APACHE||',tag:'wp_core'" SecRule REQUEST_METHOD "@rx ^POST" "chain,t:none" SecRule REQUEST_URI "@contains /register/" "t:none,t:normalizePath" SecRule &TX:rbl_whitelist_check "@eq 0" "id:77350636,chain,phase:2,pass,nolog,auditlog,severity:5,msg:'IM360 WAF: Access to login page in WordPress (counter)||RSV:8.02||T:APACHE||MV:%{MATCHED_VAR}||',tag:'wp_core'" SecRule REQUEST_FILENAME "@endsWith /wp-login.php" "chain,t:none" SecRule REQUEST_METHOD "!@rx ^POST" "t:none"
.
Edit
..
Edit
000_i360_init.conf
Edit
001_i360_pass.conf
Edit
002_i360_basic.conf
Edit
003_i360_wp_logic.conf
Edit
004_i360_vectors.conf
Edit
005_i360_bruteforce.conf
Edit
006_i360_malware.conf
Edit
007_i360_custom.conf
Edit
008_i360_wordpress.conf
Edit
009_i360_joomla.conf
Edit
010_i360_drupal.conf
Edit
011_i360_otherapps.conf
Edit
012_i360_spam.conf
Edit
013_i360_generic.conf
Edit
014_i360_infectors.conf
Edit
015_i360_filescan.conf
Edit
016_i360_monitor.conf
Edit
017_i360_weak_pass.conf
Edit
018_Disable_WP_Redirect.conf
Edit
IM360-LICENSE.txt
Edit
RELEASE
Edit
VERSION
Edit
bl_agents
Edit
bl_chains
Edit
bl_db_list
Edit
bl_db_list_ext
Edit
bl_ips
Edit
bl_os_files
Edit
bl_path_files
Edit
bl_scanners
Edit
bl_uri
Edit
bl_web_files
Edit
bl_wpboost_uri
Edit
bl_xss_input
Edit
changelog.json
Edit
changelog.txt
Edit
cloudav_list
Edit
crawlers-google-iplist.data
Edit
crawlers-iplist.data
Edit
crawlers-ualist.data
Edit
danme_top100
Edit
detectlua.lua
Edit
inspectfile.lua
Edit
ip-record.db
Edit
java_data
Edit
malware_found.list
Edit
malware_found_b64.list
Edit
malware_standalone.list
Edit
malware_standalone_b64.list
Edit
path_traversal
Edit
php_data
Edit
rbl_whitelist
Edit
rce_uri
Edit
risky-actions.list
Edit
trap.lua
Edit
trap_cookie.lua
Edit
userdata_dirb_URLs.data
Edit