I just wanted to confirm if you guys had the same problem. It seems that mod_security with gotroot rules for apache 1.3 is filtering out firefox. Everything works fine with IE. With the latest firefox I get this for any page requested:
mod_security-message: Access denied with code 500. Pattern match "^GET (http|https|ftp):/" at THE_REQUEST [severity "EMERGENCY"]
Im using a vps with centos 5 and cpanel/whm with apache 2.2.
Im tring to figure out how to use the gotroot rules with mod_security. I had enabled mod_security with easy apache. I tried to follow some other post had I found around on other forums with no luck really, with that said I am a linux noob. I had tried to follow the wiki on atomic sites <-- not enof post so I cant do links sorry, but I found it hard to under stand cause I dont have a modsecurity.config file that I can find, also I cant find AddModule mod_security.c in my httpd.config, but I did find this line, Include "/usr/local/apache/conf/modsec2.conf". My thing is im looking for a complete noob guide on how to use gotroot rules with mod_security enabled through easy apache, or would it be easyer to manully install mod_security?
Is it possible to disable a particular mod_security rule for particular directory or the rules are global?
View 4 Replies View RelatedI just installed mod_security via WHM, and want to know what rule should I enter to prevent some URLs from being opened.
For example, if URL contains word "abc" (like domain.com/some_folder/abc/file.php), it should not be opened.
how to set the rules of MOD_Security.
Another question for professionals:
Q: What are the best rules to secure my server? I'd appreciate if you managed to attach these rules to your replies. // FYI, I host VBulletin portals.
make this rules work on apache 2 mod_security 2?
View 4 Replies View RelatedAny good secure rules for mod_security 2 that work well for shared servers?
Can someone share what rules you are using to secure your shared servers. Have tried a few different sets of rules, but a few customers always end up with errors and disabling it for their domain name doesn't sound like a safer option for them or the server.
Share your mod_sec 2 rules.
Is there any difference with the old one?
I have a customized modsecurity.conf file in my old Apache 1.3 server. Is it ok to copy it to new modsec2.conf?
We were recently hacked on our dedicated server and the hacker managed to insert php files that generated thousands of doorway pages in one of our images folder on our site. We have done an extensive cleanup of our site, removing all malicious files and are locking down the server. We have already updated to the latest versions of PHP and Wordpress,not to mention change all database passwords and admin password. My question is about mod_security for apache.
We were told Mod_security can prevent this from happening again but it must be configured correctly.
We have already set rules for mod_security. The rules set up are in the files in the directory, /etc/httpd/modsecurity.d/modsec. We were told that the file 10_asl_rules.conf specifically has filters to prevent SQL injection attacks.
These are are current rules:
----------------------------------------------------------------------
/etc/httpd/modsecurity.d/modsec
# ls
05_asl_exclude.conf 30_asl_antispam.conf domain-blacklist-local.txt malware-blacklist.txt
05_asl_scanner.conf 30_asl_antispam_referrer.conf domain-blacklist.txt sql.txt
10_asl_antimalware.conf 40_asl_apache2-rules.conf domain-spam-whitelist.conf trusted-domains.conf
10_asl_rules.conf 50_asl_rootkits.conf domain-spam-whitelist.txt trusted-domains.txt
11_asl_data_loss.conf 60_asl_recons.conf malware-blacklist-high.txt whitelist.txt
20_asl_useragents.conf 99_asl_exclude.conf malware-blacklist-local.txt
30_asl_antimalware.conf 99_asl_jitp.conf malware-blacklist-low.txt
-----------------------------------------------------------------
I can do to prevent this or tune up apache mod_security from letting this happen again. We are so paranoid that we are now checking our access log files for POST commands every day?
I am having the Modsec 2.5.9 I am using the defaults rules by the cpanel when i try to update the rules along with default rules given by the cpanel i am getting internal server error (500 Error)
The rules i tried to implement are from
Quote:
[url]
How can I update mod_security rules in Cpanel/WHM server from gotroot.com?
View 3 Replies View RelatedI doubt anyone is writing their own rules so what do you think is the best site for mod_security rules which are strong but also do not result in many false positives.
I know of [url] posts rules but is there anyone else worth mentioning?
i want to prevent c99shell scripts from running.
I found this rule to detect URI's for the c99 shell.
#new kit
SecFilterSelective REQUEST_URI "/c99shell.txt"
SecFilterSelective REQUEST_URI "/c99.txt?"
My problem is that the hackers are being more stealthy and calling the
script some random name like .../myphpstuff.php. So the URI no longer helps detect it.
How could I detect "c99shell" in the actual file that apache servers? This assumes that the hacker was successfully in installing it.
my box
Apache 1.3.37
WHM 11.2.0 cPanel 11.11.0-R16983
FEDORA 5 i686 - WHM X v3.1.0
I'm the main author of a control panel, and we are working toward security enforcement. So we are looking at what kinds of rules we can add in mod_security.
