The Community Forums

Several ModSecurity rules, what do You think about these?

Discussion in 'Security' started by postcd, Apr 12, 2016.

  1. postcd

    postcd Well-Known Member

    Hello,

    Please, what do you say about applying the following ModSecurity rules on a public shared hosting server? Do you find any of them beneficial? Thank you.

    SQL Injection

    # Backslashes restored: the forum formatting dropped the "\" from "\s+" in the posted rules
    SecRule ARGS "union\s+select" \
    "t:lowercase,deny,msg:'SQL Injection'"
    SecRule ARGS "union\s+all\s+select" \
    "t:lowercase,deny,msg:'SQL Injection'"
    SecRule ARGS "into\s+outfile" \
    "t:lowercase,deny,msg:'SQL Injection'"
    SecRule ARGS "drop\s+table" \
    "t:lowercase,deny,msg:'SQL Injection'"
    SecRule ARGS "alter\s+table" \
    "t:lowercase,deny,msg:'SQL Injection'"
    SecRule ARGS "load_file" \
    "t:lowercase,deny,msg:'SQL Injection'"
    SecRule ARGS "select\s+" \
    "t:lowercase,deny,msg:'SQL Injection'"

    Command Execution

    This rule matches too often

    SecRule ARGS "^(rm|ls|kill|(send)?mail|cat|echo|/bin/|/etc/|/tmp/)[[:space:]]" \
    "deny"


    Directory traversal (this did NOT work for me; almost any URL request got banned)

    SecRule REQUEST_URI "@streq ../" \
    "t:urlDecode,deny"


    Some of the rules from: blog.art-of-coding.eu/implementing-a-web-application-firewall/
    #1 postcd, Apr 12, 2016
    Last edited: Apr 12, 2016
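    As an added illustration (not code from the thread or from cPanel), the following Python script runs the first post's signatures, with the `\s+` backslashes restored, over a few constructed form submissions. It shows why the "Command Execution" rule and the bare `select\s+` / `drop\s+table` patterns fire on ordinary text, and how a word-boundary anchor (an assumed tightening, not something the post proposes) removes one class of those false positives. The sample query strings are constructed for this example.

```python
import re
from urllib.parse import parse_qsl

# Signatures from the first post, with the backslashes that the forum
# formatting dropped restored ("unions+select" was "union\s+select").
# ModSecurity applies t:lowercase before matching, so values are lowercased here.
SQLI_PATTERNS = [
    r"union\s+select",
    r"union\s+all\s+select",
    r"into\s+outfile",
    r"drop\s+table",
    r"alter\s+table",
    r"load_file",
    r"select\s+",
]
# The posted rule uses the POSIX class [[:space:]]; Python's re spells it \s.
CMD_PATTERN = r"^(rm|ls|kill|(send)?mail|cat|echo|/bin/|/etc/|/tmp/)\s"


def matched_rules(value: str) -> list:
    """Return a label for every posted rule that would fire on one argument value."""
    lowered = value.lower()  # t:lowercase
    hits = [f"SQLi:{p}" for p in SQLI_PATTERNS if re.search(p, lowered)]
    if re.search(CMD_PATTERN, lowered):
        hits.append("CMD")
    return hits


def evaluate_query(query_string: str) -> dict:
    """Map each ARGS name in a query string to the rules it triggers."""
    return {name: matched_rules(value)
            for name, value in parse_qsl(query_string, keep_blank_values=True)}


def word_bounded(pattern: str) -> str:
    """Assumed tightening (not from the thread): anchor a keyword pattern on word
    boundaries so that 'drop tablecloths' no longer satisfies 'drop\\s+table'."""
    return r"\b" + pattern + r"\b"


def fires(pattern: str, value: str) -> bool:
    """True if the pattern matches the lowercased value."""
    return re.search(pattern, value.lower()) is not None


# Constructed sample requests: three ordinary form submissions and one probe.
SAMPLES = {
    "benign_search": "q=cat+pictures",
    "benign_help":   "msg=please+select+a+category",
    "benign_note":   "note=drop+tablecloths+off+at+reception",
    "probe":         "id=1+union+select+1,2",
}

if __name__ == "__main__":
    for label, qs in SAMPLES.items():
        print(label, evaluate_query(qs))
    print("bounded drop/table on 'drop tablecloths':",
          fires(word_bounded(r"drop\s+table"), "drop tablecloths"))
```

    Three of the four constructed submissions are blocked, which is the "matches too often" behaviour described above; in a real deployment the same rules would be tested in `DetectionOnly` mode against production traffic before any `deny` action is enabled.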
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

  3. quizknows

    quizknows Well-Known Member

    I will look at others later if I have time but this one is broken because a single dot serves as a wildcard for any single character unless escaped by a backslash. You want this:

    Code:
    # @rx is the regular-expression operator; @streq would compare the literal string
    SecRule REQUEST_URI "@rx \.\./" \
    "t:urlDecode,deny"

  4. quizknows

    quizknows Well-Known Member

    Rules that use ../../ can be very easily evaded by padding in extra slashes. You should use /../ so that things like ..//..// will also match. For example:

    SecRule QUERY_STRING "/\.\./" "t:urlDecode,deny"

    You can also use a transformation like "normalisePath" to strip extra slashes from requests before processing.
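    As an added example (not code from the thread), the following Python script models the two traversal signatures discussed in this post, `\.\./\.\./` and `/\.\./`, after the `urlDecode` transformation, and approximates `normalisePath` with a small segment resolver. The resolver is an assumption written for this illustration, not ModSecurity's implementation; the request paths are constructed.

```python
import re
from urllib.parse import unquote

# The two traversal signatures from the post.
NAIVE = re.compile(r"\.\./\.\./")   # two consecutive "../" segments
ROBUST = re.compile(r"/\.\./")       # any "/../" segment, tolerant of slash padding


def url_decode(raw: str) -> str:
    """t:urlDecode: one pass of %XX decoding; '+' is treated as a space."""
    return unquote(raw.replace("+", " "))


def normalise_path(path: str) -> str:
    """Approximation (assumption, not ModSecurity source) of t:normalisePath:
    collapse repeated slashes, drop './' self-references and resolve 'x/../' pairs.
    Leading '..' segments that have nothing to cancel are kept, so an escape
    above the document root stays visible after normalisation."""
    absolute = path.startswith("/")
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out and out[-1] != "..":
                out.pop()
            else:
                out.append("..")
        else:
            out.append(seg)
    result = "/".join(out)
    if absolute:
        result = "/" + result
    if path.endswith("/") and not result.endswith("/"):
        result += "/"
    return result


def evaluate(raw_uri: str) -> dict:
    """Show what each signature sees before and after normalisation."""
    decoded = url_decode(raw_uri)
    normalised = normalise_path(decoded)
    return {
        "naive": bool(NAIVE.search(decoded)),
        "robust": bool(ROBUST.search(decoded)),
        "normalised": normalised,
        "naive_after_normalise": bool(NAIVE.search(normalised)),
        # ".." surviving normalisation means the path climbs above its root
        "escapes_root": ".." in normalised.split("/"),
    }


# Constructed request URIs: one padded with extra slashes (as in the post),
# one percent-encoded, one benign self-resolving path and one plain asset.
SAMPLES = [
    "..//..//secret.txt",
    "/images/%2e%2e/%2e%2e/secret.txt",
    "/a/b/../c",
    "/static/app.js",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(uri, evaluate(uri))
```

    The padded form defeats `\.\./\.\./` but not `/\.\./`, and after `normalisePath` the padded request collapses to `../../secret.txt`, where even the naive signature matches. The benign `/a/b/../c` shows the other side: `/\.\./` fires on it although the path resolves inside the root, so the post-normalisation `..` check is the more precise signal.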