I want to write a modsec_conf with the best rules, without problems with FP2000 (I hate this software), PERLDESK, MAMBO and other scripts.
Shall we write, all together, a post with the BEST RULES?
Every day 2000 sites are hacked.
80% are homepage defacements (they use uname, ls, wget, echo, cmd=id, lwp-download, cmd=find, print, etc.)
http://www.zone-h.org/en/defacements
==========
# Turn the filtering engine On or Off
SecFilterEngine On
# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On
# This setting should be set to On only if the Web site is
# using the Unicode encoding. Otherwise it may interfere with
# the normal Web site operation.
SecFilterCheckUnicodeEncoding Off
# Only allow bytes from this range
SecFilterForceByteRange 1 255
# The audit engine works independently and
# can be turned On of Off on the per-server or
# on the per-directory basis. "On" will log everything,
# "DynamicOrRelevant" will log dynamic requests or violations,
# and "RelevantOnly" will only log policy violations
SecAuditEngine RelevantOnly
SecFilter "visualcoders\.net/spy\.gif\?\&cmd"
# The name of the audit log file
SecAuditLog /usr/local/apache/logs/audit_log
# Should mod_security inspect POST payloads
SecFilterScanPOST On
# Action to take by default
SecFilterDefaultAction "deny,log,status:403"
# Require Content-Length to be provided with
# every POST request
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"
# Don't accept transfer encodings we know we don't handle
# (and you don't need it anyway)
SecFilterSelective HTTP_Transfer-Encoding "!^$"
SecFilterSelective THE_REQUEST "wget "
SecFilterSelective THE_REQUEST "lynx "
SecFilterSelective THE_REQUEST "scp "
SecFilterSelective THE_REQUEST "ftp "
SecFilterSelective THE_REQUEST "cvs "
SecFilterSelective THE_REQUEST "rcp "
SecFilterSelective THE_REQUEST "telnet "
SecFilterSelective THE_REQUEST "ssh "
SecFilterSelective THE_REQUEST "echo "
SecFilterSelective THE_REQUEST "links -dump "
SecFilterSelective THE_REQUEST "links -dump-charset "
SecFilterSelective THE_REQUEST "links -dump-width "
SecFilterSelective THE_REQUEST "links http:// "
SecFilterSelective THE_REQUEST "links ftp:// "
SecFilterSelective THE_REQUEST "links -source "
SecFilterSelective THE_REQUEST "mkdir "
SecFilterSelective THE_REQUEST "cd /tmp "
SecFilterSelective THE_REQUEST "cd /var/tmp "
SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy "
# Very crude filters to prevent SQL injection attacks
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
#Protecting from XSS attacks through the PHP session cookie
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
# WEB-ATTACKS ps command attempt
SecFilterSelective THE_REQUEST "/bin/ps"
# WEB-ATTACKS /bin/ps command attempt
SecFilterSelective THE_REQUEST "ps\x20"
# WEB-ATTACKS wget command attempt
SecFilter "wget\x20"
# Web-PHP phpBB Exploit Filter
SecFilter "chr\(([0-9]{1,3})\)" "deny,log"
# WEB-ATTACKS uname -a command attempt
SecFilter "uname\x20-a"
# WEB-ATTACKS /usr/bin/id command attempt
SecFilterSelective THE_REQUEST "/usr/bin/id"
# WEB-ATTACKS id command attempt
SecFilter "\;id"
# WEB-ATTACKS chown command attempt
SecFilter "/bin/chown\x20"
# WEB-PHP General PHP Exploit Filter
SecFilterSelective "THE_REQUEST|ARGS_VALUES" "(passthru|shell_exec|proc_open|fopen|fwrite)"
# WEB-ATTACKS kill command attempt
SecFilterSelective THE_REQUEST "/bin/kill"
# WEB-ATTACKS chsh command attempt
SecFilterSelective THE_REQUEST "/usr/bin/chsh"
# WEB-ATTACKS tftp command attempt
SecFilter "tftp\x20"
# WEB-ATTACKS /usr/bin/gcc command attempt
SecFilterSelective THE_REQUEST "/usr/bin/gcc"
# WEB-ATTACKS gcc command attempt
SecFilter "gcc\x20-o"
# WEB-ATTACKS /usr/bin/cc command attempt
SecFilterSelective THE_REQUEST "/usr/bin/cc"
# WEB-ATTACKS cc command attempt
SecFilter "cc\x20"
# WEB-ATTACKS /usr/bin/cpp command attempt
SecFilterSelective THE_REQUEST "/usr/bin/cpp"
# WEB-ATTACKS cpp command attempt
SecFilter "cpp\x20"
# WEB-ATTACKS /usr/bin/g++ command attempt
SecFilterSelective THE_REQUEST "/usr/bin/g\+\+"
# WEB-ATTACKS g++ command attempt
SecFilter "g\+\+\x20"
# WEB-ATTACKS bin/python access attempt
SecFilterSelective THE_REQUEST "bin/python"
# WEB-ATTACKS python access attempt
SecFilter "python\x20"
# WEB-ATTACKS bin/tclsh execution attempt
SecFilter "bin/tclsh"
# WEB-ATTACKS tclsh execution attempt
SecFilter "tclsh8\x20"
# WEB-ATTACKS ls -l command attempt
SecFilter "ls\x20-l"
# WEB-ATTACKS /bin/ls command attempt
SecFilterSelective THE_REQUEST "/bin/ls"
SecFilterSelective SCRIPT_FILENAME "viewtopic\.php$" chain
SecFilterSelective ARG_highlight "%27"
# WEB-ATTACKS bin/nasm command attempt
SecFilterSelective THE_REQUEST "bin/nasm"
# WEB-ATTACKS nasm command attempt
SecFilter "nasm\x20"
# WEB-ATTACKS perl execution attempt
SecFilter "perl\x20"
SecFilter "header=http:"
# WEB-ATTACKS traceroute command attempt
SecFilter "traceroute\x20"
# WEB-ATTACKS ping command attempt
SecFilterSelective THE_REQUEST "/bin/ping"
# WEB-ATTACKS nmap command attempt
SecFilter "nmap\x20"
# WEB-ATTACKS xterm command attempt
SecFilterSelective THE_REQUEST "/usr/X11R6/bin/xterm"
# WEB-ATTACKS X application to remote host attempt
SecFilter "\x20-display\x20"
# WEB-ATTACKS lsof command attempt
SecFilter "lsof\x20"
# WEB-ATTACKS rm command attempt
#SecFilter "rm\x20"
# WEB-ATTACKS mail command attempt
SecFilterSelective THE_REQUEST "/bin/mail"
# WEB-ATTACKS /bin/ls command attempt
SecFilterSelective THE_REQUEST "/bin/ls"
# WEB-ATTACKS /etc/shadow access
SecFilter "/etc/shadow"
# WEB-ATTACKS .htgroup access
SecFilterSelective THE_REQUEST "\.htgroup"
# WEB-CGI websitepro path access
SecFilter " /HTTP/1\."
# WEB-CGI formmail access
SecFilterSelective THE_REQUEST "/formmail" log,pass
# WEB-CGI phf arbitrary command execution attempt
SecFilterSelective THE_REQUEST "/phf" chain
SecFilter "\x0a/"
# WEB-CGI phf access
SecFilterSelective THE_REQUEST "/phf" log,pass
# WEB-CGI rksh access
SecFilterSelective THE_REQUEST "/rksh"
# WEB-CGI bash access
SecFilterSelective THE_REQUEST "/bash" log,pass
# WEB-CGI zsh access
SecFilterSelective THE_REQUEST "/zsh"
# WEB-CGI csh access
SecFilterSelective THE_REQUEST "/csh"
# WEB-CGI tcsh access
SecFilterSelective THE_REQUEST "/tcsh"
# WEB-CGI rsh access
SecFilterSelective THE_REQUEST "/rsh"
# WEB-CGI ksh access
SecFilterSelective THE_REQUEST "/ksh"
# WEB-CLIENT Javascript URL host spoofing attempt
SecFilter "javascript\://"
SecFilter "_vti_bin" allow
SecFilterSelective THE_REQUEST "/fpsrvadm\.exe" pass
SecFilterSelective THE_REQUEST "/fpremadm\.exe" pass
SecFilterSelective THE_REQUEST "/admisapi/fpadmin\.htm" pass
SecFilterSelective THE_REQUEST "/_vti_bin/shtml\.exe" pass
SecFilterSelective THE_REQUEST "/_vti_pvt/svcacl\.cnf" pass
SecFilterSelective THE_REQUEST "/users\.pwd" pass
SecFilterSelective THE_REQUEST "/_vti_pvt/writeto\.cnf" pass
SecFilterSelective THE_REQUEST "/dvwssr\.dll" pass
SecFilterSelective THE_REQUEST "/_private/register\.htm" pass
# WEB-MISC .htpasswd access
SecFilter "\.htpasswd"
# WEB-MISC .htaccess access
SecFilter "\.htaccess"
# WEB-MISC cd..
SecFilter "cd\.\."
# WEB-MISC ///cgi-bin access
SecFilterSelective THE_REQUEST "///cgi-bin"
SecFilterSelective THE_REQUEST "cd /tmp"
SecFilterSelective THE_REQUEST "cd /var/tmp"
SecFilterSelective THE_REQUEST "echo "
SecFilterSelective THE_REQUEST "perl "
SecFilter "cmdd="
SecFilter "&cmd=id\x20" "deny,log"
# WEB-MISC /cgi-bin/// access
SecFilterSelective THE_REQUEST "/cgi-bin///"
# WEB-MISC /~root access
SecFilterSelective THE_REQUEST "/~root"
# WEB-MISC /~ftp access
SecFilterSelective THE_REQUEST "/~ftp"
# WEB-MISC rpm_query access
SecFilterSelective THE_REQUEST "/rpm_query"
# WEB-MISC htgrep attempt
SecFilterSelective THE_REQUEST "/htgrep" chain
SecFilter "hdr=/"
# WEB-MISC htgrep access
SecFilterSelective THE_REQUEST "/htgrep" log,pass
# WEB-MISC .history access
SecFilterSelective THE_REQUEST "/\.history"
# WEB-MISC .bash_history access
SecFilterSelective THE_REQUEST "/\.bash_history"
# WEB-MISC /~nobody access
SecFilterSelective THE_REQUEST "/~nobody"
# WEB-MISC *%0a.pl access
SecFilterSelective THE_REQUEST "/*\x0a\.pl"
# WEB-MISC Apache Chunked-Encoding worm attempt
SecFilter "CCCCCCC\: AAAAAAAAAAAAAAAAAAA"
# WEB-MISC Transfer-Encoding\: chunked
SecFilter "chunked"
# WEB-PHP squirrel mail theme arbitrary command attempt
SecFilterSelective THE_REQUEST "/left_main\.php" chain
SecFilter "cmdd="
# WEB-PHP DNSTools administrator authentication bypass attempt
SecFilterSelective THE_REQUEST "/dnstools\.php" chain
SecFilter "user_dnstools_administrator=true"
# WEB-PHP DNSTools authentication bypass attempt
SecFilterSelective THE_REQUEST "/dnstools\.php" chain
SecFilter "user_logged_in=true"
# WEB-PHP DNSTools access
SecFilterSelective THE_REQUEST "/dnstools\.php" log,pass
# WEB-PHP Blahz-DNS dostuff.php modify user attempt
SecFilterSelective THE_REQUEST "/dostuff\.php\?action=modify_user"
# WEB-PHP Blahz-DNS dostuff.php access
SecFilterSelective THE_REQUEST "/dostuff\.php" log,pass
============
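Added example, not from the thread: a small Python tester that runs a handful of the posted SecFilter patterns over constructed request lines and shows which ordinary requests they would block, which is where the false positives with helpdesk, CMS and search scripts come from. It assumes case-insensitive matching and URL-decoding before the match, and rewrites the POSIX `[[:space:]]` class that Python's `re` does not support.

```python
import re
from urllib.parse import unquote

# Constructed subset of the rules in the post, keyed by a short name. The values are
# the patterns exactly as they appear in the posted modsec_conf (mod_security 1.x, PCRE).
RULES = {
    "echo":       r"echo ",                    # SecFilterSelective THE_REQUEST "echo "
    "cc":         r"cc\x20",                   # SecFilter "cc\x20"
    "chunked":    r"chunked",                  # SecFilter "chunked"
    "sql_delete": r"delete[[:space:]]+from",   # SecFilter "delete[[:space:]]+from"
    "cmd_id":     r"&cmd=id\x20",              # SecFilter "&cmd=id\x20" "deny,log"
}

def to_python_regex(pattern: str) -> re.Pattern:
    """Translate the PCRE idioms used in the posted rules into Python's re.
    Only the POSIX class [[:space:]] needs rewriting; \\x20 and \\. are native.
    Assumption: matching is case-insensitive, which is how this tester treats it."""
    return re.compile(pattern.replace("[[:space:]]", r"\s"), re.IGNORECASE)

def matching_rules(text: str) -> list[str]:
    """Names of rules that fire on one request line (or POST body fragment, since
    SecFilterScanPOST On lets plain SecFilter rules see the body as well).
    mod_security URL-decodes before matching, so the sample is decoded first."""
    decoded = unquote(text)
    return [name for name, pat in RULES.items() if to_python_regex(pat).search(decoded)]

# Constructed sample traffic: ordinary requests a search page, download area or
# helpdesk form might produce, plus one line using the cmd=id pattern quoted in the post.
BENIGN = {
    "search query":  "GET /search.php?q=echo%20of%20time HTTP/1.1",
    "download link": "GET /docs/cc%20license.pdf HTTP/1.1",
    "faq page":      "GET /faq.php?topic=chunked%20uploads HTTP/1.1",
    "ticket body":   "note=please%20delete%20from%20my%20cart",
    "plain page":    "GET /index.php HTTP/1.1",
}
SUSPICIOUS = "GET /index.php?&cmd=id%20 HTTP/1.1"

def false_positives() -> dict[str, list[str]]:
    """Benign samples that at least one rule would deny: the rules to tune first."""
    return {label: hits for label, req in BENIGN.items() if (hits := matching_rules(req))}

if __name__ == "__main__":
    for label, hits in false_positives().items():
        print(f"FALSE POSITIVE  {label!r:16} blocked by {hits}")
    print("true positive:", matching_rules(SUSPICIOUS))
```

Short bare-word patterns such as "cc " and "chunked" are the ones that fire on plain text, so tightening them to a location (ARGS or THE_REQUEST) or to a fuller command string is the first step in cutting the false positives.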