Mod_security 2 Rules
May 10, 2008
Is there any difference with the old one?
I have a customized modsecurity.conf file in my old Apache 1.3 server. Is it ok to copy it to new modsec2.conf?
Is it possible to disable a particular mod_security rule for particular directory or the rules are global?
I just installed mod_security via WHM, and want to know what rule I should enter to prevent some URLs from being opened.
For example, if URL contains word "abc" (like domain.com/some_folder/abc/file.php), it should not be opened.
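One way to write that rule in ModSecurity 2 syntax, added here as an example rather than anything from the original post. The rule ids, the "/abc/" segment and the sample path are assumptions; use one of the two rules, not both, since the regex form already covers the first.

```apache
# Refuse any request whose path contains the directory segment "/abc/".
# REQUEST_FILENAME is the path without the query string; phase:1 evaluates it
# as soon as the request headers arrive. t:none clears inherited
# transformations, t:urlDecodeUni and t:lowercase keep %61bc or /ABC/ from
# slipping past a plain string compare. The id is an assumed placeholder.
SecRule REQUEST_FILENAME "@contains /abc/" \
    "id:900101,phase:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,log,msg:'Blocked path segment abc'"

# Regex variant when the word may appear anywhere in the path, not only as a
# whole directory name (for example /some_folder/abc_old/file.php).
SecRule REQUEST_FILENAME "@rx abc" \
    "id:900102,phase:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,log,msg:'Blocked path containing abc'"
```

Because the rules deny in phase 1, the request body is never read and the script is never executed; the match is recorded in the audit log with the msg text, which is what you want to grep for when checking that the rule actually fires.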
How to set the rules of mod_security.
Another question for professionals:
Q: What are the best rules to secure my server? I'd appreciate if you managed to attach these rules to your replies. // FYI, I host VBulletin portals.
Make these rules work on Apache 2 mod_security 2?
Any good secure rules for mod_security 2 that work well for shared servers?
Can someone share what rules you are using to secure your shared servers. Have tried a few different sets of rules, but a few customers always end up with errors and disabling it for their domain name doesn't sound like a safer option for them or the server.
Share your mod_sec 2 rules.
We were recently hacked on our dedicated server and the hacker managed to insert PHP files that generated thousands of doorway pages in one of our images folders on our site. We have done an extensive cleanup of our site, removing all malicious files, and are locking down the server. We have already updated to the latest versions of PHP and WordPress, not to mention changed all database passwords and the admin password. My question is about mod_security for Apache.
We were told Mod_security can prevent this from happening again but it must be configured correctly. 
We have already set rules for mod_security. The rules set up are in the files in the directory, /etc/httpd/modsecurity.d/modsec. We were told that the file 10_asl_rules.conf specifically has filters to prevent SQL injection attacks.
These are our current rules:
----------------------------------------------------------------------
/etc/httpd/modsecurity.d/modsec
# ls
05_asl_exclude.conf      30_asl_antispam.conf           domain-blacklist-local.txt   malware-blacklist.txt
05_asl_scanner.conf      30_asl_antispam_referrer.conf  domain-blacklist.txt         sql.txt
10_asl_antimalware.conf  40_asl_apache2-rules.conf      domain-spam-whitelist.conf   trusted-domains.conf
10_asl_rules.conf        50_asl_rootkits.conf           domain-spam-whitelist.txt    trusted-domains.txt
11_asl_data_loss.conf    60_asl_recons.conf             malware-blacklist-high.txt   whitelist.txt
20_asl_useragents.conf   99_asl_exclude.conf            malware-blacklist-local.txt
30_asl_antimalware.conf  99_asl_jitp.conf               malware-blacklist-low.txt
-----------------------------------------------------------------
I can do to prevent this or tune up apache mod_security from letting this happen again. We are so paranoid that we are now checking our access log files for POST commands every day?
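The usual hardening for the scenario described above, added here as an example (it is not from the original post and not part of the ASL rule set listed): make the upload directory unable to execute PHP at all, and have mod_security refuse requests for script files under it. The directory path, the vhost layout and the rule id are assumptions; adjust them to the real site.

```apache
# Assumed document root for the site; adjust to the real path.
<Directory "/home/example/public_html/images">
    # mod_php: switch the PHP engine off for everything under images/.
    # php_admin_flag cannot be overridden from a dropped-in .htaccess.
    <IfModule mod_php5.c>
        php_admin_flag engine off
    </IfModule>
    # Belt and braces: refuse to serve script files here at all, which also
    # covers PHP run through a different handler (CGI/FastCGI/suPHP).
    <FilesMatch "\.(php[3-5]?|phtml|pl|py|cgi|sh)$">
        Order allow,deny
        Deny from all
    </FilesMatch>
    # No .htaccess overrides here, so an attacker-written .htaccess cannot
    # re-enable a handler (AddType/SetHandler) for this directory.
    AllowOverride None
</Directory>

# mod_security 2 rule: log and block any request for a script path under
# /images/, so a dropped file is also caught at the request stage.
# The rule id is an assumed placeholder; keep ids unique across rule files.
SecRule REQUEST_FILENAME "@rx (?i)^/images/.*\.(?:php[3-5]?|phtml|cgi|pl)$" \
    "id:900201,phase:1,t:none,t:urlDecodeUni,t:normalisePath,deny,status:403,log,msg:'Script requested from upload directory'"
```

The directory block is the part that actually stops a re-infection from running code; the mod_security rule mostly buys you an audit-log entry the moment somebody tries to reach a planted file, which is a more useful daily check than reading raw POST lines out of the access log.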
I'm using a VPS with CentOS 5 and cPanel/WHM with Apache 2.2.
I'm trying to figure out how to use the gotroot rules with mod_security. I had enabled mod_security with EasyApache. I tried to follow some other posts I had found around on other forums with no luck really; with that said, I am a Linux noob. I had tried to follow the wiki on atomic sites <-- not enough posts so I can't do links, sorry, but I found it hard to understand because I don't have a modsecurity.config file that I can find, also I can't find AddModule mod_security.c in my httpd.config, but I did find this line, Include "/usr/local/apache/conf/modsec2.conf". My thing is I'm looking for a complete noob guide on how to use gotroot rules with mod_security enabled through EasyApache, or would it be easier to manually install mod_security?
I have ModSecurity 2.5.9 and I am using the default rules from cPanel. When I try to update the rules along with the default rules given by cPanel, I get an internal server error (500 error).
The rules I tried to implement are from
Quote:
[url]
How can I update mod_security rules in Cpanel/WHM server from gotroot.com?
I doubt anyone is writing their own rules so what do you think is the best site for mod_security rules which are strong but also do not result in many false positives.
I know that [url] posts rules, but is there anyone else worth mentioning?
I want to prevent c99shell scripts from running.
 
I found this rule to detect URIs for the c99 shell.
Code:
#new kit
SecFilterSelective REQUEST_URI "/c99shell.txt"
SecFilterSelective REQUEST_URI "/c99.txt?"
My problem is that the hackers are being more stealthy and calling the script some random name like .../myphpstuff.php. So the URI no longer helps detect it.
 
How could I detect "c99shell" in the actual file that Apache serves? This assumes that the hacker was successful in installing it.
 
My box:
 
Apache 1.3.37
WHM 11.2.0 cPanel 11.11.0-R16983
FEDORA 5 i686 - WHM X v3.1.0
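Since the file name no longer identifies the shell, a defender can inspect what Apache sends back instead: the c99 shell prints its own name in the HTML it generates. The following is an added example of output filtering, not from the original post. It gives the 1.x syntax that the poster's Apache 1.3 build would use and the equivalent for ModSecurity 2, both keyed on the same marker string; the rule id is an assumed placeholder.

```apache
<IfModule mod_security.c>
    # mod_security 1.x (Apache 1.3): enable output scanning and reject any
    # HTML or plain-text response carrying the shell's banner string.
    SecFilterScanOutput On
    SecFilterOutputMimeTypes "(null) text/html text/plain"
    SecFilterSelective OUTPUT "c99shell" "deny,status:403,log"
</IfModule>

<IfModule mod_security2.c>
    # ModSecurity 2: response-body inspection is phase 4 and only happens
    # when body access is on and the MIME type is in the buffered list.
    SecResponseBodyAccess On
    SecResponseBodyMimeType text/html text/plain
    SecResponseBodyLimit 524288
    SecRule RESPONSE_BODY "@contains c99shell" \
        "id:900301,phase:4,t:none,t:lowercase,deny,status:403,log,msg:'Web shell banner in response body'"
</IfModule>
```

Two caveats a practitioner should keep in mind: buffering every HTML response costs memory and CPU, so the body limit matters on a busy box, and a phase 4 match means the script has already executed by the time the response is withheld. This rule detects that a shell is installed and stops its output reaching the attacker; it is not a substitute for preventing the upload in the first place.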
I'm the main author of a control panel, and we are working toward security enforcement. So we are looking at what kinds of rules we can add in mod_security.
The issue is that our control panel is open source, and that, even if I have found some nice mod_security rule sets on the internet (for example at gotroot.com), I need to get some that are FREE (as in freedom), and that I can include in our project.
What I am looking for is application specific rules (like the ones preventing phpBB highlight insertions, for example), so having someone using an old version of a given software on his hosting space is not an issue anymore.
I just wanted to confirm if you guys had the same problem. It seems that mod_security with gotroot rules for apache 1.3 is filtering out firefox. Everything works fine with IE. With the latest firefox I get this for any page requested:
mod_security-message: Access denied with code 500. Pattern match "^GET (http|https|ftp):/" at THE_REQUEST [severity "EMERGENCY"]
I signed up with Lunarpages a while back for a dedicated server for my business. Good price, managed hosting rocks, decent disk space... little problem once with a huge power outage, but **** happens, cool.
All is well until I wake up this morning to an email a minute about a failed cron job. It smells fishy, so I contact Lunarpages support to see what's up.
They inform me that some asswad had managed to brute force into my server using a temporary account I set up a while back for some tech support. (I prefaced this with 'I'm an idiot', so now you know why.)
Either way, my server now has a rootkit, plus other **** I'm sure I'm not aware of... so they propose to move me to a brand new fresh box. I'm thinking they are gonna charge me a fee for this, a fee for that... no way. All is free of charge.
I'm ****ting kittens now.
So I'm setting everything up again, and I manage to lock myself out of my database... (I told you I was an idiot... and this was a looooong day already.)
They fix it. Again. No problem...
If you are looking for a dedicated server, go to Lunarpages. Otherwise you are a freaking idiot as far as I am concerned...
Lunarpages, I love you, I want your babies...
PS: I am in no way affiliated with Lunarpages... however, if they want to give me a free year on their servers, I wouldn't complain... *hint hint*
One of my low-knowledge areas is iptables rules; I just normally use APF/CSF.
However on a VPS Host node, I basically want to block all access to a certain port let's say 1234 apart from a certain IP address.
However I don't want to block this port on any of the VPS's on the Node, so what Iptable Rule(s) would I need to put into a bash script on startup.
I want to block icmp6 and traceroute on my IPv6 server; how can I do it?
I have a Windows 2003 server.
IIS 6.
PHP 5.x
MySQL 5.0
How do I create rules so that an IP doing 5 hits/s is blacklisted and auto-banned with IPSec?
When I test by attacking a .php file:
Test info:
Using a test attack file.
Attack file test.php (file contents: <?php echo "we are test" ; ?>)
Ex: attack file test.php ( http://mydomain.php/test.php )
At 200 hits/s (no .php file runs any more) the PHP application hangs.
Also, with the same attack code, I tested .asp and .html; there is no problem (1879 hits/s, works fine).
 
How do I create rules to ban an IP at 5 hits/s?
I've just upgraded to Apache 2.2 and ModSecurity 2.
There is a difference between modsec1 and 2 rules,
so I can't use modsecurity1 rules.
So can I have rules for modsecurity2,
and can you tell me how do I create new rules?
In modsecurity1 I just do this:
Code:
SecFilter "cmd"
In modsecurity2 I tried:
Code:
SecRule "cmd"
but it didn't work.
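The two syntaxes differ because a ModSecurity 2 rule always names the variables to inspect before the pattern (SecRule VARIABLES OPERATOR [ACTIONS]), so a bare `SecRule "cmd"` is parsed as a variable list and is rejected. The block below is an added example, not from this post or from the earlier question about copying an old modsecurity.conf into modsec2.conf, and shows how the common 1.x directives map onto 2.x; the 1.x lines are shown commented out for comparison, and the rule ids and the `username` parameter are assumed placeholders.

```apache
# ---- ModSecurity 1.x (Apache 1.3, modsecurity.conf) ----
# SecFilterEngine On
# SecFilterScanPOST On
# SecFilterDefaultAction "deny,log,status:403"
# SecFilter "cmd"
# SecFilterSelective REQUEST_URI "/c99shell.txt"
# SecFilterSelective ARG_username "[^a-zA-Z0-9_]"

# ---- Same intent in ModSecurity 2.x (modsec2.conf) ----
SecRuleEngine On
# SecRequestBodyAccess replaces SecFilterScanPOST.
SecRequestBodyAccess On
# Every 2.x action list needs a phase; the rules below inherit deny/log/403
# from here because they name no disruptive action of their own.
SecDefaultAction "phase:2,deny,log,status:403"

# SecFilter "cmd" scanned the whole request implicitly; a SecRule lists the
# locations explicitly. A pattern without an @operator prefix is a regex
# (@rx), exactly like the 1.x keyword argument.
SecRule REQUEST_URI|ARGS|ARGS_NAMES|REQUEST_BODY "cmd" \
    "id:900401,phase:2,t:none,t:lowercase,msg:'cmd found in request'"

# SecFilterSelective REQUEST_URI ... becomes SecRule REQUEST_URI ...
# (phase:1 is enough for URI-only checks; the body is not needed).
SecRule REQUEST_URI "/c99shell\.txt" \
    "id:900402,phase:1,t:none,msg:'known shell filename requested'"

# SecFilterSelective ARG_name ... becomes a selector on the ARGS collection.
SecRule ARGS:username "[^a-zA-Z0-9_]" \
    "id:900403,phase:2,t:none,msg:'unexpected characters in username'"
```

The practical consequence for a copied 1.x file is that none of the SecFilter* directives are understood by mod_security2, so Apache refuses to start; every line has to be rewritten in the form above rather than pasted across. Run `apachectl configtest` after each conversion so a syntax error surfaces before a restart.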
How do I set up rewrite on lighttpd?
I have APF firewall installed on one of my dedicated servers and it keeps resetting every 24 hours.
I put the devel mode to 0.
I have cPanel 11 and CentOS 4 running.
Does anyone know any good mod_evasive rules that pick up DoS, but not many false positives? Just looking to see what works for everyone out there, been having trouble. 
Or if there is better apache module to combat DoS.
I really want to know some important mod_security rules that can come in handy to avoid hackers.
I am using apache1
any good rules will do just fine
I had csf firewall installed, and due to my own stupidity, attempted to login with the wrong password one too many times, which added my IP to iptables, locking me out. I had to SSH into a linux box at school, and then ssh into my server to stop the iptables service so I could get into my server. 
I removed every trace of my IP that I could find in csf, but sometime in the middle of the night, iptables reloads some rules from somewhere that blocks me again. I also tried doing iptables -F to clear all rules, but again, sometime in the middle of the night, rules are reloaded and I get blocked. I even uninstalled csf to no avail. I just want to remove my IP once and for all.
I doubt anyone is writing their own rules so what do you think is the best site for Snort rules for a web server which are strong but also do not result in many false positives.
These new "rules" make BFD ban faster, checks every minute. BFD only checked every 10 minutes and could miss attackers that show up at the right time. Now we keep 10 minutes of IPs, and ban using that list.
I feel that APF and BFD are still the best choices for protecting my server. Cpanel's new "cphulk" feature has a lot more to go to be as good, plus you have total control with BFD where you can add and change rules to suit your needs as they grow, or modify them for particular problems.
The changes I made are based on the latest version of BFD V0.9, you should have that version installed and WORKING ALREADY.
Remember, they are simply shell scripts that define the log file to keep track of and what keywords to trigger on. You can view them with any text reader.
WARNING: These work for me, USE AT YOUR OWN RISK, always make sure you add your current IP in /usr/local/bfd/ignore.hosts (and) /etc/apf/allow_hosts.rules so you don't accidentally ban yourself!
Inside the below tar.gz file are my modified "rules" files for exim, pure-ftpd, rh_imap, rh_pop3, sendmail and sshd. No changes to the BFD V0.9 main program are needed.
You should change the cron job to run BFD every minute, edit this file:
/etc/cron.d/bfd
Change the line in that file to this so it runs every minute:
*/1 * * * * root /usr/local/sbin/bfd -q
I checked the CPU load and since it's reading only a small part of the log file every minute, the CPU load isn't bad, it's done in about 8 seconds on my system. Expect a small rise in load average since it is doing work more often.
The "rules" files are contained in your server directory:
/usr/local/bfd/rules
The "rules" files should be REPLACED with the new ones, if you want to keep the old ones around then MOVE THEM OUT to another directory NOT INSIDE the "rules" directory, or else they will be run when BFD runs.
If you need apache, proftpd or other "rules" then you will have to modify them yourself, otherwise you should move these out of the "rules" DIRECTORY, they will not do much with BFD set to run every minute (unless you modify them yourself). I only modified the rules I needed for my server, feel free to post your own mods here.
OK enough, here's the file:
[url]
(it's also attached to this message, see below)
This file will only be around for a few months on this free upload site. Someone please put it in a good place/mirror and post a link, thanks.
Technical details:
This runs every minute but keeps a list of the last 10 minutes of bad IPs in a file in tmp, trimming the file every minute so only new IPs are saved.
You can see the list of IPs in files such as:
/usr/local/bfd/tmp/.exim
/usr/local/bfd/tmp/.sshd
The marker "----" (four dashes) is used to mark each minute and is ignored by BFD but used to trim the old IPs off the file.
If the number of "----" are more than 10, it trims the top of the file up to the marker every run. If the file doesn't exist it's created.
The exim filter "grep" part was modified slightly because the old one was producing bad data every once in a while. The others are all the default filters that come with V0.9.
(BFD people feel free to add this to the next version update, I consider it GPL)
My server has a problem with logging in to FTP.
I asked cPanel; cPanel answered:
Howdy,
Are you using any kind of external firewalling? I have enabled the passive
ports in pure-ftpd and attempted to connect in passive mode, but it still
fails.
and 
Howdy,
You should allow connections on 30000 through 50000 for passive ftp
---
This is a VPS.
How can I solve it?
I use csf.
With this whole no-www thing going on. I've decided to have a look at whether I can do this for my domains.
Instead of writing a
Code:
RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.domain\.com$ [NC]
RewriteRule ^(.*)$ http://domain.com/$1 [R=301,L]
for every single domain, I'd like to do this across all domains as standard. I'm not too hot on rewrite rules and have in the past avoided them because of the complexities. But I'd like to get this done, and not silently do it, but reflect the URL difference in the web browser's address bar too.
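A single rule set that does this for every host on the server, rather than one block per domain, added here as an example (not the poster's own config). It captures whatever follows "www." in the Host header with a RewriteCond back-reference and redirects with a visible 301 so the address bar changes. Putting it in the main server config and enabling RewriteOptions Inherit in each vhost is an assumption about the layout; the example.com vhost is illustrative.

```apache
# Global www-stripping redirect, one rule for all domains.
RewriteEngine On
# Only act when the Host header starts with "www." (case-insensitive).
# %1 below refers to the group captured here, i.e. the bare domain.
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
# Redirect to the same path on the bare domain. ^/?(.*)$ works in both
# server config (path has a leading slash) and .htaccess (it does not).
RewriteRule ^/?(.*)$ http://%1/$1 [R=301,L]
# If the site also answers on HTTPS, add a second pair keyed on
# "RewriteCond %{HTTPS} on" that redirects to https://%1/$1, otherwise
# this rule silently downgrades secure requests to plain HTTP.

# Virtual hosts do not inherit main-server rewrite rules unless asked to,
# so each <VirtualHost> needs this (or its own copy of the rules above):
# <VirtualHost *:80>
#     ServerName example.com
#     ServerAlias www.example.com
#     RewriteEngine On
#     RewriteOptions Inherit
# </VirtualHost>
```

Test it with `curl -I -H "Host: www.example.com" http://127.0.0.1/` and check for `HTTP/1.1 301` with a Location header pointing at the bare domain; a 302 or a missing Location means the condition did not match.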
I have been using mod_security 1.9.x since its first release on Apache 1.3 and Apache 2.0.x; the rules are great and they work perfectly with no issues at all with any PHP-MySQL website. Do you recommend using mod_security 2.0 or 2.5? (I do know that 2.5 does not work with Apache 1.3.)
using mod_security, but I believe that I have it installed correctly with some rules that should be generating entries in the security audit log. No matter what I do, I can't seem to get mod_security to generate any sort of log entries.
I am using version 2.1.7.  I compiled it with no problems.  In my httpd.conf file, I have the following relevant lines:
LoadFile /usr/lib/libxml2.so
LoadModule security2_module modules/mod_security2.so
Include conf/modsecurity/*.conf
I don't think there are any problems here, as I know it is running directives from the configuration file I edited.  This is the file I'm working with:
modsecurity_crs_10_config.conf
Here are the relevant lines from the config file:
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 524288
SecDefaultAction "phase:2,auditlog,log,pass,status:500"
SecAuditEngine On
SecAuditLogType Serial
SecAuditLog logs/modsec_audit.log
SecAuditLogParts "ABIFHZ"
SecRequestBodyInMemoryLimit 131072
SecDebugLog             logs/modsec_debug.log
SecDebugLogLevel        3
I know that the config file is being read because when I start apache, the log files (modsec_audit.log and modsec_debug.log) are created.  The problem is that the files are empty and remain empty no matter what I do.  I have even tried setting permissions on the files to 777.
Here are a couple of rules I created in an attempt to generate log entries:
SecRule REQUEST_BODY "viagra"
SecRule REMOTE_ADDR "^1\.2\.3\.4$" auditlog,phase:1,allow
I put these in the same config file mentioned above.  As far as I understand, the first rule should examine the request body (which would include data in POST requests) for the word, "viagra".  Since my default action is phase:2,auditlog,log,pass,status:500, such requests should end up in the audit log.  However, when I use a form on my site to post the word "viagra", nothing is generated in the log file.
The second rule, as far as I understand, should generate a log entry any time the IP address 1.2.3.4 is sent in the request headers.  Instead of 1.2.3.4, of course, I have put in my real IP address.  However, when I visit my server and browse pages, nothing is logged.  I assume that my requests should generate log entries since I match the IP address.
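A minimal configuration, added as an example (not the poster's file), that makes it easy to see whether the audit log works at all: it audits only transactions a rule flags or that end in an error status, and it contains one harmless self-test rule that you trigger on purpose. Two things worth knowing when reading the post above: a rule that ends in `allow` stops further rule processing for that transaction, so it is a poor probe, and any rule file included after this one can silently override SecDefaultAction and SecAuditEngine, so a self-test rule should spell out its own actions. The query parameter name, the log paths and the rule ids are assumptions.

```apache
SecRuleEngine On
SecRequestBodyAccess On

# Audit only transactions that a rule marked relevant or that ended in an
# error status. With "On" instead, every request is written, which is the
# quickest way to confirm that the log file is writable at all.
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogType Serial
SecAuditLog logs/modsec_audit.log
# Part C is the request body, so a POST that matched is visible in full.
SecAuditLogParts "ABCFHZ"

# Debug level 9 shows every rule evaluation; drop back to 3 once it works.
SecDebugLog logs/modsec_debug.log
SecDebugLogLevel 9

# Self-test: request /?modsec_selftest=1 and expect a 403 plus an audit
# entry. Phase, log, auditlog and the disruptive action are all explicit,
# so the result does not depend on whatever SecDefaultAction applies.
SecRule ARGS:modsec_selftest "^1$" \
    "id:900501,phase:2,t:none,log,auditlog,deny,status:403,msg:'ModSecurity self-test rule fired'"

# The body rule from the post, with its actions spelled out the same way.
# REQUEST_BODY is only populated when SecRequestBodyAccess is On.
SecRule REQUEST_BODY "@contains viagra" \
    "id:900502,phase:2,t:none,t:lowercase,log,auditlog,deny,status:403,msg:'spam keyword in request body'"
```

If the self-test request returns 200 and nothing reaches the audit log, the engine is not seeing the rule at all (wrong include path, a later `SecRuleEngine Off`, or the rule file not being read); if it returns 403 but the audit log stays empty, the problem is the audit settings or file ownership, and the debug log at level 9 will say which.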
I am currently running a few small websites that use a CMS. Two are Dragonfly and one is Joomla.
I am getting sporadic errors with both systems that, upon research, seem to be related to Apache and the mod_security module. I am getting the following error:
Code:
Not Acceptable
An appropriate representation of the requested resource /somefolder/index.php could not be found on this server.
Well, I'm no idiot (although some people may tend to disagree) and after some searching, I found that this most likely points to an Apache error. Most solutions suggest putting the following in my .htaccess file for the site:
Code:
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
It was noted that "SecFilterScanPOST Off" may or may not be necessary. I have added the above to the .htaccess for each site (all 3 sites are subdomains) and have also added it to the .htaccess that is in the root folder for the site. Nothing has worked.
So my question is, is it possible that my webhost can override my .htaccess settings with their own? This is the only explanation that I can think of. But of course, I am no expert, which is why I turn to you good folks for help once again.
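Rather than switching the engine off for the whole site, the narrower fix is to keep it on and remove only the filter that produces the "Not Acceptable" response; the audit log entry (or the mod_security-message line in the error log) carries the rule id. This is an added example, not from the original post, and it also answers the earlier question on this page about disabling one rule for a particular directory. The rule id and the paths are placeholders. In mod_security 1.x this can live in .htaccess when the host's AllowOverride permits it; ModSecurity 2.x does not accept its directives in .htaccess by default, so the 2.x form belongs in the server config inside a <Location> or <Directory> block.

```apache
# mod_security 1.x (Apache 1.3 / 2.0): scoped exemption for one site path.
# 123456 stands for the id shown in the audit log for the offending filter.
<IfModule mod_security.c>
    <Location /somefolder>
        SecFilterRemove 123456
    </Location>
</IfModule>

# ModSecurity 2.x equivalent, in httpd.conf rather than .htaccess.
# While hunting false positives, DetectionOnly (not Off) keeps the rules
# logging without blocking anything, so you can see what would have fired.
<IfModule mod_security2.c>
    <Location /somefolder>
        SecRuleRemoveById 123456
    </Location>
    <Location /somefolder/admin>
        SecRuleEngine DetectionOnly
    </Location>
</IfModule>
```

A host that wants to keep the engine on for every tenant can still use this: the exemption is scoped to one path, so the rest of the rule set continues to protect the server while the one CMS form that trips a generic filter is allowed through.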