rules mod_security..what about?

Discussion in 'Security' started by Creazioni, Mar 14, 2005.

  1. Creazioni

    Creazioni Well-Known Member

    Joined:
    Jan 5, 2003
    Messages:
    133
    Likes Received:
    0
    Trophy Points:
    16
    I want to write a modsec_conf with the best rules, without problems with FP2000 ( :( I hate this software), PERLDESK, MAMBO and other scripts.

    Shall we write, all together, a post with the BEST RULES?
    Every day 2000 sites are hacked :(
    80% homepage defacements (they use uname, ls, wget, echo, cmd=id, lwp-download, cmd=find, print, etc.)
    http://www.zone-h.org/en/defacements

    ==========
    # Turn the filtering engine On or Off
    SecFilterEngine On

    # Make sure that URL encoding is valid
    SecFilterCheckURLEncoding On

    # This setting should be set to On only if the Web site is
    # using the Unicode encoding. Otherwise it may interfere with
    # the normal Web site operation.
    SecFilterCheckUnicodeEncoding Off

    # Only allow bytes from this range
    SecFilterForceByteRange 1 255

    # The audit engine works independently and
    # can be turned On or Off on the per-server or
    # on the per-directory basis. "On" will log everything,
    # "DynamicOrRelevant" will log dynamic requests or violations,
    # and "RelevantOnly" will only log policy violations
    SecAuditEngine RelevantOnly

    SecFilter "visualcoders\.net/spy\.gif\?\&cmd"

    # The name of the audit log file
    SecAuditLog /usr/local/apache/logs/audit_log

    # Should mod_security inspect POST payloads
    SecFilterScanPOST On

    # Action to take by default
    SecFilterDefaultAction "deny,log,status:403"

    # Require Content-Length to be provided with
    # every POST request
    SecFilterSelective REQUEST_METHOD "^POST$" chain
    SecFilterSelective HTTP_Content-Length "^$"

    # Don't accept transfer encodings we know we don't handle
    # (and you don't need it anyway)
    SecFilterSelective HTTP_Transfer-Encoding "!^$"


    SecFilterSelective THE_REQUEST "wget "
    SecFilterSelective THE_REQUEST "lynx "
    SecFilterSelective THE_REQUEST "scp "
    SecFilterSelective THE_REQUEST "ftp "
    SecFilterSelective THE_REQUEST "cvs "
    SecFilterSelective THE_REQUEST "rcp "
    SecFilterSelective THE_REQUEST "telnet "
    SecFilterSelective THE_REQUEST "ssh "
    SecFilterSelective THE_REQUEST "echo "
    SecFilterSelective THE_REQUEST "links -dump "
    SecFilterSelective THE_REQUEST "links -dump-charset "
    SecFilterSelective THE_REQUEST "links -dump-width "
    SecFilterSelective THE_REQUEST "links http:// "
    SecFilterSelective THE_REQUEST "links ftp:// "
    SecFilterSelective THE_REQUEST "links -source "
    SecFilterSelective THE_REQUEST "mkdir "
    SecFilterSelective THE_REQUEST "cd /tmp "
    SecFilterSelective THE_REQUEST "cd /var/tmp "
    SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy "


    # Very crude filters to prevent SQL injection attacks
    SecFilter "delete[[:space:]]+from"
    SecFilter "insert[[:space:]]+into"

    #Protecting from XSS attacks through the PHP session cookie
    SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
    SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"

    # WEB-ATTACKS ps command attempt
    SecFilterSelective THE_REQUEST "/bin/ps"

    # WEB-ATTACKS /bin/ps command attempt
    SecFilterSelective THE_REQUEST "ps\x20"

    # WEB-ATTACKS wget command attempt
    SecFilter "wget\x20"

    # Web-PHP phpBB Exploit Filter
    SecFilter "chr\(([0-9]{1,3})\)" "deny,log"


    # WEB-ATTACKS uname -a command attempt
    SecFilter "uname\x20-a"

    # WEB-ATTACKS /usr/bin/id command attempt
    SecFilterSelective THE_REQUEST "/usr/bin/id"

    # WEB-ATTACKS id command attempt
    SecFilter "\;id"

    # WEB-ATTACKS chown command attempt
    SecFilter "/bin/chown\x20"


    # WEB-PHP General PHP Exploit Filter
    SecFilterSelective "THE_REQUEST|ARGS_VALUES" "(passthru|shell_exec|proc_open|fopen|fwrite)"


    # WEB-ATTACKS kill command attempt
    SecFilterSelective THE_REQUEST "/bin/kill"

    # WEB-ATTACKS chsh command attempt
    SecFilterSelective THE_REQUEST "/usr/bin/chsh"

    # WEB-ATTACKS tftp command attempt
    SecFilter "tftp\x20"

    # WEB-ATTACKS /usr/bin/gcc command attempt
    SecFilterSelective THE_REQUEST "/usr/bin/gcc"


    # WEB-ATTACKS gcc command attempt
    SecFilter "gcc\x20-o"

    # WEB-ATTACKS /usr/bin/cc command attempt
    SecFilterSelective THE_REQUEST "/usr/bin/cc"

    # WEB-ATTACKS cc command attempt
    SecFilter "cc\x20"

    # WEB-ATTACKS /usr/bin/cpp command attempt
    SecFilterSelective THE_REQUEST "/usr/bin/cpp"

    # WEB-ATTACKS cpp command attempt
    SecFilter "cpp\x20"

    # WEB-ATTACKS /usr/bin/g++ command attempt
    SecFilterSelective THE_REQUEST "/usr/bin/g\+\+"

    # WEB-ATTACKS g++ command attempt
    SecFilter "g\+\+\x20"

    # WEB-ATTACKS bin/python access attempt
    SecFilterSelective THE_REQUEST "bin/python"

    # WEB-ATTACKS python access attempt
    SecFilter "python\x20"

    # WEB-ATTACKS bin/tclsh execution attempt
    SecFilter "bin/tclsh"

    # WEB-ATTACKS tclsh execution attempt
    SecFilter "tclsh8\x20"

    # WEB-ATTACKS ls -l command attempt
    SecFilter "ls\x20-l"

    # WEB-ATTACKS /bin/ls command attempt
    SecFilterSelective THE_REQUEST "/bin/ls"


    # WEB-PHP phpBB viewtopic.php highlight parameter exploit attempt
    SecFilterSelective SCRIPT_FILENAME "viewtopic\.php$" chain
    SecFilterSelective ARG_highlight "%27"

    # WEB-ATTACKS bin/nasm command attempt
    SecFilterSelective THE_REQUEST "bin/nasm"

    # WEB-ATTACKS nasm command attempt
    SecFilter "nasm\x20"

    # WEB-ATTACKS perl execution attempt
    SecFilter "perl\x20"


    # WEB-PHP remote file inclusion attempt through a header= parameter
    SecFilter "header=http:"

    # WEB-ATTACKS traceroute command attempt
    SecFilter "traceroute\x20"

    # WEB-ATTACKS ping command attempt
    SecFilterSelective THE_REQUEST "/bin/ping"


    # WEB-ATTACKS nmap command attempt
    SecFilter "nmap\x20"

    # WEB-ATTACKS xterm command attempt
    SecFilterSelective THE_REQUEST "/usr/X11R6/bin/xterm"

    # WEB-ATTACKS X application to remote host attempt
    SecFilter "\x20-display\x20"

    # WEB-ATTACKS lsof command attempt
    SecFilter "lsof\x20"

    # WEB-ATTACKS rm command attempt
    #SecFilter "rm\x20"

    # WEB-ATTACKS mail command attempt
    SecFilterSelective THE_REQUEST "/bin/mail"

    # WEB-ATTACKS /bin/ls command attempt
    SecFilterSelective THE_REQUEST "/bin/ls"

    # WEB-ATTACKS /etc/shadow access
    SecFilter "/etc/shadow"

    # WEB-ATTACKS .htgroup access
    SecFilterSelective THE_REQUEST "\.htgroup"

    # WEB-CGI websitepro path access
    SecFilter " /HTTP/1\."

    # WEB-CGI formmail access
    SecFilterSelective THE_REQUEST "/formmail" log,pass

    # WEB-CGI phf arbitrary command execution attempt
    SecFilterSelective THE_REQUEST "/phf" chain
    SecFilter "\x0a/"

    # WEB-CGI phf access
    SecFilterSelective THE_REQUEST "/phf" log,pass

    # WEB-CGI rksh access
    SecFilterSelective THE_REQUEST "/rksh"

    # WEB-CGI bash access
    SecFilterSelective THE_REQUEST "/bash" log,pass

    # WEB-CGI zsh access
    SecFilterSelective THE_REQUEST "/zsh"

    # WEB-CGI csh access
    SecFilterSelective THE_REQUEST "/csh"

    # WEB-CGI tcsh access
    SecFilterSelective THE_REQUEST "/tcsh"

    # WEB-CGI rsh access
    SecFilterSelective THE_REQUEST "/rsh"

    # WEB-CGI ksh access
    SecFilterSelective THE_REQUEST "/ksh"

    # WEB-CLIENT Javascript URL host spoofing attempt
    SecFilter "javascript\://"


    SecFilter "_vti_bin" allow
    SecFilterSelective THE_REQUEST "/fpsrvadm\.exe" pass
    SecFilterSelective THE_REQUEST "/fpremadm\.exe" pass
    SecFilterSelective THE_REQUEST "/admisapi/fpadmin\.htm" pass
    SecFilterSelective THE_REQUEST "/_vti_bin/shtml\.exe" pass
    SecFilterSelective THE_REQUEST "/_vti_pvt/svcacl\.cnf" pass
    SecFilterSelective THE_REQUEST "/users\.pwd" pass
    SecFilterSelective THE_REQUEST "/_vti_pvt/writeto\.cnf" pass
    SecFilterSelective THE_REQUEST "/dvwssr\.dll" pass
    SecFilterSelective THE_REQUEST "/_private/register\.htm" pass
    # WEB-MISC .htpasswd access
    SecFilter "\.htpasswd"

    # WEB-MISC .htaccess access
    SecFilter "\.htaccess"

    # WEB-MISC cd..
    SecFilter "cd\.\."

    # WEB-MISC ///cgi-bin access
    SecFilterSelective THE_REQUEST "///cgi-bin"

    SecFilterSelective THE_REQUEST "cd /tmp"
    SecFilterSelective THE_REQUEST "cd /var/tmp"
    SecFilterSelective THE_REQUEST "echo "
    SecFilterSelective THE_REQUEST "perl "

    SecFilter "cmdd="
    SecFilter "&cmd=id\x20" "deny,log"
    # WEB-MISC /cgi-bin/// access
    SecFilterSelective THE_REQUEST "/cgi-bin///"

    # WEB-MISC /~root access
    SecFilterSelective THE_REQUEST "/~root"

    # WEB-MISC /~ftp access
    SecFilterSelective THE_REQUEST "/~ftp"

    # WEB-MISC rpm_query access
    SecFilterSelective THE_REQUEST "/rpm_query"

    # WEB-MISC htgrep attempt
    SecFilterSelective THE_REQUEST "/htgrep" chain
    SecFilter "hdr=/"

    # WEB-MISC htgrep access
    SecFilterSelective THE_REQUEST "/htgrep" log,pass

    # WEB-MISC .history access
    SecFilterSelective THE_REQUEST "/\.history"

    # WEB-MISC .bash_history access
    SecFilterSelective THE_REQUEST "/\.bash_history"

    # WEB-MISC /~nobody access
    SecFilterSelective THE_REQUEST "/~nobody"

    # WEB-MISC *%0a.pl access (the asterisk is literal, so it must be escaped)
    SecFilterSelective THE_REQUEST "/\*\x0a\.pl"

    # WEB-MISC Apache Chunked-Encoding worm attempt
    SecFilter "CCCCCCC\: AAAAAAAAAAAAAAAAAAA"

    # WEB-MISC Transfer-Encoding\: chunked
    SecFilter "chunked"

    # WEB-PHP squirrel mail theme arbitrary command attempt
    SecFilterSelective THE_REQUEST "/left_main\.php" chain
    SecFilter "cmdd="

    # WEB-PHP DNSTools administrator authentication bypass attempt
    SecFilterSelective THE_REQUEST "/dnstools\.php" chain
    SecFilter "user_dnstools_administrator=true"

    # WEB-PHP DNSTools authentication bypass attempt
    SecFilterSelective THE_REQUEST "/dnstools\.php" chain
    SecFilter "user_logged_in=true"

    # WEB-PHP DNSTools access
    SecFilterSelective THE_REQUEST "/dnstools\.php" log,pass

    # WEB-PHP Blahz-DNS dostuff.php modify user attempt
    SecFilterSelective THE_REQUEST "/dostuff\.php\?action=modify_user"

    # WEB-PHP Blahz-DNS dostuff.php access
    SecFilterSelective THE_REQUEST "/dostuff\.php" log,pass
    ============
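    The ruleset above is mostly substring regexes over the whole request line, so the false positives the post worries about (FrontPage, PerlDesk, Mambo) are a real risk: "ps\x20" also matches "tips for", "cc\x20" matches "acc setup". The Python harness below is an added example, not code from the thread or from mod_security itself. It parses the SecFilter / SecFilterSelective subset used in the post (quoting, negation with "!", "chain", and the allow/pass actions) and replays constructed requests through it, so a rule can be checked for collateral matches before it goes live. The rules in RULES are copied from the post; the request model, the assumption that a missing header reads as an empty string, and the sample requests are constructed for the example.

```python
import re
import shlex
from dataclasses import dataclass
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Excerpt of the ruleset posted in the thread (mod_security 1.x syntax).
RULES = r'''
# Require Content-Length with every POST
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"
SecFilter "_vti_bin" allow
# WEB-ATTACKS /bin/ps command attempt
SecFilterSelective THE_REQUEST "ps\x20"
SecFilter "cc\x20"
SecFilter "&cmd=id\x20" "deny,log"
# Protecting from XSS attacks through the PHP session cookie
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
'''


@dataclass
class Rule:
    variables: list   # empty list means plain SecFilter
    regex: re.Pattern
    negate: bool      # pattern started with "!"
    actions: set
    chain: bool


def parse_rules(text):
    """Parse SecFilter/SecFilterSelective lines; comments and engine directives are skipped."""
    rules = []
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)  # Apache-style quoting keeps "\x20" as written
        if not parts or parts[0] not in ("SecFilter", "SecFilterSelective"):
            continue
        selective = parts[0] == "SecFilterSelective"
        variables = parts[1].split("|") if selective else []
        pattern, rest = parts[1 + selective], parts[2 + selective:]
        actions = {a for token in rest for a in token.split(",")}
        # mod_security matches with PCRE; Python's re lacks POSIX bracket classes
        regex = re.compile(pattern.lstrip("!").replace("[[:space:]]", r"\s"))
        rules.append(Rule(variables, regex, pattern.startswith("!"),
                          actions - {"chain"}, "chain" in actions))
    return rules


@dataclass
class Request:
    method: str
    uri: str        # path plus query string, as sent on the wire
    headers: dict

    def variables(self):
        """Map mod_security variable names to URL-decoded values (an approximation)."""
        args = parse_qsl(urlsplit(self.uri).query, keep_blank_values=True)
        v = {"REQUEST_METHOD": [self.method], "ARGS_VALUES": [val for _, val in args],
             "THE_REQUEST": [unquote_plus(f"{self.method} {self.uri} HTTP/1.1")]}
        for name, val in args:
            v.setdefault(f"ARG_{name}", []).append(val)
        for name, val in parse_qsl(self.headers.get("Cookie", "").replace("; ", "&")):
            v.setdefault(f"COOKIE_{name}", []).append(val)
        v.update({f"HTTP_{name}": [val] for name, val in self.headers.items()})
        v[""] = v["THE_REQUEST"] + v["ARGS_VALUES"]  # what plain SecFilter inspects
        return v


def _matches(rule, rvars):
    # Assumption: an absent header reads as "" (the Content-Length idiom needs that);
    # an absent argument or cookie leaves the rule unapplied.
    for name in rule.variables or [""]:
        values = rvars.get(name, [""] if name.startswith("HTTP_") else [])
        if any((rule.regex.search(val) is not None) != rule.negate for val in values):
            return True
    return False


def evaluate(rules, request):
    """Return (decision, hit patterns); every match is kept, not just the first deny."""
    rvars, hits, decision, i = request.variables(), [], "pass", 0
    while i < len(rules):
        j = i
        while rules[j].chain and j + 1 < len(rules):  # a chain is one logical rule
            j += 1
        group, i = rules[i:j + 1], j + 1
        if all(_matches(r, rvars) for r in group):
            final = group[-1]
            hits.append(final.regex.pattern)
            if "allow" in final.actions:
                return "allow", hits  # allow ends processing for this request
            if "pass" not in final.actions:
                decision = "deny"
    return decision, hits


# Constructed sample traffic (not real logs), one request per case of interest.
SAMPLES = {
    "benign search": Request("GET", "/docs/index.php?q=tips+for+acc+setup", {}),
    "frontpage publish": Request("POST", "/_vti_bin/shtml.exe/_vti_rpc", {"Content-Length": "21"}),
    "post without length": Request("POST", "/contact.php", {}),
    "defacement probe": Request("GET", "/index.php?page=main&cmd=id%20", {}),
    "bad session cookie": Request("GET", "/forum/", {"Cookie": "PHPSESSID=abc<script>"}),
    "clean session cookie": Request("GET", "/forum/", {"Cookie": "PHPSESSID=abc123"}),
}


def run_all(rules_text=RULES):
    """Decision and matched rule patterns for every sample request."""
    rules = parse_rules(rules_text)
    return {name: evaluate(rules, req) for name, req in SAMPLES.items()}
```

    Running `run_all()` shows the trade-off directly: the harmless search is denied twice (by "ps\x20" and "cc\x20"), the FrontPage publish is let through because the "_vti_bin" allow rule fires before the generic filters, and the POST without a Content-Length is caught by the two-rule chain. The real engine stops at the first deny; the harness records every match so that a false-positive review sees all the rules that would have to be tightened.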
     
  2. moFBush

    moFBush Well-Known Member

    Joined:
    Dec 31, 2005
    Messages:
    51
    Likes Received:
    0
    Trophy Points:
    6
    This should be sticky'd :)
     
  3. skyhorse

    skyhorse Active Member

    Joined:
    Aug 18, 2004
    Messages:
    25
    Likes Received:
    0
    Trophy Points:
    1