Mod_Sec

Discussion in 'General Discussion' started by jackal, Sep 10, 2005.

  1. jackal

    We have had someone uploading eggdrops on one of our servers in this location.

    /usr/local/apache/proxy/

    Anyone know of a rule we could place in mod sec to stop this from happening?

    Jackal
     
  2. panayot

    Here are my rules for mod_security. I believe this mostly stops any uploads. You can also chmod wget, ftp, etc. to be rwx only by root.
    Code:
    # WEB-ATTACKS uname -a command attempt
    SecFilterSelective THE_REQUEST "uname -a"
    
    # WEB-ATTACKS .htgroup access
    SecFilterSelective THE_REQUEST "\.htgroup"
    
    # WEB-ATTACKS .htaccess access
    SecFilterSelective THE_REQUEST "\.htaccess"
    
    # WEB-CLIENT Javascript URL host spoofing attempt
    SecFilter "javascript\://"
    
    # WEB-MISC cross site scripting \(img src=javascript\) attempt
    SecFilter "img src=javascript"
    
    # WEB-MISC cd..
    SecFilterSelective THE_REQUEST "cd\.\."
    
    # WEB-MISC ///cgi-bin access
    SecFilterSelective THE_REQUEST "///cgi-bin"
    
    # WEB-MISC /cgi-bin/// access
    SecFilterSelective THE_REQUEST "/cgi-bin///"
    
    # WEB-MISC /~root access
    SecFilterSelective THE_REQUEST "/~root"
    
    # WEB-MISC /~ftp access
    SecFilterSelective THE_REQUEST "/~ftp"
    
    # WEB-MISC htgrep attempt
    SecFilterSelective THE_REQUEST "/htgrep" chain
    SecFilter "hdr=/"
    
    # WEB-MISC htgrep access
    SecFilterSelective THE_REQUEST "/htgrep" log,pass
    
    # WEB-MISC .history access
    SecFilterSelective THE_REQUEST "/\.history"
    
    # WEB-MISC .bash_history access
    SecFilterSelective THE_REQUEST "/\.bash_history"
    
    # WEB-MISC /~nobody access
    SecFilterSelective THE_REQUEST "/~nobody"
    
    # WEB-PHP PHP-Wiki cross site scripting attempt
    SecFilterSelective THE_REQUEST "<script"
    
    # WEB-PHP strings overflow
    SecFilterSelective THE_REQUEST "\?STRENGUR"
    
    # WEB-PHP PHPLIB remote command attempt
    SecFilter "_PHPLIB\[libdir\]"
    
    ## From eth0 --------------------------------------------
    
    # Change Server: string
    SecServerSignature "Apache"
    
    # Should mod_security inspect POST payloads
    SecFilterScanPOST On
    
    # Require Content-Length to be provided with every POST request
    SecFilterSelective REQUEST_METHOD "^POST$" chain
    SecFilterSelective HTTP_Content-Length "^$"
    
    # Don't accept transfer encodings we know we don't handle (and you don't need it anyway)
    SecFilterSelective HTTP_Transfer-Encoding "!^$"
    
    # Protecting from XSS attacks through the PHP session cookie
    SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
    SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
    
    SecFilter "viewtopic\.php\?" chain
    SecFilter "chr\(([0-9]{1,3})\)" "deny,log"
    
    # Block various methods of downloading files to a server
    SecFilterSelective THE_REQUEST "wget "
    SecFilterSelective THE_REQUEST "lynx "
    SecFilterSelective THE_REQUEST "scp "
    SecFilterSelective THE_REQUEST "ftp "
    SecFilterSelective THE_REQUEST "cvs "
    SecFilterSelective THE_REQUEST "rcp "
    SecFilterSelective THE_REQUEST "curl "
    SecFilterSelective THE_REQUEST "telnet "
    SecFilterSelective THE_REQUEST "ssh "
    SecFilterSelective THE_REQUEST "echo "
    SecFilterSelective THE_REQUEST "links -dump "
    SecFilterSelective THE_REQUEST "links -dump-charset "
    SecFilterSelective THE_REQUEST "links -dump-width "
    SecFilterSelective THE_REQUEST "links http:// "
    SecFilterSelective THE_REQUEST "links ftp:// "
    SecFilterSelective THE_REQUEST "links -source "
    SecFilterSelective THE_REQUEST "mkdir "
    SecFilterSelective THE_REQUEST "cd /tmp "
    SecFilterSelective THE_REQUEST "cd /var/tmp "
    SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy "
    SecFilterSelective THE_REQUEST "system\("
    SecFilterSelective THE_REQUEST "exec\("
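
A host-side check to go with the rules above, as an added example that is not part of either post: it reports download tools that have not yet been restricted to "rwx only by root", and executable files sitting in the directory named in the first post. The function names, the directory arguments and the Apache account name `nobody` are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Function names and arguments are
# assumptions made for this sketch.

# Print each named tool in directory $1 that group or other users can still
# execute, i.e. one that has not been restricted to owner-only (mode 0700).
tools_still_executable() {
    bindir=$1
    shift
    for tool in "$@"; do
        [ -e "$bindir/$tool" ] || continue
        # -H follows a symlinked tool name to the real binary.
        # -perm -0010 / -0001 match the group-execute / other-execute bits.
        find -H "$bindir/$tool" -type f \( -perm -0010 -o -perm -0001 \) -print
    done
}

# Print regular files under directory $1 that belong to account $2 and carry
# any execute bit. Cache data has no reason to be executable; an uploaded
# binary has to be.
executables_owned_by() {
    find "$1" -type f -user "$2" \
        \( -perm -0100 -o -perm -0010 -o -perm -0001 \) -print
}

# Typical calls on the server from the first post (run as root):
#   tools_still_executable /usr/bin wget lynx curl scp ftp telnet
#   executables_owned_by /usr/local/apache/proxy nobody   # "nobody" is assumed
```

Empty output from both functions means the tools are locked down and nothing executable is waiting in the directory; any path printed is worth inspecting by hand.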
     