# all.conf
# Bad Bots and User Agents

# Deny Googlebot crawling temp mod_userdir URLs and falsely flagging
# the IMH/WHH corp site as hacked
SecRule REQUEST_HEADERS:User-Agent "Googlebot" \
    "chain,deny,log,auditlog,status:404,\
    msg:'Googlebot user agent crawling a temp url',id:13394"
SecRule REQUEST_HEADERS:Host "(webhostinghub|inmotionhosting|servconfig)\.com" "chain"
SecRule REQUEST_URI "^/~"

# Rule to prevent user agents identifying themselves as bingbot from POSTing
SecRule REQUEST_METHOD "^POST$" \
    "chain,deny,log,auditlog,status:406,\
    msg:'Bingbot user agent making POST requests',id:'13382',\
    tag:'WEB_ATTACK/BRUTE FORCE',severity:'4'"
SecRule REQUEST_HEADERS:User-Agent "bingbot/2\.0;[+]http://www\.bing\.com/bingbot\.htm" \
    "t:lowercase,t:removeWhitespace"

# Block user agents identifying themselves as "Mozilla/5.0" when they POST to
# PHP scripts in a particular path
SecRule REQUEST_METHOD "^POST$" \
    "chain,deny,log,auditlog,status:406,\
    msg:'Suspicious user agent making POST requests',id:'13383',\
    tag:'WEB_ATTACK/BRUTE FORCE',severity:'4'"
SecRule REQUEST_HEADERS:User-Agent "^Mozilla/5.0$" "t:removeWhitespace,chain"
SecRule REQUEST_URI "/images/.*\.php"

# Block BLEXbot user agent
SecRule HTTP_User-Agent "BLEXBot" "deny,log,auditlog,status:406,\
    msg:'Malicious user agent BLEXBot',id:'13072',\
    tag:'WEB_ATTACK/BRUTE FORCE',severity:'4'"

# Block GbPlugin user agent
SecRule REQUEST_HEADERS:User-Agent "GbPlugin" \
    "deny,log,auditlog,status:406,msg:'Malicious user agent GbPlugin',id:'13066',\
    tag:'WEB_ATTACK/BRUTE FORCE',severity:'4'"

# Block GSLFbot user agent
SecRule HTTP_User-Agent "GSLFbot" "deny,log,auditlog,status:406,\
    msg:'Malicious user agent GSLFbot',id:'13067',\
    tag:'WEB_ATTACK/BRUTE FORCE',severity:'4'"

# Block "Indy Library" UA
SecRule REQUEST_METHOD "GET|POST" "chain,deny,log,auditlog,status:406,\
    msg:'Indy Library agent making POST requests',id:'13401',\
    tag:'WEB_ATTACK/BRUTE FORCE',severity:'4'"
SecRule REQUEST_HEADERS:User-Agent "indylibrary" t:lowercase,t:removeWhitespace

# Block common bittorrent user agents
SecRule HTTP_User-Agent \
    "uTorrent|Bittorrent|BitComet|BitTorrent|qqdownload|NP0202_0_0|Azureus"\
    "deny,log,auditlog,status:406,msg:'Bit torrent user agent',id:'13728',\
    tag:'WEB_ATTACK/BRUTE FORCE',severity:'4'"

#https://trac.imhtech.net/T3/ticket/5850 : Malicious robot, attacks Joomla 1.5 com_jce
SecRule HTTP_User-Agent \
    "BOT/0.1\(BOTforJCE\)"\
    "deny,log,auditlog,t:removeWhitespace,status:406,msg:'Malicious robot',id:'13729',\
    tag:'WEB_ATTACK/INJECTION',severity:'4'"

# https://jira.imhdev.com/browse/T3O-4239
SecRule HTTP_User-Agent "Mozilla/5\.0 \(X11; Ubuntu; Linux x86_64; rv:62\.0\) Gecko/20100101 Firefox/62\.0" \
    "deny,log,auditlog,t:none,status:406,msg:'EOL Firefox',\
    msg:'T3O-4239',id:'13730',\
    tag:'WEB_ATTACK/BRUTE FORCE',severity:'4'"

# https://imh-internal.atlassian.net/browse/T3O2-3624
SecRule HTTP_User-Agent "Mozilla/5\.0 \(X11; Fedora; Linux x86_64; rv:94\.0\) Gecko/20100101 Firefox/95\.0" \
    "deny,log,auditlog,t:none,status:406,msg:'EOL Firefox',\
    msg:'https://imh-internal.atlassian.net/browse/T3O2-3624',id:'13731',\
    tag:'WEB_ATTACK/BRUTE FORCE',severity:'4'"
# both.conf
# shared and v/dedicated rules

# Holds rules to block malicious or otherwise un-wanted bots and to
# control bad behavior (e.g. Bingbot trying to log into WordPress)

# Limit GPTBot hits by user agent to one hit per 3 seconds
SecRule REQUEST_HEADERS:User-Agent "@pm GPTBot" \
    "id:13075,phase:2,nolog,pass,setuid:%{request_headers.host},setvar:user.ratelimit_gptbot=+1,expirevar:user.ratelimit_gptbot=3"
SecRule USER:RATELIMIT_GPTBOT "@gt 1" \
    "chain,id:13076,phase:2,deny,status:429,setenv:RATELIMITED_GPTBOT,log,msg:'RATELIMITED GPTBOT'"
    SecRule REQUEST_HEADERS:User-Agent "@pm GPTBot"
Header always set Retry-After "3" env=RATELIMITED_GPTBOT
ErrorDocument 429 "Too Many Requests"

# Limit ClaudeBot hits by user agent to one hit per 3 seconds
SecRule REQUEST_HEADERS:User-Agent "@pm ClaudeBot" \
    "id:13077,phase:2,nolog,pass,setuid:%{request_headers.host},setvar:user.ratelimit_claudebot=+1,expirevar:user.ratelimit_claudebot=3"
SecRule USER:RATELIMIT_CLAUDEBOT "@gt 1" \
    "chain,id:13078,phase:2,deny,status:429,setenv:RATELIMITED_CLAUDEBOT,log,msg:'RATELIMITED CLAUDEBOT'"
    SecRule REQUEST_HEADERS:User-Agent "@pm ClaudeBot"
Header always set Retry-After "3" env=RATELIMITED_CLAUDEBOT
ErrorDocument 429 "Too Many Requests"

# Limit Amazonbot hits by user agent to one hit per 3 seconds
SecRule REQUEST_HEADERS:User-Agent "@pm Amazonbot" \
    "id:13079,phase:2,nolog,pass,setuid:%{request_headers.host},setvar:user.ratelimit_amazonbot=+1,expirevar:user.ratelimit_amazonbot=3"
SecRule USER:RATELIMIT_AMAZONBOT "@gt 1" \
    "chain,id:13080,phase:2,deny,status:429,setenv:RATELIMITED_AMAZONBOT,log,msg:'RATELIMITED AMAZONBOT'"
    SecRule REQUEST_HEADERS:User-Agent "@pm Amazonbot"
Header always set Retry-After "3" env=RATELIMITED_AMAZONBOT
ErrorDocument 429 "Too Many Requests"