The Community Forums

Interact with an entire community of cPanel & WHM users!

Mod_security

Discussion in 'Security' started by procam, Nov 25, 2006.

  1. procam

    procam Well-Known Member

    Joined:
    Nov 24, 2003
    Messages:
    123
    Likes Received:
    0
    Trophy Points:
    16
    Does anyone have anything to add to this that you feel is critically important for mod_security rules?

    Code:
    # WEB-ATTACKS wget command attempt
    SecFilterSelective THE_REQUEST "wget "
    # WEB-ATTACKS uname -a command attempt
    SecFilterSelective THE_REQUEST "uname -a"
    # WEB-ATTACKS .htgroup access
    SecFilterSelective THE_REQUEST "\.htgroup"
    # WEB-ATTACKS .htaccess access
    SecFilterSelective THE_REQUEST "\.htaccess"
    # WEB-CLIENT Javascript URL host spoofing attempt
    SecFilter "javascript\://"
    # WEB-MISC cross site scripting \(img src=javascript\) attempt
    SecFilter "img src=javascript"
    # WEB-MISC cd..
    SecFilterSelective THE_REQUEST "cd\.\."
    # WEB-MISC ///cgi-bin access
    SecFilterSelective THE_REQUEST "///cgi-bin"
    # WEB-MISC /cgi-bin/// access
    SecFilterSelective THE_REQUEST "/cgi-bin///"
    # WEB-MISC /~root access
    SecFilterSelective THE_REQUEST "/~root"
    # WEB-MISC /~ftp access
    SecFilterSelective THE_REQUEST "/~ftp"
    # WEB-MISC htgrep attempt
    SecFilterSelective THE_REQUEST "/htgrep" chain
    SecFilter "hdr=/"
    # WEB-MISC htgrep access
    SecFilterSelective THE_REQUEST "/htgrep" log,pass
    # WEB-MISC .history access
    SecFilterSelective THE_REQUEST "/\.history"
    # WEB-MISC .bash_history access
    SecFilterSelective THE_REQUEST "/\.bash_history"
    # WEB-MISC /~nobody access
    SecFilterSelective THE_REQUEST "/~nobody"
    # WEB-PHP PHP-Wiki cross site scripting attempt
    SecFilterSelective THE_REQUEST "<script"
    # WEB-PHP strings overflow
    SecFilterSelective THE_REQUEST "\?STRENGUR"
    # WEB-PHP PHPLIB remote command attempt
    SecFilter "_PHPLIB\[libdir\]"
    SecFilterSelective THE_REQUEST "cd /tmp "
    SecFilterSelective THE_REQUEST "cd /var/tmp "
    SecFilterSelective THE_REQUEST "telnet "
    SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy "
    SecFilterSelective THE_REQUEST "vi\.recover "
    SecFilterSelective THE_REQUEST "netenberg "
    SecFilterSelective THE_REQUEST "psybnc "
    SecFilterSelective THE_REQUEST "fantastico_de_luxe "
    SecFilterSelective THE_REQUEST "perl (xpl\.pl|kut|viewde|httpd\.txt)"
    SecFilterSelective THE_REQUEST "\./xkernel\;"
    SecFilterSelective THE_REQUEST "/kaiten\.c"
    SecFilterSelective THE_REQUEST "/mampus\?&(cmd|command)"
     
  2. procam

    procam Well-Known Member

    Joined:
    Nov 24, 2003
    Messages:
    123
    Likes Received:
    0
    Trophy Points:
    16

    Thank you~ :cool:
     
  3. Daniel15

    Daniel15 Well-Known Member

    Joined:
    Oct 7, 2006
    Messages:
    84
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    These two rules are really helpful:
    Code:
    SecFilterSelective REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpg|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\x20?\?"
    SecFilterSelective REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpg|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\?"
    
    They basically block out URIs which have a URL as a GET variable (e.g. index.php?file=http://www.example.com/example.txt). This is very useful, as it blocks out most of the recent Mambo exploits.

    EDIT: Forgot to write this: I can't take credit for these rules, they are in HostMerit's modsec ruleset: http://hostmerit.com/modsec.user.conf
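As an added example (not code from the thread, HostMerit or cPanel), the following Python evaluates the ModSecurity 1.x rule syntax used in posts #1 and #3 against a few constructed request lines. It shows what the HostMerit rule actually keys on: an `=http:/`-style prefix, a file extension from its list, and a trailing `?`, so a URL without an extension and trailing `?` passes it untouched; it also shows that the `wget ` rule only fires because the engine URL-decodes the request before matching. The parser, `variables_for`, `scan` and the sample lines are all mine; case-insensitive matching is an assumption drawn from the log in post #8, where `file=http` hit a field named HTMLFile.

```python
import re
from urllib.parse import unquote

# Constructed sample of the ModSecurity 1.x rules quoted in posts #1 and #3.
# The '#' comment before each rule is kept as its description.
RULES_TEXT = r'''
# WEB-ATTACKS wget command attempt
SecFilterSelective THE_REQUEST "wget "
# WEB-ATTACKS .htaccess access
SecFilterSelective THE_REQUEST "\.htaccess"
# WEB-MISC .bash_history access
SecFilterSelective THE_REQUEST "/\.bash_history"
# WEB-PHP PHP-Wiki cross site scripting attempt
SecFilterSelective THE_REQUEST "<script"
# WEB-CLIENT Javascript URL host spoofing attempt
SecFilter "javascript\://"
# HostMerit: URL passed as a GET variable
SecFilterSelective REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpg|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\x20?\?"
'''

# SecFilterSelective LOCATION "PATTERN" [actions]   /   SecFilter "PATTERN" [actions]
SELECTIVE_RE = re.compile(r'^SecFilterSelective\s+(\S+)\s+"((?:[^"\\]|\\.)*)"(?:\s+(\S+))?$')
PLAIN_RE = re.compile(r'^SecFilter\s+"((?:[^"\\]|\\.)*)"(?:\s+(\S+))?$')


def parse_rules(text):
    """Return a list of (description, location, compiled pattern, actions).
    Case-insensitive matching is assumed (see post #8's log, where "file=http"
    hit a field named HTMLFile)."""
    rules, desc = [], ""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            desc = line.lstrip("#").strip()
            continue
        m = SELECTIVE_RE.match(line)
        if m:
            location, pattern, actions = m.group(1), m.group(2), m.group(3)
        else:
            m = PLAIN_RE.match(line)
            if not m:
                raise ValueError("unrecognised rule: " + line)
            location, pattern, actions = "ANY", m.group(1), m.group(2)
        rules.append((desc, location, re.compile(pattern, re.IGNORECASE),
                      actions.split(",") if actions else []))
        desc = ""
    return rules


def variables_for(request_line, body=""):
    """Build the variables the rules address from a raw request line.
    ModSecurity 1.x URL-decodes the request before matching (its anti-evasion
    step); unquote() stands in for that here."""
    method, uri, version = request_line.split(" ", 2)
    uri = unquote(uri)
    return {"THE_REQUEST": f"{method} {uri} {version}",
            "REQUEST_URI": uri,
            "POST_PAYLOAD": unquote(body)}


def matches(rules, variables):
    """Descriptions of every rule whose pattern matches; a plain SecFilter
    (location ANY) is checked against every variable."""
    hits = []
    for desc, location, pattern, _actions in rules:
        targets = list(variables.values()) if location == "ANY" else [variables.get(location, "")]
        if any(pattern.search(t) for t in targets):
            hits.append(desc)
    return hits


def scan(request_lines, rules=None):
    """Map each sample request line to the rule descriptions it trips."""
    rules = rules or parse_rules(RULES_TEXT)
    return {line: matches(rules, variables_for(line)) for line in request_lines}


# Constructed request lines of the kind that appear in access_log.
SAMPLE_REQUESTS = [
    "GET /index.php?file=http://www.example.com/example.txt? HTTP/1.1",   # extension plus trailing '?'
    "GET /index.php?site=http://www.xxxx.tld HTTP/1.1",                    # no extension, no trailing '?'
    "GET /cgi-bin/cmd.cgi?x=wget%20http://www.example.com/t.sh HTTP/1.1",  # %20 decodes to the space the rule expects
    "GET /.bash_history HTTP/1.1",
    "GET /index.php?page=about HTTP/1.1",                                  # benign
]

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_REQUESTS).items():
        print("BLOCK" if hits else "pass ", line, hits)
```

Run it and the second sample (the shape of URL fenixer tests with later in the thread) passes every rule, while the first, which ends in `.txt?`, is caught by the HostMerit rule alone.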
     
  4. david510

    david510 Well-Known Member

    Joined:
    Aug 22, 2004
    Messages:
    473
    Likes Received:
    0
    Trophy Points:
    16
    You must also add MySQL injection prevention rules to this.
     
  5. procam

    procam Well-Known Member

    Joined:
    Nov 24, 2003
    Messages:
    123
    Likes Received:
    0
    Trophy Points:
    16
    These two rules disrupt normal operation of tgp/mgp sites.
     
  6. isputra

    isputra Well-Known Member

    Joined:
    May 3, 2003
    Messages:
    576
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Mbelitar
    Hi,

    I'm using http://hostmerit.com/modsec.user.conf as my rules, but my client can't use the WordPress theme editor.

    The result is always:

    "Error 406, Not Acceptable. An appropriate representation of the requested resource /wp-admin/theme-editor.php could not be found on this server."

    And the log at the WHM ModSec link shows:

    Access denied with code 406. Pattern match "<script" at POST_PAYLOAD

    So I commented out the SecFilter "<script" like below:
    # Weaker XSS protection but allows common HTML tags
    #SecFilter "<script"

    and theme-editor.php works again.

    Is there any security issue if I comment out SecFilter "<script" like above?
     
    #6 isputra, Feb 10, 2007
    Last edited: Feb 10, 2007
  7. isputra

    isputra Well-Known Member

    Joined:
    May 3, 2003
    Messages:
    576
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Mbelitar
    Anyone?

    Please give me a clue whether I must add the rule back to my conf, or maybe change it to another rule that does not break the WordPress theme-editor.php.
     
  8. docbreed

    docbreed Well-Known Member

    Joined:
    Jul 18, 2005
    Messages:
    57
    Likes Received:
    0
    Trophy Points:
    6
    I'm having no luck adding an allow rule. If someone could look it over and make suggestions, please.

    URL
    Code:
    http://www.domain.com/sm/admin/index.php?p=templates&Action=EditTemplate&TempID=2&Editing=1&SSID=xxvyipsq7igr7czxvo9k03
    audit_log
    Code:
    ==fd043b18==============================
    Request: www.domain.com ip.ip.ip.ip - - [11/Jul/2007:16:05:59 -0500] "POST /sm/admin/index.php?p=templates&Action=EditTemplate&TempID=2&Save=Yes&SSID=xxvyipsq7igr7czxvo9k03 HTTP/1.1" 403 429 "http://www.domain.com/sm/admin/index.php?p=templates&Action=EditTemplate&TempID=2&Editing=1&SSID=xxvyipsq7igr7czxvo9k03" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4" - "-"
    ----------------------------------------
    POST /sm/admin/index.php?p=templates&Action=EditTemplate&TempID=2&Save=Yes&SSID=xxvyipsq7igr7czxvo9k03 HTTP/1.1
    Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Accept-Encoding: gzip,deflate
    Accept-Language: en-us,en;q=0.5
    Cache-Control: max-age=0
    Connection: keep-alive
    Content-Length: 980
    Content-Type: multipart/form-data; boundary=---------------------------18977768221793
    Host: www.domain.com
    Keep-Alive: 300
    Referer: http://www.domain.com/sm/admin/index.php?p=templates&Action=EditTemplate&TempID=2&Editing=1&SSID=xxvyipsq7igr7czxvo9k03
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4
    mod_security-message: Access denied with code 403. Pattern match "file=http" at POST_PAYLOAD
    mod_security-action: 403
    
    980
    -----------------------------18977768221793
    Content-Disposition: form-data; name="Name"
    
    test
    -----------------------------18977768221793
    Content-Disposition: form-data; name="Format"
    
    2
    -----------------------------18977768221793
    Content-Disposition: form-data; name="TemplateID"
    
    2
    -----------------------------18977768221793
    Content-Disposition: form-data; name="wysiwyg"
    
    <html><head><title></title></head><body>test</body></html>
    -----------------------------18977768221793
    Content-Disposition: form-data; name="HTMLFile"
    
    http://
    -----------------------------18977768221793
    Content-Disposition: form-data; name="HTMLContentFile"; filename=""
    Content-Type: application/octet-stream
    
    
    -----------------------------18977768221793
    Content-Disposition: form-data; name="SubmitButton"
    
    Save
    -----------------------------18977768221793
    Content-Disposition: form-data; name="RandomKey"
    
    t4695377b6caf8
    -----------------------------18977768221793--
    
    
    HTTP/1.1 403 Forbidden
    Keep-Alive: timeout=15, max=99
    Connection: Keep-Alive
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=iso-8859-1
    --fd043b18--
    
    modsec.conf
    Code:
    <IfModule mod_security.c>
    SecFilterEngine On
    SecFilterCheckURLEncoding On
    SecFilterForceByteRange 0 255
    SecAuditEngine RelevantOnly
    SecAuditLog logs/audit_log
    SecFilterDebugLog logs/modsec_debug_log
    SecFilterDebugLevel 0
    SecFilterDefaultAction "deny,log,status:406"
    SecFilterSelective REMOTE_ADDR "^127\.0\.0\.1$" nolog,allow
    Include "/usr/local/apache/conf/modsec.user.conf"
    </IfModule>
    modsec.user.conf
    http://www.hostmerit.com/modsec.user.conf
    with the #SecFilter "file=http" uncommented.
     
    #8 docbreed, Jul 11, 2007
    Last edited: Jul 11, 2007
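The audit_log entry above carries everything needed to work out why the request was refused: the request line, the `mod_security-message` header with the matched pattern and location, and the multipart body. As an added example (not code from the thread), the Python below parses a 1.x audit entry in that format, splits the multipart body into fields, and reports which field contains the matched string. The sample entry is a constructed, abbreviated copy of the one in the post; treating the body as flattened `name=value` pairs and searching them case-insensitively is my reading of the log (the only place `file=http` occurs in that body is `HTMLFile=http://`), not something the thread states.

```python
import re

# Constructed sample: an abbreviated copy of the audit_log entry in the post
# above. The boundary is built once so the Content-Type and body agree.
BOUNDARY = "-" * 27 + "18977768221793"
SAMPLE_ENTRY = f'''==fd043b18==============================
Request: www.domain.com ip.ip.ip.ip - - [11/Jul/2007:16:05:59 -0500] "POST /sm/admin/index.php?p=templates&Action=EditTemplate&TempID=2&Save=Yes&SSID=xxvyipsq7igr7czxvo9k03 HTTP/1.1" 403 429 "http://www.domain.com/sm/admin/index.php" "Mozilla/5.0" - "-"
----------------------------------------
POST /sm/admin/index.php?p=templates&Action=EditTemplate&TempID=2&Save=Yes&SSID=xxvyipsq7igr7czxvo9k03 HTTP/1.1
Host: www.domain.com
Content-Length: 980
Content-Type: multipart/form-data; boundary={BOUNDARY}
mod_security-message: Access denied with code 403. Pattern match "file=http" at POST_PAYLOAD
mod_security-action: 403

980
--{BOUNDARY}
Content-Disposition: form-data; name="Name"

test
--{BOUNDARY}
Content-Disposition: form-data; name="wysiwyg"

<html><head><title></title></head><body>test</body></html>
--{BOUNDARY}
Content-Disposition: form-data; name="HTMLFile"

http://
--{BOUNDARY}
Content-Disposition: form-data; name="SubmitButton"

Save
--{BOUNDARY}--


HTTP/1.1 403 Forbidden
Content-Type: text/html; charset=iso-8859-1
--fd043b18--
'''

SEPARATOR_RE = re.compile(r"(?m)^-{20,}\n")          # the dashed line after "Request:"
MESSAGE_RE = re.compile(r'Access denied with code (\d+)\. Pattern match "(.*)" at (\S+)')


def parse_entry(text):
    """Split one 1.x audit_log entry into id, request line, headers, body and response."""
    head, rest = SEPARATOR_RE.split(text, maxsplit=1)
    entry_id = head.splitlines()[0].strip("=")
    request_block, _, rest = rest.partition("\n\n")
    request_lines = request_block.splitlines()
    headers = {}
    for line in request_lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # the response starts at the first status line after the body
    body, _, response = rest.partition("\n\nHTTP/")
    return {"id": entry_id, "request_line": request_lines[0], "headers": headers,
            "body": body, "response": "HTTP/" + response}


def parse_multipart(body, content_type):
    """Return {field name: value} for a multipart/form-data body."""
    boundary = content_type.split("boundary=", 1)[1].strip()
    fields = {}
    for part in body.split("--" + boundary)[1:]:
        if part.startswith("--"):
            break                                     # closing delimiter
        part_headers, _, value = part.lstrip("\r\n").partition("\n\n")
        m = re.search(r'name="([^"]*)"', part_headers)
        if m:
            fields[m.group(1)] = value.strip("\r\n")
    return fields


def explain(entry_text):
    """Report the block decision and which form field carries the matched string."""
    entry = parse_entry(entry_text)
    m = MESSAGE_RE.search(entry["headers"].get("mod_security-message", ""))
    if not m:
        return {"id": entry["id"], "blocked": False}
    status, pattern, location = int(m.group(1)), m.group(2), m.group(3)
    fields = parse_multipart(entry["body"], entry["headers"]["content-type"])
    # Assumption: the engine searched the body as flattened name=value pairs,
    # case-insensitively; that is the only way "file=http" hits this body.
    rx = re.compile(pattern, re.IGNORECASE)
    culprits = [name for name, value in fields.items() if rx.search(f"{name}={value}")]
    return {"id": entry["id"], "blocked": True, "status": status, "pattern": pattern,
            "location": location, "fields": sorted(fields), "culprits": culprits}


if __name__ == "__main__":
    print(explain(SAMPLE_ENTRY))
```

The result names `HTMLFile` as the field that tripped `file=http`: the template editor sends an empty `http://` placeholder in a field whose name ends in `File`, so a plain substring filter on the whole body cannot tell it from an include attempt. That is why an allow rule scoped to the admin path, rather than a weaker pattern, is the usual fix.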
  9. Website Rob

    Website Rob Well-Known Member

    Joined:
    Mar 23, 2002
    Messages:
    1,506
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    Alberta, Canada
    cPanel Access Level:
    Root Administrator
    Using Pattern match "<script" would not be a good idea for a whole lot of reasons. ;)

    Try this instead as it should help no matter what.

    The last line is all one line.
     
  10. jameshsi

    jameshsi Well-Known Member

    Joined:
    Oct 22, 2001
    Messages:
    347
    Likes Received:
    0
    Trophy Points:
    16
    Are there any rules for cgiemail?
    I get hackers using my form, which uses cgiemail, to spam all the time.
     
  11. Website Rob

    Website Rob Well-Known Member

    Joined:
    Mar 23, 2002
    Messages:
    1,506
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    Alberta, Canada
    cPanel Access Level:
    Root Administrator
    Personally, I always recommend that 'cgiemail' be disabled.

    With that being said, here are some mod_sec Rules that might help with preventing Spammers from using Form pages (of any kind) to send their Spam.


    ####################################
    # Email Injection Header fix
    ####################################
    SecFilter "bcc:"
    SecFilterSelective THE_REQUEST "bcc:|bcc%3A"
    SecFilterSelective ARG_Bcc ".*\@"
    SecFilterSelective ARGS_VALUES "\n\s*bcc\:.*\@"
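As an added example (not code from the thread), the four header-injection rules above are applied here to constructed form submissions, so that it is clear what each one catches and what it does not. The `evaluate` function and the samples are mine; `ARG_<name>` and `ARGS_VALUES` stand for the decoded form fields as ModSecurity 1.x exposes them, and case-insensitive matching is assumed (the 1.x engine behaves that way, as the `file=http` hit on `HTMLFile` in post #8 shows).

```python
import re

# The four rules from the post above, as (label, variable, pattern).
RULES = [
    ("bcc-anywhere",   "ANY",         r"bcc:"),            # SecFilter "bcc:"
    ("bcc-in-request", "THE_REQUEST", r"bcc:|bcc%3A"),     # SecFilterSelective THE_REQUEST "bcc:|bcc%3A"
    ("bcc-argument",   "ARG_Bcc",     r".*\@"),            # SecFilterSelective ARG_Bcc ".*\@"
    ("bcc-injected",   "ARGS_VALUES", r"\n\s*bcc\:.*\@"),  # SecFilterSelective ARGS_VALUES "\n\s*bcc\:.*\@"
]


def evaluate(request_line, args):
    """Return the labels of the rules a form submission trips.

    request_line is the raw request line; args are the form fields after
    URL-decoding (what the engine exposes as ARGS_VALUES and ARG_<name>).
    Matching is case-insensitive, as assumed for the 1.x engine."""
    variables = {"THE_REQUEST": [request_line], "ARGS_VALUES": list(args.values())}
    for name, value in args.items():
        variables["ARG_" + name] = [value]
    hits = []
    for label, location, pattern in RULES:
        rx = re.compile(pattern, re.IGNORECASE)
        if location == "ANY":                      # a plain SecFilter looks everywhere
            targets = [t for values in variables.values() for t in values]
        else:
            targets = next((v for k, v in variables.items() if k.lower() == location.lower()), [])
        if any(rx.search(t) for t in targets):
            hits.append(label)
    return hits


# Constructed submissions to a cgiemail-style contact form.
SAMPLES = {
    "clean": ("POST /cgi-bin/cgiemail/contact.txt HTTP/1.1",
              {"name": "Alice", "email": "alice@example.com", "message": "Hello"}),
    "newline in email field": ("POST /cgi-bin/cgiemail/contact.txt HTTP/1.1",
              {"name": "Alice", "email": "alice@example.com\nBcc: victim@example.org", "message": "Hi"}),
    "encoded header in query": ("GET /cgi-bin/cgiemail/contact.txt?subject=hi%0ABcc%3Aspam%40example.net HTTP/1.1",
              {"subject": "hi\nBcc:spam@example.net"}),
    "Bcc form field": ("POST /cgi-bin/cgiemail/contact.txt HTTP/1.1",
              {"Bcc": "spam@example.net", "message": "buy now"}),
}


def scan_samples():
    """Evaluate every constructed submission against the four rules."""
    return {name: evaluate(line, args) for name, (line, args) in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(f"{name:25s} -> {hits}")
```

Two things stand out when this runs. The `ARGS_VALUES` rule is the sharp one: it insists on a line break before `bcc:`, which is exactly what header injection needs and what a legitimate field never contains. The bare `SecFilter "bcc:"` fires on the same submissions but would also block an innocent message whose text merely mentions "bcc:", so expect it to be the source of false positives. The `THE_REQUEST` rule only helps for GET forms, since a POST body is not part of the request line.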
     
  12. fenixer

    fenixer Well-Known Member

    Joined:
    Feb 23, 2007
    Messages:
    92
    Likes Received:
    0
    Trophy Points:
    6
    I have also seen these rules at:
    http://www.gotroot.com/downloads/ftp/modsecurity/rootkits.conf

    The question is, they are already configured correctly (with so many others) in my modsec.user.conf, but they are useless... NOT APPLYING...

    95% of the exploits uploaded and executed on my server come from Joomla / Mambo, with many components (com_*) that allow uploading files to a 777 folder... Most of the spammer apps launched on my server, that 95% of exploits, come from URLs like:

    index.php?file=http://www.example.com/example.txt

    in other words, injecting external code to execute inside the local PHP code... in some other cases, downloading a file from an external URL into a local folder to execute later...

    I have tried several ways to see if I could get the modsec 403 by executing something like index.php?file=http://www.example.com/example.txt on my server, but it is always allowed... I guess the rules are not being applied...

    Tried with www, with http, with different extensions... nothing, and as I said, 95% of the problems I am having are coming this way...

    Can anyone see these rules running on their machines? Why, in my case, do I have several rules giving 403, but these two famous ones do not? Any idea? (modsec is driving me crazy!) :eek:
     
  13. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,460
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Absolutely, daily.

    Example from the past hour.

    Using rootkits.conf, useragents.conf, and several others.
     
  14. fenixer

    fenixer Well-Known Member

    Joined:
    Feb 23, 2007
    Messages:
    92
    Likes Received:
    0
    Trophy Points:
    6
    Thanks so much infopro...

    If you would be so kind, would you let me see your modsec.user.conf... maybe by publishing it here or sending me an email at modsec@fenixer.com

    Thanks... the problem is I cannot see this rule running for me at all, although my modsec is running (Apache 1.x) and other rules do the same.

    Any idea why these rules just cannot do the trick for my config?
     
  15. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,460
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    I think you'd do yourself some good to read up on all of this a bit more. By the time you get through a few of those you'll find your problem, I bet.
    http://www.google.com/search?hl=en&q=cPanel+mod+security

    What works for us may not be what will work for you on yours. As someone posted to a thread on these forums a while back, it's not exactly brain surgery. ;)

    It sounds to me (just guessing) that you may have added the rulesets but forgot to 'enable' them by adding what makes them work inside your httpd.conf.

    <IfModule mod_security.c>
    #rulesets called from this location
    </IfModule>

    If you have that, what do you have inside it? I don't need to see the entire file, but in that area of your httpd.conf there are some things you do need to have for these rules to work at all. And of course if they're remarked out, they are #bypassed.

    Additionally, if you use chirpy's CSF you can check your mod sec logs for activity and even edit the rulesets directly from WHM.

    http://www.configserver.com/cp/csf.html

    Hope that helps. ;)
     
  16. fenixer

    fenixer Well-Known Member

    Joined:
    Feb 23, 2007
    Messages:
    92
    Likes Received:
    0
    Trophy Points:
    6
    Sure, thanks infopro for your answer...

    It was not... Modsec was running OK, as well as all my configured rules...

    I thought that rule was not running (only that one) because I tried to force it by executing a URL expecting a 403, but I was not receiving that...

    Now I have had a look at some logs and see it is applying correctly... it was simply the way I was trying to force the 403... certainly, I cannot force it the way I thought I could... nothing else...

    I thought simply executing http://www.domain.tld/index.php?site=http://www.xxxx.tld would obtain a 403 error, but no... but in my case, I have seen some 403s due to this in audit_log, so I guess it is running OK in spite of that...

    Sorry for wasting so much of your time, but thanks so much for your effort...

    :eek:
     
  17. jameshsi

    jameshsi Well-Known Member

    Joined:
    Oct 22, 2001
    Messages:
    347
    Likes Received:
    0
    Trophy Points:
    16
    Hi!
    I have this rule:
    PHP:

    # Weaker XSS protection but allows common HTML tags
    SecFilter "<script"

    If for some reason I want to disable this rule for one site, for example mydomain.com, how should I do it?

    Because I want to submit a form, and in that form I need to fill in something like:

    PHP:

    <script language="javascript" src="http://mydomain.com/plugins/jf/service/jf_create.php?code=bdbdc9bf9241b99d4c3abd0110aeea86"></script>

    I am thinking either I disable the rule forbidding <script for only this site, or I create an allow rule for some pattern matching the URL of what I need to fill in the form to submit.

    Any suggestions?
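Posts #6, #8 and #17 all hit the same problem: a global substring filter (`<script`, `file=http`) refusing a legitimate, authenticated admin form. Commenting the rule out removes the protection for every site on the box. As an added example, not configuration from the thread, HostMerit or cPanel, here are two ways to scope such a rule under the ModSecurity 1.x directives used in this thread. The rule id `900001` and the paths are placeholders to adapt; `SecFilterRemove` is how I recall the 1.9 reference documents removing a rule by id inside a container, so verify it against the manual for your module version.

```apache
# --- modsec.user.conf: give the global rule an id so it can be referenced ---
# Weaker XSS protection but allows common HTML tags
SecFilter "<script" "id:900001"

# --- Option 1 (narrow): drop only that rule for the one script that needs
# it, inside the affected site's VirtualHost. Every other filter still
# applies to the request.  (SecFilterRemove: from my recollection of the
# 1.9 reference, not from this thread; check it exists in your version.)
<Location /wp-admin/theme-editor.php>
    SecFilterRemove 900001
</Location>

# --- Option 2 (broad, uses only directives that appear in this thread): an
# explicit allow placed BEFORE the Include of the ruleset stops all further
# filtering for that URI, so every rule is bypassed there, not just "<script".
# Keep it pinned to an authenticated admin path; never allow a whole site.
<IfModule mod_security.c>
    SecFilterEngine On
    SecFilterDefaultAction "deny,log,status:406"
    SecFilterSelective REQUEST_URI "^/wp-admin/theme-editor\.php" nolog,allow
    Include "/usr/local/apache/conf/modsec.user.conf"
</IfModule>
```

The same shape answers docbreed's case in post #8: an allow keyed on `^/sm/admin/index\.php` ahead of the Include, or a `SecFilterRemove` for the `file=http` rule inside a `<Location /sm/admin/>` block. In either form the allow is a deliberate hole, so it belongs only on paths that already sit behind a login, and the audit_log should be watched for requests hitting it.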
     
  18. jameshsi

    jameshsi Well-Known Member

    Joined:
    Oct 22, 2001
    Messages:
    347
    Likes Received:
    0
    Trophy Points:
    16
    Any suggestions?
     
  19. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,460
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator

    Only one, reread this thread from the top. The question was already answered properly I believe. ;)
     