Trying to get mod_security installed on my HSphere server; the install goes OK until I try to load rules.
If I just load the exclude.conf rule then PHP sites work; if I also load rules.conf or any other rules then my PHP sites get a 'connection refused' error.
I cannot find anything in the logs and there is no log written for mod_security.
Here is my modsecurity.conf:
Quote:
# Only inspect dynamic requests
# (YOU MUST TEST TO MAKE SURE IT WORKS AS EXPECTED)
#SecFilterEngine DynamicOnly
SecFilterEngine On
# Reject requests with status 500
SecFilterDefaultAction "deny,log,status:500"
# Some sane defaults
SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilterCheckCookieFormat On
SecFilterCheckUnicodeEncoding Off
SecFilterNormalizeCookies On
# enable version 1 (RFC 2965) cookies
SecFilterCookieFormat 1
SecServerResponseToken Off
#If you want to scan the output, uncomment these
#SecFilterScanOutput On
#SecFilterOutputMimeTypes "(null) text/html text/plain"
# Accept almost all byte values
SecFilterForceByteRange 1 255
# Server masking is optional
#fake server banner - NOYB used - no one needs to know what we are using
SecServerSignature "NOYB"
#SecUploadDir /tmp
#SecUploadKeepFiles Off
# Only record the interesting stuff
SecAuditEngine RelevantOnly
SecAuditLog /var/log/audit_log
# You normally won't need debug logging
SecFilterDebugLevel 0
SecFilterDebugLog logs/modsec_debug_log
#And now, the rules
#Remove any of these Include lines you do not use or have rules for.
#First, add in your exclusion rules:
#These MUST come first!
Include /etc/modsecurity/exclude.conf
I have a VPS with 768Mb of RAM, which was always suitable for the websites I'm hosting, as most of them are not popular and none of them has had high traffic recently at all.
But for over 2 days the VPS has been eating the RAM and killing all the services (cPanel/httpd/FTP/MySQL...). I want to know what is causing this and stop it any way I can.
I contacted my VPS support and they told me to type "top" in SSH, but I didn't understand anything from what I saw and I didn't know what to do after typing that command.
I remember a long time ago when I used to host on Layered Tech: fast network, good stuff, affordable price. My first server cost me 90 dollars on Layered Tech, with about a 20 dollar one-time setup fee.
I visited today after about 2 years and I'm pretty much surprised to see their prices; they are by no means as affordable as they were previously, and the setup fee is now 50 dollars on every server.
With such a large number of servers in their data centers, shouldn't they be able to make them affordable? Yet I have seen the same server in the WHT ads section for a fraction of the price LT expects, not to mention the excessive setup fee.
I'm not complaining, it's their business, but is it really helping them? I can't be the only person feeling this anti-love for Layered Tech being a former LT customer; I had no problems with them or their services, I just left after I sold my site and moved to a VPS. But seeing the new prices, it's a bit shocking.
I have a VPS with 256m guaranteed RAM .. and I have CPanel. A couple of days ago I got to fiddling with a database issue and had phpMyAdmin open for the better part of an hour. So I got to wondering what something like that does to my VPS?
A secondary question .. same thing but on a dedicated server with 1g RAM?
Guys, I'm tired of fighting those hackers every day! I have about 20 websites, and every day I have one of them hacked! I restore a backup, then another one gets hacked!
That's unbelievable!!!
Those bastards upload their shell scripts to websites via bugs or whatever from PHP files!!
Is there any way to stop these commands?
Can .htaccess help? How?
I talked to my webhosting companies for my websites! ....
Virtuozzo 3.0 is killing VPS's /usr/bin/mysqld_safe process but leaving /usr/sbin/mysqld UP which is causing cPanel to be unable to automatically restart MySQL after that.
I have a fairly unique problem. My server runs great 95% of the time. Loads average under 1. However, backups have become a server killer. I use cPanel scheduled backup in the early morning hours. The reason backups kill my server is that I have 300,000+ (and counting) images in a directory. They are all small PNGs generated by LaTeX. It takes my server several hours to back up the images. I usually even have to stop Apache to free up some power. This problem is only going to get worse as I get more images. Maybe I could upgrade proc or upgrade to a faster HD? That would be costly, hopefully not.
Should I hire a professional backup service? Costly, and would that help? Or is there a way of storing the images or doing the cpbackup I am doing wrong?
My nobody_check is killing a process that seems to be o.k. but I'm not sure. The process is running /usr/bin/perl-bin which I never heard of. I thought it was /usr/bin/perl
Should I be concerned? Again, I don't know what /perl-bin is.
So we've got a client setup with 2 domains; 1 main and 1 secondary.
The secondary domain is a 301 redirect with masking through GoDaddy. The reason for the masking is because we need the domain name to stay the same after the redirect. (So people who come in on DomainB will only see DomainB in the url bar.)