The issue is that our control panel is open source, and that, even if I have found some nice mod_security rule sets on the internet (for example at gotroot.com), I need to get some that are FREE (as freedom), and that I can include in our project.
What I am looking for is application specific rules (like the ones preventing phpBB highlight insertions, for example), so having someone using an old version of a given software on his hosting space is not an issue anymore.
I just updated my mod_security rules to version 2 with the new rules from gotroot.com. I simply included them all. I know before with their 1.95 rules I had to sit and delete tons of useless rules as well as having to delete rules that interfered with peoples web apps.
So I figure it may be different with new version. Is anyone here running these rules on a hosting server? Doesn't matter cpanel or whatever, just an average shared server with moistly php/mysql sites.
I'm on IIS6.
The site is open to all via anonymous setting. Everything works.
I turned off anonymous access in a subfolder. Try to view it and I get prompted for login like I should. But no matter what I enter I can't get in. I know I am entering the correct un/pw, but I just keep getting prompted again and again as if it was wrong. If I hit cancel I see either a 401.1 or 401.5 message.
Here's the rub, it used to work. But then I moved the source files to a another machine and changed the site root to the UNC. Did the whole same IUSR in both machines for it to work. Everything went smooth. But now the protected directory keeps asking for login, I can't get acces to it. I have only Integrated Windows Authentication checked.
I'm on W2K3/IIS6.
The site is open to all via anonymous setting. Everything works.
I turned off anonymous access in a subfolder. Try to view it and I get prompted for login like I should. But no matter what I enter I can't get in. I know I am entering the correct un/pw, but I just keep getting prompted again and again as if it was wrong. If I hit cancel I see either a 401.1 or 401.5 message.
Here's the rub, it used to work. But then I moved the source files to a another machine and changed the site root to the UNC. Did the whole same IUSR in both machines for anonymous access to work. Everything went smooth. But now the protected directory keeps asking for login, I can't get acces to it. I have only Integrated Windows Authentication checked. And I am trying to authenticate with admin account which has access to directory.
I had to reinstall a Verisign cert last week. After cleaning out a mess of old certs, keys and csr's I finally got the thing to install properly.
However, I get a "Website Certified by an Unknown Authority Error in Firefox".
Everything including the intermediate crt is installed correctly as far as I can tell and I get no error in any version of IE.
Here from the httpd.comf file:
Code:
<IfDefine SSL>
<VirtualHost IPADDRESS:443>
DocumentRoot /home/myuser/public_html
ServerName www.mysite.com
UserDir public_html
User myuser
Group mygroup
ScriptAlias /cgi-bin/ /home/myuser/public_html/cgi-bin/
SSLEnable
SSLCertificateFile /usr/share/ssl/certs/www.mysite.com.crt
SSLCertificateKeyFile /usr/share/ssl/private/www.mysite.com.key
SSLCACertificateFile /usr/share/ssl/certs/www.mysite.com.cabundle
SSLLogFile /usr/local/apache/domlogs/www.mysite.com-ssl_data_log
CustomLog /usr/local/apache/domlogs/www.mysite.com-ssl_log combined
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</VirtualHost>
</IfDefine>
The key matches the cert, and the cabundle is directly from Verisign.
Has anyone had a similar problem with getting a Verisign or other intermediate cert to work properly? I've reissued the thing twice and so far nothing has changed. It's like the intermediate cert isn't being sent even though it is installed.
When viewing the cert in firefox the Certificate Hierarchy only shows my domain. In internet explorer is shows Verisign Class 3 Public Primary CA -> Verisign Class 3 Secure Server CA -> My domain.
I understand that in firefox you can
with this setting
about:config
network.http.pipelining.maxrequests
make it so that the browser make so many requests
How does it effect bandwidth of websites and how one can prevent people from coming to your site with so many requests?
When I try to play one of my own camtasia videos in Firefox they just don't work! If I open them in an other browser they play just fine.
If I open the same video on a other server, it starts!
I see the playbar, the buttons, it says it's waiting for the server but they just don't start playing! How weird is that!
I found a great little app called ID Shutdown Manager which bascially lets you do stuff like wake on LAN, Shutdown, Log Off etc.
The App also has a cgi script which you can call from a web server so you get a web interface to the program.
This is exactly my reason for getting the app as I just wanted to host a web page where I could login from the internet and wake on lan my media PC.
Ok so...
The app gives you all the iis or apache setup instructions and tells you to place the cgi script which is actually a .exe into the scripts folder and then enable basic authentication for it.
Done.
