Mod_security and /tmp

Discussion in 'Security' started by latpanel, Nov 5, 2004.

  1. latpanel

    Anybody know about a good rule set to use with mod_security? Particularly the rule to protect /temp, or does it protect /temp automatically? :confused:

    Thanks
     
  2. sawbuck

    Presume you mean /tmp, not /temp, on a Linux system; then mod_security has a rule included for that.
     
  3. latpanel

    Of course, I meant /tmp (my finger is too quick ;) ).
    And I suppose I must write this rule in the config file, so which rule is this?

    Thanks
     
  4. sawbuck

    If you have installed mod_security then look in httpd.conf under the "<IfModule mod_security.c>" section to verify the existing rule set.
     
  5. latpanel

    I know where the file is, but....

    :confused: :confused: :confused:
    Yes, I know where the conf files for mod_security are, and I know that in these files there are a lot of rules to filter data in and out, and I know that this is included in http.conf (the config file of Apache) by an include sentence. OK? :)
    :confused: My question is just which rule can protect /tmp from exe files. Just this question; I just want to know the answer.
    Thanks
     
  6. PbG

    Here is my rule set:

    <IfModule mod_security.c>
    # Turn the filtering engine On or Off
    SecFilterEngine On

    # Make sure that URL encoding is valid
    SecFilterCheckURLEncoding On

    # This setting should be set to On only if the Web site is
    # using the Unicode encoding. Otherwise it may interfere with
    # the normal Web site operation.
    SecFilterCheckUnicodeEncoding Off

    # Only allow bytes from this range
    SecFilterForceByteRange 1 255

    #Allow CPanel/WHM
    SecFilterSelective REMOTE_ADDR "^127\.0\.0\.1$" nolog,allow

    # The audit engine works independently and
    # can be turned On or Off on the per-server or
    # on the per-directory basis. "On" will log everything,
    # "DynamicOrRelevant" will log dynamic requests or violations,
    # and "RelevantOnly" will only log policy violations
    SecAuditEngine RelevantOnly

    # The name of the audit log file
    SecAuditLog /var/log/httpd/audit_log

    # Should mod_security inspect POST payloads
    SecFilterScanPOST On

    # Require HTTP_USER_AGENT and HTTP_HOST in all requests
    #SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

    # Action to take by default
    SecFilterDefaultAction "deny,log,status:406"

    # Weaker XSS protection but allows common HTML tags
    SecFilter "<[[:space:]]*script"

    # Very crude filters to prevent SQL injection attacks
    SecFilter "delete[[:space:]]+from"
    SecFilter "insert[[:space:]]+into"
    # SecFilter "select.+from"

    # Protecting from XSS attacks through the PHP session cookie
    SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
    SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"

    # WEB-PHP squirrel mail theme arbitrary command attempt
    SecFilterSelective THE_REQUEST "/left_main\.php" chain
    SecFilter "cmdd="

    # WEB-PHP DNSTools administrator authentication bypass attempt
    SecFilterSelective THE_REQUEST "/dnstools\.php" chain
    SecFilter "user_dnstools_administrator=true"

    # WEB-PHP DNSTools authentication bypass attempt
    SecFilterSelective THE_REQUEST "/dnstools\.php" chain
    SecFilter "user_logged_in=true"

    # WEB-ATTACKS /bin/ps command attempt
    SecFilterSelective THE_REQUEST "/bin/ps"

    # WEB-ATTACKS ps command attempt
    SecFilterSelective THE_REQUEST "ps\x20"

    # WEB-ATTACKS wget command attempt
    SecFilter "wget\x20"

    # WEB-ATTACKS uname -a command attempt
    SecFilter "uname\x20-a"

    # WEB-ATTACKS /usr/bin/id command attempt
    SecFilterSelective THE_REQUEST "/usr/bin/id"

    # WEB-ATTACKS id command attempt
    SecFilter "\;id"

    # WEB-ATTACKS kill command attempt
    SecFilterSelective THE_REQUEST "/bin/kill"

    # WEB-ATTACKS chsh command attempt
    SecFilterSelective THE_REQUEST "/usr/bin/chsh"

    # WEB-ATTACKS tftp command attempt
    SecFilter "tftp\x20"

    # WEB-ATTACKS .htgroup access
    SecFilterSelective THE_REQUEST "\.htgroup"

    # WEB-CLIENT Javascript URL host spoofing attempt
    SecFilter "javascript\://"

    # WEB-MISC cross site scripting \(img src=javascript\) attempt
    SecFilter "img src=javascript"

    # WEB-MISC /~nobody access
    SecFilterSelective THE_REQUEST "/~nobody"

    # WEB-MISC /~root access
    SecFilterSelective THE_REQUEST "/~root"

    # WEB-MISC /~ftp access
    SecFilterSelective THE_REQUEST "/~ftp"

    # WEB-MISC Apache Chunked-Encoding worm attempt
    SecFilter "CCCCCCC\: AAAAAAAAAAAAAAAAAAA"

    # WEB-MISC Transfer-Encoding\: chunked
    SecFilter "chunked"

    # WEB-MISC .htpasswd access
    #SecFilter "\.htpasswd"

    # WEB-MISC .htaccess access
    SecFilter "\.htaccess"

    # WEB-MISC cd..
    SecFilter "cd\.\."

    # WEB-MISC ///cgi-bin access
    SecFilterSelective THE_REQUEST "///cgi-bin"

    # WEB-MISC /cgi-bin/// access
    SecFilterSelective THE_REQUEST "/cgi-bin///"

    # WEB-MISC htgrep attempt
    SecFilterSelective THE_REQUEST "/htgrep" chain
    SecFilter "hdr=/"

    # WEB-MISC htgrep access
    SecFilterSelective THE_REQUEST "/htgrep" log,pass

    # WEB-MISC .history access
    SecFilterSelective THE_REQUEST "/\.history"

    # WEB-MISC .bash_history access
    SecFilterSelective THE_REQUEST "/\.bash_history"

    # WEB-PHP strings overflow
    SecFilterSelective THE_REQUEST "\?STRENGUR"

    # WEB-PHP PHPLIB remote command attempt
    SecFilter "_PHPLIB\[libdir\]"
    </IfModule>
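
The thread asks which rule in a mod_security rule set covers /tmp. As an added example (not part of any post above, and not cPanel or mod_security code), this Python script parses an excerpt of the posted rule set and reports which rules a given string would trigger and whether their effective action is deny. The function names are hypothetical, only the directive forms seen in the post are handled, and Python's re module is assumed as a stand-in for the module's regex engine.

```python
import re

# Excerpt copied from the rule set posted in the thread (mod_security 1.x syntax).
RULESET = r'''
SecFilterDefaultAction "deny,log,status:406"
SecFilter "delete[[:space:]]+from"
SecFilterSelective THE_REQUEST "/left_main\.php" chain
SecFilter "cmdd="
SecFilter "wget\x20"
#SecFilter "\.htpasswd"
SecFilterSelective THE_REQUEST "/htgrep" log,pass
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
'''

RULE_RE = re.compile(
    r'^(?P<dir>SecFilterSelective|SecFilterDefaultAction|SecFilter)\s+'
    r'(?:(?P<vars>[^"\s]+)\s+)?"(?P<pat>(?:[^"\\]|\\.)*)"'
    r'(?:\s+(?P<act>\S+))?\s*$')

def parse_rules(text):
    """Parse active rules; a rule ending in 'chain' absorbs the rule after it."""
    rules, default, chained = [], [], None
    for lineno, line in enumerate(text.strip().splitlines(), 1):
        m = RULE_RE.match(line.strip())
        if not m:  # comments, disabled rules, other directives
            continue
        if m["dir"] == "SecFilterDefaultAction":
            default = m["pat"].split(",")
            continue
        # Assumption: Python's re stands in for the module's regex engine.
        pat = m["pat"].replace("[[:space:]]", r"\s")
        cond = {"vars": (m["vars"] or "REQUEST").split("|"),
                "negated": pat.startswith("!"), "regex": pat.lstrip("!")}
        actions = m["act"].split(",") if m["act"] else []
        rule = chained or {"line": lineno, "conds": []}
        rule["conds"].append(cond)
        rule["actions"] = [a for a in actions if a != "chain"] or default
        if chained is None:
            rules.append(rule)
        chained = rule if "chain" in actions else None
    return rules

def rules_matching(rules, probe):
    """Rules with at least one non-negated pattern that matches the probe text."""
    return [r for r in rules if any(
        not c["negated"] and re.search(c["regex"], probe) for c in r["conds"])]

def blocks(rule):  # True when the rule's effective actions include deny
    return "deny" in rule["actions"]
```

For this excerpt, `rules_matching(parse_rules(RULESET), "/tmp")` returns an empty list, and the `/htgrep` rule is reported as non-blocking because its actions are `log,pass`.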


     