Good Rules For Mod Security / Apache 2.2x
Dec 31, 2007
Can anyone give me good rules for Apache 2.2.6 / cPanel? I'm new to this; I've used Apache 1.3.x before.
I really want to know some important mod_security rules that can come in handy to avoid hackers
I am using apache1
any good rules will do just fine
If I buy a web server (Linux), do I need to use iptables and create some security rules?
What types of rules?
Is it suggested to use ModSecurity for Apache?
If I host 2 sites (2 wordpress blog), what are better rules?
I see that mod security is an option in whm > apache compile. Is this a good (and improved way) of install modsecurity over the old cpanel add-on from back in the 10x versions?
Also, can someone point me to really tight, yet reasonable mod security rules for these server settings?
#1
centos
cpanel with phpsuexec
apache 2.2
php 5
mysql 5
a few shared domains (main business box)
#2
centos
same as above, but apache 1 / php 4 / mysql 4
(shared / reseller hosting server)
I have a problem with a hacker from China. He keeps uploading 4 files to my server:
mail.php
mysql.info.php
footer.txt
header.txt
He did this with 4 different accounts so far.
I have mod security installed with the ruleset from gotroot.com but it doesn't help. Now my questions:
1. Where can I download the mod security core ruleset (is it helpful anyway ?) I already found this page [url] but I do not see a "download here" link anywhere... I found the link that points to [url] but then I do not see the mod sec ruleset anywhere...
2. The rules on gotroot.com have not been updated for a long time. Are they still useful ? What do you think ?
3. Any other sources for good mod sec rules that may resolve my issues with PHP exploits.
I was just working on some concepts for image upload security features and wanted some others' opinions. Would the below be worth doing to not have to deal with the 777 or even 775 phpsu issue(s)?
- What about loading the images into a db and logging the upload. Then having a cron or a daemon move the file to a location under the owner (user) and then delete the file out of the db.
Pros:
- Images would be loaded and displayed from under the user of the site making no 777 issues.
Con:
- Mass use of db could cause crashes?
- Would have to write front end to know if the file was in db or in the folder location
With this whole no-www thing going on. I've decided to have a look at whether I can do this for my domains.
Instead of writing a
RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.domain\.com$ [NC]
RewriteRule ^(.*)$ http://domain.com/$1 [R=301,L]
for every single domain, I'd like to do this across all domains as standard. I'm not too hot on rewrite rules and have in the past avoided them because of the complexities. But I'd like to get this done, and not silently do it, but reflect the URL difference in the web browser's address bar too.
I got a trouble with a server upgrade on GoDaddy.
Once the server was upgraded from Apache 2.2 to Apache 2.4 all
CentOS 6. Apache 2.2.15
I am trying to redirect a request from a non-hosted domain, using a rewrite rule in our configuration file in conf.d. Our registrar has a pointer from this non-hosted domain to our domain.
Currently
*.domain1.com.vn -> http://www.domain1.com
domain1.com.vn -> http://domain1.com
I want to redirect a request like so in the web.conf file in conf.d
domain1.com.vn/terms => domain2.com/vn/terms
I am writing a rewrite rules using mod_rewrite module. I have the same data repeating all over the rules that I would like to replace with variable and set variable once at the top of rules then use variable in the rest of rules. Then if I need to add another IP address I would just add additional IP address to the variable instead like now need to change several rules.
For example I have IP addresses that I would like to set as a variable.
Now rules are the following (simplified) in httpd.conf:
RewriteEngine Off
RewriteCond %{REMOTE_ADDR} (192.168.5.20|192.168.7.15|10.10.20.50
I'm kinda new to apache and I have the following situation.
I have a vps, on which I have set the following:
WordPress Site A, has its own VirtualHost and domain
WordPress Site B, has its own VirtualHost and domain
Canvas LMS (not connected to a domain).