So if I navigate to <SERVER>/scripts/sdmancgi.exe its supposed to give me a user / pass prompt and then when login successful I see the app and can wake on lan etc.
ok I have got this to work
on the actual machine where server is running I can access it in IE7 by localhost etc.. and it works
However when I try to access from another PC in my lan by typing <SERVER>/scripts/sdmancgi.exe I get a nice little message saying the content cannot be displayed you may require to insall a program or something to display it.
If I try to access the page from firefox on same remote PC, it works!
I can also access page from outside my LAN, it works on my N95 browser.
Also I have had friends try it from firefox from the Internet and they say it works as well.
Forgot to mention I am running on port 8081 as I already have other servers running on 8080 and 80 (one is my router and the other server installed itself from setup.exe and I dont know what server its using)
I have also tried latest apache server as well as some other free one. Both have the same effect. Ok in firefox, not in IE.
One would think its a problem with the cgi file not compatible with IE7 however, I even tried to go to default page setup in IIS <SERVER>:8081 and I get the same message. So at this point the server hasnt even tried to access CGI or prompt for Basic Authentication.
I tried googling and not much luck. I read something about CSS and when I view source of failed web page from IE7 it mentions something about CSS so dont know if this is it?
I used to have a reseller account and have shifted everything to a dedicated server. I now find that a couple of clients are getting lots of spam when they didn't before.
It seems that the servers used by the reseller account had some level of basic spam filtering installed; my provider suggested I look for a filtering program to install on my server.
There are, of course, dozens of them, so I wondered if anyone has any experience - enough, perhaps, to make a recommendation.
Even though I have temporarily installed Exchange Server on my dedicated server, I still am thinking about using POP3 instead, simply because of multiple email accounts and my outlook client can use multiple email accounts, and setup rules/filters to direct incoming emails to specific recepients to folders, which is what I want.
Sure, in Windows I know how to set up POP3 BUT what security can I setup for POP3 email accounts?
In addition, what about spam/filtering? How would I set that up to stop spam coming in?
I took over some sites that have a Windows hosting package. They're not high-traffic sites and the content is just typical corporate stuff; it's not sensitive information or anything.
Any they are insisting that they filter the IP addresses allowed to use the FTP account. So I have to give them my IP and it adds it to a safe list. this is causing me problems for urgent updates as sometimes I am working at home or somewhere away and my ISP gives me my IP dynamically, although it doesn't change that often.
Is this normal or necessary? I've never come across it before. I think it's overkill personally. What would you do? If they're worried about security should I ask them to set up SFTP and remove the IP filter?
I am having an issue with SPAM and baunced emails.
Spammers are sending out emails to thousands of addresses and putting my email in reply back field so i am getting all complaints/baunced emails etc.
I have DirectAdmin installed which lacks advanced email filtering features and wanted to know how can i setup Exim or what third party software to add to filter all incoming emails based on their subject?
I have Squirrelmail installed and it has these filters but the problem is that it applys its filters only on login and if i am checking email thru POP3 filters dont get applied.
I would like to filter some special mails of mine through an external PHP script. Is this possible? I would like to call the php file everytime a mail arrives, and the php file will make changes to that mail text and save in inbox.
My PHP file is ready but i need to make this work in Exim.
decent spam filtering service that allows you to do multiple domains and charges on a per user basis (with most you have to have the same domain or you have to buy another license pack). Anyway I'm looking to spend around $1-3 per user
View 0 Replies View RelatedDoes anybody know if GD filters email BEFORE it reaches my domain? It surely seems so. I recently moved to GD. I turned off spam filtering and don't receive any spam on accounts that used to receive a lot of spam. The only possible explanation is that they kill it before it reaches my domain.
View 5 Replies View RelatedI am using SA+ClamAV+Qmail now. Is there any better solutions out there? Preferable free s/w.
View 1 Replies View Relatedif anyone may know of a server spam filtering product which has these features....
1. stops identified spam at the server and keeps it for a period of time eg 7 days before dumping it
2. forwards clean mail to end user
3. end user gets daily report via email of mail tagged and kept
4. clickable link in daily email report to 'release' mail and send it
5. auto whitelists released mail (ie adds it to bayesian database / whitelist addresses)
6. configurable to work with either individual end user, or with eg domain sysadmin (who can view / help see mail for all domain users)
7. can be either a hosted service, or server software product; although linux opensource server product would be good.....
8. not hugely expensive :-)
I have been using ASSP for quite some time; and like it's accuracy. So I suppose what ideally I'm looking for is ASSP with Bells and Whistles. On Cpanel I'm using grscripts ASSP deluxe, and this already has some great bells, but lacks a couple of the whistles I'd like (as above).
If anyone has ideas - or can point me to other threads (I did a search here already, but couldn't refine my search enough to find anything relevant)