

mod_security 2 rules




Posted by WireNine, 12-17-2008, 10:39 PM
mod_security 2 rules
Any good secure rules for mod_security 2 that work well for shared servers? Can someone share what rules you are using to secure your shared servers. Have tried a few different sets of rules, but a few customers always end up with errors and disabling it for their domain name doesn't sound like a safer option for them or the server. Share your mod_sec 2 rules.
__________________
█ WireNine.com • Superior Hosting Solutions • 24/7 Support

Posted by jinjo, 12-18-2008, 03:37 AM
Here is a minimal set of rules for you to start with. Check under "Individual Ruleset downloads for modsec 2.5" at gotroot.com for more specific rules.

SecFilterEngine On
SecFilterCheckURLEncoding On
SecFilterForceByteRange 0 255
SecAuditEngine RelevantOnly
SecAuditLog logs/audit_log
SecFilterDebugLog logs/modsec_debug_log
SecFilterDebugLevel 0
SecFilterDefaultAction "deny,log,status:406"
SecFilterSelective REMOTE_ADDR "^127.0.0.1$" nolog,allow

# WEB-ATTACKS wget command attempt
SecFilterSelective THE_REQUEST "wget "
# WEB-ATTACKS uname -a command attempt
SecFilterSelective THE_REQUEST "uname -a"
# WEB-ATTACKS .htgroup access
SecFilterSelective THE_REQUEST "\.htgroup"
# WEB-ATTACKS .htaccess access
SecFilterSelective THE_REQUEST "\.htaccess"
# WEB-CLIENT Javascript URL host spoofing attempt
SecFilter "javascript\://"
# WEB-MISC cross site scripting \(img src=javascript\) attempt
SecFilter "img src=javascript"
# WEB-MISC cd..
SecFilterSelective THE_REQUEST "cd\.\."
# WEB-MISC ///cgi-bin access
SecFilterSelective THE_REQUEST "///cgi-bin"
# WEB-MISC /cgi-bin/// access
SecFilterSelective THE_REQUEST "/cgi-bin///"
# WEB-MISC /~root access
SecFilterSelective THE_REQUEST "/~root"
# WEB-MISC /~ftp access
SecFilterSelective THE_REQUEST "/~ftp"
# WEB-MISC htgrep attempt
SecFilterSelective THE_REQUEST "/htgrep" chain
SecFilter "hdr=/"
# WEB-MISC htgrep access
SecFilterSelective THE_REQUEST "/htgrep" log,pass
# WEB-MISC .history access
SecFilterSelective THE_REQUEST "/\.history"
# WEB-MISC .bash_history access
SecFilterSelective THE_REQUEST "/\.bash_history"
# WEB-MISC /~nobody access
SecFilterSelective THE_REQUEST "/~nobody"
# WEB-PHP PHP-Wiki cross site scripting attempt
SecFilterSelective THE_REQUEST "

Posted by karem, 12-18-2008, 11:33 PM
# fake server banner - NOYB used - no one needs to know what we are using
SecServerSignature "Secured By Tl4s.Com"

# Check Content-Length and reject all non numeric ones
SecRule REQUEST_HEADERS:Content-Length "!^\d+$" "deny,log,auditlog,msg:'Content-Length HTTP header is not numeric', severity:'2',id:'960016'"

# Do not accept GET or HEAD requests with bodies
SecRule REQUEST_METHOD "^(GET|HEAD)$" "chain,deny,log,auditlog,msg:'GET or HEAD requests with bodies', severity:'2',id:'960011'"
SecRule REQUEST_HEADERS:Content-Length "!^0?$"

# Require Content-Length to be provided with every POST request.
SecRule REQUEST_METHOD "^POST$" "chain,deny,log,auditlog,msg:'POST request must have a Content-Length header',id:'960012',severity:'4'"
SecRule "

SecRule REQUEST_URI "\;(\s|\t)*perl .*\.pl"
SecRule REQUEST_URI|REQUEST_BODY "perl (xpl\.pl|kut|viewde|httpd\.txt)"

# For deny Shells opening
SecRule REQUEST_FILENAME "/(r0nin|TrYaG|TrYg|m0rtix|r57shell|c99shell|phpshell|void\.ru|phpremoteview|directmail|bash_history|\.ru/|brute|c991)\.php"
SecRule REQUEST_FILENAME "\.pl"
SecRule REQUEST_FILENAME "perl .*\.pl(\s|\t)*\;"
SecRule REQUEST_FILENAME "\;(\s|\t)*perl .*\.pl"
SecRule RESPONSE_BODY "TrYaG"
SecRule RESPONSE_BODY "SnIpEr_SA"
SecRule RESPONSE_BODY "Sniper"
SecRule RESPONSE_BODY "shell"
SecRule REQUEST_BODY "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)" chain
SecRule REQUEST_BODY "^PHP\:*((cd|mkdir)[[:space:]]+(/|[A-Z|a-z|0-9]|\.)*|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat)|rexec |smbclient |t?ftp |ncftp |chmod |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI ".htaccess"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "sql_passwd"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "config"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "public_html"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "/etc"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "/root"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "/usr"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "/boot"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "/var"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "/bin"
SecRule PATH_INFO "^/(bin|etc|sbin|opt|usr)"

#Generic PHP exploit signatures
SecRule REQUEST_BODY "(chr|fwrite|fopen|system|e?chr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:330001,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"

#Generic PHP exploit signatures
SecRule REQUEST_BODY|REQUEST_URI "<\?php (chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:330002,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"

#slightly tighter rules with narrower focus
SecRule REQUEST_URI|REQUEST_BODY "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:300008,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"

#Prevent SQL injection in cookies
SecRule REQUEST_COOKIES "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)" "id:300011,rev:1,severity:2,msg:'Generic SQL injection in cookie'"

#Generic PHP body attack
SecRule REQUEST_BODY "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)" chain
SecRule REQUEST_BODY "^PHP\:*((cd|mkdir)[[:space:]]+(/|[A-Z|a-z|0-9]|\.)*|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat)|rexec |smbclient |t?ftp |ncftp |chmod |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"

#Generic PHP remote file injection
SecRule REQUEST_URI "!(/do_command)" chain
SecRule REQUEST_URI "\.php\?.*=(https?|ftp)\:/.*(cmd|command)="

#script, perl, etc. code in HTTP_Referer string
SecRule HTTP_Referer "\#\!.*/"

#wormsign
SecRule REQUEST_URI "Hacked.*by.*member.*of.*SCC"
__________________
Arabian Linux administrator
egyhaty@gmail.com
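The opening post's complaint is that rule sets like the one above break some tenants' sites, and the practical fix is to dry-run candidate rules against sample traffic before enabling them server-wide. The following Python script is an added example written for this page, not code from the thread or from ModSecurity: it re-implements ModSecurity's regex matching for four of the rules posted above (the numeric Content-Length check, the chained GET/HEAD-with-body check, the id 330001 PHP function pattern with its function list trimmed, and the bare-substring "config" rule, which has no id on the page and gets the constructed placeholder "noid-config") and runs them over constructed requests. It shows the chained rule only firing when both parts match, a missing header not matching at all, and the "config" substring rule blocking an ordinary tenant URL, which is exactly the kind of false positive that gets mod_security switched off per domain.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Added example, not code from the thread. A tiny offline re-implementation of
# ModSecurity's regex matching for a few of the rules posted above, so candidate
# rules can be dry-run against sample requests before being enabled on a shared
# server. It models only REQUEST_METHOD, REQUEST_URI, REQUEST_BODY and
# REQUEST_HEADERS:<name>; real ModSecurity semantics are far richer.


@dataclass
class Request:
    method: str
    uri: str
    headers: dict = field(default_factory=dict)
    body: str = ""


@dataclass
class Rule:
    variable: str                    # which request part the rule inspects
    pattern: str                     # regex; a leading '!' negates it, as in ModSecurity
    rule_id: str
    msg: str
    chain: Optional["Rule"] = None   # chained rule must also match for the rule to fire


def variable_value(req: Request, variable: str) -> Optional[str]:
    """Return the inspected value, or None when the variable is absent.
    ModSecurity skips a rule whose header is missing rather than matching ''."""
    if variable == "REQUEST_METHOD":
        return req.method
    if variable == "REQUEST_URI":
        return req.uri
    if variable == "REQUEST_BODY":
        return req.body
    if variable.startswith("REQUEST_HEADERS:"):
        return req.headers.get(variable.split(":", 1)[1])
    raise ValueError(f"unsupported variable {variable}")


def rule_matches(rule: Rule, req: Request) -> bool:
    """True when this rule (and its whole chain, if any) would fire on req."""
    value = variable_value(req, rule.variable)
    if value is None:
        return False
    negate = rule.pattern.startswith("!")
    pattern = rule.pattern[1:] if negate else rule.pattern
    found = re.search(pattern, value) is not None
    hit = (not found) if negate else found
    if hit and rule.chain is not None:
        return rule_matches(rule.chain, req)
    return hit


# Subset of the rules from the thread, transcribed as data. The PHP function
# list is trimmed to keep the line short; "noid-config" is a constructed
# placeholder because the bare "config" rule carries no id on the page.
RULES = [
    Rule("REQUEST_HEADERS:Content-Length", r"!^\d+$", "960016",
         "Content-Length HTTP header is not numeric"),
    Rule("REQUEST_METHOD", r"^(GET|HEAD)$", "960011",
         "GET or HEAD requests with bodies",
         chain=Rule("REQUEST_HEADERS:Content-Length", r"!^0?$", "960011", "")),
    Rule("REQUEST_BODY",
         r"(chr|fwrite|fopen|system|passthru|popen|proc_open|shell_exec|exec|phpinfo)\(.*\)\;",
         "330001", "Generic PHP exploit pattern denied"),
    Rule("REQUEST_URI", r"config", "noid-config",
         "bare substring 'config' (overly broad)"),
]


def evaluate(req: Request) -> list:
    """Ids of every rule that would fire; an empty list means the request passes."""
    return [rule.rule_id for rule in RULES if rule_matches(rule, req)]


# Constructed sample requests: two that should be blocked, one ordinary tenant
# admin URL that the broad "config" rule blocks by accident, and one that passes.
SAMPLES = {
    "bad content-length": Request("GET", "/index.html", {"Content-Length": "abc"}),
    "php code in body": Request("POST", "/upload.php", {"Content-Length": "15"},
                                body="cmd=system($c);"),
    "legit tenant url": Request("GET", "/account/config/settings"),
    "plain get": Request("GET", "/", {"Content-Length": "0"}),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:20s} -> {evaluate(req) or 'pass'}")
```

Running it prints which rule ids each constructed request trips. The useful habit is to feed the harness a sample of real, known-good request logs from the shared server: any rule id that shows up against legitimate traffic (here the "config" rule against /account/config/settings) should be narrowed or given an exception before the set goes live, rather than disabling mod_security for the affected domain afterwards.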