Canvas LMS can add multiple accounts, which may (or may not) be accessed individually using a URL that looks as follows:
{canvas_root}/accounts/{account_id}/
For example : http://....../accounts/4/
I need to add a link to each of WP sites, which points to each site's account on Canvas, such that it appears as .../learning/ folder
For example:
Code:
http://WPSiteA/learning/
http://WPSiteB/learning/
which actually represents
Code:
http://WPSiteA/accounts/4/
http://WPSiteB/accounts/5/
Which in turn represents
Code:
http://{my_vps_ip}/accounts/4/
http://{my_vps_ip}/accounts/5/
respectively
Noticing the following:
I do not want the users to see the /account/4/ , just /learning/
I also want to prevent accessing
Canvas LMS is located beyond the website's DocumentRoot
I want this to work with both HTTP and HTTPS
How to convert apache rewrite rule to nginx:
RewriteEngine on
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^naujienos+ news.php/$1 [L]
RewriteRule ^naujienos/p(.*)$ /news.php?pg=$1 [nc]
RewriteRule ^naujienos/?$ /news.php [nc]
RewriteRule ^naujienos?$ /news.php [nc]
I have some instructions written in the .htaccess of root directory for my website. So how to force those rules to apply to all sub directories even if those sub directories have .htaccess that overwrite the rules of the mother .htaccess on the root directory ? For example the root .htaccess deny access to all *.log files, so how to force that rule even if in some subdirectories there is some .htaccess files that allow access of *.log files.
I'm really struggling to write htaccess rules for dynamic pages. I've got like 20 pages to redirect. What I want to do is redirect:
[URL] ....
to
[URL] ....
How can I prevent error 302 in my site? For example, this [URL] .... is showing a status 200
But this same [URL] .... is showing me a status 302 (note the lack of forward slash)
Every folder in my site is showing this 302 error, so I tried to do a redirect in order to fix this, but it's not working.
I think it's the htaccess doing this kind of redirect in my whole site, but I am new to this file, so I don't know how to fix this. Rules in my htaccess are here:
(I can't write into htaccess, but I can see the content of the file)...
RewriteCond %{HTTP_HOST} .
RewriteCond %{HTTP_HOST} !^www.saludymedicinas.com.mx [NC]
RewriteRule (.*) http://www.saludymedicinas.com.mx/$1 [R=301,L]
I have a freshly installed Redhat Enterprise 5 box running Apache/MySQL/PHP. Currently it is only hosting the Red Hat default server page and I've noticed a few strange entries in the apache log file. For example there is this:
xx.xxx.xxx.x - - [17/Feb/2008:16:25:37 -0500] "GET xxxx://xxx.xxxx***********/xxx.php xxxx/1.1" 404 289 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
I edited out the IP and domain but neither belong to me. Do I have a security problem here with my server?
One of my servers is running Apache 1.3.34 (Unix), and I recently noticed that there was a rather large mod_rewrite security exploit found:
[url]
I can't seem to figure out if this affects me with the version I am running? Can anyone help me out on this to determine if I need to upgrade or if I am already patched up?
Does the apache virtualhost environment lower the web or apache server's security? virtualhost has no security issues.
I have been trying to solve a big problem for the last 2 weeks with one of our servers.
The client using our system (web based w/ Apache and PHP) is a contact center firm. They have about 120 operators, all connecting to our webserver with the same IP.
We have been suffering DoS attacks from some of these operators. These are simple browser attacks, namely 5 or 10 operators will just hold the F5 key and bombard the server with requests when they shouldn't.
We did manage to produce a PHP protection which will recognize the multiple requests and blacklist the user, but it's "too late" because the requests have already been sent and processed by the webserver.
We use the user ID in the system to control who should be blacklisted, so this is all dependent on our own authentication.
Ideally, we need something EXACTLY like mod_evasive, but for rejecting single requests instead of blocking the IP. To exemplify: if a user calls the same URL 5 times in a 3 second span, we will reject every next request for 30 seconds, but only the requests by that user.
If the webserver can make any use of it, the user id is stored in a cookie.
I'd like to start an ongoing thread here listing the 'Good Hosters with Good TELEPHONE tech support'. In other words, out of the 1,000s of host companies, this may cut it down to less than a dozen.
( And for all you Hosters out there who really want your company to grow, and want to know how, - it's easy: just read here.)
