The Community Forums


cPanel and mod_security

Discussion in 'Security' started by Slatko, Jan 21, 2011.

  1. Slatko

    Slatko Member

    Hello,
    I have tried to install ModSecurity.

    It is in the EPEL repo.
    So
    Code:
    yum install mod_security
    gives me
    Code:
    Loaded plugins: fastestmirror, rhnplugin
    Loading mirror speeds from cached hostfile
     * epel: ftp.tlk-l.net
    Excluding Packages in global exclude list
    Finished
    Setting up Install Process
    Resolving Dependencies
    --> Running transaction check
    ---> Package mod_security.x86_64 0:2.5.12-1.el5 set to be updated
    --> Processing Dependency: httpd-mmn = 20051115 for package: mod_security
    --> Processing Dependency: httpd for package: mod_security
    --> Processing Dependency: liblua-5.1.so()(64bit) for package: mod_security
    --> Processing Dependency: libapr-1.so.0()(64bit) for package: mod_security
    --> Running transaction check
    ---> Package apr.x86_64 0:1.2.7-11.el5_5.3 set to be updated
    ---> Package lua.x86_64 0:5.1.4-4.el5 set to be updated
    ---> Package mod_security.x86_64 0:2.5.12-1.el5 set to be updated
    --> Processing Dependency: httpd-mmn = 20051115 for package: mod_security
    --> Processing Dependency: httpd for package: mod_security
    --> Finished Dependency Resolution
    mod_security-2.5.12-1.el5.x86_64 from epel has depsolving problems
      --> Missing Dependency: httpd is needed by package mod_security-2.5.12-1.el5.x86_64 (epel)
    mod_security-2.5.12-1.el5.x86_64 from epel has depsolving problems
      --> Missing Dependency: httpd-mmn = 20051115 is needed by package mod_security-2.5.12-1.el5.x86_64 (epel)
    Error: Missing Dependency: httpd is needed by package mod_security-2.5.12-1.el5.x86_64 (epel)
    Error: Missing Dependency: httpd-mmn = 20051115 is needed by package mod_security-2.5.12-1.el5.x86_64 (epel)
     You could try using --skip-broken to work around the problem
     You could try running: package-cleanup --problems
                            package-cleanup --dupes
                            rpm -Va --nofiles --nodigest
    
    
    Then I recompiled Apache with EasyApache ("easy-apache") with ModSecurity. No errors.
    But how can I check that ModSecurity is now running?
    Where can I upload rules, in which directory?
    Can I control ModSecurity now with the CSF ModSecurity tool?
    Thanks
     
  2. studmf

    studmf Registered

    I am having issues getting this to work as well. I installed mod security through EasyApache, but need to update the rules (Delayed preferred).

    I used http://www.atomicorp.com/wiki/index.php/Atomic_ModSecurity_Rules#Installing_the_rules to attempt to use ASL and ASL Lite, but could not get either to run and ended up getting a refund. I want to at least get my rules updated manually, so I found this in http://forums.cpanel.net/f5/mod-security-conf-58326-p2.html from randomuser:
    "Do: add your rules to /usr/local/apache/conf/modsec.user.conf
    Don't: add your rules to /usr/local/apache/conf/modsec.conf (cPanel will happily overwrite this now and again)"
    Do I simply copy and paste the rules I need from http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/all-rules.conf?

    I really need some guidance on this, any help is greatly appreciated.

    The instructions at http://www.atomicorp.com/wiki/index.php/Atomic_ModSecurity_Rules#Installing_the_rules are really confusing, and the cPanel-specific section
    confuses me even further. Why would they say "for cPanel users not using ASL" when ASL does not work with cPanel, and then go through the ASL Lite install for cPanel, and the forums there congratulate someone for being the FIRST to get it to work? Thanks in advance!

    TL;DR: I want to update my mod_security rules.
     
  3. lbeachmike

    lbeachmike Well-Known Member

    I remain surprised that cPanel has not yet stepped forward to provide clarification on the proper methodology for utilizing the gotroot rulesets with cPanel's current (2.5.13) mod_security module.

    It is perhaps one of the best security tools available, and yet just about everybody appears confused as to how to properly make use of it, with conflicting information provided by Atomic Corp and by Sergio Cabrera.

    It would be nice if there were a definitive reference, one which cPanel could put their blessing on, or one provided by cPanel directly.

    Thanks.

    Mike
     
  4. markb14391

    markb14391 Well-Known Member

    +1. Would really appreciate some guidance here. Great tools but no definitive instructions on how to use them together.

    cPanel? Bueller? Anyone?

    ;-)
     
  5. Slatko

    Slatko Member

    Yes, 100% agree.
    I only have problems getting these rules working right.
    When I use all gotroot rules, nothing is allowed, really nothing!
    Hard to find a good tutorial for it.
    This here was the best I could find: /http://freehostblog.info/?p=19
    But I don't understand why these rules allow nothing!
     
  6. Tearabite

    Tearabite Member

    I'm no expert, but I was able to figure out how to get ModSecurity working with both cPanel and CSF. I don't remember all the steps/details on updating rules, but basically I download the new rules from GotRoot and place them in my ModSecurity directory, which on my server is at /etc/modsecurity.
    There are some references in the rules which may point to files that do not exist ('whitelist' comes to mind) that you may need to create, and there are some other references where you may have to adjust the path based on where your modsec is installed. Again, I am no expert (by far), but I've got mine up and running, so if anyone has specific questions I'll be happy to (try to) help.

    AFTER you get ModSecurity running, if you find that it's blocking too much (or everything), there is a decent rule-troubleshooting guide here: /http://success.grownupgeek.com/index.php/2011/01/08/how-troubleshoot-mod_security-rules/
     
  7. mikegotroot

    mikegotroot Well-Known Member

    There are cPanel users using ASL now; we just don't support cPanel right now. We are planning to support ASL with cPanel in Q3.

    I'm not sure I understand the second part of your question: you couldn't get our ModSecurity rules to load with cPanel? There's no difference between the two; cPanel uses ModSecurity, our rules are written for ModSecurity, and cPanel users are using our ModSecurity rules now. They work quite well.

    So, what error(s) did you get when you tried to load the rules? Perhaps we can help you.
     
  8. ModServ

    ModServ Well-Known Member

    You can install ModSecurity, make it work on cPanel and review logs just by doing the steps below:

    Install APR:
    Code:
    wget http://mirror.metrocast.net/apache//apr/apr-1.4.2.tar.gz
    tar -xzf apr-1.4.2.tar.gz
    cd apr*
    ./configure
    make
    make test
    make install
    Install PCRE:
    Code:
    wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.10.tar.gz
    tar -xzf pcre-8.10.tar.gz
    cd pcre*
    ./configure
    make
    make test
    make install
    Install ModSecurity:
    Code:
    wget http://www.modsecurity.org/download/modsecurity-apache_2.5.13.tar.gz
    tar -xzf modsecurity-apache_2.5.13.tar.gz
    cd modsecurity*/apache2
    ./configure --with-apu=/usr/local/apache/bin/apu-1-config
    make
    make test
    make install
    Done!

    You can put the rules here:
    Code:
    /usr/local/apache/conf/modsec2.user.conf
    You can get the logs from inside cPanel or by installing CMC (ConfigServer ModSecurity Control) recommended:
    Code:
    rm -fv /usr/local/cpanel/whostmgr/docroot/cgi/addon_cmc.cgi
    rm -fv /usr/local/cpanel/whostmgr/docroot/cgi/cmcversion.txt
    rm -Rfv /usr/local/cpanel/whostmgr/docroot/cgi/cmc/
    wget http://www.configserver.com/free/cmc.tgz
    tar -xzf cmc.tgz
    cd cmc
    sh install.sh
    Hope all of that helps you and answers your question.
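    To check the result of the build steps above, and to answer the first post's question of how to tell whether ModSecurity is actually active after a rebuild, here is an added example script (not from the thread) with the static checks a practitioner runs before trusting the rules. It assumes cPanel's default httpd binary and rule-file paths (both overridable through the environment) and Apache 2.2 or later for httpd -M.

```sh
#!/bin/sh
# Added example (not from the thread): static checks that ModSecurity 2 is
# really part of cPanel's Apache after an EasyApache or source build.
# Paths are cPanel defaults; override with HTTPD=... RULES=... in the
# environment. "httpd -M" needs Apache 2.2 or later.

HTTPD=${HTTPD:-/usr/local/apache/bin/httpd}
RULES=${RULES:-/usr/local/apache/conf/modsec2.user.conf}

# 1. Module check: reads "httpd -M" output on stdin and succeeds only if the
#    ModSecurity 2 module is listed. Mind the name: 2.x registers as
#    security2_module; a bare security_module would be the old 1.x module.
has_security2_module() {
  grep -q '^[[:space:]]*security2_module'
}

# 2. Rule count: active SecRule/SecAction lines in a rule file, comments
#    excluded, so an empty or fully commented-out file is noticed.
#    Prints 0 when nothing matches instead of failing.
count_rules() {
  grep -cE '^[[:space:]]*Sec(Rule|Action)[[:space:]]' "$1" || true
}

# 3. Run the checks against the live server (as root on cPanel).
verify_modsec() {
  "$HTTPD" -M 2>/dev/null | has_security2_module \
    || { echo "FAIL: security2_module is not loaded in $HTTPD"; return 1; }
  echo "OK: security2_module is loaded"

  "$HTTPD" -t >/dev/null 2>&1 \
    || { echo "FAIL: $HTTPD -t reports a configuration error:"; "$HTTPD" -t; return 1; }
  echo "OK: configuration parses"

  n=$(count_rules "$RULES")
  [ "${n:-0}" -gt 0 ] \
    || { echo "FAIL: no active rules found in $RULES"; return 1; }
  echo "OK: $n active rules in $RULES"
}

# Only run when invoked as "sh verify_modsec.sh --run"; otherwise the file
# can be sourced for its functions.
if [ "${1:-}" = "--run" ]; then verify_modsec; fi
```

    Three passed checks say the module is loaded and a non-empty rule file parses; whether a given request is actually blocked is a separate question that is best read from error_log rather than from the status code alone.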
     
  9. crazyaboutlinux

    crazyaboutlinux Well-Known Member

    Ah, great answer!
     
  10. Tecnoman

    Tecnoman Active Member

  11. ModServ

    ModServ Well-Known Member

    Just if you want, Here are my rules I use on 12 servers:

    Code:
    # NOTE: these two rules come before the SecDefaultAction below, so they do not
    # inherit it; they get whatever default was in force earlier in the
    # configuration (cPanel's modsec2.conf, or ModSecurity's built-in
    # phase:2,log,auditlog,pass). RESPONSE_BODY is not populated before phase 4
    # either. Move them below SecDefaultAction, add ids and use phase:4 if they
    # are meant to block on response content. The dot is escaped so the first
    # rule matches the literal file name rather than any character + "htaccess".
    SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "\.htaccess"
    SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "sql_passwd"
    
    
    #Master list of known malware script file names
    #SecRule REQUEST_URI "(?:ogg|gopher|zlib|(?:ht|f)tps?)\:/" \
    #"capture,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:390500,rev:1,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - Malware Script Blacklist: Malware Script detected in URL',logdata:'%{TX.0}'"
    #SecRule REQUEST_URI "@pmFromFile malware_scripts.txt"
    
    #SecRule ARGS|REQUEST_FILENAME "@pmFromFile malware_scripts.txt" \ "capture,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:390501,rev:1,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - Malware Script Blacklist: Malware Script detected in ARGS',logdata:'%{TX.0}'"
    
    SecDefaultAction "log,deny,auditlog,phase:2,status:403,t:lowercase,t:replaceNulls,t:compressWhitespace"
    
    SecRule REQUEST_URI "!(horde/services/go\.php|tiki-view_cache\.php|event\.ng/type=click|^/\?out=http://.*/.*\?ref=.*|^event\.ng/|^/hiphop2/=http|homeCounter\.php\?offerid=.*&ureferrer=http)" \
            "capture,chain,id:390144,rev:16,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Command shell attack: Generic Attempt to remote include command shell',logdata:'%{TX.0}'"
    
    # second link of the chain started above (no actions of its own; the chain starter's apply)
    SecRule ARGS|!ARGS:message  "(?:\.(?:dat|gif|jpg|png|bmp|txt|vir|dot)\?\&(?:cmd|inc|name)=|/trf/traf\.php)"
    
    #rootkit patterns
    SecRule REQUEST_URI "!(?:/event\.ng/|horde/services/go\.php|tiki-view_cache\.php|^/\?out=http://|homecounter\.php\?offerid=.*ureferrer=http|__utm\.gif\?)" \
            "capture,chain,id:390145,rev:6,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Rootkit attack: Generic Attempt to install rootkit',logdata:'%{TX.0}'"
    
    
    #c99 rootshell
    # second link of the chain started above (no actions of its own; the chain starter's apply)
    SecRule REQUEST_URI "(?:\.php\?act=(chmod&f|cmd|ls|f&f)|cx529\.php|\.php\?(?:phpinfo|mtnf|p0k3r)|/shell[0-9]?\.php|/\.get\.php)"
    
    # known PHP attack shells
    SecRule REQUEST_URI   "(?:wiki_up/(?:(?:gif|ion|jpe?g|lala)\.ph(p(3|4)?|tml)|.*\.(?:php(3|4)?|tml|cgi|sh))|(?:/|^)phpterm|(?:c(?:99|100)|c(?:99|100)shell)\.(txt|php)\?|iblis\.htm\?|/gif\.gif\?|/go\.php\.txt\?|sh[0-9]\.(gif|jpe?g|txt|bmp|png)\?|iys\.(gif|jpe?g|txt|bmp|png)\?|shell[0-9]\.(gif|jpe?g|txt|bmp|png)\?|zehir\.asp|aflast\.txt\?|sikat\.txt\?&cmd|/lukka\?&|btn_lists\.(gif|jpe?g|txt|bmp|png)\?|dsoul/tool\?|phpbb2?_patch\?&|anggands\.(gif|jpe?g|txt|bmp|png)\?|newfile[0-9]\.(gif|jpe?g|txt|bmp|png)\?|/vsf\.vsf\?&|\.k4ka\.txt\?|(?:php|test|sql)\.txt\?|/oops?&|/maint64/index.php|/fx29sh/|fx29id[0-9]|fx29sh_update|/cyberz\.txt|/pshyco\.txt)" \
    "capture,id:390147,rev:9,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Rootkit attack: Known rootkit or remote shell',logdata:'%{TX.0}'"
    
    #|temp)/(?:(?:gif|ion|jpe?g|lala)\.ph(p(3|4)?|tml)|.*\.(?:php(3|4)?|tml|cgi|sh))
    
    #URI sigs
    SecRule REQUEST_URI "/(?:(?:cse|cmd)\.(?:c|dat|gif|jpe?g|png|sh|txt|bmp|dat|txt|js|tmp|php(?:3|4|5)?|asp)|(?:terminatorX-?exp|[a-z](?:cmd|command)[0-9]?)\.(?:gif|jpe?g|txt|bmp|php(?:3|4|5)?|png)\?|cmd(?:\.php(?:3|4|5)?|dat)|/(?:a|ijoo|oinc|s|sep|ipn|pro18|(php(?:3|4|5)?)?|shell|(?:o|0|p)wn(?:e|3)d|xpl|ssh2|too20|php(?:3|4|5)?backdoor|dblib|sfdg2)\.(?:c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|php(?:3|4|5)?|asp)\?&(?:command|cmd)=|\.it/viewde|/(?:gif|jpe?g|ion|lala|shell|/ipn|php(?:3|4|5)?shell)\.(?:php?(?:3|4|5)?|tml)|tool[12][0-9]?\.(?:ph(?:p(?:3|4|5)?|tml)|js)\?|therules25?\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?|\.dump/(bash|httpd)\.(?:txt|php?(?:3|4|5)?|gif|jpe?g|dat|bmp|png|\;| )|suntzu\.php?(?:3|4|5)?\?cmd|proxysx\.(?:gif|jpe?g|bmp|txt|asp|png)\?|shell.txt|scan1\.0/scan/|(?:/bind|/juax|linuxdaybot)\.(gif|jpe?g|txt|bmp|png)|docLib/cmd\.asp)" \
            "capture,id:390800,rev:3,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Possible Rootkit attack: Generic Attempt to run rootkit',logdata:'%{TX.0}'"
    
    
    SecRule REQUEST_URI "/(?:(?:linuxdaybot|suntzu|shell_vup|shell|(?:o|0|p)wn(?:e|3)d|xpl|ssh2?|too20|backdoor|terminatorx-?exp)\.(?:dat|gif|jpe?g|png|sh|txt|bmp|dat|txt|js|s?html?|tmp|php(?:3|4|5)?|asp)|(?:r57|fx29|c(?:99|100))\.(?:txt|php))" \
            "capture,id:390148,rev:12,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Possible Rootkit attack: Generic Attempt to run rootkit',logdata:'%{TX.0}'"
    
    #Request Body patterns
    #trick them with a 404
    SecRule RESPONSE_BODY "(?:(?:<title>[^<]*?(?:\b(?:(?:c(?:ehennemden|gi-telnet)|gamma web shell)\b|imhabirligi phpftp)|(?:r(?:emote explorer|57 ?shell)|aventis klasvayv|zehir)\b|\.::(?:news remote php shell injection::\.| rhtools\b)|ph(?:p(?:(?: commander|-terminal)\b|remoteview)|vayv)|myshell)|\b(?:(?:(?:microsoft windows\b.{,10}?\bversion\b.{,20}?\(c\) copyright 1985-.{,10}?\bmicrosoft corp|ntdaddy v[0-9]\.[0-9] - obzerve \| fux0r inc)\.|(?:www\.sanalteror\.org - indexer and read|haxplor)er|php(?:konsole| ?shell)|(c99|c100|r57) ?shell)\b|aventgrup\.<br>|drwxr| - n3t))|This is (an|a)? exploit from < ?a|php ?(4|5).+ safe_mode ?(\&|/|and)? ?open_basedir ?bypass|feelcomzfeelcomz|id: feelcomz|shirohigeshirohige|lusif3r_666|was here \.\..*uname.*uid.*gid.*free.*used|b\.o\.v sience 20[0-1][0-9]|emp3ror undetectable|(o|0)wned by hacker|feelcomz rfi scanner|by pshyco, آ. 2008 error|safemodeexecdir|sh-(inf|err): )" \
            "phase:4,t:none,ctl:auditLogParts=+E,auditlog,status:404,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Backdoor access',id:'390149',rev:11,severity:'2'"
    
    #ASP sigs
    SecRule REQUEST_URI   "\.asp\?(?:.*theact=inject&thepath=|pagename=appfileexplorer|.*showupload&thepath=)" \
            "capture,id:390150,rev:5,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Rootkit attack: ASP rootkit attempt',logdata:'%{TX.0}'"
    
    #generic payload
    #if (isset($_GET['cmd']))          passthru(stripslashes($_GET['cmd']));
    # NOTE: the next three rules all carry id:390801 (one per decoding
    # transformation). ModSecurity 2.5 accepts this, but from 2.7 on rule ids
    # must be unique and the configuration refuses to load; give each rule its
    # own id before upgrading (and adjust the SecRuleRemoveById 390801 below).
    SecRule REQUEST_URI|ARGS|REQUEST_BODY   "(?:<\? ?php (echo ?\"hi ?master |.*(system|passthru|shell_exec|exec) ?\()|error_reporting\(.*\) ?\; ?if ?\(isset ?\(.*\) ?\) (system|passthru|shell_exec|exec) ?\(|(stripslashes|passthru) ?\( ?\$_request\[\"|if \( ?get_magic_quotes_gpc\()" \
    "capture,id:390801,rev:1,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Possible Rootkit attack: Generic Attempt to insert rootkit code',logdata:'%{TX.0}'"
    SecRule REQUEST_URI|ARGS|REQUEST_BODY   "(?:<\? ?php (echo ?\"hi ?master|.*(system|passthru|shell_exec|exec) ?\()|error_reporting\(.*\) ?\; ?if ?\(isset ?\(.*\) ?\) (system|passthru|shell_exec|exec) ?\(|(stripslashes|passthru) ?\( ?\$_request\[\"|if \( ?get_magic_quotes_gpc\()" \
    "capture,t:hexDecode,id:390801,rev:1,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Possible Rootkit attack: Generic Attempt to insert rootkit code',logdata:'%{TX.0}'"
    SecRule REQUEST_URI|ARGS|REQUEST_BODY   "(?:<\? ?php (echo ?\"hi ?master|.*(system|passthru|shell_exec|exec) ?\()|error_reporting\(.*\) ?\; ?if ?\(isset ?\(.*\) ?\) (system|passthru|shell_exec|exec) ?\(|(stripslashes|passthru) ?\( ?\$_request\[\"|if \( ?get_magic_quotes_gpc\()" \
    "capture,t:base64Decode,id:390801,rev:1,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Possible Rootkit attack: Generic Attempt to insert rootkit code',logdata:'%{TX.0}'"
    
    
    #some broken attack program
    SecRule REQUEST_URI|ARGS|REQUEST_BODY "(?:_@@rndstr@@|netenberg |psybnc |fantastico_de_luxe |arta\.zip )" \
    "capture,id:390803,rev:1,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Known Wormsign',logdata:'%{TX.0}'"
    
    #wormsign sigs
    
    #New SEL attack seen
    SecRule REQUEST_URI|ARGS|REQUEST_BODY "(?:select.*from.*information_schema\.tables|and.+char\(.*\).+user.+char\(.*\))" \
    "capture,id:390804,rev:1,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Known rootkit SQL payload',logdata:'%{TX.0}'"
    
    # NOTE: id:390150 is already used by the ASP rule above; same uniqueness
    # caveat as for 390801 (an error from ModSecurity 2.7 on).
    SecRule RESPONSE_BODY "(?:add (?:new emailbases to database|high prioritet emails))" \
            "phase:4,t:none,t:lowercase,ctl:auditLogParts=+E,auditlog,status:404,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Possible spamtool installed on system',id:'390150',severity:'2'"
    
    #Rapid Leech blocks
    SecRule RESPONSE_BODY "(?:<b>rapidleech checker script|rapidleech plugmod - auto download|<title>rapidleech|You are not allowed to leech from|alt=\"rapidleech plugmod|<center>.*<a href=http://www\.rapidleech\.com>rapidleech</a>|src=\"http://www\.rapidleech\.com/logo\.gif)" \
            "phase:4,t:lowercase,ctl:auditLogParts=+E,auditlog,status:404,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Unauthorized Download Client - Rapidleech',id:'390900',rev:8,severity:'2'"
    SecRule RESPONSE_HEADERS:WWW-Authenticate "basic realm.*rapidleech" \
            "capture,phase:3,ctl:auditLogParts=+E,auditlog,status:404,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Unauthorized Download Client - Rapidleech',id:'390903',rev:1,severity:'2',logdata:'%{TX.0}'"
    
    SecRule ARGS_POST "^(ht|f)tps?://([a-z0-9_\.?]+\.)?((rapidshare|mega(?:upload|shares?)|filefactory|mediafire|depositfiles|sendspace|badongo|uploading|savefile|cocshare|axifile|turboupload|gigasize|ziddu|uploadpalace|filefront|momupload|speedyshare|rnbload|adrive|easy-share|megarotic|egoshare)\.com|ifolder\.ru|files\.to|cocoshare\.cc|(?:usaupload|bitroad)\.net|netload\.in|rapidshare\.de)/.+" \
    "capture,id:390902,rev:1,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Possible Unauthorized Download Client',logdata:'%{TX.0}'"
    #SecRule ARGS_POST "^http://(rapidshare|megaupload)\.com.+" \
    #"capture,id:390901,rev:1,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Unauthorized Download Client - Rapidleech',logdata:'%{TX.0}'"
    
    
    #WWW-Authenticate: Basic realm=\"RAPIDLEECH PLUGMOD
    SecRule ARGS:cmd "(?:ls -|find /|mysqldump |ifconfig |php |echo |perl |killall |kill |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |wget |lwp-(?:download|request|mirror|rget) |uname |cvs |svn |(?:s|r)(?:cp|sh) |net(?:stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |g?cc |cpp |g\+\+ |/s?bin/(?:xterm|id|bash|sh|echo|kill|chmod|ch?sh|python|perl|nasm|ping|mail|ssh|netstat|php|route))" \
    "capture,id:390904,rev:4,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Possible PHP Shell Command Attempt',logdata:'%{TX.0}'"
    SecRule ARGS:ev "^print [0-9];" \
    "capture,id:390905,rev:1,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Possible PHP Shell Command Attempt',logdata:'%{TX.0}'"
    
    <LocationMatch homeCounter.php>
      SecRuleRemoveById 390144
      SecRuleRemoveById 390145
    </LocationMatch>
    <LocationMatch moderation.php>
      SecRuleRemoveById 390148
    </LocationMatch>
    <LocationMatch /paadmin/file_manager.php>
      SecRuleRemoveById 390149
    </LocationMatch>
    <LocationMatch /__utm.gif>
      SecRuleRemoveById 390144
    </LocationMatch>
    <LocationMatch /administrator/index.php>
      SecRuleRemoveById 390149
    </LocationMatch>
    <LocationMatch /ota/admin/file_manager.php>
      SecRuleRemoveById 390149
    </LocationMatch>
    <LocationMatch /admin/shop_file_manager.php>
      SecRuleRemoveById 390149
    </LocationMatch>
    <LocationMatch /admin/file_manager.php>
      SecRuleRemoveById 390149
    </LocationMatch>
    <LocationMatch /modules/mod_oneononechat/chatfiles/*>
      SecRuleRemoveById 390147
    </LocationMatch>
    <LocationMatch /fud/adm/admbrowse.php>
      SecRuleRemoveById 390149
    </LocationMatch>
    <LocationMatch /wp-cron.php>
      SecRuleRemoveById 390147
    </LocationMatch>
    <LocationMatch /admin/mods/easymod/easymod_install.php>
      SecRuleRemoveById 390149
    </LocationMatch>
    <LocationMatch /e107_plugins/autogallery/autogallery.php>
      SecRuleRemoveById 390149
    </LocationMatch>
    <LocationMatch /alfresco/scripts/onload.js>
      SecRuleRemoveById 390149
    </LocationMatch>
    <LocationMatch /assets/Files/who/>
      SecRuleRemoveById 390147
    </LocationMatch>
    <LocationMatch /forum/viewtopic.php>
      SecRuleRemoveById 390149
    </LocationMatch>
    <LocationMatch /setup/>
      SecRuleRemoveById 390149
    </LocationMatch>
    <LocationMatch /administrator/index2.php>
      SecRuleRemoveById 390149
    </LocationMatch>
    <LocationMatch /sales/soap.php>
      SecRuleRemoveById 390149
    </LocationMatch>
    <LocationMatch /twg177/admin/>
      SecRuleRemoveById 390149
    </LocationMatch>
    <LocationMatch /images/smilies/>
      SecRuleRemoveById 390148
    </LocationMatch>
    <LocationMatch /admin/dogen_display.php>
      SecRuleRemoveById 390801
    </LocationMatch>
    <LocationMatch /horde/themes/graphics/>
      SecRuleRemoveById 390148
    </LocationMatch>
    <LocationMatch /whois/quick.php>
      SecRuleRemoveById 390145
    </LocationMatch>
    <LocationMatch /ubbthreads.php>
      SecRuleRemoveById 390902
    </LocationMatch>
    I know it's old, but it does what I need without problems in any scripts.
     
  12. rip_curl

    rip_curl Well-Known Member

    Hello to all.
    I know this question about modsec has been asked here a billion times, but I didn't find an answer for it; all the solutions don't work for me.

    How do I disable mod_sec for a specific user/website?
    I've added /etc/httpd/conf/userdata/std/2/USERNAME/WEBSITE/mod_security.conf
    with these records:
    Code:
    <IfModule mod_security.c>
    SecRuleEngine Off
    </IfModule>
    but nothing happens; mod_sec is still blocking some parts of the site.
    Any ideas, admins?
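    The userdata include is the right mechanism for a per-site switch, so here is an added example (not from the thread, and not a poster's code) of a version of it that takes care of the two details that decide whether such an include has any effect. It assumes cPanel's default userdata path and uses placeholder account and domain names; the three /scripts helpers it calls at the end are the ones a stock cPanel install provides for vhost includes and Apache restarts.

```sh
#!/bin/sh
# Added example, not from the thread: switch the rule engine off (or to
# detection only) for one cPanel account/domain through the same userdata
# include mechanism as in the post above. Two details decide whether it works:
#  - EasyApache builds ModSecurity 2, whose module source is mod_security2.c,
#    so an "<IfModule mod_security.c>" guard (the 1.x name) never matches and
#    the directives inside it are silently skipped;
#  - std/2 covers only the plain HTTP vhost; an SSL vhost has its own ssl/2 tree.
# USERDATA is cPanel's default; account and domain names are placeholders.

USERDATA=${USERDATA:-/etc/httpd/conf/userdata}

# Body of the include. DetectionOnly keeps logging without blocking, which is
# the better first step when a site "allows nothing"; pass Off to silence it.
modsec_include_body() {
  engine=${1:-DetectionOnly}
  cat <<EOF
<IfModule mod_security2.c>
    SecRuleEngine $engine
</IfModule>
EOF
}

# Write the include for both the plain and the SSL vhost of USER DOMAIN.
write_modsec_include() {
  user=$1; domain=$2; engine=${3:-DetectionOnly}
  for proto in std ssl; do
    dir="$USERDATA/$proto/2/$user/$domain"
    mkdir -p "$dir"
    modsec_include_body "$engine" > "$dir/modsec_engine.conf"
  done
}

# Usage (root): sh modsec_per_site.sh --apply someuser example.com Off
# cPanel then has to pick the new include up and Apache has to be reloaded.
if [ "${1:-}" = "--apply" ]; then
  write_modsec_include "$2" "$3" "${4:-DetectionOnly}"
  /scripts/ensure_vhost_includes --user="$2"
  /scripts/rebuildhttpdconf
  /scripts/restartsrv_httpd
fi
```

    After applying, confirm with /usr/local/apache/bin/httpd -t that the configuration still parses and check that httpd.conf carries an Include line for the new file; a rebuild of httpd.conf without the include means ensure_vhost_includes was skipped.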
     
  13. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

  14. rip_curl

    rip_curl Well-Known Member

    Thanks a lot Infopro, that helped me.
     
  15. mikegotroot

    mikegotroot Well-Known Member

    Yes, here is the recommended configuration for our rules with cpanel:

    https://www.atomicorp.com/wiki/inde...#Special_notes_for_CPANEL_users_not_using_ASL

    And if you are interested in using our full security suite with cpanel, send me an email at mike AT atomicorp DOT com for our private beta. If you help us beta test the cpanel version of ASL you'll get a free one year license for ASL.

    And remember, ASL-Lite is available for cpanel now!
     
  16. gkgcpanel

    gkgcpanel Well-Known Member


    Yes, they do work quite well. We have successfully installed mod_security on all our cPanel servers and are using the rules from gotroot.com.

    I have a suggestion for a new rule I would like to see. First a little explanation.

    We have noticed that in our error log file, there will sometimes be one or two IP addresses that are
    hammering the server looking for a particular page on a customer's site that no longer exists.

    In 2 days, we noticed 3 IPs that have hit the same page and received a 404 error
    over 740 thousand times.

    Running a query such as:

    Code:
    awk '{print $8}' /usr/local/apache/logs/error_log | sort | uniq -c | sort -n
    will produce results similar to this:
    ...

    22353 xxx.xxx.x.x]
    216689 xx.xxx.xx.xx]
    501219 xx.xxx.xx.xxx]

    The number on the left is the number of times that IP address on the right (designated by x's) has hit a certain page.

    I'm wondering if there is a rule that can be created that would look for 404 errors and if the number of 404 errors from a single IP address reaches let's say 1000, it blocks the IP?

    Thanks.
    Peter
     
  17. gkgcpanel

    gkgcpanel Well-Known Member

    An update on this... Yesterday, we had to reboot the server because it again had an attack on one particular site that caused 404 errors.
    This time, over a million hits in less than 20 minutes. There has to be something that can stop these types of attacks dead in their tracks. I seriously believe that a limit on the number of 404 hits a single IP can make will stop these.
     
  18. mikegotroot

    mikegotroot Well-Known Member

    Good question, so two answers - ASL can do this now (which I know doesn't help you right now, unless you want to run the ASL beta for cPanel). ASL will detect multiple 404s and will firewall off the offending IP. So, when ASL for cPanel comes out, you are set. :)

    If you can't use ASL, then it's a little more complicated but potentially possible and something we are looking into.
    So detecting the 404s is trivially easy; that's a can-do now. The real work is in preventing false positives: you don't want to block future connections without a little more analysis. What if it's a website with a bunch of missing images? You might lock out all your customers, which no one likes. ASL does this marvelously; with modsec it's possible but a bit more work and sort of reinventing the wheel (and maybe not even the wheel, might just be a horse...).

    So, modsec is a bit of a square peg for this one, but it may be doable. Because ASL already does this we haven't bothered (why do something suboptimally when you already have a solution that works), but we realize not everyone can use ASL, so we're looking at a solution that will be reasonably good at this. We don't like to put out rules with high FPs, so a little testing is in order first.

    So yes, long road to this: you can do this now with ASL; for non-ASL systems we're looking into using the state engine in modsec to do some HTTP-only blocking. It's not needed for ASL; for non-ASL systems, yep, looking into a solution.

    If you can, feel free to send us your logs for the 404 probes; real-world data is always helpful. Email them to support AT atomicorp DOT com.
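    What Mike describes as "using the state engine in modsec to do some HTTP-only blocking" looks like the following in practice. This is an added example (not from the thread, not ASL's or Atomicorp's rules) that answers Peter's 404-limit request with ModSecurity 2.x persistent collections, and it also replaces the awk one-liner from the earlier post with a parser that strips the trailing bracket. The threshold, the expiry window, the rule ids 900001-900003 (chosen away from the 390xxx ids used above), the SecDataDir location and the rule-file path are all assumptions; the sample log lines in the usage are constructed.

```sh
#!/bin/sh
# Added example, not from the thread and not ASL's code: the HTTP-only 404
# throttle Mike describes, done with ModSecurity 2.x persistent collections,
# plus a log-side check that replaces the awk one-liner from the earlier post.
# Threshold, window, rule ids 900001-900003 (chosen away from the 390xxx ids
# used above), SecDataDir and the rule file path are all assumptions.

THRESHOLD=${THRESHOLD:-1000}   # 404s per client IP before it is refused
WINDOW=${WINDOW:-600}          # seconds the counter survives after the last 404
RULES=${RULES:-/usr/local/apache/conf/modsec2.user.conf}

# Emit the rules. The counter lives in the per-IP collection, so it is shared
# across requests and Apache children; the expiry keeps a site with a handful
# of broken image links from ever reaching the threshold (Mike's false-positive
# concern), because only a sustained stream of 404s accumulates.
write_404_throttle_rules() {
  cat <<EOF
# ---- 404 flood throttle (added example) ----
# Persistent collections need a directory writable by the httpd user.
# Drop this line if modsec2.conf already sets SecDataDir.
SecDataDir /var/cache/modsecurity
# Open the per-client collection on every request.
SecAction "phase:1,nolog,pass,id:900001,initcol:ip=%{REMOTE_ADDR}"
# Refuse the request early once the client has passed the threshold.
SecRule IP:NOTFOUND_COUNTER "@gt $THRESHOLD" \\
    "phase:1,log,deny,status:403,id:900002,msg:'404 flood: more than $THRESHOLD 404s from one client'"
# Count 404s in the logging phase. Phase 5 cannot block, which is why the
# check above runs in phase 1 of the client's next request instead.
SecRule RESPONSE_STATUS "^404\$" \\
    "phase:5,nolog,pass,id:900003,setvar:ip.notfound_counter=+1,expirevar:ip.notfound_counter=$WINDOW"
EOF
}

# Log-side check for Apache 2.2 error_log lines on stdin: count
# "File does not exist" (404) hits per client IP and print "count ip" for
# every IP at or above the threshold (argument, default THRESHOLD), busiest first.
count_404_by_ip() {
  min=${1:-$THRESHOLD}
  grep 'File does not exist' \
    | sed -n 's/.*\[client \([0-9A-Fa-f.:]*\)\].*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk -v min="$min" '$1 >= min { print $1, $2 }'
}

# Usage (root): sh 404_throttle.sh --install      # append rules, test config, restart
#               count_404_by_ip 1000 < /usr/local/apache/logs/error_log
if [ "${1:-}" = "--install" ]; then
  write_404_throttle_rules >> "$RULES"
  /usr/local/apache/bin/httpd -t && /scripts/restartsrv_httpd
fi
```

    The rules only refuse further HTTP requests; the client can still open connections. If the goal is Peter's "stop it dead", the IPs that count_404_by_ip reports can be handed to CSF with csf -d (permanent) or csf -td (temporary), which is what the later reply in this thread points at.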
     
  19. augiem

    augiem Member

    A couple of Q's:
    I just installed the latest free rules for CentOS Cpanel based on: http://www.atomicorp.com/wiki/index.php/Atomic_ModSecurity_Rules

    I noticed a few things while going through the process that I'd like to get clarified:
    Under the CPanel set up section, there are inconsistent numbers for PCRE values:
    In the sample values for modsec2.user.conf:
    SecPcreMatchLimit 50000
    SecPcreMatchLimitRecursion 5000

    Below that a couple of paragraphs:
    1. Add to your PHP.INI the following commands:
    pcre.backtrack_limit = 50000
    pcre.recursion_limit = 50000

    2. And make sure your MODSEC2.USER.CONF file contains following commands:
    SecPcreMatchLimit 5000
    SecPcreMatchLimitRecursion 5000

    So the first instance says 50,000 / 5,000, the 2nd instance says 50,000 / 50,000, and the 3rd instance says 5,000 / 5,000. Which values should I be using?

    Question 2: Testing to see if the rules are loaded.
    wget http://localhost/foo.php?foo=http://fakeattacker.com

    Substituting correct values for localhost and foo.php, I get 404 error, not 403. Removing the =http://fakeattacker.com, the file downloads properly. Should it be giving a 403 like the docs say or a 404 like I'm getting?

    Thanks!
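    On the second question, the status code alone cannot settle it: a ModSecurity rule may legitimately answer 404 (several rules in the set posted earlier in this thread use status:404 deliberately), and a test script that does not exist answers 404 as well. What tells the two apart is error_log, where a ModSecurity denial is logged with the status it sent and the rule id, while Apache's own miss is logged as "File does not exist". The following is an added example (not from the thread) that reads both kinds of line; the probe URL is a placeholder, the error_log path is cPanel's default, and the log lines in the usage are constructed.

```sh
#!/bin/sh
# Added example, not from the thread. Distinguishes "ModSecurity refused the
# request" from "Apache could not find the file" by reading error_log, since a
# rule may legitimately answer 404 (several rules in the set posted above use
# status:404) and a missing test script answers 404 too.
# ERROR_LOG is cPanel's default; the probe URL is a placeholder.

ERROR_LOG=${ERROR_LOG:-/usr/local/apache/logs/error_log}

# Parse ModSecurity 2.x "Access denied" lines from stdin and print one line
# per denial: "<client> <status> <rule id> <uri>". Lines that do not carry
# all four fields are skipped.
modsec_denials() {
  sed -n 's/.*\[client \([^]]*\)\] ModSecurity: Access denied with code \([0-9]*\).*\[id "\([^"]*\)"\].*\[uri "\([^"]*\)"\].*/\1 \2 \3 \4/p'
}

# Plain Apache 404s ("File does not exist") from stdin: "<client> <path>".
apache_not_found() {
  sed -n 's/.*\[client \([^]]*\)\] File does not exist: \(.*\)$/\1 \2/p'
}

# Send one probe and report what the log says about it. Assumes the rules are
# loaded and that the probe is something they match; adjust the URL to one the
# loaded rule set is known to cover.
probe() {
  url=${1:-http://localhost/index.php?foo=http://198.51.100.1/x.txt}
  before=$(wc -l < "$ERROR_LOG")
  code=$(curl -s -o /dev/null -w '%{http_code}' "$url")
  echo "HTTP $code for $url"
  tail -n +"$((before + 1))" "$ERROR_LOG" | modsec_denials | sed 's/^/  modsec denial: /'
  tail -n +"$((before + 1))" "$ERROR_LOG" | apache_not_found | sed 's/^/  apache 404: /'
}

# Usage (root): sh modsec_probe.sh --probe 'http://www.example.com/foo.php?foo=http://198.51.100.1/x.txt'
if [ "${1:-}" = "--probe" ]; then probe "${2:-}"; fi
```

    A "modsec denial" line with code 404 means a rule fired and chose that status; an "apache 404" line with no denial means the request reached the file system untouched and the rule set did not match it.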
     
  20. nobodyk

    nobodyk Well-Known Member

    Why not use CSF to stop these attacks?
     