Mod Security rules

Discussion in 'Security' started by gahelm, Dec 9, 2005.

  1. gahelm

    gahelm Active Member

    I tried to add the following rules via the "Edit Config" function in WHM found in the addons section. When I do this it won't let me save the file, so I went in via SSH and modified the file directly. After completing the edit, Apache failed to start. When I place these rules directly in the modsec.conf file it runs fine. The problem is of course that cPanel will overwrite this file. Any ideas why I can't put this in the modsec.conf.user file? (By the way, I removed the <IfModule mod_security.c> at the beginning and the </IfModule> at the end before adding it to the user config file.)

    <IfModule mod_security.c>
    # Everything inside this block is processed only when mod_security is loaded.
    # Turn the filtering engine On or Off
    SecFilterEngine On

    # Change Server: string
    # (only the advertised Server: response header value is changed)
    SecServerSignature "Apache 3"


    # This setting should be set to On only if the Web site is
    # using the Unicode encoding. Otherwise it may interfere with
    # the normal Web site operation.
    SecFilterCheckUnicodeEncoding Off

    # The audit engine works independently and
    # can be turned On or Off on the per-server or
    # on the per-directory basis. "On" will log everything,
    # "DynamicOrRelevant" will log dynamic requests or violations,
    # and "RelevantOnly" will only log policy violations
    SecAuditEngine RelevantOnly

    # The name of the audit log file
    # (relative path, resolved against ServerRoot)
    SecAuditLog logs/audit_log

    # Should mod_security inspect POST payloads
    # With On, the unselective SecFilter rules further down also see request bodies.
    SecFilterScanPOST On

    # Action to take by default
    # Every filter below that carries no action list of its own uses this:
    # reject with HTTP 403 and write an audit entry.
    SecFilterDefaultAction "deny,log,status:403"

    ## ## ## ## ## ## ## ## ## ##
    ## ## ## ## ## ## ## ## ## ##

    ####################################
    # FRONTPAGE
    ####################################
    # FrontPage Server Extensions exclusions. "pass" only prevents this rule
    # from blocking the request; every later rule still runs against it.


    SecFilterSelective THE_REQUEST "/admin/index\.php" pass

    # NOTE(review): "allow" (unlike "pass") ends filtering for the request, so
    # none of the rules below apply to it, and an unselective SecFilter matches
    # the string anywhere in the request line and, with SecFilterScanPOST On,
    # in the body, not only in the path. A SecFilterSelective THE_REQUEST rule
    # with an anchored path and "pass" would keep the remaining rules in force.
    SecFilter "_vti_bin" allow
    SecFilterSelective THE_REQUEST "/fpsrvadm\.exe" pass
    SecFilterSelective THE_REQUEST "/fpremadm\.exe" pass
    SecFilterSelective THE_REQUEST "/admisapi/fpadmin\.htm" pass
    SecFilterSelective THE_REQUEST "/scripts/Fpadmcgi\.exe" pass
    SecFilterSelective THE_REQUEST "/_private/orders\.txt" pass
    SecFilterSelective THE_REQUEST "/_private/form_results\.txt" pass
    SecFilterSelective THE_REQUEST "/_private/registrations\.htm" pass
    SecFilterSelective THE_REQUEST "/cfgwiz\.exe" pass
    SecFilterSelective THE_REQUEST "/authors\.pwd" pass
    SecFilterSelective THE_REQUEST "/_vti_bin/_vti_aut/author\.exe" pass
    SecFilterSelective THE_REQUEST "/administrators\.pwd" pass
    SecFilterSelective THE_REQUEST "/_private/form_results\.htm" pass
    SecFilterSelective THE_REQUEST "/_vti_pvt/access\.cnf" pass
    SecFilterSelective THE_REQUEST "/_private/register\.txt" pass
    SecFilterSelective THE_REQUEST "/_private/registrations\.txt" pass
    SecFilterSelective THE_REQUEST "/_vti_pvt/service\.cnf" pass
    SecFilterSelective THE_REQUEST "/service\.pwd" pass
    SecFilterSelective THE_REQUEST "/_vti_pvt/service\.stp" pass
    SecFilterSelective THE_REQUEST "/_vti_pvt/services\.cnf" pass
    SecFilterSelective THE_REQUEST "/_vti_bin/shtml\.exe" pass
    SecFilterSelective THE_REQUEST "/_vti_pvt/svcacl\.cnf" pass
    SecFilterSelective THE_REQUEST "/users\.pwd" pass
    SecFilterSelective THE_REQUEST "/_vti_pvt/writeto\.cnf" pass
    SecFilterSelective THE_REQUEST "/dvwssr\.dll" pass
    SecFilterSelective THE_REQUEST "/_private/register\.htm" pass
    SecFilterSelective THE_REQUEST "/_vti_bin/" pass
    # NOTE(review): "." is unescaped in the next two patterns (compare the
    # escaped "/admin/index\.php" at the top of this section), so it matches
    # any character; the second rule also duplicates that earlier rule.
    SecFilterSelective THE_REQUEST "/cgi-bin/tgp/admin/main.cgi" pass,nolog
    SecFilterSelective THE_REQUEST "/admin/index.php" pass,nolog
    #########ALLOW RULES ADDED OCT 12 2005 BY KRIS##
    # SQL-keyword exclusions: inside each <LocationMatch> the SQL pattern is
    # given "pass,nolog", i.e. a match there is neither blocked nor logged.
    # LocationMatch takes a regular expression against the URL path, so the
    # unescaped "." in every path below matches any character.
    # NOTE(review): in the bracket expressions "[A-Z|a-z|0-9|\*| |\,]" the "|"
    # is a literal character, not alternation, so the class also matches "|";
    # "[A-Za-z0-9* ,]" is presumably what was meant — verify before changing.

    #generic PHP forum posting exclusion
    <LocationMatch "/posting.php">
    SecFilter "[[:space:]]+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]" pass,nolog
    </LocationMatch>

    #PhpBB posting
    # NOTE(review): LocationMatch sees only the URL path, never the query
    # string, so a pattern containing "?name=PNphpBB2&file=posting" cannot
    # match a real request (and "?" is a regex quantifier here). This
    # exclusion, and the Postnuke one below, most likely never take effect;
    # the audit log would confirm whether those postings are still denied.
    <LocationMatch "/index.php?name=PNphpBB2&file=posting&mode=reply.*">
    SecFilter "[[:space:]]+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]" pass,nolog
    </LocationMatch>

    #Postnuke uploads
    # NOTE(review): same query-string problem as the PhpBB block above.
    <LocationMatch "/modules.php?op=modload&name=Downloads.*">
    SecFilter "[[:space:]]+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]" pass,nolog
    </LocationMatch>

    #Squirrel mail and Horde postings
    <LocationMatch "/horde/imp/compose.php">
    SecFilter "[[:space:]]+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]" pass,nolog
    </LocationMatch>

    #Phorum posting
    # These two use POST_PAYLOAD explicitly rather than the unselective SecFilter.
    <LocationMatch "/phorum/post.php">
    SecFilterSelective POST_PAYLOAD "[[:space:]]+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]" pass,nolog
    </LocationMatch>

    <LocationMatch "/tiki-editpage.php">
    SecFilterSelective POST_PAYLOAD "[[:space:]]+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]" pass,nolog
    </LocationMatch>

    <LocationMatch "/misc.php">
    SecFilter "[[:space:]]+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]" pass,nolog
    </LocationMatch>


    ###########################################
    #Double pipe exclusion rules
    ###########################################
    # Requests to fpcount.exe whose request line contains one or more "|"
    # followed later by two spaces and another "|" are passed unlogged.
    <LocationMatch "/_vti_bin/fpcount.exe">
    SecFilterSelective THE_REQUEST "\|+.*[\x20].*[\x20].*\|" pass,nolog
    </LocationMatch>

    ###########################################
    #Front page exclusions
    ###########################################
    # SecFilterInheritance Off discards every rule inherited from the
    # enclosing context, and no rule is defined here, so requests for
    # author.exe under this path are not filtered at all.
    <LocationMatch "/_vti_bin/_vti_aut/author.exe">
    SecFilterInheritance Off
    </LocationMatch>



    # Require HTTP_USER_AGENT and HTTP_HOST in all requests
    # (left disabled)
    # SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

    # Require Content-Length to be provided with
    # every POST request
    # chain: the second rule is evaluated only when the first matches; a POST
    # whose Content-Length header is empty/absent then gets the default action.
    SecFilterSelective REQUEST_METHOD "^POST$" chain
    SecFilterSelective HTTP_Content-Length "^$"

    # Don't accept transfer encodings we know we don't handle
    # (and you don't need it anyway)
    # "!" negates the pattern: any non-empty Transfer-Encoding header is rejected.
    SecFilterSelective HTTP_Transfer-Encoding "!^$"

    # Protecting from XSS attacks through the PHP session cookie
    # Rejects a PHPSESSID argument or cookie containing anything outside [0-9a-z].
    SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
    SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"

    # chain: a viewtopic.php request is denied only if it also contains chr(NNN);
    # the explicit action on the second rule is what applies.
    SecFilter "viewtopic\.php\?" chain
    SecFilter "chr\(([0-9]{1,3})\)" "deny,log"

    # Signature strings. Each unselective SecFilter uses the default action
    # and is matched against the request URI and, with SecFilterScanPOST On,
    # the request body. "." is escaped in some patterns but not all.
    SecFilter "cgitelnet"
    SecFilter "nstview\.php"
    SecFilter "shell\.pl"
    SecFilter "shell\.php"
    SecFilter "nph-proxy"
    SecFilter "proxy\.cgi"
    SecFilter "proxy\.pl"
    SecFilter "000100A"
    SecFilter "http/www\."
    SecFilter "adxmlrpc.php"
    SecFilter "lupii"
    SecFilter "/cgi-bin/awstats/"
    SecFilter "/scgi-bin/awstats/"
    SecFilter "/cgi/awstats/"
    SecFilter "/scgi/awstats/"
    # NOTE(review): duplicate of the "nph-proxy" rule a few lines above.
    SecFilter "nph-proxy"
    SecFilter "fetch\x20"
    #Added Nov 23 2005
    SecFilter "proxy\.php"
    SecFilter "perl\x20kut"
    #SecFilter "/scripts/"
    SecFilter "/cgi-bin/stats/"
    SecFilter "/scgi-bin/stats/"
    #SecFilter "/stats/"
    #SecFilter "xmlrpc.php"
    # The unanchored "xmlrpc" pattern also covers the commented-out
    # "xmlrpc.php" form and any other request containing that substring.
    SecFilter "xmlrpc"
    SecFilter "xml_rpc"
    SecFilter "xml-rpc"
    SecFilter "/cgi-bin/includer.cgi"
    SecFilter "/sgi-cgi/includer.cgi"
    SecFilter "/includer/cgi"
    SecFilter "/cgi-bin/include/includer\.cgi"
    SecFilter "/scgi-bin/include/includer\.cgi"
    SecFilter "/cgi-bin/inc/includer\.cgi"
    SecFilter "/scgi-bin/inc/includer\.cgi"
    SecFilter "/cgi-local/includer\.cgi"
    SecFilter "/scgi-local/includer\.cgi"
    SecFilter "/cgi/includer\.cgi"
    SecFilter "/scgi/includer\.cgi"
    SecFilter "/hints\.pl"
    SecFilter "/cgi/hints\.pl"
    SecFilter "/scgi/hints\.pl"
    SecFilter "/cgi-bin/hints\.pl"
    SecFilter "/scgi-bin/hints\.pl"
    SecFilter "/hints/hints\.pl"
    SecFilter "/cgi-bin/webhints/hints\.pl"
    SecFilter "/scgi-bin/webhints/hints\.pl"
    SecFilter "hints\.cgi"

    # Block various methods of downloading files to a server
    # The trailing space inside the quotes is part of each pattern, so e.g.
    # "wget " matches only when the word is followed by a space.

    SecFilterSelective THE_REQUEST "wget "
    SecFilterSelective THE_REQUEST "lynx "
    SecFilterSelective THE_REQUEST "scp "
    SecFilterSelective THE_REQUEST "ftp "
    SecFilterSelective THE_REQUEST "cvs "
    SecFilterSelective THE_REQUEST "rcp "
    SecFilterSelective THE_REQUEST "perl "
    SecFilterSelective THE_REQUEST "curl "
    SecFilterSelective THE_REQUEST "telnet "
    #SecFilterSelective THE_REQUEST "echo "
    SecFilterSelective THE_REQUEST "links -dump "
    SecFilterSelective THE_REQUEST "links -dump-charset "
    SecFilterSelective THE_REQUEST "links -dump-width "
    SecFilterSelective THE_REQUEST "links http:// "
    SecFilterSelective THE_REQUEST "links ftp:// "
    SecFilterSelective THE_REQUEST "links -source "
    SecFilterSelective THE_REQUEST "mkdir "
    SecFilterSelective THE_REQUEST "cd /tmp "
    SecFilterSelective THE_REQUEST "cd /var/spool "
    SecFilterSelective THE_REQUEST "&highlight=%2527%252E "
    SecFilterSelective THE_REQUEST "changedir=%2Ftmp%2F.php "
    SecFilterSelective THE_REQUEST "cd /dev/shm "
    SecFilterSelective THE_REQUEST "cd /var/tmp "
    SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy "
    # NOTE(review): the unescaped "?" makes the preceding "l" optional instead
    # of matching a literal "?"; "awstats\.pl\?configdir" is the literal form.
    SecFilterSelective THE_REQUEST "awstats\.pl?configdir"
    # Unselective: any request containing "awstats.pl" is blocked, which
    # largely subsumes the selective rule just above.
    SecFilter "awstats\.pl"
    SecFilterSelective THE_REQUEST "/config\.php?v=1&DIR "
    # NOTE(review): the dots are unescaped, so this matches any
    # "/xx/yy/ " sequence; "/\.\./\.\./ " is the literal form.
    SecFilterSelective THE_REQUEST "/../../ "
    # NOTE(review): duplicates of the highlight/changedir rules above
    # (this changedir form escapes the dot, the earlier one does not).
    SecFilterSelective THE_REQUEST "&highlight=%2527%252E "
    SecFilterSelective THE_REQUEST "changedir=%2Ftmp%2F\.php "
    #

    The rest was removed to shorten the message....
     
  2. neonix

    neonix Well-Known Member

    /usr/local/apache/bin/apachectl configtest
    will show you why Apache failed to start.



    root@pac3 [/etc/httpd/conf]# cat /usr/local/apache/conf/modsec.conf

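    <IfModule mod_security.c>
    # Baseline engine settings; per the thread, cPanel overwrites this file,
    # so site-specific rules belong in the included user file at the bottom.
    SecFilterEngine On
    SecFilterCheckURLEncoding On
    SecFilterForceByteRange 0 255
    SecAuditEngine RelevantOnly
    SecAuditLog logs/audit_log
    SecFilterDebugLog logs/modsec_debug_log
    SecFilterDebugLevel 0
    # Filters without their own action list deny with HTTP 406 and log.
    SecFilterDefaultAction "deny,log,status:406"
    # Loopback requests skip all filtering ("allow" ends processing).
    # Dots are escaped so only the literal address matches; the unescaped
    # "^127.0.0.1$" lets "." stand for any character.
    SecFilterSelective REMOTE_ADDR "^127\.0\.0\.1$" nolog,allow
    # User rules are read here, inside the IfModule, after the directives above.
    Include "/usr/local/apache/conf/modsec.user.conf"
    </IfModule>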
     