
rules mod_security..what about?

Discussion in 'Security' started by Creazioni, Mar 14, 2005.

  1. Creazioni

    Creazioni Well-Known Member

    I wanna write a modsec_conf with the best rules, without problems with FP2000 ( :( I hate this sw), PERLDESK, MAMBO and other scripts.

    Do we write, all together, a post with the BEST RULES?
    Every day 2000 sites are hacked :(
    80% Homepage defacement (they use -uname, ls, wget, echo, cmd=id, lwp-download, cmd=find, print, etc......)
    http://www.zone-h.org/en/defacements



    ==========
    # Turn the filtering engine On or Off
    SecFilterEngine On

    # Make sure that URL encoding is valid
    SecFilterCheckURLEncoding On

    # This setting should be set to On only if the Web site is
    # using the Unicode encoding. Otherwise it may interfere with
    # the normal Web site operation.
    SecFilterCheckUnicodeEncoding Off

    # Only allow bytes from this range
    SecFilterForceByteRange 1 255

    # The audit engine works independently and
    # can be turned On or Off on the per-server or
    # on the per-directory basis. "On" will log everything,
    # "DynamicOrRelevant" will log dynamic requests or violations,
    # and "RelevantOnly" will only log policy violations
    SecAuditEngine RelevantOnly

    SecFilter "visualcoders\.net/spy\.gif\?\&cmd"

    # The name of the audit log file
    SecAuditLog /usr/local/apache/logs/audit_log

    # Should mod_security inspect POST payloads
    SecFilterScanPOST On

    # Action to take by default
    SecFilterDefaultAction "deny,log,status:403"

    # Require Content-Length to be provided with
    # every POST request
    SecFilterSelective REQUEST_METHOD "^POST$" chain
    SecFilterSelective HTTP_Content-Length "^$"

    # Don't accept transfer encodings we know we don't handle
    # (and you don't need it anyway)
    SecFilterSelective HTTP_Transfer-Encoding "!^$"


    SecFilterSelective THE_REQUEST "wget "
    SecFilterSelective THE_REQUEST "lynx "
    SecFilterSelective THE_REQUEST "scp "
    SecFilterSelective THE_REQUEST "ftp "
    SecFilterSelective THE_REQUEST "cvs "
    SecFilterSelective THE_REQUEST "rcp "
    SecFilterSelective THE_REQUEST "telnet "
    SecFilterSelective THE_REQUEST "ssh "
    SecFilterSelective THE_REQUEST "echo "
    SecFilterSelective THE_REQUEST "links -dump "
    SecFilterSelective THE_REQUEST "links -dump-charset "
    SecFilterSelective THE_REQUEST "links -dump-width "
    SecFilterSelective THE_REQUEST "links http:// "
    SecFilterSelective THE_REQUEST "links ftp:// "
    SecFilterSelective THE_REQUEST "links -source "
    SecFilterSelective THE_REQUEST "mkdir "
    SecFilterSelective THE_REQUEST "cd /tmp "
    SecFilterSelective THE_REQUEST "cd /var/tmp "
    SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy "


    # Very crude filters to prevent SQL injection attacks
    SecFilter "delete[[:space:]]+from"
    SecFilter "insert[[:space:]]+into"

    #Protecting from XSS attacks through the PHP session cookie
    SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
    SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"

    # WEB-ATTACKS ps command attempt
    SecFilterSelective THE_REQUEST "/bin/ps"

    # WEB-ATTACKS /bin/ps command attempt
    SecFilterSelective THE_REQUEST "ps\x20"

    # WEB-ATTACKS wget command attempt
    SecFilter "wget\x20"

    # Web-PHP phpBB Exploit Filter
    SecFilter "chr\(([0-9]{1,3})\)" "deny,log"


    # WEB-ATTACKS uname -a command attempt
    SecFilter "uname\x20-a"

    # WEB-ATTACKS /usr/bin/id command attempt
    SecFilterSelective THE_REQUEST "/usr/bin/id"

    # WEB-ATTACKS id command attempt
    SecFilter "\;id"

    # WEB-ATTACKS chown command attempt
    SecFilter "/bin/chown\x20"


    # WEB-PHP General PHP Exploit Filter
    SecFilterSelective "THE_REQUEST|ARGS_VALUES" "(passthru|shell_exec|proc_open|fopen|fwrite)"


    # WEB-ATTACKS kill command attempt
    SecFilterSelective THE_REQUEST "/bin/kill"

    # WEB-ATTACKS chsh command attempt
    SecFilterSelective THE_REQUEST "/usr/bin/chsh"

    # WEB-ATTACKS tftp command attempt
    SecFilter "tftp\x20"

    # WEB-ATTACKS /usr/bin/gcc command attempt
    SecFilterSelective THE_REQUEST "/usr/bin/gcc"


    # WEB-ATTACKS gcc command attempt
    SecFilter "gcc\x20-o"

    # WEB-ATTACKS /usr/bin/cc command attempt
    SecFilterSelective THE_REQUEST "/usr/bin/cc"

    # WEB-ATTACKS cc command attempt
    SecFilter "cc\x20"

    # WEB-ATTACKS /usr/bin/cpp command attempt
    SecFilterSelective THE_REQUEST "/usr/bin/cpp"

    # WEB-ATTACKS cpp command attempt
    SecFilter "cpp\x20"

    # WEB-ATTACKS /usr/bin/g++ command attempt
    SecFilterSelective THE_REQUEST "/usr/bin/g\+\+"

    # WEB-ATTACKS g++ command attempt
    SecFilter "g\+\+\x20"

    # WEB-ATTACKS bin/python access attempt
    SecFilterSelective THE_REQUEST "bin/python"

    # WEB-ATTACKS python access attempt
    SecFilter "python\x20"

    # WEB-ATTACKS bin/tclsh execution attempt
    SecFilter "bin/tclsh"

    # WEB-ATTACKS tclsh execution attempt
    SecFilter "tclsh8\x20"

    # WEB-ATTACKS ls -l command attempt
    SecFilter "ls\x20-l"

    # WEB-ATTACKS /bin/ls command attempt
    SecFilterSelective THE_REQUEST "/bin/ls"


    SecFilterSelective SCRIPT_FILENAME "viewtopic\.php$" chain
    SecFilterSelective ARG_highlight "%27"

    # WEB-ATTACKS bin/nasm command attempt
    SecFilterSelective THE_REQUEST "bin/nasm"

    # WEB-ATTACKS nasm command attempt
    SecFilter "nasm\x20"

    # WEB-ATTACKS perl execution attempt
    SecFilter "perl\x20"


    # header=http:   (incomplete fragment as posted; not a valid directive on its own, so kept commented out)

    # WEB-ATTACKS traceroute command attempt
    SecFilter "traceroute\x20"

    # WEB-ATTACKS ping command attempt
    SecFilterSelective THE_REQUEST "/bin/ping"


    # WEB-ATTACKS nmap command attempt
    SecFilter "nmap\x20"

    # WEB-ATTACKS xterm command attempt
    SecFilterSelective THE_REQUEST "/usr/X11R6/bin/xterm"

    # WEB-ATTACKS X application to remote host attempt
    SecFilter "\x20-display\x20"

    # WEB-ATTACKS lsof command attempt
    SecFilter "lsof\x20"

    # WEB-ATTACKS rm command attempt
    #SecFilter "rm\x20"

    # WEB-ATTACKS mail command attempt
    SecFilterSelective THE_REQUEST "/bin/mail"

    # WEB-ATTACKS /bin/ls command attempt
    SecFilterSelective THE_REQUEST "/bin/ls"

    # WEB-ATTACKS /etc/shadow access
    SecFilter "/etc/shadow"

    # WEB-ATTACKS .htgroup access
    SecFilterSelective THE_REQUEST "\.htgroup"

    # WEB-CGI websitepro path access
    SecFilter " /HTTP/1\."

    # WEB-CGI formmail access
    SecFilterSelective THE_REQUEST "/formmail" log,pass

    # WEB-CGI phf arbitrary command execution attempt
    SecFilterSelective THE_REQUEST "/phf" chain
    SecFilter "\x0a/"

    # WEB-CGI phf access
    SecFilterSelective THE_REQUEST "/phf" log,pass

    # WEB-CGI rksh access
    SecFilterSelective THE_REQUEST "/rksh"

    # WEB-CGI bash access
    SecFilterSelective THE_REQUEST "/bash" log,pass

    # WEB-CGI zsh access
    SecFilterSelective THE_REQUEST "/zsh"

    # WEB-CGI csh access
    SecFilterSelective THE_REQUEST "/csh"

    # WEB-CGI tcsh access
    SecFilterSelective THE_REQUEST "/tcsh"

    # WEB-CGI rsh access
    SecFilterSelective THE_REQUEST "/rsh"

    # WEB-CGI ksh access
    SecFilterSelective THE_REQUEST "/ksh"

    # WEB-CLIENT Javascript URL host spoofing attempt
    SecFilter "javascript\://"


    SecFilter "_vti_bin" allow
    SecFilterSelective THE_REQUEST "/fpsrvadm\.exe" pass
    SecFilterSelective THE_REQUEST "/fpremadm\.exe" pass
    SecFilterSelective THE_REQUEST "/admisapi/fpadmin\.htm" pass
    SecFilterSelective THE_REQUEST "/_vti_bin/shtml\.exe" pass
    SecFilterSelective THE_REQUEST "/_vti_pvt/svcacl\.cnf" pass
    SecFilterSelective THE_REQUEST "/users\.pwd" pass
    SecFilterSelective THE_REQUEST "/_vti_pvt/writeto\.cnf" pass
    SecFilterSelective THE_REQUEST "/dvwssr\.dll" pass
    SecFilterSelective THE_REQUEST "/_private/register\.htm" pass





    # WEB-MISC .htpasswd access
    SecFilter "\.htpasswd"

    # WEB-MISC .htaccess access
    SecFilter "\.htaccess"

    # WEB-MISC cd..
    SecFilter "cd\.\."

    # WEB-MISC ///cgi-bin access
    SecFilterSelective THE_REQUEST "///cgi-bin"

    SecFilterSelective THE_REQUEST "cd /tmp"
    SecFilterSelective THE_REQUEST "cd /var/tmp"
    SecFilterSelective THE_REQUEST "echo "
    SecFilterSelective THE_REQUEST "perl "

    SecFilter "cmdd="
    SecFilter "&cmd=id\x20" "deny,log"



    # WEB-MISC /cgi-bin/// access
    SecFilterSelective THE_REQUEST "/cgi-bin///"

    # WEB-MISC /~root access
    SecFilterSelective THE_REQUEST "/~root"

    # WEB-MISC /~ftp access
    SecFilterSelective THE_REQUEST "/~ftp"

    # WEB-MISC rpm_query access
    SecFilterSelective THE_REQUEST "/rpm_query"

    # WEB-MISC htgrep attempt
    SecFilterSelective THE_REQUEST "/htgrep" chain
    SecFilter "hdr=/"

    # WEB-MISC htgrep access
    SecFilterSelective THE_REQUEST "/htgrep" log,pass

    # WEB-MISC .history access
    SecFilterSelective THE_REQUEST "/\.history"

    # WEB-MISC .bash_history access
    SecFilterSelective THE_REQUEST "/\.bash_history"

    # WEB-MISC /~nobody access
    SecFilterSelective THE_REQUEST "/~nobody"

    # WEB-MISC *%0a.pl access
    SecFilterSelective THE_REQUEST "/*\x0a\.pl"

    # WEB-MISC Apache Chunked-Encoding worm attempt
    SecFilter "CCCCCCC\: AAAAAAAAAAAAAAAAAAA"

    # WEB-MISC Transfer-Encoding\: chunked
    SecFilter "chunked"

    # WEB-PHP squirrel mail theme arbitrary command attempt
    SecFilterSelective THE_REQUEST "/left_main\.php" chain
    SecFilter "cmdd="

    # WEB-PHP DNSTools administrator authentication bypass attempt
    SecFilterSelective THE_REQUEST "/dnstools\.php" chain
    SecFilter "user_dnstools_administrator=true"

    # WEB-PHP DNSTools authentication bypass attempt
    SecFilterSelective THE_REQUEST "/dnstools\.php" chain
    SecFilter "user_logged_in=true"

    # WEB-PHP DNSTools access
    SecFilterSelective THE_REQUEST "/dnstools\.php" log,pass

    # WEB-PHP Blahz-DNS dostuff.php modify user attempt
    SecFilterSelective THE_REQUEST "/dostuff\.php\?action=modify_user"

    # WEB-PHP Blahz-DNS dostuff.php access
    SecFilterSelective THE_REQUEST "/dostuff\.php" log,pass
    ============
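As an added example (not from the thread and not part of mod_security), here is a small Python checker that replays a constructed subset of the post's rules in mod_security 1.x order (deny / allow / pass semantics, URL decoding before matching) against constructed sample requests, to show where the broad substring rules such as `cc\x20` and `chunked` would reject legitimate traffic while the FrontPage `_vti_bin` allow rule and the `cmd=id` filter behave as intended. The rule subset, sample request lines and all names are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed subset of the post's mod_security 1.x rules as (target, regex, action).
# target None = SecFilter (whole request incl. POST body); "THE_REQUEST" = request line.
# action None falls back to SecFilterDefaultAction, i.e. deny,log,status:403.
RULES = [
    ("THE_REQUEST", r"wget ", None),
    (None, r"cc\x20", None),        # any "cc " substring, e.g. a search for "cc toolbar"
    (None, r"chunked", None),       # the bare word "chunked", e.g. in a docs URL
    (None, r"&cmd=id\x20", "deny"),
    (None, r"_vti_bin", "allow"),   # FrontPage: stop evaluating and admit the request
    (None, r"\.htaccess", None),
    ("THE_REQUEST", r"/formmail", "pass"),  # log only, keep evaluating later rules
]

def evaluate(request_line, body=""):
    """Walk the rules in order as mod_security 1.x does: the first deny wins,
    allow ends evaluation and admits the request, pass only records a log entry."""
    # mod_security URL-decodes before matching, so %20 and a literal space compare equal
    req = unquote(request_line)
    whole = req + "\n" + unquote(body)
    logged = []
    for target, pattern, action in RULES:
        haystack = req if target == "THE_REQUEST" else whole
        if re.search(pattern, haystack):
            logged.append(pattern)
            if action == "allow":
                return "allow", logged
            if action == "pass":
                continue
            return "deny", logged
    return "allow", logged

# Constructed sample requests: a harmless one, two legitimate ones the substring
# rules reject (false positives), a FrontPage call, a formmail hit, and a cmd=id probe.
SAMPLES = {
    "plain":      "GET /index.php?page=1 HTTP/1.1",
    "fp_cc":      "GET /search.php?q=cc%20toolbar HTTP/1.1",
    "fp_chunked": "GET /docs/chunked-transfer.html HTTP/1.1",
    "frontpage":  "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.1",
    "formmail":   "GET /cgi-bin/formmail.pl?to=me@example.invalid HTTP/1.1",
    "probe":      "GET /index.php?page=1&cmd=id%20 HTTP/1.1",
}

def verdicts():
    """Map each sample name to its verdict so a rule set can be audited offline."""
    return {name: evaluate(line)[0] for name, line in SAMPLES.items()}
```

Rules that match only a bare word followed by a space are the ones to anchor more tightly or scope to THE_REQUEST before rolling a set like this out on a shared host.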
     
  2. moFBush

    moFBush Well-Known Member

    This should be sticky'd :)
     