Using mod_security to stop Cyveillance

Let me start off by saying that I don’t condone making copyrighted material available to other users on the Internet. If you do that, you deserve all you get.

BUT there are some things that are worse than copyright infringement, and one of them is someone attempting to break into your web server by requesting guessed URLs in an effort to reach parts of your website that you don't publish, or even trying to get at the underlying disks that host your website.

Cyveillance is a company that tries to exploit random URLs and possible web server misconfigurations to monitor your site.

It's all pretty dodgy, and they will start spouting that they are only trying to protect their clients' intellectual property, but ironically they are breaking the law by trying to hack into your web server at the same time.

So, how can we take the initiative?

There is this really good Apache module called mod_security2, and it allows you to control who can do what against your server. Sounds pretty good, but how can we use mod_security to control Cyveillance? Well, read on.

It's very easy to configure mod_security2. We will show one configuration that works; there are probably others, so feel free to use this config or post your own below.

If I’ve missed IP addresses that these people use please also let me know.

<IfModule mod_security2.c>
SecRuleEngine On

# Cyveillance – start
# REMOTE_ADDR is compared with a regular expression, so the dots must be
# escaped: an unescaped "." also matches "63x148x99x". Each rule needs a
# unique id (mandatory from mod_security 2.7 on; 1-99999 is the range set
# aside for local rules) and runs in phase 1 so the redirect is issued
# before the request body is read.
SecRule REMOTE_ADDR "^63\.148\.99\." "id:1001,phase:1,log,redirect:http://www.google.com"
SecRule REMOTE_ADDR "^65\.118\.41\." "id:1002,phase:1,log,redirect:http://www.google.com"
SecRule REMOTE_ADDR "^38\.118\.25\." "id:1003,phase:1,log,redirect:http://www.google.com"
SecRule REMOTE_ADDR "^38\.118\.42\." "id:1004,phase:1,log,redirect:http://www.google.com"
SecRule REMOTE_ADDR "^216\.32\.64\." "id:1005,phase:1,log,redirect:http://www.google.com"
SecRule REMOTE_ADDR "^38\.112\.21\." "id:1006,phase:1,log,redirect:http://www.google.com"
SecRule REMOTE_ADDR "^207\.87\.178\." "id:1007,phase:1,log,redirect:http://www.google.com"
SecRule REMOTE_ADDR "^65\.222\.185\." "id:1008,phase:1,log,redirect:http://www.google.com"
SecRule REMOTE_ADDR "^65\.222\.176\." "id:1009,phase:1,log,redirect:http://www.google.com"
SecRule REMOTE_ADDR "^63\.100\.163\." "id:1010,phase:1,log,redirect:http://www.google.com"
SecRule REMOTE_ADDR "^151\.173\.221\." "id:1011,phase:1,log,redirect:http://www.google.com"
SecRule REMOTE_ADDR "^68\.48\.24\." "id:1012,phase:1,log,redirect:http://www.google.com"
SecRule REMOTE_ADDR "^4\.35\.201\." "id:1013,phase:1,log,redirect:http://www.google.com"
SecRule REMOTE_ADDR "^38\.100\.41\." "id:1014,phase:1,log,redirect:http://www.google.com"
# Cyveillance – stop

SecRequestBodyAccess On
SecResponseBodyAccess On

# Level 0 writes nothing to the debug log; raise it to get rule-processing detail.
SecDebugLog /logs/security_debug_log
SecDebugLogLevel 0

# Audit only transactions that matched a rule with "log" or returned 4xx/5xx.
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus ^[45]
SecAuditLogParts ABIFHZ
SecAuditLogType serial
SecAuditLog /logs/security_audit_log

SecRequestBodyLimit 131072
SecRequestBodyInMemoryLimit 131072
SecResponseBodyLimit 524288

</IfModule>

Essentially, this config snippet tells mod_security2 that each time a request arrives from a Cyveillance IP address (matched against REMOTE_ADDR) it should just shunt the client off to good old Google. Ironically, Google is probably where they got your website from in the first place.

By monitoring your /logs/security_debug_log and /logs/security_audit_log log files you can see how often they try to break into your website. It'll be an interesting read.
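To make that read less tedious, here is an added example (my own code, not part of the original post or of mod_security) that parses the serial audit log written by the config above and tallies, per source address, how many logged transactions fall inside the listed Cyveillance /24 ranges and which paths were requested. It matches addresses with the ipaddress module rather than a regex, which avoids the unescaped-dot pitfall of `^63.148.99.` altogether. The function names and the sample log are mine; the log text is constructed to follow mod_security2's serial format (parts A, B, F, H, Z) and is not a real capture.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# The /24 ranges from the mod_security rules, expressed as networks so that
# matching is exact (a regex with unescaped dots is not).
CYVEILLANCE_NETS = [ipaddress.ip_network(n) for n in (
    "63.148.99.0/24", "65.118.41.0/24", "38.118.25.0/24", "38.118.42.0/24",
    "216.32.64.0/24", "38.112.21.0/24", "207.87.178.0/24", "65.222.185.0/24",
    "65.222.176.0/24", "63.100.163.0/24", "151.173.221.0/24", "68.48.24.0/24",
    "4.35.201.0/24", "38.100.41.0/24",
)]

# Serial audit log: every transaction is a run of parts delimited by
# "--<boundary>-<letter>--" lines; part Z closes the transaction.
BOUNDARY_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")
# Part A: [timestamp] unique_id source_ip source_port dest_ip dest_port
PART_A_RE = re.compile(r"^\[([^\]]+)\] (\S+) (\S+) (\d+) (\S+) (\d+)$")

# Constructed sample: two guessed-URL requests from one listed range, one from
# another, and an ordinary visitor whose 404 is logged by the [45] status rule.
SAMPLE_AUDIT_LOG = """\
--3f1c2a9b-A--
[12/Mar/2024:09:15:02 +0000] ZfAb1x9cAAAEAAB 63.148.99.17 41822 192.0.2.10 80
--3f1c2a9b-B--
GET /private/ HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/4.0 (compatible)

--3f1c2a9b-F--
HTTP/1.1 302 Found
Location: http://www.google.com

--3f1c2a9b-H--
Message: Access denied with redirection to http://www.google.com using status 302 (phase 1). Pattern match at REMOTE_ADDR.
Action: Intercepted (phase 1)

--3f1c2a9b-Z--
--3f1c2a9c-A--
[12/Mar/2024:09:15:03 +0000] ZfAb1x9cAAAEAAC 63.148.99.17 41823 192.0.2.10 80
--3f1c2a9c-B--
GET /backup/ HTTP/1.1
Host: www.example.com

--3f1c2a9c-H--
Message: Access denied with redirection to http://www.google.com using status 302 (phase 1). Pattern match at REMOTE_ADDR.

--3f1c2a9c-Z--
--3f1c2a9d-A--
[12/Mar/2024:09:16:40 +0000] ZfAb1x9cAAAEAAD 38.100.41.200 50211 192.0.2.10 80
--3f1c2a9d-B--
GET /admin/ HTTP/1.1
Host: www.example.com

--3f1c2a9d-H--
Message: Access denied with redirection to http://www.google.com using status 302 (phase 1). Pattern match at REMOTE_ADDR.

--3f1c2a9d-Z--
--3f1c2a9e-A--
[12/Mar/2024:09:17:11 +0000] ZfAb1x9cAAAEAAE 198.51.100.7 60001 192.0.2.10 80
--3f1c2a9e-B--
GET /favicon.ico HTTP/1.1
Host: www.example.com

--3f1c2a9e-F--
HTTP/1.1 404 Not Found

--3f1c2a9e-Z--
"""


def is_cyveillance(ip: str) -> bool:
    """True if ip falls inside one of the listed /24 networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CYVEILLANCE_NETS)


def _build_transaction(parts):
    a = PART_A_RE.match(parts["A"][0]) if parts["A"] else None
    return {
        "timestamp": a.group(1) if a else None,
        "source_ip": a.group(3) if a else None,
        "request": parts["B"][0] if parts["B"] else "",
        "messages": [l[len("Message: "):] for l in parts["H"] if l.startswith("Message: ")],
    }


def parse_audit_log(text: str):
    """Yield one dict per transaction: timestamp, source IP, request line, rule messages."""
    parts, current = defaultdict(list), None
    for line in text.splitlines():
        m = BOUNDARY_RE.match(line)
        if m:
            if m.group(2) == "Z":          # end of transaction
                yield _build_transaction(parts)
                parts, current = defaultdict(list), None
            else:
                current = m.group(2)
        elif current is not None:
            parts[current].append(line)


def summarize(text: str):
    """Count transactions per listed source IP (with requested paths) and per other IP."""
    hits, paths, others = Counter(), defaultdict(list), Counter()
    for tx in parse_audit_log(text):
        ip = tx["source_ip"]
        if ip and is_cyveillance(ip):
            hits[ip] += 1
            words = tx["request"].split(" ")
            paths[ip].append(words[1] if len(words) > 1 else tx["request"])
        else:
            others[ip] += 1
    return hits, paths, others


if __name__ == "__main__":
    hits, paths, others = summarize(SAMPLE_AUDIT_LOG)
    for ip, n in hits.most_common():
        print(f"{ip}: {n} request(s) -> {paths[ip]}")
    print(f"other logged sources: {dict(others)}")
```

On a live server, replace SAMPLE_AUDIT_LOG with the contents of /logs/security_audit_log; because the config keeps SecAuditLogType serial, the whole file is one stream of transactions and this parser reads it as-is.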

This is just one use of mod_security2. If you use CMSs like Mambo or Joomla! you will almost certainly see many cross-site scripting exploits hitting your web server. A simple set of mod_security rules will kill off the exploits once and for all.