suggested mod security rules

Blind Can See

Guest
Please suggest powerful but reasonable mod security rules. I'm using eth0's at the moment, but others are saying it's too basic. I'm also being told to install mod security manually (does anyone have a basic install guideline for the manual method?). I tried their official doc for apache 1x, but it was a bit confusing.

My Info:

cpanel latest current
mysql, apache 1x, postgresql 8x, exim, phpmyadmin, pgmyadmin
fantastico
400 domains estimate
phpsuexec enabled
spam assassin, clamav

Security...
almost all rfx's modules

mod security:
'Installed Version: 1.9.1-1.8' of mod-security

I tried the attached method... which was a mix of eth0's and gotroot but it caused apache to fail

blenard

Active Member
Feb 19, 2004
It's one of these

#Commands, also need a major rework, these also have issues
#SecFilterSelective REQUEST_URI "\;\x20+?perl\x20+[A-Za-z|0-9]+;"
#SecFilterSelective THE_REQUEST "echo\x20"
#SecFilterSelective THE_REQUEST "links -dump "
#SecFilterSelective THE_REQUEST "links -dump-(charset|width) "
#SecFilterSelective THE_REQUEST "links (http|https|ftp)\:/"
#SecFilterSelective THE_REQUEST "links -source "
#SecFilterSelective THE_REQUEST "mkdir\x20"
#SecFilterSelective THE_REQUEST "cd\x20/(tmp|/var/tmp)"
#SecFilterSelective THE_REQUEST "cd \.\."
#SecFilterSelective THE_REQUEST "/\.(history|bash_history) HTTP\/(0\.9|1\.0|1\.1)$"

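Rules like the commented-out ones above are plain regexes run against one request variable, so they can be dry-run against sample traffic before they go anywhere near httpd.conf. The following is an added example (not code from the thread or from eth0's/gotroot's rule sets): it parses a few of the thread's SecFilterSelective lines, applies them to constructed request lines, and shows that a bare keyword rule such as "echo\x20" also fires on an ordinary search query. It assumes the request line is URL-decoded before matching, as ModSecurity's input normalization does.

```python
import re
import urllib.parse

# Constructed rule text in the SecFilterSelective form used in the thread (ModSecurity 1.x).
# The thread lists these commented out; they are uncommented here only so the tester loads them.
RULES = r'''
SecFilterSelective THE_REQUEST "echo\x20"
SecFilterSelective THE_REQUEST "mkdir\x20"
SecFilterSelective THE_REQUEST "cd\x20/(tmp|/var/tmp)"
SecFilterSelective THE_REQUEST "cd \.\."
SecFilterSelective THE_REQUEST "/\.(history|bash_history) HTTP\/(0\.9|1\.0|1\.1)$"
'''

RULE_RE = re.compile(r'^\s*SecFilterSelective\s+(\S+)\s+"(.*)"\s*$')


def parse_rules(text):
    """Return (variable, compiled regex) pairs; '#' comments and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f'unparsed rule line: {line!r}')
        variable, pattern = m.groups()
        rules.append((variable, re.compile(pattern)))  # 1.x uses PCRE; Python re is close enough here
    return rules


def matching_rules(rules, request_line):
    """Patterns that fire on one raw request line (THE_REQUEST, e.g. "GET /index.php HTTP/1.1").
    Assumption: as with ModSecurity's input normalization, the line is URL-decoded
    before matching, so %20 in a query string becomes a space."""
    decoded = urllib.parse.unquote(request_line)
    return [rx.pattern for variable, rx in rules
            if variable == 'THE_REQUEST' and rx.search(decoded)]


# Constructed request lines: two that should fire and two ordinary ones, one of which a keyword rule catches.
SAMPLES = [
    'GET /index.php HTTP/1.1',
    'GET /cgi-bin/t.cgi?c=cd%20/tmp HTTP/1.0',
    'GET /~bob/.bash_history HTTP/1.1',
    'GET /forum/search?q=echo%20command HTTP/1.1',   # legitimate search, still matches "echo\x20"
]

if __name__ == '__main__':
    compiled = parse_rules(RULES)
    for line in SAMPLES:
        print(f'{line!r:50} -> {matching_rules(compiled, line)}')
```

Running a candidate rule set over a day of real access-log request lines this way shows which rules would have blocked legitimate users before they are enabled.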
jsnape

Well-Known Member
Mar 11, 2002
If there is a rule in there apache doesn't like it will usually print the reason. If not try
service httpd configtest

Lines starting with "Warning" won't cause it to fail

Blind Can See

Guest
I uninstalled mod sec via cpanel addon modules and installed it manually according to eth0's tutorial. However, as it appears to say in his guideline, I pasted his rules inside httpd.conf (is this normal or what?)

Are his rules fair enough for the specs I mentioned?

jsnape

Well-Known Member
Mar 11, 2002
I wouldn't suggest doing it that way.

Edit: The rules look a little weak.

vince512

Active Member
Nov 16, 2003
I implemented all of their rulesets on one of my machines (except for the apache 2.x rules) because I was getting reports of XSS attacks using my machine. And I have to say, it is working like a champ... memory runs a bit high at first when I have multiple attacks, along with the load going a bit higher (right now maybe .80 higher)... but I have a pretty beefed up machine that can handle it.

Patiek

Active Member
May 23, 2003
Exactly, their rules are ideal. If you find your memory running a little high, try excluding some of the huge rulesets (blacklist.conf and badips.conf for example).

For those who have really bad resource problems when running these rule sets, you probably did not compile mod_security against PCRE (not sure what the cPanel installer does): visit http://www.modsecurity.org/documentation/modsecurity-apache/1.9.3/modsecurity-manual.html and search for "Compiling the Apache 1.x version against PCRE".