The Community Forums


How to install modsecurity and Suhosin from cPanel

Discussion in 'Security' started by sintman, Jan 9, 2008.

  1. sintman (Member)
    Could you please explain, and what are the best rules for modsecurity for one site on the server?
     
  2. nabuhonodozor (Member)
    Hi,
    It depends on what Apache and mod_security version you have.
    There are rules for Apache 1.x and for 2.x and you cannot mix them. Same goes for mod_security 1.9 and 2.x.
    You can find more here: http://www.gotroot.com/
    I personally have Apache 1.x and mod_security 1.x (but I am unsure about the mod_sec version) and I am using the following rules (you have to restart Apache after adding rules). IT CAN RENDER YOUR APACHE UNUSABLE, SO IF YOUR APACHE DOESN'T RESTART, REMOVE THOSE RULES AND RESTART AGAIN:

    Code:
    # BEGIN RULES
    # Only apply these directives when mod_security is actually loaded,
    # so Apache still starts if the module is missing.
    <IfModule mod_security.c>
    # Turn the filtering engine on; mod_security 1.x defaults to Off and
    # ignores every SecFilter rule below unless this is set.
    SecFilterEngine On
    # Should mod_security inspect POST payloads
    SecFilterScanPOST On
    
    #
    # Basic rules with arbitrary command detection
    
    SecFilterSelective THE_REQUEST "\.htgroup"
    SecFilterSelective THE_REQUEST "\.htaccess"
    SecFilterSelective THE_REQUEST "cd\.\."
    SecFilterSelective THE_REQUEST "///cgi-bin"
    SecFilterSelective THE_REQUEST "/cgi-bin///"
    SecFilterSelective THE_REQUEST "/~root"
    SecFilterSelective THE_REQUEST "/~ftp"
    SecFilterSelective THE_REQUEST "/htgrep" chain
    SecFilterSelective THE_REQUEST "/htgrep" log,pass
    SecFilterSelective THE_REQUEST "/\.history"
    SecFilterSelective THE_REQUEST "/\.bash_history"
    SecFilterSelective THE_REQUEST "/~nobody"
    SecFilterSelective THE_REQUEST "<script"
    SecFilterSelective THE_REQUEST "psybnc"
    SecFilterSelective THE_REQUEST "cmd=cd\x20/var"
    SecFilterSelective THE_REQUEST "dir=http"
    SecFilterSelective THE_REQUEST "\?STRENGUR"
    SecFilterSelective THE_REQUEST "/etc/motd"
    SecFilterSelective THE_REQUEST "/etc/passwd"
    SecFilterSelective THE_REQUEST "conf/httpd\.conf"
    SecFilterSelective THE_REQUEST "/bin/ps"
    SecFilterSelective THE_REQUEST "bin/tclsh"
    SecFilterSelective THE_REQUEST "tclsh8\x20"
    SecFilterSelective THE_REQUEST "udp\.pl"
    SecFilterSelective THE_REQUEST "linuxdaybot\.txt"
    SecFilterSelective THE_REQUEST "wget\x20"
    SecFilterSelective THE_REQUEST "bin/nasm"
    SecFilterSelective THE_REQUEST "nasm\x20"
    SecFilterSelective THE_REQUEST "/usr/bin/perl"
    SecFilterSelective THE_REQUEST "links -dump "
    SecFilterSelective THE_REQUEST "links -dump-(charset|width) "
    SecFilterSelective THE_REQUEST "links (http|https|ftp)\:/"
    SecFilterSelective THE_REQUEST "links -source "
    SecFilterSelective THE_REQUEST "cd\x20/(tmp|var/tmp|etc/httpd/proxy|dev/shm)" 
    SecFilterSelective THE_REQUEST "/~named(/| HTTP\/(0\.9|1\.0|1\.1)$)" 
    SecFilterSelective THE_REQUEST "/~guest(/| HTTP\/(0\.9|1\.0|1\.1)$)" 
    SecFilterSelective THE_REQUEST "/~logs(/| HTTP\/(0\.9|1\.0|1\.1)$)" 
    SecFilterSelective THE_REQUEST "/~sshd(/| HTTP\/(0\.9|1\.0|1\.1)$)" 
    SecFilterSelective THE_REQUEST "/~ftp(/| HTTP\/(0\.9|1\.0|1\.1)$)" 
    SecFilterSelective THE_REQUEST "/~bin(/| HTTP\/(0\.9|1\.0|1\.1)$)" 
    SecFilterSelective THE_REQUEST "/~nobody(/| HTTP\/(0\.9|1\.0|1\.1)$)"  
    SecFilterSelective THE_REQUEST "/\.history HTTP\/(0\.9|1\.0|1\.1)$" 
    SecFilterSelective THE_REQUEST "/\.bash_history HTTP\/(0\.9|1\.0|1\.1)$"
    SecFilterSelective REQUEST_URI "/nessus_is_probing_you_"
    SecFilterSelective REQUEST_URI "/NessusTest"
    SecFilter "javascript\://"
    SecFilter "img src=javascript"
    SecFilter "_PHPLIB\[libdir\]"
    SecFilter "hdr=/"
    
    # BCC form to email manipulation
    SecFilterSelective POST_PAYLOAD "Subject\:" chain
    SecFilterSelective ARG_Bcc ".*\@"
    SecFilterSelective POST_PAYLOAD "Subject\:" chain
    SecFilterSelective POST_PAYLOAD "\s*bcc\:"
    SecFilterSelective ARGS_VALUES "\n\s*bcc\:.*\@"
    
    # Miscellaneous malicious requests
    # These rules can be very effective, however "general" rules such as the following
    # have issues with false positives in some environments. Comment out as needed.
    ##
    
    #XSS attempts for STYLE, VBSCRIPT, JAVASCRIPT, EXPRESSION, and XML
    # mod_security 1.x patterns are plain PCRE: a trailing "/i" is matched as two
    # literal characters, not as a case-insensitivity flag, so (?i) is used instead.
    SecFilterSelective THE_REQUEST "(?i)<IMG[^>]*\bonerror\b\s*="
    SecFilterSelective THE_REQUEST "(?i)TYPE\s*=\s*[\'\"]text\/javascript"
    SecFilterSelective THE_REQUEST "(?i)TYPE\s*=\s*[\'\"]application\/x-javascript"
    SecFilterSelective THE_REQUEST "(?i)TYPE\s*=\s*[\'\"]text\/jscript"
    SecFilterSelective THE_REQUEST "(?i)TYPE\s*=\s*[\'\"]text\/vbscript"
    SecFilterSelective THE_REQUEST "(?i)TYPE\s*=\s*[\'\"]application\/x-vbscript"
    SecFilterSelective THE_REQUEST "(?i)TYPE\s*=\s*[\'\"]text\/ecmascript"
    SecFilterSelective THE_REQUEST "(?i)STYLE\s*=\s*[^>]*expression\s*\("
    SecFilterSelective THE_REQUEST "(?i)expression\s*\([^}]*\}\s*<\/STYLE>"
    SecFilterSelective THE_REQUEST "<!\[CDATA\[<\]\]>SCRIPT"
    
    #XSS insertion into Content-Type
    SecFilterSelective THE_REQUEST "Content-Type\:.*(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=|javascript\:)"
    #Not included by default for safer config
    #SecFilterSelective REQUEST_METHOD "!^(GET|HEAD)$" chain
    #SecFilterSelective HTTP_Content-Type "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data)"
    
    #Require Content-Length to be provided with every POST request
    SecFilterSelective REQUEST_METHOD "^POST$" chain
    SecFilterSelective HTTP_Content-Length "^$"
    #Reject any request carrying a Transfer-Encoding header (e.g. chunked) instead of Content-Length
    SecFilterSelective HTTP_Transfer-Encoding "!^$"
    
    #Generic PHP remote file inclusion attack signature
    SecFilter "(cmd|command)=(cd|\;|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"
    #SecFilterSelective REQUEST_URI "\.php\?" chain
    #SecFilter "(http|https|ftp)\:/" chain
    #SecFilter "(cmd|command)=.*(cd|\;|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"
    
    #Specific XML-RPC attacks on xmlrpc.php
    SecFilterSelective THE_REQUEST "(/xmlrpc|.*xmlrpc_services)\.php" chain
    SecFilter "(\<xml|\<.*xml)" chain
    SecFilter "(echo( |\(|\').*\;|chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;"
    
    #XML-RPC SQL injection generic signature
    SecFilterSelective THE_REQUEST "(/xmlrpc|.*xmlrpc_services)\.php" chain
    SecFilter "<methodName>.*</methodName>.*<value><string>.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view).*methodName\>"
    
    
    
    # Application specific rules
    # This is a compilation of rulesets made for specific vulnerabilities that exist
    # in out-dated, popular web-applications.
    ###
    
    
    #
    # Mambo: General Defense
    
    #Mambo 'com_contents' Input Validation Hole in 'user_rating' SQL Injection 
    SecFilterSelective REQUEST_URI "/index\.php\?option=com_content&task=vote&id=.*&Itemid=.*&cid=.*&user_rating=.*\((select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+(from|into|table|database|index|view)"
    
    #Mambo "user_rating" SQL Injection Vulnerability
    SecFilterSelective REQUEST_URI "/content\.php" chain
    SecFilterSelective ARG_user_rating ".*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
    
    #Mambo "register_globals" Emulation Layer Overwrite Vulnerability
    SecFilterSelective ARG_mosConfig_absolute_path "(\.\./\.\.|/|(http|https|ftp)\:/)"
    SecFilterSelective REQUEST_URI "/index(2?)\.php\?.*mosConfig_absolute_path=(http|https|ftp)\:\/"
    SecFilterSelective REQUEST_URI "/emailfriend/(emailarticle|emailfaq|emailnews)\.php\?id=\"(\<script|(http|https|ftp)\:/)"
    
    
    
    #
    # phpMyadmin: general defense
    
    #Parameter Arbitrary Command Execution
    SecFilterSelective REQUEST_URI "calendar\.php\?calbirthdays=.*&action=.*&day=.*&comma=*(cd|\;|perl|python|rpm|yum|apt-get|emerge|lynx|links|mkdir|elinks|cmd|pwd|wget|lwp-(download|request|mirror|rget)|id|uname|cvs|svn|(r|s)sh|(s|r)cp|rexec|smbclient|t?ftp|ncftp|curl|telnet|gcc|cc|g\+\+|\./)"
    SecFilterSelective REQUEST_URI "/calendar\.php\?calbirthdays=.*&action=getday&day=.*&comma=\x22;"
    
    #phpMyAdmin Export.PHP File Disclosure Vulnerability
    SecFilterSelective SCRIPT_FILENAME "export\.php$" chain
    SecFilterSelective ARG_what "\.\."
    
    #phpMyAdmin path vln
    SecFilterSelective REQUEST_URI "/css/phpmyadmin\.css\.php\?GLOBALS\[cfg\]\[ThemePath\]=/etc"
    
    #phpMyAdmin convcharset Parameter Cross Site Scripting
    SecFilterSelective REQUEST_URI "/phpmyadmin/index\.php\?pma_username=*&pma_password=*&server=.*&lang=.*&convcharset=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
    
    
    
    # AWStats: General Defense
    
    #awstats XSS vulnerabilities
    # NOTE: this chain fires on any request mentioning awstats whose parameters merely
    # contain words such as "print" or "cgi"; expect false positives and tune per site.
    SecFilterSelective THE_REQUEST "awstats" chain
    SecFilterSelective ARGS "(pluginmode|loadplugin|debug|configdir|perl|cgi|chmod|exec|print)"
    SecFilterSelective REQUEST_URI  "/awstats\.pl\?(configdir|update|pluginmode|cgi)=(\||echo|\:system\()"
    SecFilterSelective REQUEST_URI  "/awstats\.pl\?(debug=1|pluginmode=rawlog\&loadplugin=rawlog|update=1\&logfile=\|)"
    SecFilterSelective REQUEST_URI  "/awstats\.pl\?[^\r\n]*logfile=\|"
    SecFilterSelective REQUEST_URI  "/awstats\.pl\?configdir="
    SecFilterSelective REQUEST_URI  "awstats\.pl\?" chain
    SecFilterSelective ARGS "(debug|configdir|perl|chmod|exec|print|cgi)"
    
    #awstats probe
    SecFilterSelective THE_REQUEST  "/awstats\.pl HTTP\/(0\.9|1\.0|1\.1)$"
    
    </IfModule>
    
    
    
    I couldn't paste the whole ruleset because of the character limitation this forum has.

    As you can see, at the beginning there are general rules, but later on there are some application-specific rules. mod_security rules can be very sophisticated. Check more at gotroot.
    Best regards,
    Piotr
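A dry-run harness for rules of this kind, added here as an example; it is not code from the post above or from gotroot. It re-implements only the slice of mod_security 1.x syntax the posted list uses (`SecFilter`, `SecFilterSelective` on `THE_REQUEST`, `REQUEST_URI` and `REQUEST_METHOD`, `!` negation, `chain`, and `pass`) and matches patterns with Python's `re` against the raw request text, so mod_security's own URL normalisation is not reproduced. The ruleset excerpt and the sample requests are constructed for this example. It shows three things worth knowing before restarting Apache with a list like this: which requests a rule blocks, that a broad substring such as `dir=http` also catches a legitimate `redir=http://...` parameter, and that a Perl-style `/i` suffix copied into a pattern is matched as literal characters rather than acting as a case-insensitivity flag (the `(?i)` form that does work is shown next to it).

```python
"""Dry-run harness for mod_security 1.x SecFilter / SecFilterSelective rules.

Added example, not part of the forum post. Supports only the syntax used in the
posted ruleset: THE_REQUEST, REQUEST_URI, REQUEST_METHOD, plain SecFilter,
'!' negation, 'chain' and 'pass'. Patterns are matched against the raw text;
mod_security's request normalisation is NOT reproduced.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed excerpt in the style of the posted rules, plus two variants of the
# IMG/onerror rule: the trailing "/Ri" form (Perl-style modifier, which a plain
# PCRE pattern matches as literal characters) and a working (?i) form.
RULESET = r'''
SecFilterSelective THE_REQUEST "/etc/passwd"
SecFilterSelective THE_REQUEST "<script"
SecFilterSelective THE_REQUEST "dir=http"
SecFilterSelective THE_REQUEST "/htgrep" chain
SecFilterSelective THE_REQUEST "/htgrep" log,pass
SecFilterSelective REQUEST_URI "/NessusTest"
SecFilterSelective REQUEST_METHOD "!^(GET|HEAD|POST)$"
SecFilter "javascript\://"
SecFilterSelective THE_REQUEST "\<IMG.*/\bonerror\b[\s]*=/Ri"
SecFilterSelective THE_REQUEST "(?i)<IMG[^>]*\bonerror\b\s*="
'''

# SecFilterSelective VARIABLE "pattern" [actions]   |   SecFilter "pattern" [actions]
RULE_RE = re.compile(r'^(?:SecFilterSelective\s+(\S+)|SecFilter)\s+"((?:[^"\\]|\\.)*)"\s*(.*)$')


@dataclass
class Rule:
    variable: str        # THE_REQUEST, REQUEST_URI, REQUEST_METHOD, or "*" (SecFilter: anywhere)
    pattern: re.Pattern
    raw: str             # pattern text as written in the ruleset
    negate: bool         # pattern started with "!"
    actions: List[str]

    def matches(self, views: Dict[str, str]) -> bool:
        if self.variable not in views:
            raise ValueError(f"variable {self.variable} not supported by this harness")
        return (self.pattern.search(views[self.variable]) is not None) != self.negate


def parse_rules(text: str) -> List[List[Rule]]:
    """Return rules grouped into chains; a group of one is an ordinary rule."""
    groups, current = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed line: {line}")
        variable, raw, action_str = m.group(1) or "*", m.group(2), m.group(3)
        negate = raw.startswith("!")
        actions = [a.strip() for a in action_str.split(",") if a.strip()]
        current.append(Rule(variable, re.compile(raw[1:] if negate else raw), raw, negate, actions))
        if "chain" not in actions:          # a rule without 'chain' closes the group
            groups.append(current)
            current = []
    if current:
        raise ValueError("ruleset ends inside a chain")
    return groups


def check_request(groups: List[List[Rule]], request_line: str, body: str = "") -> Dict:
    """Evaluate one request. A chain fires only if every rule in it matches; as in
    the posted ruleset, the action list is taken from the last rule of the chain,
    and 'pass' turns a hit into log-only instead of a block."""
    parts = request_line.split(" ")
    method, uri = parts[0], (parts[1] if len(parts) > 1 else "")
    views = {"THE_REQUEST": request_line, "REQUEST_URI": uri,
             "REQUEST_METHOD": method, "*": request_line + "\n" + body}
    hits, blocked = [], False
    for group in groups:
        if all(rule.matches(views) for rule in group):
            last = group[-1]
            hits.append(last.raw)
            if "pass" not in last.actions:
                blocked = True
    return {"blocked": blocked, "hits": hits}


# Constructed sample traffic: a clean request, attacks (raw and unencoded, as
# attack tools often send them), a log-only hit, and one false positive.
SAMPLES = {
    "clean":       ("GET /index.html HTTP/1.1", ""),
    "lfi":         ("GET /index.php?page=../../../../etc/passwd HTTP/1.1", ""),
    "redirect_fp": ("GET /login?redir=http://example.com/home HTTP/1.1", ""),  # legit, but "dir=http" matches
    "htgrep":      ("GET /cgi-bin/htgrep?file=index.html HTTP/1.1", ""),
    "nessus":      ("GET /NessusTest HTTP/1.1", ""),
    "trace":       ("TRACE / HTTP/1.1", ""),
    "body_xss":    ("POST /comment HTTP/1.1", "text=<a href=javascript://x>hi</a>"),
    "img_onerror": ('GET /?c=<IMG src=x onerror="alert(1)"> HTTP/1.1', ""),
}


def run_samples(ruleset: str = RULESET) -> Dict[str, Dict]:
    groups = parse_rules(ruleset)
    return {name: check_request(groups, line, body) for name, (line, body) in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        verdict = "BLOCK" if result["blocked"] else ("LOG" if result["hits"] else "allow")
        print(f"{name:12} {verdict:5} {result['hits']}")
```

Run it as a script to print one verdict per sample, or import it and call `run_samples()` with your own ruleset text. It checks regex behaviour only; it is not a substitute for `apachectl configtest` (or `httpd -t`), which is the check to run before the restart the post warns about, since that is what catches a rule Apache refuses to load.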
     