Mod_security Killing Php
Jan 31, 2007
Trying to get mod_security installed on my HSphere server; the install goes OK until I try to load rules.
If I just load the exclude.conf rule then PHP sites work, but if I also load rules.conf or any other rules then my PHP sites get a 'connection refused' error.
I cannot find anything in the logs and there is no log written for mod_security.
Here is my modsecurity.conf:
bash-2.05b# cat /etc/modsecurity.conf
<IfModule mod_security.c>
# Only inspect dynamic requests
# (YOU MUST TEST TO MAKE SURE IT WORKS AS EXPECTED)
#SecFilterEngine DynamicOnly
SecFilterEngine On
# Reject requests with status 500
SecFilterDefaultAction "deny,log,status:500"
# Some sane defaults
SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilterCheckCookieFormat On
SecFilterCheckUnicodeEncoding Off
SecFilterNormalizeCookies On
# enable version 1 (RFC 2965) cookies
SecFilterCookieFormat 1
SecServerResponseToken Off
#If you want to scan the output, uncomment these
#SecFilterScanOutput On
#SecFilterOutputMimeTypes "(null) text/html text/plain"
# Accept almost all byte values
SecFilterForceByteRange 1 255
# Server masking is optional
#fake server banner - NOYB used - no one needs to know what we are using
SecServerSignature "NOYB"
#SecUploadDir /tmp
#SecUploadKeepFiles Off
# Only record the interesting stuff
SecAuditEngine RelevantOnly
SecAuditLog /var/log/audit_log
# You normally won't need debug logging
SecFilterDebugLevel 0
SecFilterDebugLog logs/modsec_debug_log
#And now, the rules
#Remove any of these Include lines you do not use or have rules for.
#First, add in your exclusion rules:
#These MUST come first!
Include /etc/modsecurity/exclude.conf
#Application protection rules
#Include /etc/modsecurity/rules.conf
#Comment spam rules
#Include /etc/modsecurity/blacklist.conf
#Bad hosts, bad proxies and other bad players
##Include /etc/modsecurity/blacklist2.conf
#Bad clients, known bogus useragents and other signs of malware
##Include /etc/modsecurity/useragents.conf
#Known bad software, rootkits and other malware
##Include /etc/modsecurity/rootkits.conf
#Signatures to prevent proxying through your server
#only rule these rules if your server is NOT a proxy
##Include /etc/modsecurity/proxy.conf
#Just in Time Patching for Vulnerable Applications
##Include /etc/modsecurity/jitp.conf
#Google Hacks signatures
##Include /etc/modsecurity/recons.conf
#Include /etc/modsecurity/
</IfModule>
	
Jan 17, 2008
I have a VPS with 768Mb of RAM which was always suitable for the websites I'm hosting,
as most of them are not popular and none of them got high traffic recently at all.
But for over 2 days the VPS has been eating the RAM and killing all the services (cPanel/httpd/ftp/MySQL..).
I want to know what is causing this and stop it by any means.
I contacted my VPS support and they told me to type "top" in SSH, but I didn't understand anything from what I saw and I didn't know what to do after running that command.
Jun 29, 2008
I remember a long time ago when I used to host on Layered Tech: fast network, good stuff, affordable price. My first server cost me 90 dollars on Layered Tech with about a 20 dollar one-time setup fee.
I visited today after about 2 years and I'm pretty surprised to see their prices; they are by no means as affordable as they were previously, and the setup fee is now 50 dollars on every server.
With such a large number of servers in their data centers, shouldn't they be able to make them affordable? Yet I have seen the same server in the WHT ads section for a fraction of the price LT expects, not to mention the excessive setup fee.
I'm not complaining, it's their business, but is it really helping them? I can't be the only person feeling this anti-love for Layered Tech. Being a former LT customer, I had no problems with them or their services; I just left after I sold my site and moved to a VPS. But seeing the new prices is a bit shocking.
Jul 14, 2008
The server load averages on my VPS have been very high, escalating to 6.5 in some cases.

The process causing this is:
Pid   Owner  Priority  Cpu %  Mem %  Command
7370  mysql  -10       76.7   3.0    /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/opal.ngwebservers.net.pid --skip-external-locking

My VPS is hosted by Virpus Networks, and has spec:
512 RAM (1024 burstable), 10GB hard drive space.

8 of these processors on the node:

Processor #1 Vendor: GenuineIntel
Processor #1 Name: Intel(R) Xeon(TM) CPU 2.80GHz
Processor #1 speed: 174.594 MHz
Processor #1 cache size: 2048 KB

No hardware or software changes were implemented on the VPS as far as I am aware.

The MySQL process causing this is:

Id     User         Host       db           Command  Time  State                 Info
28993  movies_mybb  localhost  movies_mybb  Query    36    Copying to tmp table  SELECT t.tid, t.dateline, p.edittime, t.subject, f.allowhtml, f.allowmycode, f.allowsmilies, f.allow

This has been going on since I first saw the loads go high...
Mar 10, 2008
I have many servers on vrtservers.net and am happy with their support. And I was planning to be a reseller of theirs.
But the nightmare came last day..
My main server got a SPAM report from spamcap.net
[url]
The spamcap.net report said my server was running an open proxy and somebody was using it for SPAM.
Before the SPAM report..
I knew about this ISSUE and had fixed it..
so the proxy only ran for many hours. [check the mrtg graph. [url]
Since the SPAM report,
vrtservers.net put this server offline..
I can understand that.
And I contacted support@vrtservers.net instantly.
And I proceeded with the case at spamcap.net too.
But the nightmare is ....
When I asked "how to reconnect my servers / what time will the case close?" to VRTSERVERS.NET,
vrtservers.net replied to me that the server has been terminated and there is no way to get my data back.
My god ..
All of my server's data has been lost!
vrtservers.net is killing me now!
Nov 25, 2007
I have a VPS with 320MB of RAM. The problem is that SpamAssassin is killing my VPS.
The spamd service was using 50% of memory (+- 150MB of RAM).
Do you think that this is normal RAM usage for spamd?
Feb 5, 2007
I have a VPS with 256m guaranteed RAM .. and I have cPanel. A couple of days ago I got to fiddling with a database issue and had phpMyAdmin open for the better part of an hour. So I got to wondering what something like that does to my VPS?
A secondary question .. same thing but on a dedicated server with 1g RAM?
Jun 25, 2007
Guys, I'm tired of fighting those hackers every day! I have about 20 websites, and every day I have one of them hacked! I restore a backup, then another one is hacked!

That's unbelievable!!!
Those bastards upload their shell scripts to websites via bugs or whatever from PHP files!!

Is there any way to stop these commands?
Can .htaccess help? How?

I talked to my web hosting companies for my websites! ....
Nov 2, 2009
Virtuozzo 3.0 is killing the VPS's /usr/bin/mysqld_safe process but leaving /usr/sbin/mysqld up, which leaves cPanel unable to automatically restart MySQL after that.
Jan 28, 2008
From top:
12478 root      35  19  2004  680  308 R   39  0.0   8:54.95 gzip
It has been using anywhere from 30-50% of my CPU for nearly 10 min now, but no memory usage.
Any ideas? Should I kill the PID?
The site is running pretty slow as a result of this.
Dec 15, 2007
24 hours ago something weird happened..
For some reason httpd is causing high server load.
ATM:  22:44:17 up 22:17,  2 users,  load average: 6.23, 6.12, 8.88
It will keep going up, and httpd needs to be restarted when the server load reaches 30.
The traffic on the server is normal; no changes have been made on the server.
Dec 7, 2007
Opt 248
3gb ram
250gb sata II
I have a fairly unique problem. My server runs great 95% of the time; loads average under 1. However, backups have become a server killer. I use the cPanel scheduled backup in the early morning hours. The reason backups kill my server is that I have 300,000+ (and counting) images in a directory. They are all small PNGs generated by LaTeX. It takes my server several hours to back up the images. I usually even have to stop Apache to free up some power. This problem is only going to get worse as I get more images. Maybe I could upgrade the processor or upgrade to a faster HD? That would be costly; hopefully not.
Should I hire a professional backup service? Costly, and would that help? Or is there a way of storing the images, or am I doing the cpbackup wrong?
Feb 5, 2008
if it was possible to kill a server running WHMCS by executing the cron.php via cronjob on a remote server once every minute.
I just wanted to see if this was potentially harmful, so I can submit it to Matt without sounding like an idiot...
Oct 4, 2007
One of these rules is causing name server lookups to fail, but I can't seem to figure out which one. Can anyone spot the problem?
Code:
 
[root@example ~]# iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
INVDROP    all  --  0.0.0.0/0            0.0.0.0/0           state INVALID 
INVDROP    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x00 
INVDROP    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x3F 
INVDROP    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x03/0x03 
INVDROP    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x06 
INVDROP    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x05/0x05 
INVDROP    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x11/0x01 
INVDROP    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x18/0x08 
INVDROP    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x30/0x20 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:20 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:53 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:110 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:143 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:465 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:953 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:993 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:995 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:10023 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:20 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:21 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:953 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state NEW icmp type 8 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:53 dpt:53 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:53 dpt:53 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:53 dpts:1024:65535 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:53 dpts:1024:65535 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpt:53 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spts:1024:65535 dpt:53 
LOGDROPIN  all  --  0.0.0.0/0            0.0.0.0/0           
Chain FORWARD (policy DROP)
target     prot opt source               destination         
Chain OUTPUT (policy DROP)
target     prot opt source               destination         
INVDROP    all  --  0.0.0.0/0            0.0.0.0/0           state INVALID 
INVDROP    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x00 
INVDROP    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x3F 
INVDROP    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x03/0x03 
INVDROP    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x06 
INVDROP    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x05/0x05 
INVDROP    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x11/0x01 
INVDROP    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x18/0x08 
INVDROP    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x30/0x20 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:20 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:53 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:110 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:113 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:953 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:10023 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:9999 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:20 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:21 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:113 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:123 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:953 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state NEW icmp type 8 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:53 dpt:53 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:53 dpt:53 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpt:53 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spts:1024:65535 dpt:53 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:53 dpts:1024:65535 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:53 dpts:1024:65535 
LOGDROPOUT  all  --  0.0.0.0/0            0.0.0.0/0           
Chain INVDROP (18 references)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
Chain LOGDROPIN (1 references)
target     prot opt source               destination         
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:67 
DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:67 
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:68 
DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:68 
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:111 
DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:111 
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:113 
DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:113 
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpts:135:139 
DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpts:135:139 
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:445 
DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:445 
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:513 
DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:513 
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:520 
DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:520 
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP_IN Blocked* ' 
LOG        udp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *UDP_IN Blocked* ' 
LOG        icmp --  0.0.0.0/0            0.0.0.0/0           limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *ICMP_IN Blocked* ' 
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
Chain LOGDROPOUT (1 references)
target     prot opt source               destination         
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP_OUT Blocked* ' 
LOG        udp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *UDP_OUT Blocked* ' 
LOG        icmp --  0.0.0.0/0            0.0.0.0/0           limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *ICMP_OUT Blocked* ' 
DROP       all  --  0.0.0.0/0            0.0.0.0/0
Jul 24, 2007
My nobody_check is killing a process that seems to be OK, but I'm not sure. The process is running /usr/bin/perl-bin, which I have never heard of. I thought it was /usr/bin/perl.
Should I be concerned? Again, I don't know what /perl-bin is.
Process ID: 28457 has been killed
Restuls for PID: 28457
total 0
dr-xr-xr-x    3 nobody nobody 0 Jul 23 17:00 .
dr-xr-xr-x  201 root   root   0 Jun 29 11:59 ..
dr-xr-xr-x    2 root   root   0 Jul 23 17:00 attr
-r--------    1 root   root   0 Jul 23 17:00 auxv
-r--r--r--    1 root   root   0 Jul 23 17:00 cmdline
lrwxrwxrwx    1 root   root   0 Jul 23 17:00 cwd -> /
-r--------    1 root   root   0 Jul 23 17:00 environ
lrwxrwxrwx    1 root   root   0 Jul 23 17:00 exe -> /usr/bin/perl-bin
dr-x------    2 root   root   0 Jul 23 17:00 fd
-rw-r--r--    1 root   root   0 Jul 23 17:00 loginuid
-r--------    1 root   root   0 Jul 23 17:00 maps
-rw-------    1 root   root   0 Jul 23 17:00 mem
-r--r--r--    1 root   root   0 Jul 23 17:00 mounts
lrwxrwxrwx    1 root   root   0 Jul 23 17:00 root -> /
-r--r--r--    1 root   root   0 Jul 23 17:00 stat
-r--r--r--    1 root   root   0 Jul 23 17:00 statm
-r--r--r--    1 root   root   0 Jul 23 17:00 status
dr-xr-xr-x    3 root   root   0 Jul 23 17:00 task
-r--r--r--    1 root   root   0 Jul 23 17:00 wchan
Netstat:
tcp        0      0 127.0.0.1:783               127.0.0.1:40957             CLOSE_WAIT  28457/spamd child
udp        0      0 xx.xxx.xxx.xx:41008         216.52.190.1:53             ESTABLISHED 28457/spamd child
unix  3      [ ]         STREAM     CONNECTED     120878416 28457/spamd child
unix  2      [ ]         DGRAM                    120872220 28457/spamd child
unix  2      [ ]         STREAM     CONNECTED     120847759 28457/spamd child
unix  2      [ ]         STREAM     CONNECTED     120832442 28457/spamd child
Environ:
 
Process ID: 23944 has been killed
Restuls for PID: 23944
total 0
dr-xr-xr-x    3 nobody nobody 0 Jul 23 16:55 .
dr-xr-xr-x  206 root   root   0 Jun 29 11:59 ..
dr-xr-xr-x    2 root   root   0 Jul 23 17:00 attr
-r--------    1 root   root   0 Jul 23 17:00 auxv
-r--r--r--    1 root   root   0 Jul 23 16:55 cmdline
lrwxrwxrwx    1 root   root   0 Jul 23 17:00 cwd -> /
-r--------    1 root   root   0 Jul 23 17:00 environ
lrwxrwxrwx    1 root   root   0 Jul 23 16:55 exe -> /usr/bin/perl-bin
dr-x------    2 root   root   0 Jul 23 17:00 fd
-rw-r--r--    1 root   root   0 Jul 23 17:00 loginuid
-r--------    1 root   root   0 Jul 23 17:00 maps
-rw-------    1 root   root   0 Jul 23 17:00 mem
-r--r--r--    1 root   root   0 Jul 23 17:00 mounts
lrwxrwxrwx    1 root   root   0 Jul 23 17:00 root -> /
-r--r--r--    1 root   root   0 Jul 23 16:55 stat
-r--r--r--    1 root   root   0 Jul 23 16:55 statm
-r--r--r--    1 root   root   0 Jul 23 16:55 status
dr-xr-xr-x    3 root   root   0 Jul 23 17:00 task
-r--r--r--    1 root   root   0 Jul 23 17:00 wchan
Netstat:
tcp        1      0 127.0.0.1:783               127.0.0.1:40955             CLOSE_WAIT  23944/spamd child
udp        0      0 xx.xx.xxx.xxx:55606         216.52.190.1:53             ESTABLISHED 23944/spamd child
unix  3      [ ]         STREAM     CONNECTED     120847760 23944/spamd child
unix  2      [ ]         STREAM     CONNECTED     120832442 23944/spamd child
unix  2      [ ]         DGRAM                    120677444 23944/spamd child
Environ:
Apr 12, 2007
So we've got a client set up with 2 domains; 1 main and 1 secondary.
The secondary domain is a 301 redirect with masking through GoDaddy. The reason for the masking is that we need the domain name to stay the same after the redirect. (So people who come in on DomainB will only see DomainB in the URL bar.)
The problem: GoDaddy uses a "zero frame" element to implement the masking and it's messing up the display of our site.
Note: The display only screws up in IE.
Primary domain: www.BristolCountyWomensJournal.com --> (This works fine.)
301 domain: www.WomensJournals.com --> (Check out the messy background!)
Anyone know of alternatives to domain masking?
Jan 8, 2009
We're running on Linux/Apache/MySQL/RoR and have a number of cron jobs that run throughout the day on our server. We've been noticing lately that at certain times of the day the site becomes really slow. When I'm online with my engineers I can mention this to them and they can check and say "Oh yeah, it's job XYZ that's spiking the server load."
That's great, but much of the time when I notice the sluggishness my developers are offline (we're in different time zones). I'm wondering if there's a fairly easy way to track this when they're not online so we can say "Yup, last night at 10 PM your time when you noticed that, it was job ABC." There has to be something that allows you to do this, right?
Apr 21, 2008
I have been using mod_security 1.9.x since its first release on Apache 1.3 and Apache 2.0.x; the rules are great and they work perfectly with no issues at all with any PHP-MySQL website. Do you recommend using mod_security 2.0 or 2.5? (I do know that 2.5 does not work with Apache 1.3.)
Apr 19, 2008
using mod_security, but I believe that I have it installed correctly with some rules that should be generating entries in the security audit log. No matter what I do, I can't seem to get mod_security to generate any sort of log entries.
I am using version 2.1.7. I compiled it with no problems. In my httpd.conf file, I have the following relevant lines:
LoadFile /usr/lib/libxml2.so
LoadModule security2_module modules/mod_security2.so
Include conf/modsecurity/*.conf
I don't think there are any problems here, as I know it is running directives from the configuration file I edited. This is the file I'm working with:
modsecurity_crs_10_config.conf
Here are the relevant lines from the config file:
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 524288
SecDefaultAction "phase:2,auditlog,log,pass,status:500"
SecAuditEngine On
SecAuditLogType Serial
SecAuditLog logs/modsec_audit.log
SecAuditLogParts "ABIFHZ"
SecRequestBodyInMemoryLimit 131072
SecDebugLog             logs/modsec_debug.log
SecDebugLogLevel        3
I know that the config file is being read because when I start Apache, the log files (modsec_audit.log and modsec_debug.log) are created. The problem is that the files are empty and remain empty no matter what I do. I have even tried setting permissions on the files to 777.
Here are a couple of rules I created in an attempt to generate log entries:
SecRule REQUEST_BODY "viagra"
SecRule REMOTE_ADDR "^1.1.3.4$" auditlog,phase:1,allow
I put these in the same config file mentioned above. As far as I understand, the first rule should examine the request body (which would include data in POST requests) for the word "viagra". Since my default action is phase:2,auditlog,log,pass,status:500, such requests should end up in the audit log. However, when I use a form on my site to post the word "viagra", nothing is generated in the log file.
The second rule, as far as I understand, should generate a log entry any time the IP address 1.2.3.4 is sent in the request headers. Instead of 1.2.3.4, of course, I have put in my real IP address. However, when I visit my server and browse pages, nothing is logged. I assume that my requests should generate log entries since I match the IP address.
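A self-test configuration for the logging problem above, added here as an example; it is not the poster's config and not a file from the ModSecurity project or the Core Rule Set. It assumes ModSecurity 2.x directives (the poster runs 2.1.7) and that `/modsec-test` is a path that does not otherwise exist on the site. The idea behind it: with `SecAuditEngine On`, every transaction the engine processes is written to the audit log, so a log that stays empty means the requests are never reaching the engine. A rule that deliberately denies a harmless probe path gives a yes/no answer in one request: a 403 plus an audit entry if the engine is in the request path, a normal 404 if it is not. The two diagnostic rules from the post are rewritten with explicit phases and actions so they do not depend on `SecDefaultAction` inheritance.

```apache
<IfModule mod_security2.c>
    SecRuleEngine On
    SecRequestBodyAccess On

    # Log every transaction while testing; switch to RelevantOnly once it works.
    SecAuditEngine On
    SecAuditLogType Serial
    SecAuditLog logs/modsec_audit.log
    SecAuditLogParts "ABIFHZ"

    # Probe rule: a request for /modsec-test (assumed not to exist on the site)
    # is denied in phase 1 and audited. Fetching it should return 403, not 404.
    SecRule REQUEST_URI "^/modsec-test$" \
        "phase:1,deny,status:403,log,auditlog,msg:'ModSecurity self-test probe'"

    # Request-body inspection can only run in phase 2, after the body is read,
    # and only when SecRequestBodyAccess is On.
    SecRule REQUEST_BODY "viagra" \
        "phase:2,log,auditlog,pass,msg:'test keyword seen in request body'"

    # Dots in a regex must be escaped to match literal dots.
    # 1.2.3.4 is a placeholder for the tester's own client address.
    SecRule REMOTE_ADDR "^1\.2\.3\.4$" \
        "phase:1,log,auditlog,pass,msg:'request from test client'"
</IfModule>
```

After restarting Apache, request the probe path (for example `curl -sI http://localhost/modsec-test`). A `403` together with a new `--<id>-A--` section in `logs/modsec_audit.log` shows the engine is processing requests and logging; a `404` means the directives are not in effect for that request (wrong `IfModule` name, the include not loaded, or the rules living in a context the virtual host is not using), and permissions on the log file are not the problem. If the 403 comes back but the file stays empty, check that the relative path `logs/modsec_audit.log` resolves under ServerRoot and is writable by the user Apache runs as.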
Dec 1, 2007
I am currently running a few small websites that use a CMS. Two are Dragonfly and one is Joomla.
I am getting sporadic errors with both systems that, upon research, seem to be related to Apache and the mod_security module. I am getting the following error:
Code:
Not Acceptable
An appropriate representation of the requested resource /somefolder/index.php could not be found on this server.
Well, I'm no idiot (although some people may tend to disagree) and after some searching, I found that this most likely points to an Apache error. Most solutions suggest putting the following in my .htaccess file for the site:
Code:
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
It was noted that "SecFilterScanPOST Off" may or may not be necessary. I have added the above to the .htaccess for each site (all 3 sites are subdomains) and have also added it to the .htaccess that is in the root folder for the site. Nothing has worked.
So my question is, is it possible that my web host can override my .htaccess settings with their own? This is the only explanation that I can think of. But of course, I am no expert, which is why I turn to you good folks for help once again.
Jul 27, 2008
I want to add some more rules to mod_security, however I am unsure if some of them are already being used.
So would it cause any problems if there are duplicate rules for the time being, until I can check through all the rules?
Jul 23, 2007
I am having lots of problems installing mod_security on RH5 64 w/ Plesk.

Mainly related to apr0, subversion, and the headers.

Any reason why everyone recommends using version 1.94 of mod_security rather than the latest version available on www.modsecurity.org?
Oct 2, 2007
I've got this:
mod_security: Access denied with code 406. Error normalising REQUEST_URI: Invalid URL encoding detected: invalid characters used [hostname "www.mydomain.com"] [uri "/search/include/js_suggest/suggest.php?type=query&q=%u062E%u0636%u0631%u0627"]
How do I disable/exclude this URI on the mentioned host from being caught by mod_security?
Mar 29, 2007
How many people are actually using mod_security 2 instead of 1?
And why did you choose the version you did?
Jun 5, 2007
I installed modsecurity from the Addon modules in cPanel.
When I try to run phpshell it works fine without any errors and I can do anything, despite the presence of modsecurity protection and disable_functions in php.ini.
Is there a particular setting to add to httpd.conf to prevent running phpshell or prevent uploading it to the site?
May 11, 2009
I tried using mod_security and mod_filter together. However, when I try to filter JS files, I noticed that certain pages stop working, especially those using AJAX.
Jul 24, 2009
I installed Mod_Security on my CentOS server today and am having some problems configuring it.
Problem -
I have added this module in the 'httpd.conf' file
Code:
<IfModule mod_security.c>
SecFilterEngine On
SecServerSignature "Apache"
SecFilterCheckUnicodeEncoding Off
SecAuditEngine RelevantOnly
SecAuditLog logs/audit_log
SecFilterScanPOST On
SecFilterDefaultAction "deny,log,status:403"
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"
SecFilterSelective HTTP_Transfer-Encoding "!^$"
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
SecFilter "../"
SecFilter "viewtopic.php?" chain
SecFilter "chr(([0-9]{1,3}))" "deny,log"
SecFilterSelective THE_REQUEST "wget "
SecFilterSelective THE_REQUEST "lynx "
SecFilterSelective THE_REQUEST "scp "
SecFilterSelective THE_REQUEST "ftp "
SecFilterSelective THE_REQUEST "cvs "
SecFilterSelective THE_REQUEST "rcp "
SecFilterSelective THE_REQUEST "curl "
SecFilterSelective THE_REQUEST "telnet "
SecFilterSelective THE_REQUEST "ssh "
SecFilterSelective THE_REQUEST "echo "
SecFilterSelective THE_REQUEST "links -dump "
SecFilterSelective THE_REQUEST "links -dump-charset "
SecFilterSelective THE_REQUEST "links -dump-width "
SecFilterSelective THE_REQUEST "links http:// "
SecFilterSelective THE_REQUEST "links ftp:// "
SecFilterSelective THE_REQUEST "links -source "
SecFilterSelective THE_REQUEST "mkdir "
SecFilterSelective THE_REQUEST "cd /tmp "
SecFilterSelective THE_REQUEST "cd /var/tmp "
SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy "
SecFilterSelective THE_REQUEST "/config.php?v=1&DIR "
SecFilterSelective THE_REQUEST "/../../ "
SecFilterSelective THE_REQUEST "&highlight=%2527%252E "
SecFilterSelective THE_REQUEST "changedir=%2Ftmp%2F.php "
# Very crude filters to prevent SQL injection attacks
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"
# Weaker XSS protection but allows common HTML tags
SecFilter "<[[:space:]]*script"
# Prevent XSS atacks (HTML/Javascript injection)
SecFilter "<(.|\n)+>"
</IfModule>
But my website is a multi-forum hosting site and requires the 'index.php' file to be passed parameters to make it work.
Example -
[url]
[url]
[url]
So I had to delete the code mentioned below from the above module.
Code:
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"
SecFilterSelective HTTP_Transfer-Encoding "!^$"
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
SecFilter "../"
May 25, 2009
Is it possible to disable a particular mod_security rule for a particular directory, or are the rules global?
Aug 15, 2008
I just installed mod_security via WHM, and want to know what rule I should enter to prevent some URLs from being opened.
For example, if a URL contains the word "abc" (like domain.com/some_folder/abc/file.php), it should not be opened.
May 20, 2009
I have installed a new server with Debian Lenny 5, ISPConfig 3.0.1.1 and the newest mod_security, and implemented the default rules.
I deactivated the rule detecting IP addresses in page headers.
Then I got another problem. Some actions of ISPConfig are detected as "remote file access attempt", severity "critical", tag "web attack/file injection", data "/etc/",
detected by rule file crs_40 line 114, id 950005.
Question: how do I authorize ISPConfig, and only ISPConfig, to perform such requests on the server?
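One configuration that covers the three questions above (per-directory rule removal, blocking a path pattern, and exempting one application from a specific Core Rule Set rule), added here as an example; it is not configuration from any of the posters, from WHM, or from the Core Rule Set. It assumes ModSecurity 2.x, that the ISPConfig interface is served under `/ispconfig/` (a placeholder path), that `/var/www/trusted-app/` is a placeholder directory, and that 950005 is the rule id quoted in the post above. The rule ids 1000001 and 1000002 are arbitrary local ids; `id` is accepted by 2.x and required from 2.7 on.

```apache
# Site-wide: refuse any request whose URI contains the segment "/abc/".
# Phase 1 inspects the request line and headers, before any body is read.
# The pattern is a regex (the default @rx operator), so "/" needs no escaping.
SecRule REQUEST_URI "/abc/" \
    "id:1000001,phase:1,deny,status:403,log,msg:'blocked path segment /abc/'"

# Rules are not purely global: SecRuleRemoveById inside a <Location> or
# <Directory> container drops the named rule for that part of the URI space
# only. Here the CRS "remote file access attempt" rule (id 950005 in the post)
# is removed just for the ISPConfig interface, which legitimately submits
# values such as /etc/ in its forms; every other path keeps the rule.
<Location /ispconfig/>
    SecRuleRemoveById 950005
</Location>

# Tighter variant of the same exemption: keep rule 950005 everywhere, but let
# the ISPConfig path through only when the client is the server itself
# (placeholder assumption that the panel is used over a local tunnel).
<Location /ispconfig-local/>
    SecRule REMOTE_ADDR "^127\.0\.0\.1$" \
        "id:1000002,phase:1,allow,nolog,ctl:ruleRemoveById=950005"
</Location>

# Turning the engine off for one directory only, leaving the rest protected.
# Prefer removing specific rule ids over this; it is the bluntest option.
<Directory /var/www/trusted-app/>
    SecRuleEngine Off
</Directory>
```

The `ctl:ruleRemoveById` action in the second variant exists in ModSecurity 2.x and changes configuration for the current transaction only, so the exemption applies to the matching client and path rather than to the path for everyone; the `allow` in phase 1 stops further phase-1 processing for that request. Check exclusions after each CRS upgrade, since rule ids and the file/line they live in (crs_40 line 114 in the post) can move between releases.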
Jun 4, 2008
how to set the rules of MOD_Security.
Another question for professionals:
Q: What are the best rules to secure my server? I'd appreciate it if you could attach these rules to your replies. // FYI, I host vBulletin portals.