Good telephone support is the #1 ultimate requirement, because:
-It's a lot faster and easier for both the user and the host company, because you can state and answer all questions and clarifications on the spot, you don't need to continually pass new emails with new questions and clarifications, back and forth for days on end, until the issue is solved. It saves tech time and user's time. And saves a lot of nerves.
- It's the best way to sort the good guys from the bad. A bad company isn't going to bother to answer the phone, - or will make you wait way too long, - because they are likely getting endless complaints. The good guys are always ready to answer the phones, with a friendly voice, - because they really WANT to please the customer.
- If a company can't be bothered to pick up the phone, we can't be bothered to even consider them. They're a joke, and so won't be listed here on this thread. (So, before adding or listing any Hosters here, please verify that they do have good, quick, friendly telephone support; ideally 24/7, but 9am to 10pm might be acceptable, if it was supplemented by some emergency contact.)
AND:
- Hoster ALSO needs good EMAIL support (and preferably, Chat online, extended hour availability). (I spend a lot of time overseas). It seems all emails should get a non-automated response within about an hour, - and then support should jump on fixing any problem.
I only need support a few times a year. To answer some questions, or fix a problem, or do an install. That's less than 1 hour total, so any company paying maybe $18/hour tech support should be able to handle this. It IS reasonable to charge a customer for extended calls, beyond say, 90 minutes a year, IF you don't count the 80%? of times an issue is the Hoster's fault of something gone wrong, and don't count the 'hold' times.
ALSO IMPORTANT:
- Uptime
- site Speeds
- Monthly plans, no contract (Only a dishonest host will try to force you into a contract, where they can then ignore you.)
- Reasonable price. (? Maybe $12 to $18/month for a basic business site. We don't need massive bandwidths, - we all know that's an overselling scam, and can't ever be delivered.)
- a good upgrade plan of bigger options. Maybe even VPS.
- Dedicated IP, and availability of SSL
-PHP 5, mysql, phpMyAdmin, etc
- cPanel ( Some Hosts are using problematic panels, like Hsphere, which are slow to load, slow in operation, require many more clicks, have too many options, spread apart on many separate pages. Time is money, and this really slows down the ability of a small business to manage his own site in effective time. For example, one WHT user wrote somewhere: "I don't feel that HSphere's interface is nice at all, although I have worked with cPanel and DA all my life... I just found it to include un-necessary features or split features up in to different hard to find pages, such as backups - mysql backups you had to find on a completely different page than file backups, and then there were options to have it in the home directory or server-end backup, in which then you had to wait a good 10 minutes before it was ready. cPanel, just hit backup and hit download and instantly it does everything you need...".
I have used several hosters. Currently on Aplus.net and Godad, which have phone support, and mediocre service.
My LIST So Far:
- Liquidweb: a very impressive company with good, 24 hour support. But to get dedicated IP, you need to go with their $25/month plan. Yikes!
- NewIdeaHosting.com. A very small company. My call was returned, and the owner chatted with me for an hour on the phone! Plans have small bandwidth, but promises No overselling, and personalized attention. Extra $5 for dedi IP. He specializes in Small business sites, and small eCommerce sites. He has only 250 accounts, on 3 servers. He rents servers from the Equinox data center of Chicago. Seems exceptionally honest.
- MegaHosters. Excellent phone support and WHT reviews. But company was taken over by another company, and so may well go downhill in future. Another problem: uses Hsphere.
- Steadfast. Has a good rep on WHT, and seems impressive. Tech answered the phone immediately, but they say they prefer emails. Sales phone has limited hours. Good price on $20 SSL. But, uses Hsphere.
- JodoHost 24 hour phone. But, uses Hsphere. An Indian company with office in Florida, and good rep. I like the idea of outsourcing phone support, if it makes it more available and affordable. But, the accent on the phone was very hard for me to understand, so maybe this might not work.....
- Hostgator. Yes, it's a big overseller, but seems to get good reviews/results anyway, and good phone support.
- ? ThePrimeHost ?? Mostly good WHT reviews; some dissenters. Site says 24hour phone, but when I called on several nights, no one ever answered...
- Can anyone add to this list? Please list only hosts that meet the above minimum requirements of phone support, etc. Especially useful is hosters you've tried.