The problem: GoDaddy uses a "zero frame" element to implement the masking and it's messing up the display of our site.
Note: The display only screws up in IE.
Primary domain: www.BristolCountyWomensJournal.com --> (This works fine.)
301 domain: www.WomensJournals.com --> (Check out the messy background!)
We're running on Linux/Apache/MySQL/RoR and have a number of cron jobs that run throughout the day on our server. We've been noticing lately that at certain times of the day the site becomes really slow. When I'm online with my engineers I can mention this to them and they can check and see and say "Oh yeah, it's job XYZ that's spiking the server load."
That's great, but much of the time when I notice the sluggishness my developers are offline (we're in different time zones). I'm wondering if there's a fairly easy way to track this when they're not online so we can say "Yup, last night at 10 PM your time when you noticed that, it was job ABC." There has to be something that allows you to do this, right?
I have been using mod_security 1.9.x since its first release on Apache 1.3 and Apache 2.0.x; the rules are great and they work perfectly with no issues at all with any PHP-MySQL website. Do you recommend using mod_security 2.0 or 2.5? (I do know that 2.5 does not work with Apache 1.3.)
using mod_security, but I believe that I have it installed correctly with some rules that should be generating entries in the security audit log. No matter what I do, I can't seem to get mod_security to generate any sort of log entries.
I am using version 2.1.7. I compiled it with no problems. In my httpd.conf file, I have the following relevant lines:
LoadFile /usr/lib/libxml2.so
LoadModule security2_module modules/mod_security2.so
Include conf/modsecurity/*.conf
I don't think there are any problems here, as I know it is running directives from the configuration file I edited. This is the file I'm working with:
modsecurity_crs_10_config.conf
Here are the relevant lines from the config file:
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 524288
SecDefaultAction "phase:2,auditlog,log,pass,status:500"
SecAuditEngine On
SecAuditLogType Serial
SecAuditLog logs/modsec_audit.log
SecAuditLogParts "ABIFHZ"
SecRequestBodyInMemoryLimit 131072
SecDebugLog logs/modsec_debug.log
SecDebugLogLevel 3
I know that the config file is being read because when I start apache, the log files (modsec_audit.log and modsec_debug.log) are created. The problem is that the files are empty and remain empty no matter what I do. I have even tried setting permissions on the files to 777.
Here are a couple of rules I created in an attempt to generate log entries:
I put these in the same config file mentioned above. As far as I understand, the first rule should examine the request body (which would include data in POST requests) for the word, "viagra". Since my default action is phase:2,auditlog,log,pass,status:500, such requests should end up in the audit log. However, when I use a form on my site to post the word "viagra", nothing is generated in the log file.
The second rule, as far as I understand, should generate a log entry any time the IP address 1.2.3.4 is sent in the request headers. Instead of 1.2.3.4, of course, I have put in my real IP address. However, when I visit my server and browse pages, nothing is logged. I assume that my requests should generate log entries since I match the IP address.
I am currently running a few small websites that use a CMS. Two are Dragonfly and one is Joomla.
I am getting sporadic errors with both systems that, upon research, seem to be related to Apache and the mod_security module. I am getting the following error:
Code: Not Acceptable
An appropriate representation of the requested resource /somefolder/index.php could not be found on this server.
Well, I'm no idiot (although some people may tend to disagree) and after some searching, I found that this most likely points to an Apache error. Most solutions suggest putting the following in my .htaccess file for the site:
Code:
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
It was noted that "SecFilterScanPOST Off" may or may not be necessary. I have added the above to the .htaccess for each site (all 3 sites are subdomains) and have also added it to the .htaccess that is in the root folder for the site. Nothing has worked.
So my question is, is it possible that my webhost can override my .htaccess settings with their own? This is the only explanation that I can think of. But of course, I am no expert, which is why I turn to you good folks for help once again.
I installed modsecurity from the Addon module in cPanel.
When I try phpshell, it works fine without any errors, and I can do anything despite the presence of modsecurity protection and disable_functions in php.ini.
Are there particular settings to add to httpd.conf to prevent phpshell from running or prevent it from being uploaded to the site?
I tried using mod_security and mod_filter together. However, when I try to filter js files, I noticed that certain pages stop working, especially those using ajax.
I have installed a new server with Debian Lenny 5, ISPConfig 3.0.1.1 and the newest mod_security, and implemented the default rules.
I deactivated the rule detecting IP in page headers.
Then I got another problem. Some actions of ISPConfig are detected as "remote file access attempt", severity "critical", tag "web attack/file injection", data "/etc/",
detected by rule file crs_40 line 114, id 950005.
Question: How do I authorize ISPConfig, and only ISPConfig, to perform such requests on the server?