
Mod_security and /tmp

Discussion in 'Security' started by latpanel, Nov 5, 2004.

  1. latpanel

    latpanel Well-Known Member

    Anybody know about a good rule set to use with mod_security? Particularly the rule to protect /temp, or does it protect /temp automatically? :confused:

    Thanks
     
  2. sawbuck

    sawbuck Well-Known Member

    Presuming you mean /tmp, not /temp, on a Linux system, then mod_security has a rule included for that.
     
  3. latpanel

    latpanel Well-Known Member

    Of course, I mean /tmp (my finger is too quick ;) ).
    And I suppose I must write this rule in the config file, so which rule is it?

    Thanks
     
  4. sawbuck

    sawbuck Well-Known Member

    If you have installed mod_security then look in httpd.conf under the "<IfModule mod_security.c>" section to verify the existing rule set.
     
  5. latpanel

    latpanel Well-Known Member

    I know where the file is, but....

    :confused: :confused: :confused:
    Yes, I know where the conf files for mod_security are, and I know that in these files there are a lot of rules to filter data in and out, and I know that this is included in http.conf (the config file of Apache) by an include sentence. OK? :)
    :confused: My question is just which rule can protect /tmp from exe files. Just this question; I just want to know the answer.
    Thanks
     
  6. PbG

    PbG Well-Known Member

    Here is my rule set:

    <IfModule mod_security.c>
    # Turn the filtering engine On or Off
    SecFilterEngine On

    # Make sure that URL encoding is valid
    SecFilterCheckURLEncoding On

    # This setting should be set to On only if the Web site is
    # using the Unicode encoding. Otherwise it may interfere with
    # the normal Web site operation.
    SecFilterCheckUnicodeEncoding Off

    # Only allow bytes from this range
    SecFilterForceByteRange 1 255

    #Allow CPanel/WHM
    SecFilterSelective REMOTE_ADDR "^127\.0\.0\.1$" nolog,allow

    # The audit engine works independently and
    # can be turned On or Off on the per-server or
    # on the per-directory basis. "On" will log everything,
    # "DynamicOrRelevant" will log dynamic requests or violations,
    # and "RelevantOnly" will only log policy violations
    SecAuditEngine RelevantOnly

    # The name of the audit log file
    SecAuditLog /var/log/httpd/audit_log

    # Should mod_security inspect POST payloads
    SecFilterScanPOST On

    # Require HTTP_USER_AGENT and HTTP_HOST in all requests
    #SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

    # Action to take by default
    SecFilterDefaultAction "deny,log,status:406"

    # Weaker XSS protection but allows common HTML tags
    SecFilter "<[[:space:]]*script"

    # Very crude filters to prevent SQL injection attacks
    SecFilter "delete[[:space:]]+from"
    SecFilter "insert[[:space:]]+into"
    # SecFilter "select.+from"

    # Protecting from XSS attacks through the PHP session cookie
    SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
    SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"

    # WEB-PHP squirrel mail theme arbitrary command attempt
    SecFilterSelective THE_REQUEST "/left_main\.php" chain
    SecFilter "cmdd="

    # WEB-PHP DNSTools administrator authentication bypass attempt
    SecFilterSelective THE_REQUEST "/dnstools\.php" chain
    SecFilter "user_dnstools_administrator=true"

    # WEB-PHP DNSTools authentication bypass attempt
    SecFilterSelective THE_REQUEST "/dnstools\.php" chain
    SecFilter "user_logged_in=true"

    # WEB-ATTACKS /bin/ps command attempt
    SecFilterSelective THE_REQUEST "/bin/ps"

    # WEB-ATTACKS ps command attempt
    SecFilterSelective THE_REQUEST "ps\x20"

    # WEB-ATTACKS wget command attempt
    SecFilter "wget\x20"

    # WEB-ATTACKS uname -a command attempt
    SecFilter "uname\x20-a"

    # WEB-ATTACKS /usr/bin/id command attempt
    SecFilterSelective THE_REQUEST "/usr/bin/id"

    # WEB-ATTACKS id command attempt
    SecFilter "\;id"

    # WEB-ATTACKS kill command attempt
    SecFilterSelective THE_REQUEST "/bin/kill"

    # WEB-ATTACKS chsh command attempt
    SecFilterSelective THE_REQUEST "/usr/bin/chsh"

    # WEB-ATTACKS tftp command attempt
    SecFilter "tftp\x20"

    # WEB-ATTACKS .htgroup access
    SecFilterSelective THE_REQUEST "\.htgroup"

    # WEB-CLIENT Javascript URL host spoofing attempt
    SecFilter "javascript\://"

    # WEB-MISC cross site scripting (img src=javascript) attempt
    SecFilter "img src=javascript"

    # WEB-MISC /~nobody access
    SecFilterSelective THE_REQUEST "/~nobody"

    # WEB-MISC /~root access
    SecFilterSelective THE_REQUEST "/~root"

    # WEB-MISC /~ftp access
    SecFilterSelective THE_REQUEST "/~ftp"

    # WEB-MISC Apache Chunked-Encoding worm attempt
    SecFilter "CCCCCCC\: AAAAAAAAAAAAAAAAAAA"

    # WEB-MISC Transfer-Encoding: chunked
    SecFilter "chunked"

    # WEB-MISC .htpasswd access
    #SecFilter "\.htpasswd"

    # WEB-MISC .htaccess access
    SecFilter "\.htaccess"

    # WEB-MISC cd..
    SecFilter "cd\.\."

    # WEB-MISC ///cgi-bin access
    SecFilterSelective THE_REQUEST "///cgi-bin"

    # WEB-MISC /cgi-bin/// access
    SecFilterSelective THE_REQUEST "/cgi-bin///"

    # WEB-MISC htgrep attempt
    SecFilterSelective THE_REQUEST "/htgrep" chain
    SecFilter "hdr=/"

    # WEB-MISC htgrep access
    SecFilterSelective THE_REQUEST "/htgrep" log,pass

    # WEB-MISC .history access
    SecFilterSelective THE_REQUEST "/\.history"

    # WEB-MISC .bash_history access
    SecFilterSelective THE_REQUEST "/\.bash_history"

    # WEB-PHP strings overflow
    SecFilterSelective THE_REQUEST "\?STRENGUR"

    # WEB-PHP PHPLIB remote command attempt
    SecFilter "_PHPLIB\[libdir\]"
    </IfModule>
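
A way to check what a rule set like the one above denies before deploying it, as an added example that is not part of PbG's post or of mod_security itself. It is a simplified model with these assumptions: patterns are matched case-insensitively against the URL-decoded request line (plus the body for plain SecFilter), a chained rule fires only if every link matches, and the function names and sample requests are made up for illustration.

```python
import re
from urllib.parse import unquote

# Directives copied unchanged from the rule set posted above (a subset).
RULESET = r'''
SecFilter "<[[:space:]]*script"
SecFilterSelective THE_REQUEST "/left_main\.php" chain
SecFilter "cmdd="
SecFilter "wget\x20"
SecFilter "\;id"
SecFilter "chunked"
SecFilter "cd\.\."
'''
DIRECTIVE = re.compile(r'SecFilter(?:Selective\s+(\S+))?\s+"(.*)"\s*(\S*)$')

def load(text):
    """Parse directives into (variable, pattern, compiled regex, chained?)."""
    rules = []
    for line in text.strip().splitlines():
        m = DIRECTIVE.match(line.strip())
        if m:
            var, pat, actions = m.group(1) or "ANY", m.group(2), m.group(3)
            # Python's re has no POSIX classes; translate the one used here.
            rx = re.compile(pat.replace("[[:space:]]", r"\s"), re.I)
            rules.append((var, pat, rx, "chain" in actions.split(",")))
    return rules

RULES = load(RULESET)

def blocked_by(request_line, body=""):
    """Return the pattern of the first rule (or chain) that matches, else None."""
    line = unquote(request_line)      # assumption: filters see decoded input
    i = 0
    while i < len(RULES):
        j, hit = i, True
        while True:                   # walk the chain; every link must match
            var, _, rx, chained = RULES[j]
            target = line if var == "THE_REQUEST" else line + "\n" + body
            hit = hit and rx.search(target) is not None
            if not chained:
                break
            j += 1
        if hit:
            return RULES[i][1]
        i = j + 1
    return None

if __name__ == "__main__":
    # Constructed requests: two harmless ones, and one that names /tmp.
    for s in ("GET /docs/chunked-uploads.html HTTP/1.0",
              "GET /shop.php?cat=5;id=7 HTTP/1.0",
              "GET /browse.php?dir=/tmp HTTP/1.0"):
        print(f"{blocked_by(s)!s:10} {s}")
```

The first two constructed requests are denied by the broad "chunked" and "\;id" patterns, while the request naming /tmp matches nothing, since none of the posted patterns refers to /tmp.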


     