The Community Forums

Interact with an entire community of cPanel & WHM users!

mod_security: is the page supposed to load?

Discussion in 'Security' started by dellio, Nov 26, 2008.

  1. dellio

    dellio Member

    mod_security: block web proxy from running?

    Hi,

    I installed mod_security 2 and added a simple test rule:

    # No actions are given, so the rule inherits SecDefaultAction
    # (ModSecurity 2's built-in default is phase:2,log,auditlog,pass)
    SecRule REQUEST_URI "attack"

    then visited a site on the server with ?attack appended to the URL, and checked the log at /etc/http/logs/modsec_audit_log...

    It shows up in the log, yet the request isn't blocked or anything; I can still visit the URL with ?attack in it. Is this normal?
     
    #1 dellio, Nov 26, 2008
    Last edited: Nov 27, 2008
  2. dellio

    dellio Member

    Never mind, I figured out it has to do with phases. However, I'm still somewhat confused about how they work: is the request still blocked?

    If I put it in phase:3, I get a white page and nothing in the logs, but it does block the request. Does phase:2 (the default) still deny the request but load the page as usual?
     
  3. rhenderson

    rhenderson Well-Known Member

    You might download some of the rules gotroot.com has to help you out.
     
  4. dellio

    dellio Member

    Really, what I'm trying to do is block web proxies from running. Sure, I can set:

    SecRule REQUEST_URI "q="

    This blocks one of the scripts that I see running, because it uses http://www.proxy.com/?q=LONG-HASH-STRING-HERE

    But nothing's to say they can't change the q= to another letter, and it would work again. I'm wondering if there's a more concrete way to stop any proxies from running. I know you can disable http requests in the URI (in case it was ?q=http://www.domainwantedtovisitbehindproxy.com), but it doesn't work when the script is running the URL with a bunch of random letters and numbers.

    Is there a way to decode the string, so that it sees the http:// instead of the letters and numbers?
     
    #4 dellio, Nov 26, 2008
    Last edited: Nov 26, 2008
  5. dellio

    dellio Member

    Well, I'm using this for now:

    SecRule REQUEST_URI "\?[a-zA-Z0-9]=[a-zA-Z0-9]{10}"

    It seems to block it. Let me know if anyone has a better way of doing this!

    EDIT: After too many false positives, I've resorted to the [qu] option. I still don't like it, though, because they can change the letter in the script:
    Still happy to hear if anyone has anything better, though!
     
    #5 dellio, Nov 26, 2008
    Last edited: Nov 27, 2008
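
As an added example (not code from the thread or from the poster), the Python script below puts the two approaches discussed in posts #4 and #5 side by side: the shape-based rule from post #5, and the decode-then-inspect approach asked about in post #4, which URL-decodes each query value, tries to Base64-decode it (standard and URL-safe alphabets, stripped padding restored), and flags the request if the result is an absolute http(s) URL. The nearest ModSecurity 2 equivalent of the second approach is a rule along the lines of `SecRule ARGS "@rx ^https?://" "phase:2,t:none,t:base64Decode,deny,status:403"` (plus an `id:` action on ModSecurity 2.7 or later); `ARGS`, `@rx` and `t:base64Decode` are real ModSecurity 2 features, but that rule is an untested sketch, not something from the thread. The sample URIs, parameter names and encoded values are constructed for this example.

```python
"""Two ways of spotting a web-proxy request in a URI, side by side.

1. shape_rule_matches: the pattern from post #5, a one-character parameter
   name followed by a long alphanumeric value.
2. decode_rule_matches: URL-decode each query value, try to Base64-decode it,
   and flag it if the result is an absolute http(s) URL (post #4's question).
All sample data below is constructed for this example, not real traffic.
"""
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

# The regex from post #5, searched unanchored the way ModSecurity's @rx does.
SHAPE_RULE = re.compile(r"\?[a-zA-Z0-9]=[a-zA-Z0-9]{10}")

# A (decoded) value counts as a proxied destination if it is an absolute URL.
URL_RE = re.compile(rb"^https?://", re.IGNORECASE)


def _base64_decodings(value: str):
    """Yield every plausible Base64 decoding of value: standard and URL-safe
    alphabets, with stripped '=' padding restored. Input that is not valid
    Base64 in either alphabet yields nothing instead of raising."""
    if len(value) % 4 == 1:          # no Base64 string has this length
        return
    padded = value + "=" * (-len(value) % 4)
    for altchars in (None, b"-_"):   # standard alphabet, then URL-safe
        try:
            yield base64.b64decode(padded, altchars=altchars, validate=True)
        except (binascii.Error, ValueError):
            continue


def is_proxied_destination(value: str) -> bool:
    """True if value is, or Base64-decodes to, an absolute http(s) URL."""
    if URL_RE.match(value.encode("utf-8", "replace")):
        return True
    return any(URL_RE.match(raw) for raw in _base64_decodings(value))


def shape_rule_matches(uri: str) -> bool:
    """Post #5's REQUEST_URI rule applied to the whole request URI."""
    return SHAPE_RULE.search(uri) is not None


def decode_rule_matches(uri: str) -> bool:
    """Decode-then-inspect over every query argument. parse_qsl URL-decodes
    the values, as ModSecurity already does for the ARGS collection, so only
    the Base64 step is left to emulate."""
    pairs = parse_qsl(urlsplit(uri).query, keep_blank_values=True)
    return any(is_proxied_destination(value) for _, value in pairs)


# Constructed, labelled samples: (request URI, carries a proxied destination?)
SAMPLE_URIS = [
    ("/index.php?q=aHR0cDovL3d3dy5leGFtcGxlLmNvbS8=", True),  # base64 "http://www.example.com/"
    ("/index.php?u=aHR0cDovL2V4YW1wbGUub3JnL3BhdGg=", True),  # same script, parameter renamed
    ("/browse.php?x=aHR0cHM6Ly9leGFtcGxlLm5ldC8%3D", True),   # '=' padding percent-encoded
    ("/go?t=aHR0cDovL2V4YW1wbGUuY29tL2E_Yg", True),           # URL-safe alphabet, padding stripped
    ("/?q=http://example.com/", True),                        # destination sent in the clear
    ("/search?q=modsecurity", False),                         # ordinary site search
    ("/track?s=a1b2c3d4e5f6g7h8", False),                     # opaque session token
    ("/product?id=AB12CD34EF", False),                        # multi-letter parameter name
]


def evaluate(rule, samples=SAMPLE_URIS):
    """Return (false_positives, misses): URIs the rule would block although
    they are legitimate, and proxied URIs it lets through."""
    false_positives = [uri for uri, proxied in samples if rule(uri) and not proxied]
    misses = [uri for uri, proxied in samples if proxied and not rule(uri)]
    return false_positives, misses


if __name__ == "__main__":
    for rule in (shape_rule_matches, decode_rule_matches):
        false_positives, misses = evaluate(rule)
        print(f"{rule.__name__}: {len(false_positives)} false positive(s) {false_positives}, "
              f"{len(misses)} miss(es) {misses}")
```

On these samples the shape rule blocks a plain site search and an opaque session token while missing a proxy that sends its destination unencoded, whereas the decode rule classifies all eight correctly. Two caveats for real deployments: a '+' in a standard-alphabet Base64 value must arrive percent-encoded as %2B, because both `parse_qsl` and ModSecurity's argument decoding turn a bare '+' into a space and the decode then fails; and a proxy script that obfuscates the destination with anything other than Base64 (or inside a POST body or cookie rather than the query string) will not be caught by this check, so it is a complement to, not a replacement for, the `[qu]=` style rule the poster fell back on.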