The Community Forums


suggested mod security rules

Discussion in 'Security' started by Blind Can See, Sep 8, 2006.

  1. Please suggest powerful but reasonable mod security rules. I'm using eth0's at the moment, but others are saying it's too basic. I'm also being told to install mod security manually (does anyone have a basic install guideline for the manual method?). I tried their official doc for Apache 1.x; it was a bit confusing.

    My Info:

    cpanel latest current
    mysql, apache 1x, postgresql 8x, exim, phpmyadmin, pgmyadmin
    fantastico
    400 domains estimate
    phpsuexec enabled
    spam assassin, clamav

    Security...
    almost all rfx's modules

    mod security:
    'Installed Version: 1.9.1-1.8' of mod-security

    I tried the attached method... which was a mix of eth0's and gotroot, but it caused Apache to fail.

  2. blenard

    blenard Active Member

    It's one of these

    #Commands, also need a major rework, these also have issues

    #SecFilterSelective REQUEST_URI "\;\x20+?perl\x20+[A-Za-z|0-9]+;"

    #SecFilterSelective THE_REQUEST "echo\x20"

    #SecFilterSelective THE_REQUEST "links -dump "

    #SecFilterSelective THE_REQUEST "links -dump-(charset|width) "

    #SecFilterSelective THE_REQUEST "links (http|https|ftp)\:/"

    #SecFilterSelective THE_REQUEST "links -source "

    #SecFilterSelective THE_REQUEST "mkdir\x20"

    #SecFilterSelective THE_REQUEST "cd\x20/(tmp|/var/tmp)"

    #SecFilterSelective THE_REQUEST "cd \.\."

    #SecFilterSelective THE_REQUEST "/\.(history|bash_history) HTTP\/(0\.9|1\.0|1\.1)$"
     
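    An added example, not code from this thread or from the eth0/gotroot rule sets: a small Python checker that applies some of the THE_REQUEST regexes quoted above (uncommented for testing; mod_security 1.x matched with PCRE, and these escapes compile unchanged in Python's re) to constructed request lines, so a rule set can be checked for hits, misses and false positives before it goes into httpd.conf. It assumes the request lines are already URL-decoded, as they are by the time mod_security's filters match.

```python
import re
# Constructed test copy of some THE_REQUEST rules quoted in the post above
# (mod_security 1.x SecFilterSelective syntax), uncommented so they can be exercised.
RULE_TEXT = r'''
SecFilterSelective THE_REQUEST "echo\x20"
SecFilterSelective THE_REQUEST "mkdir\x20"
SecFilterSelective THE_REQUEST "cd\x20/(tmp|/var/tmp)"
SecFilterSelective THE_REQUEST "cd \.\."
SecFilterSelective THE_REQUEST "/\.(history|bash_history) HTTP\/(0\.9|1\.0|1\.1)$"
'''

# One rule line: directive, target, double-quoted regex.
RULE_LINE = re.compile(r'^\s*SecFilterSelective\s+(\S+)\s+"(.*)"\s*$')

def parse_rules(text):
    """Return (target, compiled_regex, raw_pattern) for each rule line in text."""
    rules = []
    for line in text.splitlines():
        m = RULE_LINE.match(line)
        if m:
            target, pattern = m.group(1), m.group(2)
            rules.append((target, re.compile(pattern), pattern))
    return rules

def matching_rules(rules, request_line):
    """Raw patterns of every THE_REQUEST rule that fires on one request line.
    Assumes request_line is the full request line after URL decoding, which is
    what mod_security matches against once its anti-evasion normalisation has run."""
    return [raw for target, rx, raw in rules
            if target == "THE_REQUEST" and rx.search(request_line)]

# Constructed request lines: a command-injection probe, a dotfile fetch, a benign page
# whose name contains "echo ", a probe the cd rule misses, and an ordinary request.
SAMPLES = [
    "GET /cgi-bin/x.cgi?cmd=cd /tmp;id HTTP/1.0",
    "GET /~user/.bash_history HTTP/1.1",
    "GET /docs/echo cancellation.html HTTP/1.1",
    "GET /x.cgi?cmd=cd /var/tmp HTTP/1.1",
    "GET /index.php?id=42 HTTP/1.1",
]

def report(samples=SAMPLES):
    """Map each sample request line to the raw patterns it triggers."""
    rules = parse_rules(RULE_TEXT)
    return {line: matching_rules(rules, line) for line in samples}

if __name__ == "__main__":
    for line, hits in report().items():
        print(f"{line!r}: {hits or 'no match'}")
```

    Note that "cd /var/tmp" is missed because the quoted regex only accepts "cd /tmp" or "cd //var/tmp", and a harmless page name containing "echo " is blocked; both are the kind of issue a check like this surfaces before the rules go live.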
  3. jsnape

    jsnape Well-Known Member

    If there is a rule in there that Apache doesn't like, it will usually print the reason. If not, try
    service httpd configtest

    Lines starting with "Warning" won't cause it to fail.
     
  4. I uninstalled mod sec via cPanel addon modules and installed it manually according to eth0's tutorial. However, as his guideline appears to say, I pasted his rules inside httpd.conf (is this normal, or what?)

    Are his rules fair enough for the specs I mentioned?
     
  5. jsnape

    jsnape Well-Known Member

    I wouldn't suggest doing it that way.

    Edit: The rules look a little weak.
     
    #5 jsnape, Dec 15, 2006
    Last edited: Dec 15, 2006
  6. Spiral

    Spiral BANNED

  7. vince512

    vince512 Active Member

    I implemented all of their rulesets on one of my machines because (except for apache 2.x rules) I was getting reports of XSS attacks using my machine. And I have to say, it is working like a champ... memory runs a bit high at first when I have multiple attacks, along with the load going a bit higher (right now maybe .80 higher)... but I have a pretty beefed up machine that can handle it.
     
  8. Patiek

    Patiek Active Member

    Exactly, their rules are ideal. If you find your memory running a little high, try excluding some of the huge rulesets (blacklist.conf and badips.conf for example).

    For those who have really bad resource problems when running these rule sets, you probably did not compile mod_security against PCRE (not sure what the cPanel installer does): visit http://www.modsecurity.org/documentation/modsecurity-apache/1.9.3/modsecurity-manual.html and search for "Compiling the Apache 1.x version against PCRE".
     