Several ModSecurity rules, what do You think about these?

postcd

Well-Known Member
Oct 22, 2010
Hello,

Please, what do you say about applying the following ModSecurity rules on a public shared hosting server? Do you find any of them beneficial? Thank you.

SQL Injection

# \s+ matches one or more whitespace characters between the keywords
SecRule ARGS "union\s+select" \
"t:lowercase,deny,msg:'SQL Injection'"
SecRule ARGS "union\s+all\s+select" \
"t:lowercase,deny,msg:'SQL Injection'"
SecRule ARGS "into\s+outfile" \
"t:lowercase,deny,msg:'SQL Injection'"
SecRule ARGS "drop\s+table" \
"t:lowercase,deny,msg:'SQL Injection'"
SecRule ARGS "alter\s+table" \
"t:lowercase,deny,msg:'SQL Injection'"
SecRule ARGS "load_file" \
"t:lowercase,deny,msg:'SQL Injection'"
# fires on any argument containing "select" followed by whitespace, benign text included
SecRule ARGS "select\s+" \
"t:lowercase,deny,msg:'SQL Injection'"

Command Execution

This rule matches too often

SecRule ARGS "^(rm|ls|kill|(send)?mail|cat|echo|/bin/|/etc/|/tmp/)[[:space:]]" \
"deny"


Directory traversal (did NOT work for me; almost any URL request got banned)

SecRule REQUEST_URI "@streq ../" \
"t:urlDecode,deny"


Some of the rules from: blog.art-of-coding.eu/implementing-a-web-application-firewall/
 
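As an added illustration (not code from this thread or from the linked blog), the following Python script emulates how the SQL-injection and command-execution rules above are applied to request arguments: every parameter value goes through the rule's transformation chain (urlDecode, then lowercase) and is then tested against the rule's regex. The rule table is constructed here. Its first entry keeps the pattern exactly as it was pasted in the post, where the backslash of `\s+` was lost, so it can only match the literal text "unions...select"; the following entries carry the `\s+` the rules were meant to have. `[[:space:]]` from the command-execution rule is written as `\s` because Python's `re` module has no POSIX bracket classes (PCRE, which ModSecurity uses, accepts both). The sample requests are constructed.

```python
import re
from urllib.parse import unquote_plus

# Constructed rule table modelled on the rules quoted in the post.
# "union-select-as-posted" keeps the pattern as pasted: with the backslash
# of "\s+" gone, the regex reads "union", one or more "s", "select", so it
# never matches "union select". The other SQLi entries carry the intended
# "\s+". "[[:space:]]" is written as "\s" for Python's re module.
RULES = [
    ("union-select-as-posted", r"unions+select"),
    ("union-select",           r"union\s+select"),
    ("into-outfile",           r"into\s+outfile"),
    ("load_file",              r"load_file"),
    ("select-any",             r"select\s+"),
    ("cmd-exec",               r"^(rm|ls|kill|(send)?mail|cat|echo|/bin/|/etc/|/tmp/)\s"),
]


def transform(value):
    """Emulate the transformation chain the rules rely on:
    t:urlDecode (which also turns '+' into a space) followed by t:lowercase."""
    return unquote_plus(value).lower()


def evaluate(args):
    """Apply every rule to every argument value, the way 'SecRule ARGS ...'
    inspects each request parameter. Returns [(rule name, argument name)]
    for every rule that would fire; an empty list means the request passes."""
    hits = []
    for name, raw in args.items():
        value = transform(raw)
        for rule, pattern in RULES:
            if re.search(pattern, value):
                hits.append((rule, name))
    return hits


if __name__ == "__main__":
    # Constructed sample requests: query parameters as name -> raw value.
    samples = {
        "injection":       {"id": "1 UNION SELECT user,password FROM mysql.user"},
        "encoded-newline": {"id": "1%20union%0aselect%201"},
        "false-positive":  {"q": "cat food coupons"},
        "benign-select":   {"q": "select a plan"},
        "benign":          {"id": "42"},
    }
    for label, args in samples.items():
        print(f"{label:16} -> {evaluate(args) or 'pass'}")
```

Running it shows three things at once: the pasted `unions+select` pattern never fires, even on a textbook injection; the restored `union\s+select` also catches the form where the attacker separates the keywords with an encoded newline, because `\s` covers any whitespace; and the two broad rules (`select\s+` and the anchored command list) fire on ordinary search text such as "cat food coupons" or "select a plan", which is the "matches too often" problem on a shared server.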

quizknows

Well-Known Member
Oct 20, 2009
cPanel Access Level
DataCenter Provider
Directory traversal (did NOT work for me; almost any URL request got banned)

SecRule REQUEST_URI "@streq ../" \
"t:urlDecode,deny"
I will look at the others later if I have time, but this one is broken because a single dot serves as a wildcard for any single character unless escaped by a backslash. You want this:

Code:
# @rx (regular-expression match) is the operator under which "\." means a literal dot;
# @streq compares the whole string for equality and treats the backslashes as plain text
SecRule REQUEST_URI "@rx \.\./" \
"t:urlDecode,deny"
 

quizknows

Well-Known Member
Oct 20, 2009
cPanel Access Level
DataCenter Provider
Rules that use ../../ can be very easily evaded by padding in extra slashes. You should use /../ so that things like ..//..// will also match. For example:


SecRule QUERY_STRING "/\.\./" "t:urlDecode,deny"

You can also use a transformation like "normalisePath" to strip extra slashes from requests before processing.
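To make the slash-padding point concrete, here is an added Python example (not ModSecurity's code and not from this thread) that runs three checks over one decoded parameter value: the two-level `\.\./\.\./` pattern that padding defeats, the `/\.\./` form suggested above, and a stricter check that first collapses repeated slashes, in the spirit of normalisePath, and then asks whether any path segment is exactly `..`. The `collapse_slashes` helper is an approximation written for this example, not ModSecurity's implementation of normalisePath, and the sample values are constructed.

```python
import re
from urllib.parse import unquote

# Three ways of looking for "../" in a request parameter. All three decode
# the value first, as t:urlDecode would; only the segment check normalises.
DOUBLE_LEVEL = re.compile(r"\.\./\.\./")   # needs two adjacent "../"
SLASH_DOTDOT = re.compile(r"/\.\./")       # the "/../" form suggested above


def collapse_slashes(value):
    """Stand-in for the slash-collapsing part of a normalisePath-style
    transformation (an approximation, not ModSecurity's implementation):
    runs of '/' become a single '/', so '..//..//' reads as '../../'."""
    return re.sub(r"/{2,}", "/", value)


def segment_hit(value):
    """Strictest check: after collapsing slashes, is any path segment exactly
    '..'? Catches single-level and padded forms alike and does not fire on
    names that merely contain dots, such as 'a..b'."""
    return ".." in collapse_slashes(value).split("/")


def evaluate(raw):
    """Return which of the three checks would fire on one parameter value."""
    value = unquote(raw)
    return {
        "double_level": bool(DOUBLE_LEVEL.search(value)),
        "slash_dotdot": bool(SLASH_DOTDOT.search(value)),
        "segment": segment_hit(value),
    }


if __name__ == "__main__":
    # Constructed sample values for a parameter such as ?f=...
    samples = [
        "../../etc/passwd",          # textbook form: every check fires
        "..//..//etc/passwd",        # slash padding: the two-level pattern misses it
        "%2e%2e/%2e%2e/etc/passwd",  # percent-encoded dots: handled by the decode step
        "../etc/passwd",             # single level without a leading slash
        "reports/a..b/2010.pdf",     # benign name containing dots: nothing fires
    ]
    for raw in samples:
        print(f"{raw:28} {evaluate(raw)}")
```

The output makes the trade-off visible: `/\.\./` does catch `..//..//`, as stated above, because the padded input still contains a literal `/../`, but neither regex fires on a single-level `../etc/passwd` in a query parameter, where no slash precedes the dots. Collapsing slashes and then testing whole segments covers both, which is why a normalisation transform plus a segment-level check is a safer default than tuning the regex alone.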