Apache modSecurity. Securing Apache

Technical discussions only, about web hosting servers, mail servers and DNS servers. No looking for services here!


Post by cordis » 11 May 2006 17:33

modSecurity is an open source module for Apache that acts as a firewall for incoming requests before they reach the web server. In other words, it works as an intermediate layer and filters the incoming HTTP traffic.

Many of the security measures we used to put into mod_rewrite and mod_setenvif (either in the Apache conf or in .htaccess) can be moved into mod_security. This gives us control at a higher level and, in general, for the whole server, since as is known mod_rewrite and mod_setenvif need to be configured per domain (inside httpd.conf) or per directory tree (inside .htaccess).

The mod_security configuration file is located in the same folder as Apache's httpd.conf and is named mod_security.conf or mod_sec.conf.

A typical mod_security.conf without any complicated rules at all is the following:

 <IfModule mod_security.c>
    # Turn the filtering engine On or Off
    SecFilterEngine On
    
    # Make sure that URL encoding is valid
    SecFilterCheckURLEncoding Off
    
    # Unicode encoding check
    SecFilterCheckUnicodeEncoding Off
    
    # Only allow bytes from this range
    SecFilterForceByteRange 0 255
    
    # Only log suspicious requests
    SecAuditEngine RelevantOnly
    
    # The name of the audit log file
    SecAuditLog logs/audit_log
    # Debug level set to a minimum
    SecFilterDebugLog logs/modsec_debug_log    
    SecFilterDebugLevel 0
    
    # Should mod_security inspect POST payloads
    SecFilterScanPOST On
    
    # By default log and deny suspicious requests
    # with HTTP status 500
    SecFilterDefaultAction "deny,log,status:500"
    
</IfModule> 
Usually you will see SecFilterCheckURLEncoding On, but then URLs containing Greek characters will not work, so we set it to Off.

Beyond that, the basics we add to mod_security.conf are these:

