Good Configuration For Your Mod_Security
Mar 18, 2008
What's a good configuration to use for your mod_security installed within WHM?
It has a default one that you can use, but I was just wondering if there is something you should maybe take out of it or add... etc.
Jul 24, 2009
I installed Mod_Security on my CentOS server today and am having some problems configuring it.
Problem -
I have added this module in 'httpd.conf' file
Code:
<IfModule mod_security.c>
SecFilterEngine On
SecServerSignature "Apache"
SecFilterCheckUnicodeEncoding Off
SecAuditEngine RelevantOnly
SecAuditLog logs/audit_log
SecFilterScanPOST On
SecFilterDefaultAction "deny,log,status:403"
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"
SecFilterSelective HTTP_Transfer-Encoding "!^$"
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
SecFilter "\.\./"
SecFilter "viewtopic\.php\?" chain
SecFilter "chr\(([0-9]{1,3})\)" "deny,log"
SecFilterSelective THE_REQUEST "wget "
SecFilterSelective THE_REQUEST "lynx "
SecFilterSelective THE_REQUEST "scp "
SecFilterSelective THE_REQUEST "ftp "
SecFilterSelective THE_REQUEST "cvs "
SecFilterSelective THE_REQUEST "rcp "
SecFilterSelective THE_REQUEST "curl "
SecFilterSelective THE_REQUEST "telnet "
SecFilterSelective THE_REQUEST "ssh "
SecFilterSelective THE_REQUEST "echo "
SecFilterSelective THE_REQUEST "links -dump "
SecFilterSelective THE_REQUEST "links -dump-charset "
SecFilterSelective THE_REQUEST "links -dump-width "
SecFilterSelective THE_REQUEST "links http:// "
SecFilterSelective THE_REQUEST "links ftp:// "
SecFilterSelective THE_REQUEST "links -source "
SecFilterSelective THE_REQUEST "mkdir "
SecFilterSelective THE_REQUEST "cd /tmp "
SecFilterSelective THE_REQUEST "cd /var/tmp "
SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy "
SecFilterSelective THE_REQUEST "/config.php?v=1&DIR "
SecFilterSelective THE_REQUEST "/../../ "
SecFilterSelective THE_REQUEST "&highlight=%2527%252E "
SecFilterSelective THE_REQUEST "changedir=%2Ftmp%2F.php "
# Very crude filters to prevent SQL injection attacks
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"
# Weaker XSS protection but allows common HTML tags
SecFilter "<[[:space:]]*script"
# Prevent XSS atacks (HTML/Javascript injection)
SecFilter "<(.|\n)+>"
</IfModule>
But my website is a multi-forum hosting site and requires the 'index.php' file to pass parameters to make it work.
Example -
[url]
[url]
[url]
So I had to delete the code mentioned below from the above module.
Code:
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"
SecFilterSelective HTTP_Transfer-Encoding "!^$"
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
SecFilter "\.\./"
May 6, 2008
I'd like to start an ongoing thread here listing the 'Good Hosters with Good TELEPHONE tech support'. In other words, out of the 1,000s of host companies, this may cut it down to less than a dozen.
( And for all you Hosters out there who really want your company to grow, and want to know how, - it's easy: just read here.)
Good telephone support is the #1 ultimate requirement, because:
-It's a lot faster and easier for both the user and the host company, because you can state and answer all questions and clarifications on the spot, you don't need to continually pass new emails with new questions and clarifications, back and forth for days on end, until the issue is solved. It saves tech time and user's time. And saves a lot of nerves.
- It's the best way to sort the good guys from the bad. A bad company isn't going to bother to answer the phone, - or will make you wait way too long, - because they are likely getting endless complaints. The good guys are always ready to answer the phones, with a friendly voice, - because they really WANT to please the customer.
- If a company can't be bothered to pick up the phone, we can't be bothered to even consider them. They're a joke, and so won't be listed here on this thread. (So, before adding or listing any Hosters here, please verify that they do have Good, quick, friendly, telephone support; ideally 24/7, but 9am to 10pm might be acceptable, if it was supplemented by some emergency contact.)
AND:
- Hoster ALSO needs good EMAIL support (and preferably, Chat online, extended hour availability). (I spend a lot of time overseas). It seems all emails should get a non-automated response within about an hour, - and then support should jump on fixing any problem.
I only need support a few times a year. To answer some questions, or fix a problem, or do an install. That's less than 1 hour total, so any company paying maybe $18/hour for tech support should be able to handle this. It IS reasonable to charge a customer for extended calls, beyond say, 90 minutes a year, IF you don't count the 80%? of times an issue is the Hoster's fault or something gone wrong, and don't count the 'hold' times.
ALSO IMPORTANT:
- Uptime
- site Speeds
- Monthly plans, no contract (Only a dishonest host will try to force you into a contract, where they can then ignore you.)
- Reasonable price. (? Maybe $12 to $18/month for a basic business site. We don't need massive bandwidths, - we all know that's an overselling scam, and can't ever be delivered.)
- a good upgrade plan of bigger options. Maybe even VPS.
- Dedicated IP, and availability of SSL
-PHP 5, mysql, phpMyAdmin, etc
- cPanel ( Some Hosts are using problematic panels, like Hsphere, which are slow to load, slow in operation, require many more clicks, have too many options, spread apart on many separate pages. Time is money, and this really slows down the ability of a small business to manage his own site in effective time. For example, one WHT user wrote somewhere: "I don't feel that HSphere's interface is nice at all, although I have worked with cPanel and DA all my life... I just found it to include un-necessary features or split features up in to different hard to find pages, such as backups - mysql backups you had to find on a completely different page than file backups, and then there were options to have it in the home directory or server-end backup, in which then you had to wait a good 10 minutes before it was ready. cPanel, just hit backup and hit download and instantly it does everything you need...".)
I have used several hosters. Currently on Aplus.net and Godad, which have phone support, and mediocre service.
My LIST So Far:
- Liquidweb: a very impressive company with good, 24 hour support. But to get dedicated IP, you need to go with their $25/month plan. Yikes!
- NewIdeaHosting.com. A very small company. My call was returned, and the owner chatted with me for an hour on the phone! Plans have small bandwidth, but promises No overselling, and personalized attention. Extra $5 for dedi IP. He specializes in Small business sites, and small eCommerce sites. He has only 250 accounts, on 3 servers. He rents servers from the Equinox data center of Chicago. Seems exceptionally honest.
- MegaHosters. Excellent phone support and WHT reviews. But company was taken over by another company, and so may well go downhill in future. Another problem: uses Hsphere.
- Steadfast. Has a good rep on WHT, and seems impressive. Tech answered the phone immediately, but they say they prefer emails. Sales phone has limited hours. Good price on $20 SSL. But, uses HSphere.
- JodoHost 24 hour phone. But, uses Hsphere. An Indian company with office in Florida, and good rep. I like the idea of outsourcing phone support, if it makes it more available and affordable. But, the accent on the phone was very hard for me to understand, so maybe this might not work.....
- Hostgator. Yes, it's a big overseller, but seems to get good reviews/results anyway, and good phone support.
- ? ThePrimeHost ?? Mostly good WHT reviews; some dissenters. Site says 24hour phone, but when I called on several nights, no one ever answered...
- Can anyone add to this list? Please list only hosts that meet the above minimum requirements of phone support, etc. Especially useful is hosters you've tried.
TO AVOID:
- Avoid Arvixe. I had a horrid experience with them, here: [WHT forum]:/showthread.php?p=5097822#post5097822
- Avoid WebHostingBuzz. This company never returned my phone message inquiries.
Apr 21, 2008
I have been using mod_security 1.9.x since its first release on apache 1.3 and apache 2.0.x; the rules are great and they work perfectly with no issues at all with any php-mysql website. Do you recommend using mod_security 2.0 or 2.5? (I do know that 2.5 does not work with apache 1.3).
Apr 19, 2008
using mod_security, but I believe that I have it installed correctly with some rules that should be generating entries in the security audit log. No matter what I do, I can't seem to get mod_security to generate any sort of log entries.
I am using version 2.1.7. I compiled it with no problems. In my httpd.conf file, I have the following relevant lines:
LoadFile /usr/lib/libxml2.so
LoadModule security2_module modules/mod_security2.so
Include conf/modsecurity/*.conf
I don't think there are any problems here, as I know it is running directives from the configuration file I edited. This is the file I'm working with:
modsecurity_crs_10_config.conf
Here are the relevant lines from the config file:
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 524288
SecDefaultAction "phase:2,auditlog,log,pass,status:500"
SecAuditEngine On
SecAuditLogType Serial
SecAuditLog logs/modsec_audit.log
SecAuditLogParts "ABIFHZ"
SecRequestBodyInMemoryLimit 131072
SecDebugLog logs/modsec_debug.log
SecDebugLogLevel 3
I know that the config file is being read because when I start apache, the log files (modsec_audit.log and modsec_debug.log) are created. The problem is that the files are empty and remain empty no matter what I do. I have even tried setting permissions on the files to 777.
Here are a couple of rules I created in an attempt to generate log entries:
SecRule REQUEST_BODY "viagra"
SecRule REMOTE_ADDR "^1.1.3.4$" auditlog,phase:1,allow
I put these in the same config file mentioned above. As far as I understand, the first rule should examine the request body (which would include data in POST requests) for the word, "viagra". Since my default action is phase:2,auditlog,log,pass,status:500, such requests should end up in the audit log. However, when I use a form on my site to post the word "viagra", nothing is generated in the log file.
The second rule, as far as I understand, should generate a log entry any time the IP address 1.2.3.4 is sent in the request headers. Instead of 1.2.3.4, of course, I have put in my real IP address. However, when I visit my server and browse pages, nothing is logged. I assume that my requests should generate log entries since I match the IP address.
Dec 1, 2007
I am currently running a few small websites that use a CMS. Two are Dragonfly and one is Joomla.
I am getting sporadic errors with both systems that, upon research, seem to be related to Apache and the mod_security module. I am getting the following error:
Code:
Not Acceptable
An appropriate representation of the requested resource /somefolder/index.php could not be found on this server.
Well, I'm no idiot (although some people may tend to disagree) and after some searching, I found that this most likely points to an Apache error. Most solutions suggest to put the following in my .htaccess file for the site:
Code:
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
It was noted that "SecFilterScanPOST Off" may or may not be necessary. I have added the above to the .htaccess for each site (all 3 sites are subdomains) and have also added it to the .htaccess that is in the root folder for the site. Nothing has worked.
So my question is, is it possible that my webhost can override my .htaccess settings with their own? This is the only explanation that I can think of. But of course, I am no expert, which is why I turn to you good folks for help once again.
Jul 27, 2008
I want to add some more rules to mod_security, however I am unsure if some of them are already being used.
So would it cause any problems if there are duplicate rules for the time being till I can check through all the rules?
Jul 23, 2007
I am having lots of problems installing mod_security on RH5 64 w/ Plesk.
mainly related to apr0, subversion, and the headers.
Any reason why everyone recommends to use version 1.94 of mod_security rather than the latest version available on www.modsecurity.org?
Oct 2, 2007
I've got this:
mod_security: Access denied with code 406. Error normalising REQUEST_URI: Invalid URL encoding detected: invalid characters used [hostname "www.mydomain.com"] [uri "/search/include/js_suggest/suggest.php?type=query&q=%u062E%u0636%u0631%u0627"]
How do I disable/exclude this URI on the mentioned host from being caught by mod_security?
Mar 29, 2007
how many people are actually using mod_security 2 instead of 1?
And why did you choose the version you did?
Jun 5, 2007
I installed modsecurity from the Addon module in cPanel.
When I try it, phpshell works fine without any errors and I can do anything despite the presence of modsecurity protection and disable_functions in php.ini.
Is there a particular setting to add to httpd.conf to prevent the phpshell application, or prevent uploading it to the site?
May 11, 2009
I tried using mod_security and mod_filter together. However, when I try to filter js files, I noticed that certain pages stop working, especially those using ajax.
May 25, 2009
Is it possible to disable a particular mod_security rule for a particular directory, or are the rules global?
Aug 15, 2008
I just installed mod_security via WHM, and want to know what rule I should enter to prevent some URLs from being opened.
For example, if URL contains word "abc" (like domain.com/some_folder/abc/file.php), it should not be opened.
May 20, 2009
I have installed a new server with debian lenny 5, ISPConfig 3.0.1.1 and the newest mod_security and implemented the default rules.
I deactivated the rule detecting IP in page headers.
Then I got another problem. Some actions of ISPConfig are detected as "remote file access attempt", severity "critical", tag "web attack/file injection" data "/etc/"
detected by rule file crs_40 line 114, id 950005
Question: how do I authorize ISPConfig and only ISPConfig to perform such requests on the server?
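Rules in ModSecurity 2.x are global by default, and the per-directory scope asked about in the May 25 post, the "block a path containing abc" rule asked about in the Aug 15 post, and the ISPConfig exemption from rule 950005 asked about in the May 20 post all come from Apache's own containers. The snippet below is a constructed example added here, not code from any of the posts; the /ispconfig/ and /legacy-app/ paths and rule id 900001 are assumptions.

```apache
# Constructed example, not from the thread. Assumes ModSecurity 2.x and that
# the Core Rule Set files (crs_40 etc.) are Included before this block,
# because SecRuleRemoveById can only remove rules that are already defined.
<IfModule security2_module>

    # Global rule: refuse any request whose path contains "/abc/"
    # (the domain.com/some_folder/abc/file.php case). REQUEST_FILENAME is
    # the path without the query string, so "?x=abc" is not affected.
    # Rule id 900001 is an assumed, unused id.
    SecRule REQUEST_FILENAME "@contains /abc/" \
        "id:900001,phase:1,t:none,t:lowercase,deny,status:403,log,msg:'path contains blocked directory abc'"

    # Per-directory exception: drop the CRS remote-file-access rule
    # (id 950005) only under the assumed ISPConfig path, so it stays
    # active for every other virtual host and directory on the server.
    <LocationMatch "^/ispconfig/">
        SecRuleRemoveById 950005
    </LocationMatch>

    # Coarser option: switch the engine off for one path. This also stops
    # audit logging there, so prefer removing single rule ids where you can.
    <Location "/legacy-app/">
        SecRuleEngine Off
    </Location>

</IfModule>
```

Check the audit log after restarting Apache: a request under /ispconfig/ should no longer produce a 950005 entry, while the same request elsewhere still does.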
Jun 4, 2008
how to set the rules of MOD_Security.
Another question for professionals:
Q: What are the best rules to secure my server? I'd appreciate if you managed to attach these rules to your replies. // FYI, I host VBulletin portals.
Dec 24, 2008
Trying to use an RBL with ModSecurity but this matches everything whether listed or not.
SecRule REMOTE_ADDR "@rbl bb.barracudacentral.org" "log,deny,msg:'POST RBL Comment Spammer'"
What I would like to do is do an RBL lookup on any POST operations.
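The Dec 24 post wants the RBL lookup restricted to POST requests. A constructed example added here (not the poster's configuration) using a ModSecurity 2.x rule chain, with rule id 900010 assumed:

```apache
# Constructed example, not from the thread. Assumes ModSecurity 2.5 syntax;
# rule id 900010 is an assumed, unused id.
<IfModule security2_module>

    # Chain: the first rule limits the check to POST requests and carries all
    # the actions; the second rule performs the DNS lookup. Both variables
    # exist in phase 1, so the lookup runs before the request body is read
    # and a listed client never gets its POST body processed.
    SecRule REQUEST_METHOD "@streq POST" \
        "id:900010,phase:1,t:none,chain,deny,status:403,log,msg:'POST RBL Comment Spammer'"
        SecRule REMOTE_ADDR "@rbl bb.barracudacentral.org"

    # Caveats: every POST now costs a DNS query, and an RBL zone that answers
    # every query (wildcard or lapsed zone, or one that rejects unregistered
    # resolvers) will match every address. Query the zone for a known-clean
    # address with dig/host and confirm NXDOMAIN before switching from
    # "pass" to "deny".
</IfModule>
```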
Feb 25, 2008
make these rules work on apache 2 mod_security 2?
Dec 17, 2008
Any good secure rules for mod_security 2 that work well for shared servers?
Can someone share what rules you are using to secure your shared servers. Have tried a few different sets of rules, but a few customers always end up with errors and disabling it for their domain name doesn't sound like a safer option for them or the server.
Share your mod_sec 2 rules.
May 7, 2008
How can I disable some words in the content of the page with Mod_Security2?
Jun 29, 2008
I've been having the hardest time getting mod_security on my new CentOS 5.2 64-bit box.
Everything is a straight, simple, standard install - nothing special or custom. Plesk and all the apps that come with it installed fine, everything was going great. Then I tried to compile mod_sec, and things have been nothing but problems. I think I've finally sorted out the problems with the compiler, but now I get this error:
/usr/bin/ld: warning: i386 architecture of input file `.libs/msc_lua.o' is incompatible with i386:x86-64 output
Repeated, for every file it tries to link.
Jun 17, 2008
I installed new cPanel server and enabled modsecurity inside
WHM > Manage Plugins > modsecurity
When I create a phpinfo() file, it doesn't show up. Is there any configuration that I should do? How about adding the rules?
Feb 16, 2008
Anyone care to share a good set of mod_security SecFilters?
Trying to find a good set that will be good at preventing exploits, but not too restrictive that it starts interfering with everyday operations.
Dec 14, 2008
I have searched this forum and Google, but none of them helped me install it.
I have CentOS with DirectAdmin.
First I log in via SSH to my server
~
then I wget the latest version and untar it in ~, go to the modsecurity-apache_2.5.7 folder and then apache2/
and run:
./configure
make
make install
and configure httpd.conf
That's it.
Is this right or not, and how can I test whether it works fine or not?
Jan 16, 2008
I have been trying to install mod_security for the last few days and I can't seem to get it working. I'm with Rockmyweb hosting and for some reason although I have it listed in the httpd.conf, it is showing up in my vps control panel (under the security script) that it isn't installed.
Is there some way that I can test to see if it is actually installed or not?
Here is what is in my httpd.conf:
LoadFile /usr/lib64/libxml2.so
LoadModule security2_module /usr/lib/apache/mod_security2.so
<IfModule mod_security2.c>
Include conf/modsec/*.conf
</IfModule>
May 10, 2008
Is there any difference with the old one?
I have a customized modsecurity.conf file in my old Apache 1.3 server. Is it ok to copy it to new modsec2.conf?
Jul 5, 2008
Mod_security is screwing up GD and such; how do I fix it?
Dec 22, 2007
Anyone here have problems with Mod_Security and VBulletin? Currently running Apache 1.3.x and Vbulletin 3.6.8 patch 2 and want to install Mod_Security on Apache, so I want to know if there is any conflict between Mod_Security and Vbulletin.
Jan 31, 2007
trying to get mod_security installed on my HSphere server; the install goes OK until I try to load rules.
If I just load the exclude.conf rules then PHP sites work; if I also load rules.conf or any other rules then my PHP sites get a 'connection refused' error.
I cannot find anything in the logs and there is no log written for mod_security.
Here is my modsecurity.conf
Quote:
bash-2.05b# cat /etc/modsecurity.conf
<IfModule mod_security.c>
# Only inspect dynamic requests
# (YOU MUST TEST TO MAKE SURE IT WORKS AS EXPECTED)
#SecFilterEngine DynamicOnly
SecFilterEngine On
# Reject requests with status 500
SecFilterDefaultAction "deny,log,status:500"
# Some sane defaults
SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilterCheckCookieFormat On
SecFilterCheckUnicodeEncoding Off
SecFilterNormalizeCookies On
# enable version 1 (RFC 2965) cookies
SecFilterCookieFormat 1
SecServerResponseToken Off
#If you want to scan the output, uncomment these
#SecFilterScanOutput On
#SecFilterOutputMimeTypes "(null) text/html text/plain"
# Accept almost all byte values
SecFilterForceByteRange 1 255
# Server masking is optional
#fake server banner - NOYB used - no one needs to know what we are using
SecServerSignature "NOYB"
#SecUploadDir /tmp
#SecUploadKeepFiles Off
# Only record the interesting stuff
SecAuditEngine RelevantOnly
SecAuditLog /var/log/audit_log
# You normally won't need debug logging
SecFilterDebugLevel 0
SecFilterDebugLog logs/modsec_debug_log
#And now, the rules
#Remove any of these Include lines you do not use or have rules for.
#First, add in your exclusion rules:
#These MUST come first!
Include /etc/modsecurity/exclude.conf
#Application protection rules
#Include /etc/modsecurity/rules.conf
#Comment spam rules
#Include /etc/modsecurity/blacklist.conf
#Bad hosts, bad proxies and other bad players
##Include /etc/modsecurity/blacklist2.conf
#Bad clients, known bogus useragents and other signs of malware
##Include /etc/modsecurity/useragents.conf
#Known bad software, rootkits and other malware
##Include /etc/modsecurity/rootkits.conf
#Signatures to prevent proxying through your server
#only rule these rules if your server is NOT a proxy
##Include /etc/modsecurity/proxy.conf
#Just in Time Patching for Vulnerable Applications
##Include /etc/modsecurity/jitp.conf
#Google Hacks signatures
##Include /etc/modsecurity/recons.conf
#Include /etc/modsecurity/
</IfModule>
Jun 25, 2007
if anyone with Mod_Security knowledge could write up a rule for *@mail.ru.
Anyone running a forum knows that a ton of spam accounts come from somebody@mail.ru (which most of the times bounces).
Also, does anyone know if there is a large number of people who use mail.ru addresses for legitimate purposes? Would blocking mail.ru be like blocking hotmail.com (which obviously I wouldn't do)
Jul 9, 2007
in which case a hacker will know how to get around it, I'm just asking if someone here with a good quality and current ruleset could PM it to me. I want to compare it to my own ruleset and see what I can add to it.
I've just had an annoying exploit recently and I am looking to try to improve my mod_security ruleset,