
mod_security: is the page supposed to load?

Discussion in 'Security' started by dellio, Nov 26, 2008.

  1. dellio

    dellio Member

    Joined:
    Sep 8, 2008
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    51
    mod_security: block web proxy from running?

    Hi,

    I installed mod_security 2, added a simple test:

    SecRule REQUEST_URI "attack"

    then visited a site on the server with ?attack after the URL. I then checked the log at /etc/http/logs/modsec_audit_log...

    It shows up in the log, but the request isn't blocked or anything; I can still visit the URL with ?attack in it. Is this normal?
    #1 dellio, Nov 26, 2008
    Last edited: Nov 27, 2008
  2. dellio

    dellio Member

    Joined:
    Sep 8, 2008
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    51
    Never mind, I figured out it has to do with phases. However, I'm still somewhat confused about how they work. Is the request still blocked?

    If I put it in phase:3, I get a white page and nothing in the logs, but it does block the request. Does phase:2 (the default) still deny the request but load the page as usual?
  3. rhenderson

    rhenderson Well-Known Member

    Joined:
    Apr 21, 2005
    Messages:
    785
    Likes Received:
    0
    Trophy Points:
    166
    Location:
    Oklahoma
    cPanel Access Level:
    Root Administrator
    You might download some of the rules gotroot.com has to help you out.
  4. dellio

    dellio Member

    Joined:
    Sep 8, 2008
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    51
    Really, what I'm trying to do is block web proxies from running... Sure, I can set:

    SecRule REQUEST_URI "q="

    This blocks one of the scripts that I see running, because it uses http://www.proxy.com/?q=LONG-HASH-STRING-HERE

    But nothing's to say they can't change the q= to another letter, and it would work again. I'm wondering if there's a more concrete way to stop any proxies from running. I know you can disable http requests in the URI (in case it was ?q=http://www.domainwantedtovisitbehindproxy.com), but it doesn't work when the script is running the URL with a bunch of random letters & numbers.

    Is there a way to decode the string, so that it sees the http:// instead of letters and numbers?
    #4 dellio, Nov 26, 2008
    Last edited: Nov 26, 2008
  5. dellio

    dellio Member

    Joined:
    Sep 8, 2008
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    51
    Well I'm using this for now:

    SecRule REQUEST_URI "\?[a-zA-Z0-9]=[a-zA-Z0-9]{10}"

    It seems to block it out. Let me know if anyone has any better way of doing this!

    EDIT: After too many false positives, I've gone back to the [qu] option. I still don't like it, though, because they can change the letter in the script.
    Still happy to hear if anyone has anything better though!
    #5 dellio, Nov 26, 2008
    Last edited: Nov 27, 2008
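An added example, not code from the thread or from cPanel, that collects the points in posts #1, #2 and #5 into one ModSecurity 2.x configuration fragment: why a rule with no disruptive action only logs, why phase 2 is the place to block, and a tighter form of the proxy-script pattern. The rule ids, the 32-character length threshold and the base64 assumption about the proxy script are all assumptions made here.

```apache
# Added example (not from the thread). Rule ids 9001xx are hypothetical.

SecRuleEngine On
SecAuditEngine RelevantOnly

# A rule without its own disruptive action inherits SecDefaultAction.
# With "pass" here a matching request is logged but never blocked, which
# is exactly the behaviour described in post #1.
SecDefaultAction "phase:2,log,auditlog,pass"

# Explicit deny in phase 2 (request body phase): the request is rejected
# before the handler runs, the client gets a 403, and the match is logged.
SecRule REQUEST_URI "attack" \
    "id:900101,phase:2,deny,status:403,log,msg:'test rule: attack in URI'"

# The same rule in phase 3 (response headers) fires only after the
# application has already processed the request, so the response is cut
# off (the blank page from post #2). Block in phase 1 or 2, not 3 or 4.

# Proxy-script pattern from post #5, tightened to reduce false positives:
# match the parameter value (not the raw URI), require a single-letter
# parameter name, and require a long opaque value (32+ chars, an assumed
# threshold) ending at the value boundary.
SecRule REQUEST_URI "@rx \?[A-Za-z0-9]=[A-Za-z0-9+/=]{32,}$" \
    "id:900102,phase:2,t:none,deny,status:403,log,msg:'possible web-proxy request'"

# Answer to the "decode the string" question, assuming the script
# base64-encodes the target URL (verify against the actual script): the
# base64Decode transformation is applied before the regex, so the plain
# "no http:// in parameters" idea also covers the encoded form. On a value
# that is not base64 the decode yields junk and the rule simply does not match.
SecRule ARGS "@rx ^https?://" \
    "id:900103,phase:2,t:none,t:base64Decode,t:lowercase,deny,status:403,log,msg:'encoded URL in parameter'"
```

Check the audit log after each change; a rule that logs but does not return 403 almost always means the disruptive action is missing or has been overridden by SecDefaultAction.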