The Community Forums


Mod_Sec

Discussion in 'General Discussion' started by jackal, Sep 10, 2005.

  1. jackal

    jackal Well-Known Member
    PartnerNOC

    Joined:
    Feb 23, 2002
    We have had someone uploading eggdrops on one of our servers in this location.

    /usr/local/apache/proxy/

    Anyone know of a rule we could place in mod sec to stop this from happening?

    Jackal
     
  2. panayot

    panayot Well-Known Member

    Joined:
    Nov 18, 2004
    Here are my rules for mod_security. I believe this mostly stops any uploads. You can also chmod wget, ftp, etc. to be rwx only by root.
    Code:
    # WEB-ATTACKS uname -a command attempt
    SecFilterSelective THE_REQUEST "uname -a"
    
    # WEB-ATTACKS .htgroup access
    SecFilterSelective THE_REQUEST "\.htgroup"
    
    # WEB-ATTACKS .htaccess access
    SecFilterSelective THE_REQUEST "\.htaccess"
    
    # WEB-CLIENT Javascript URL host spoofing attempt
    SecFilter "javascript\://"
    
    # WEB-MISC cross site scripting \(img src=javascript\) attempt
    SecFilter "img src=javascript"
    
    # WEB-MISC cd..
    SecFilterSelective THE_REQUEST "cd\.\."
    
    # WEB-MISC ///cgi-bin access
    SecFilterSelective THE_REQUEST "///cgi-bin"
    
    # WEB-MISC /cgi-bin/// access
    SecFilterSelective THE_REQUEST "/cgi-bin///"
    
    # WEB-MISC /~root access
    SecFilterSelective THE_REQUEST "/~root"
    
    # WEB-MISC /~ftp access
    SecFilterSelective THE_REQUEST "/~ftp"
    
    # WEB-MISC htgrep attempt
    SecFilterSelective THE_REQUEST "/htgrep" chain
    SecFilter "hdr=/"
    
    # WEB-MISC htgrep access
    SecFilterSelective THE_REQUEST "/htgrep" log,pass
    
    # WEB-MISC .history access
    SecFilterSelective THE_REQUEST "/\.history"
    
    # WEB-MISC .bash_history access
    SecFilterSelective THE_REQUEST "/\.bash_history"
    
    # WEB-MISC /~nobody access
    SecFilterSelective THE_REQUEST "/~nobody"
    
    # WEB-PHP PHP-Wiki cross site scripting attempt
    SecFilterSelective THE_REQUEST "<script"
    
    # WEB-PHP strings overflow
    SecFilterSelective THE_REQUEST "\?STRENGUR"
    
    # WEB-PHP PHPLIB remote command attempt
    SecFilter "_PHPLIB\[libdir\]"
    
    ## From eth0 --------------------------------------------
    
    # Change Server: string
    SecServerSignature "Apache"
    
    # Should mod_security inspect POST payloads
    SecFilterScanPOST On
    
    # Require Content-Length to be provided with every POST request
    SecFilterSelective REQUEST_METHOD "^POST$" chain
    SecFilterSelective HTTP_Content-Length "^$"
    
    # Don't accept transfer encodings we know we don't handle (and you don't need it anyway)
    SecFilterSelective HTTP_Transfer-Encoding "!^$"
    
    # Protecting from XSS attacks through the PHP session cookie
    SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
    SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
    
    SecFilter "viewtopic\.php\?" chain
    SecFilter "chr\(([0-9]{1,3})\)" "deny,log"
    
    # Block various methods of downloading files to a server
    SecFilterSelective THE_REQUEST "wget "
    SecFilterSelective THE_REQUEST "lynx "
    SecFilterSelective THE_REQUEST "scp "
    SecFilterSelective THE_REQUEST "ftp "
    SecFilterSelective THE_REQUEST "cvs "
    SecFilterSelective THE_REQUEST "rcp "
    SecFilterSelective THE_REQUEST "curl "
    SecFilterSelective THE_REQUEST "telnet "
    SecFilterSelective THE_REQUEST "ssh "
    SecFilterSelective THE_REQUEST "echo "
    SecFilterSelective THE_REQUEST "links -dump "
    SecFilterSelective THE_REQUEST "links -dump-charset "
    SecFilterSelective THE_REQUEST "links -dump-width "
    SecFilterSelective THE_REQUEST "links http:// "
    SecFilterSelective THE_REQUEST "links ftp:// "
    SecFilterSelective THE_REQUEST "links -source "
    SecFilterSelective THE_REQUEST "mkdir "
    SecFilterSelective THE_REQUEST "cd /tmp "
    SecFilterSelective THE_REQUEST "cd /var/tmp "
    SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy "
    SecFilterSelective THE_REQUEST "system\("
    SecFilterSelective THE_REQUEST "exec\("
     
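A way to dry-run a 1.x rule set of this shape against sample request lines before turning it on, added here as an example and not code from either post. The rule subset, request lines and header names are constructed; the evaluator models only THE_REQUEST, REQUEST_METHOD, HTTP_* headers and chain/pass semantics, treats a plain SecFilter as a scan of the request line, and does not reproduce ModSecurity's own request normalisation.

```python
import re
# Constructed subset of the ModSecurity 1.x rules posted above (same syntax, fewer rules).
RULES = r'''
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"
SecFilterSelective THE_REQUEST "wget "
SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy "
SecFilterSelective THE_REQUEST "echo "
SecFilterSelective THE_REQUEST "/htgrep" log,pass
'''
RULE_RE = re.compile(r'^(SecFilter(?:Selective)?)\s+(?:([A-Za-z_][\w-]*)\s+)?'
                     r'"((?:[^"\\]|\\.)*)"\s*(.*)$')

def parse_rules(text):
    # Returns [(chain, action)]: chain = [(variable, negated, regex)], action = 'deny' or 'pass'.
    groups, chain = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError('unparsed rule: ' + line)
        _directive, var, pattern, actions = m.groups()
        chain.append((var or 'THE_REQUEST', pattern.startswith('!'), re.compile(pattern.lstrip('!'))))
        acts = {a.strip() for a in actions.strip('" ').split(',')}
        if 'chain' in acts:
            continue                  # the next rule must also match (1.x chain semantics)
        groups.append((chain, 'pass' if 'pass' in acts else 'deny'))   # deny is the 1.x default
        chain = []
    return groups

def variable_value(request, var):
    # request is a constructed dict {'line': request line, 'headers': {lowercase name: value}}
    if var.startswith('HTTP_'):       # HTTP_Content-Length -> header 'content-length'
        return request.get('headers', {}).get(var[5:].lower(), '')
    line = request['line']
    return {'THE_REQUEST': line, 'REQUEST_METHOD': line.split(' ', 1)[0]}[var]

def evaluate(request, groups):
    # Rules run in order: the first matching 'deny' chain decides; 'pass' matches are only recorded.
    hits, verdict = [], 'allow'
    for chain, action in groups:
        if all(bool(rx.search(variable_value(request, v))) != neg for v, neg, rx in chain):
            hits.append(' & '.join(rx.pattern for _, _, rx in chain))
            if action == 'deny':
                return 'deny', hits
            verdict = 'pass'
    return verdict, hits
```

Feeding it an ordinary search request such as `GET /search.php?q=echo chamber HTTP/1.1` shows the "echo " rule denying legitimate traffic, which is the kind of false positive to measure on real access logs before the rules go live.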