File: /opt/bitninja-waf/etc/BitNinja/400-BITNINJA-INITIALIZATION.conf
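# BitNinja WAF (ModSecurity) initialization rules.
#
# Part 1: per-location "lockdown" and "virtual honeypot" handling.
# Part 2: request classification helpers (WordPress admin, XML-RPC, cPanel
#         JSON API) that only set variables and never block.
#
# Control flow uses skipAfter/SecMarker pairs, so rule ORDER is significant:
#   TX:BN_PATTERN_LOCKDOWN        < 1  -> skip to marker BITNINJA-LOCKDOWN
#   TX:BN_PATTERN_CAN_HONEYPOTIFY < 1  -> skip to marker VIRTUAL-HONEYPOT
# skipAfter only affects rules of the same phase as the rule that issues it.
#
# NOTE(review): the SecAction that would initialise these TX variables is
# commented out below, so they are presumably set by another rule file.
# In ModSecurity v2 a rule whose target variable does not exist does not
# match, so with the variables unset the "@lt 1" guards would NOT skip and
# the lockdown rules would apply to every request. Confirm where they are set.

#SecAction "id:400000, phase:1,\
#    nolog,\
#    pass,\
#    t:none,\
#    setvar:tx.bn_inbound_found=0,\
#    setvar:tx.bn_outbound_found=0,\
#    setvar:tx.bn_pattern_lockdown=1,\
#    setvar:tx.bn_pattern_can_honeypotify=1,\
#    setvar:tx.bn_pattern="

# Guards: bypass the whole lockdown/honeypot section (one guard per phase)
# when lockdown is not enabled for the matched location.
SecRule TX:BN_PATTERN_LOCKDOWN "@lt 1" "phase:1, id:400010, nolog,noauditlog,pass,skipAfter:BITNINJA-LOCKDOWN"
SecRule TX:BN_PATTERN_LOCKDOWN "@lt 1" "phase:2, id:400011, nolog,noauditlog,pass,skipAfter:BITNINJA-LOCKDOWN"

# Lockdown, phase 2: a request carrying any POST argument is denied with 405.
# The closing quote of the action list was missing in the original; it is
# restored here so the directive is well-formed for every parser.
SecRule &ARGS_POST "@gt 0" \
    "id:400110, \
    phase:2,\
    msg:'Requested location [%{tx.bn_pattern}] is on lockdown. No POST data allowed.',\
    logdata:'POST data not allowed.',\
    deny,\
    status:405,\
    severity:WARNING"

# Guard (phase 2): bypass the honeypot rules when honeypotification is off.
SecRule TX:BN_PATTERN_CAN_HONEYPOTIFY "@lt 1" "phase:2, id:400013, nolog,noauditlog,pass,skipAfter:VIRTUAL-HONEYPOT"

# Virtual honeypot, phase 2: any POST argument counts as an inbound hit.
# "block" defers to the disruptive action configured via SecDefaultAction,
# which is not visible in this file.
SecRule &ARGS_POST "@gt 0" \
    "id:400112, \
    phase:2,\
    rev:'1',\
    msg:'Requested location is a virtual honeypot location. No POST data allowed.',\
    logdata:'Requested location is a virtual honeypot location. No POST data allowed.',\
    block,\
    setvar:tx.bn_inbound_found=+1,\
    severity:CRITICAL"

# Many users enabled virtual honeypotification on / and made their sites unreachable.
# This is not the way this should be used.

# Guard (phase 1). In this file no phase-1 rule sits between this guard and
# the VIRTUAL-HONEYPOT marker, so it currently skips nothing.
SecRule TX:BN_PATTERN_CAN_HONEYPOTIFY "@lt 1" "phase:1, id:400012, nolog,noauditlog,pass,skipAfter:VIRTUAL-HONEYPOT"

# Flags a PHP opening tag ("<?php" or "<?" followed by whitespace) in the raw
# request body.
# NOTE(review): the message speaks of file uploads, but REQUEST_BODY may not
# be populated for multipart/form-data requests in ModSecurity v2; verify
# that uploaded file content is inspected by this or another rule.
SecRule REQUEST_BODY "(?:(?:<\?php|<\?)\s)" "setvar:tx.bn_inbound_found=+1,\
    id:400114, \
    phase:2,\
    rev:'1',\
    msg:'PHP file upload not allowed on this location',\
    logdata:'PHP file upload not allowed on this location',\
    block,\
    severity:CRITICAL"

SecMarker "VIRTUAL-HONEYPOT"

# NOTE(review): this rule follows the VIRTUAL-HONEYPOT marker, so guard 400013
# does not skip it; it runs whenever lockdown is enabled, even with
# honeypotification off, and then blocks every request that has a query-string
# argument. Confirm that this placement is intended.
SecRule &ARGS_GET "@gt 0" \
    "id:400113, \
    phase:2,\
    rev:'1',\
    msg:'Requested location is a virtual honeypot location. No GET data allowed.',\
    logdata:'Requested location is a virtual honeypot location. No GET data allowed.',\
    block,\
    setvar:tx.bn_inbound_found=+1,\
    severity:CRITICAL"

# Lockdown, phase 1 counterpart of 400110.
# Fixed: the message used "${tx.pattern}", which is not ModSecurity macro
# syntax and names a variable used nowhere else in this file; it now matches
# rule 400110. The missing closing quote is restored as well.
# NOTE(review): request-body arguments are normally parsed after phase 1, so
# &ARGS_POST is likely still 0 here and 400110 does the real work. Verify.
SecRule &ARGS_POST "@gt 0" \
    "id:400111,\
    phase:1, \
    msg:'Requested location [%{tx.bn_pattern}] is on lockdown. No POST data allowed.',\
    logdata:'POST data not allowed.',\
    deny,\
    status:405,\
    severity:WARNING"

SecMarker "BITNINJA-LOCKDOWN"

# WordPress admin detection (phase 3, non-blocking). Sets ip.wp_admin_in=1
# when all chained conditions hold: URI contains /wp-admin/, at least one
# wordpress_logged_in_* cookie is present, the response status is 200, and
# the URI is neither wp-login.php nor admin-ajax.php.
# NOTE(review): the cookie is matched by name only, so this is a heuristic.
# The IP collection must be initialised (initcol) elsewhere for the setvar to
# persist, and the consumer of ip.wp_admin_in is not visible here.
SecRule REQUEST_URI "@contains /wp-admin/" \
    "id:301090, \
    phase:3,\
    nolog,\
    rev:'1',\
    severity:info,\
    pass,\
    chain"
    SecRule &REQUEST_COOKIES:/^wordpress_logged_in_/ "@ge 1" "t:none,chain"
    SecRule RESPONSE_STATUS "@streq 200" "t:none,chain"
    SecRule REQUEST_URI "!@contains wp-login.php" "t:none,chain"
    SecRule REQUEST_URI "!@contains admin-ajax.php" "t:none,t:normalizePath,setvar:ip.wp_admin_in=1"

# XML-RPC call detection (non-blocking). Sets tx.bn_xmlrpc_call=1 when the
# normalised URI ends with /xmlrpc.php and the body contains <methodCall> and
# ends with </methodCall>.
SecRule REQUEST_URI "@endsWith /xmlrpc.php" "id:301091,phase:2,nolog,severity:info,t:none,t:normalizePath,pass,chain"
    SecRule REQUEST_BODY "@contains <methodCall>" "t:none,chain"
    SecRule REQUEST_BODY "@endsWith </methodCall>" "setvar:tx.bn_xmlrpc_call=1"

# cPanel JSON API call detection (non-blocking). Sets tx.bn_cpanel_call=1 when
# both cpanel_jsonapi_module and cpanel_jsonapi_func are POST argument names.
SecRule ARGS_POST_NAMES "^cpanel_jsonapi_module$" "id:301092,phase:2,nolog,severity:info,t:none,t:normalizePath,pass,chain"
    SecRule ARGS_POST_NAMES "^cpanel_jsonapi_func$" "setvar:tx.bn_cpanel_call=1"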