The Community Forums

Interact with an entire community of cPanel & WHM users!

Several ModSecurity rules, what do You think about these?

Discussion in 'Security' started by postcd, Apr 12, 2016.

  1. postcd

    postcd Well-Known Member

    Hello,

    Please, what do you say about applying the following ModSecurity rules on a public shared hosting server? Do you find any of them beneficial? Thank you.

    SQL Injection

    # Regex operators applied to request arguments after lowercasing (the `\s+` escapes were lost in extraction)
    SecRule ARGS "union\s+select" \
    "t:lowercase,deny,msg:'SQL Injection'"
    SecRule ARGS "union\s+all\s+select" \
    "t:lowercase,deny,msg:'SQL Injection'"
    SecRule ARGS "into\s+outfile" \
    "t:lowercase,deny,msg:'SQL Injection'"
    SecRule ARGS "drop\s+table" \
    "t:lowercase,deny,msg:'SQL Injection'"
    SecRule ARGS "alter\s+table" \
    "t:lowercase,deny,msg:'SQL Injection'"
    SecRule ARGS "load_file" \
    "t:lowercase,deny,msg:'SQL Injection'"
    SecRule ARGS "select\s+" \
    "t:lowercase,deny,msg:'SQL Injection'"

    Command Execution

    This rule matches too often

    SecRule ARGS "^(rm|ls|kill|(send)?mail|cat|echo|/bin/|/etc/|/tmp/)[[:space:]]" \
    "deny"


    Directory traversal (did NOT work for me, almost any URL request got banned)

    SecRule REQUEST_URI "@streq ../" \
    "t:urlDecode,deny"


    Some of the rules from: blog.art-of-coding.eu/implementing-a-web-application-firewall/
     
    #1 postcd, Apr 12, 2016
    Last edited: Apr 12, 2016
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

  3. quizknows

    quizknows Well-Known Member

    I will look at others later if I have time but this one is broken because a single dot serves as a wildcard for any single character unless escaped by a backslash. You want this:

    Code:
    SecRule REQUEST_URI "@streq \.\./" \
    "t:urlDecode,deny"
    
     
  4. jwillberg

    jwillberg Registered

    Another alternative - Removed -

    We are using these rules on over 25 servers to protect our customers' websites.

    That directory traversal rule is too generic, and every URI has things like ../../images.jpg or something else.

    Better is to use QUERY_STRING, for example, which does not cause false positives:

    Code:
    SecRule QUERY_STRING                    "\.\./\.\./\.\." "t:urlDecode,deny"
     
    #4 jwillberg, Aug 20, 2016
    Last edited by a moderator: Aug 31, 2016
  5. quizknows

    quizknows Well-Known Member

    Rules that use ../../ can be very easily evaded by padding in extra slashes. You should use /../ so that things like ..//..// will also match. For example:


    SecRule QUERY_STRING "/\.\./" "t:urlDecode,deny"

    You can also use a transformation like "normalisePath" to strip extra slashes from requests before processing.
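The two QUERY_STRING patterns from this thread, run against constructed query strings, as an added example (not code from either poster or from ModSecurity itself). It models only the `@rx` matching and two transformations in plain Python: `url_decode` stands in for `t:urlDecode`, and `collapse_slashes` is a simplified stand-in for the slash-collapsing part of `t:normalisePath`.

```python
import re
from urllib.parse import unquote

# The two traversal regexes discussed in the thread, as ModSecurity would apply them with @rx.
RULES = {
    "fixed_depth": re.compile(r"\.\./\.\./\.\."),  # jwillberg: three contiguous ../ segments
    "slash_anchored": re.compile(r"/\.\./"),       # quizknows: any /../ regardless of padding
}


def url_decode(value: str) -> str:
    """Stand-in for t:urlDecode (single pass of %XX decoding)."""
    return unquote(value)


def collapse_slashes(value: str) -> str:
    """Simplified stand-in for the multiple-slash removal done by t:normalisePath.

    The real transformation also removes ./ and resolves ../ segments; only
    the slash collapsing matters for the padding evasion shown here.
    """
    return re.sub(r"/+", "/", value)


def evaluate(query_string: str, transforms) -> dict:
    """Apply the transformation chain, then report which rules fire."""
    value = query_string
    for transform in transforms:
        value = transform(value)
    return {name: bool(pattern.search(value)) for name, pattern in RULES.items()}


# Constructed sample query strings (not captured traffic).
SAMPLES = {
    "benign": "page=home&img=logo.jpg",
    "plain": "file=../../../etc/passwd",
    "padded": "file=..//..//..//etc/passwd",       # extra slashes defeat the fixed-depth rule
    "encoded": "file=%2e%2e%2f%2e%2e%2fetc%2fpasswd",  # only visible after urlDecode
}

if __name__ == "__main__":
    for label, qs in SAMPLES.items():
        print(label, "urlDecode only:", evaluate(qs, [url_decode]))
        print(label, "urlDecode+normalise:", evaluate(qs, [url_decode, collapse_slashes]))
```

Running it shows the padded sample slipping past the fixed-depth rule until slashes are collapsed, while `/\.\./` catches it either way; the encoded sample matches nothing unless `urlDecode` runs first.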
     