TO AVOID:
- Avoid Arvixe. I had a horrid experience with them, here: [WHT forum]:/showthread.php?p=5097822#post5097822
- Avoid WebHostingBuzz. This company never returned my phone message inquiries.
I run a web hosting company and one of my servers is a LAMP server running CentOs 5. A user of mine has a Joomla installation running to manage his website and he has run into the following problem that I am puzzled by.
When Joomla adds a component or module to itself, or when a user uses the Joomla upload functionality, Joomla will add the new files under the user name "apache". This makes sense as it is the apache service running PHP that is actually creating the files.
However, when he FTP's into the account to modify these files, he doesn't have the appropriate permissions to do so as he doesn't have a root level login, just permissions on his home directory which is the site. Any help would be much appreciated.
Also, does anyone know how to change the owner/group of a directory and all of its subdirectories in Linux without changing the actual permissions? I.e. some of the files in the folder have different permissions (0644 as opposed to 0755) than its parent, but if I do a top-down user/group change on the folder it will change everything in that folder to 0755.
I signed up with Lunarpages a while back for a dedicated server for my business. Good price, managed hosting rocks, decent disk space... little problem once with a huge power outage, but **** happens, cool.
All is well until I wake up this morning to an email a minute about a failed cron job. It smells fishy, so I contact Lunarpages support to see what's up.
They inform me that some asswad had managed to brute force into my server using a temporary account I set up a while back for some tech support. (I prefaced this with 'I'm an idiot', so now you know why)
Either way, my server now has a rootkit, plus other **** I'm sure I'm not aware of... so they propose to move me to a brand new fresh box. I'm thinking they are gonna charge me a fee for this, a fee for that... no way. All is free of charge.
I'm ****ting kittens now.
So I'm resetting everything up, and I manage to lock myself out of my database... (I told you I was an idiot... and this was a looooong day already)
they fix it. again. no problem...
If you are looking for a dedicated server, go to lunarpages. otherwise you are a freaking idiot as far as I am concerned...
Lunarpages, I love you, I want your babies...
PS: I am in no way affiliated with Lunarpages... however, if they want to give me a free year on their servers, I wouldn't complain... *hint hint*
One of my low-knowledge areas is iptables rules; I just normally use APF/CSF.
However on a VPS Host node, I basically want to block all access to a certain port let's say 1234 apart from a certain IP address.
However I don't want to block this port on any of the VPS's on the Node, so what Iptable Rule(s) would I need to put into a bash script on startup.
Is it possible to disable a particular mod_security rule for particular directory or the rules are global?
I want to block the icmp6 and traceroute on my IPv6 server. How can I do it?
I just installed mod_security via WHM, and want to know what rule I should enter to prevent some URLs from being opened.
For example, if URL contains word "abc" (like domain.com/some_folder/abc/file.php), it should not be opened.
how to set the rules of MOD_Security.
Another question for professionals:
Q: What are the best rules to secure my server? I'd appreciate if you managed to attach these rules to your replies. // FYI, I host VBulletin portals.
make this rules work on apache 2 mod_security 2?
Any good secure rules for mod_security 2 that work well for shared servers?
Can someone share what rules you are using to secure your shared servers. Have tried a few different sets of rules, but a few customers always end up with errors and disabling it for their domain name doesn't sound like a safer option for them or the server.
Share your mod_sec 2 rules.
I have a Windows 2003 server.
IIS 6.
PHP 5.x
MySQL 5.0
how to create rules with ip/5hit/s is black list and auto ban ip with IPSec.
when test attack file .php
info test :
using code attack files.
attack file test.php ( code files : <?php echo "we are test" ; ?> )
Ex : attack files test.php ( http://mydomain.php/test.php )
attack 200hit/s ( all files .php is not run ) php application is hang.
also wherewith code attack. i tested asp, html. it isn't problem. ( 1879hit/s ) ( good working)
how to create rules ban ip with 5hit/s?
Is there any difference with the old one?
I have a customized modsecurity.conf file in my old Apache 1.3 server. Is it ok to copy it to new modsec2.conf?