# Weaker XSS protection but allows common HTML tags
SecFilter "<( |\n)*script"

# Prevent XSS attacks (HTML/Javascript injection)
SecFilter "<(.|\n)+>"

# Require HTTP_USER_AGENT and HTTP_HOST headers
SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

# Chunked transfer encoding
SecFilterSelective HTTP_Transfer-Encoding "!^$"

# WEB-ATTACKS wget command attempt
SecFilterSelective THE_REQUEST "wget "

# WEB-ATTACKS uname -a command attempt
SecFilterSelective THE_REQUEST "uname -a"

# WEB-ATTACKS .htgroup access
SecFilterSelective THE_REQUEST "\.htgroup"

# WEB-ATTACKS .htaccess access
SecFilterSelective THE_REQUEST "\.htaccess"

# WEB-CLIENT Javascript URL host spoofing attempt
SecFilter "javascript\://"

# WEB-MISC cross site scripting \(img src=javascript\) attempt
SecFilter "img src=javascript"

# WEB-MISC cd..
SecFilterSelective THE_REQUEST "cd\.\."

# WEB-MISC ///cgi-bin access
SecFilterSelective THE_REQUEST "///cgi-bin"

# WEB-MISC /cgi-bin/// access
SecFilterSelective THE_REQUEST "/cgi-bin///"

# WEB-MISC /~root access
SecFilterSelective THE_REQUEST "/~root"

# WEB-MISC /~ftp access
SecFilterSelective THE_REQUEST "/~ftp"

# WEB-MISC htgrep attempt
SecFilterSelective THE_REQUEST "/htgrep" chain
SecFilter "hdr=/"

# WEB-MISC htgrep access
SecFilterSelective THE_REQUEST "/htgrep" log,pass

# WEB-MISC .history access
SecFilterSelective THE_REQUEST "/\.history"

# WEB-MISC .bash_history access
SecFilterSelective THE_REQUEST "/\.bash_history"

# WEB-MISC /~nobody access
SecFilterSelective THE_REQUEST "/~nobody"

# WEB-PHP PHP-Wiki cross site scripting attempt
SecFilterSelective THE_REQUEST "<script"

# WEB-PHP strings overflow
SecFilterSelective THE_REQUEST "\?STRENGUR"

# WEB-PHP PHPLIB remote command attempt
SecFilter "_PHPLIB\[libdir\]"

# WEB-ATTACKS curl command attempt
SecFilterSelective THE_REQUEST "curl "

# WEB-ATTACKS perl command attempt
SecFilterSelective THE_REQUEST "perl "

# prevent perl user agent (most often used by santy)
SecFilterSelective "HTTP_USER_AGENT" "^lwp.*" 

# prevent payloads via Sphider 
SecFilterSelective "HTTP_USER_AGENT" "^lsphider.*" 

# prevent access from santy webworm 
SecFilterSelective "QUERY_STRING" "^(.*)echr(.*)"
SecFilterSelective "QUERY_STRING" "^(.*)esystem(.*)"
SecFilterSelective "QUERY_STRING" "^(.*)highlight=\%2527"
SecFilterSelective "QUERY_STRING" "^(.*)rush=\%65\%63\%68"
SecFilterSelective "QUERY_STRING" "^(.*)rush=echo"

# Forbid requests for exploits & annoyances
SecFilterSelective "REQUEST_URI" "^/.*\.printer$"
SecFilterSelective "REQUEST_URI" "^/(MSOffice|_vti)"
SecFilterSelective "REQUEST_URI" "/(admin|cmd|httpodbc|nsiislog|root|shell)\.(dll|exe)"
SecFilterSelective "REQUEST_URI" "^/(bin/|cgi/|cgi\-local/|sumthin)"
SecFilterSelective "REQUEST_URI" "^/(MSOffice|_vti)"

# Unknown/mixed
SecFilterSelective "REQUEST_URI" "^/(cltreq.asp|owssrv.dll)"
SecFilterSelective "REQUEST_URI" "^/_blank"
SecFilterSelective "REQUEST_URI" "^/missing.html"
SecFilterSelective "REQUEST_URI" "^/(cgi\-bin/|cgi\-local/)\FormMail.(cgi|php|pl)"
SecFilterSelective "REQUEST_URI" "^/(cgi\-bin/|cgi\-local/)\FormMail"
SecFilterSelective "REQUEST_URI" "^/FormMail.(cgi|php|pl)"
SecFilterSelective "REQUEST_URI" "^/FormMail"
SecFilterSelective "REQUEST_URI" "^/sumthin"
SecFilterSelective "REQUEST_URI" "^/default.htm"
SecFilterSelective "REQUEST_URI" "^/default.asp"
SecFilterSelective "REQUEST_URI" "/sensepost\.exe"
These "repel" the basic attacks that a server hosting various open source PHP programs (and not only those) may receive.

Beyond that, we can also move over the list of "bad" bots/spiders that we saw how to keep out with SetEnvIf:

# Prevent Site Copiers and Bad Bots
SecFilterSelective "HTTP_USER_AGENT" "^BotRightHere.*"
SecFilterSelective "HTTP_USER_AGENT" "^(W|w)eb(B|b)andit.*"
SecFilterSelective "HTTP_USER_AGENT" "^Alexibot.*"
SecFilterSelective "HTTP_USER_AGENT" "^Aqua_Products.*"
SecFilterSelective "HTTP_USER_AGENT" "^asterias.*"
SecFilterSelective "HTTP_USER_AGENT" "^b2w/0.1.*"
SecFilterSelective "HTTP_USER_AGENT" "^BackDoorBot.*"
SecFilterSelective "HTTP_USER_AGENT" "^Black.Hole.*"
SecFilterSelective "HTTP_USER_AGENT" "^BlackWidow.*"
SecFilterSelective "HTTP_USER_AGENT" "^BlowFish.*"
SecFilterSelective "HTTP_USER_AGENT" "^BlowFish/1.0.*"
SecFilterSelective "HTTP_USER_AGENT" "^Bookmark(.*)search(.*)tool.*"
SecFilterSelective "HTTP_USER_AGENT" "^BotALot.*"
SecFilterSelective "HTTP_USER_AGENT" "^BotRightHere.*"
SecFilterSelective "HTTP_USER_AGENT" "^BuiltBotTough.*"
SecFilterSelective "HTTP_USER_AGENT" "^Bullseye.*"
SecFilterSelective "HTTP_USER_AGENT" "^BunnySlippers.*"
SecFilterSelective "HTTP_USER_AGENT" "^Cegbfeieh.*"
SecFilterSelective "HTTP_USER_AGENT" "^CheeseBot.*"
SecFilterSelective "HTTP_USER_AGENT" "^CherryPicker.*"
SecFilterSelective "HTTP_USER_AGENT" "^ChinaClaw.*"
SecFilterSelective "HTTP_USER_AGENT" "^Copernic.*"
SecFilterSelective "HTTP_USER_AGENT" "^CopyRightCheck.*"
SecFilterSelective "HTTP_USER_AGENT" "^Cosmos.*"
SecFilterSelective "HTTP_USER_AGENT" "^Crescent.*"
SecFilterSelective "HTTP_USER_AGENT" "^Custo.*"
SecFilterSelective "HTTP_USER_AGENT" "^DISCo.*"
SecFilterSelective "HTTP_USER_AGENT" "^DittoSpyder.*"
SecFilterSelective "HTTP_USER_AGENT" "^Download.*"
SecFilterSelective "HTTP_USER_AGENT" "^eCatch.*"
SecFilterSelective "HTTP_USER_AGENT" "^EirGrabber.*"
SecFilterSelective "HTTP_USER_AGENT" "^EmailCollector.*"
SecFilterSelective "HTTP_USER_AGENT" "^EmailSiphon.*"
SecFilterSelective "HTTP_USER_AGENT" "^EmailWolf.*"
SecFilterSelective "HTTP_USER_AGENT" "^EroCrawler.*"
SecFilterSelective "HTTP_USER_AGENT" "^Express.*"
SecFilterSelective "HTTP_USER_AGENT" "^ExtractorPro.*"
SecFilterSelective "HTTP_USER_AGENT" "^EyeNetIE.*"
SecFilterSelective "HTTP_USER_AGENT" "^FairAd(.*)Client.*"
SecFilterSelective "HTTP_USER_AGENT" "^Flaming(.*)AttackBot.*"
SecFilterSelective "HTTP_USER_AGENT" "^FlashGet.*"
SecFilterSelective "HTTP_USER_AGENT" "^Foobot.*"
SecFilterSelective "HTTP_USER_AGENT" "^FrontPage.*"
SecFilterSelective "HTTP_USER_AGENT" "^Gaisbot.*"
SecFilterSelective "HTTP_USER_AGENT" "^GetRight.*"
SecFilterSelective "HTTP_USER_AGENT" "^GetWeb\!.*"
SecFilterSelective "HTTP_USER_AGENT" "^Go\!Zilla.*"
SecFilterSelective "HTTP_USER_AGENT" "^Go-Ahead-Got-It.*"
SecFilterSelective "HTTP_USER_AGENT" "^GrabNet.*"
SecFilterSelective "HTTP_USER_AGENT" "^Grafula.*"
SecFilterSelective "HTTP_USER_AGENT" "^Harvest.*"
SecFilterSelective "HTTP_USER_AGENT" "^hloader.*"
SecFilterSelective "HTTP_USER_AGENT" "^HMView.*"
SecFilterSelective "HTTP_USER_AGENT" "^httplib.*"
SecFilterSelective "HTTP_USER_AGENT" "^HTTrack.*"
SecFilterSelective "HTTP_USER_AGENT" "^humanlinks.*"
SecFilterSelective "HTTP_USER_AGENT" "^Image.*"
SecFilterSelective "HTTP_USER_AGENT" "^Indy.*"
SecFilterSelective "HTTP_USER_AGENT" "^InfoNaviRobot.*"
SecFilterSelective "HTTP_USER_AGENT" "^InterGET.*"
SecFilterSelective "HTTP_USER_AGENT" "^Internet.*"
SecFilterSelective "HTTP_USER_AGENT" "^Iron33/1.0.2.*"
SecFilterSelective "HTTP_USER_AGENT" "^JennyBot.*"
SecFilterSelective "HTTP_USER_AGENT" "^JetCar.*"
SecFilterSelective "HTTP_USER_AGENT" "^JOC.*"
SecFilterSelective "HTTP_USER_AGENT" "^Kenjin.Spider.*"
SecFilterSelective "HTTP_USER_AGENT" "^Keyword(.*)Density/0.9.*"
SecFilterSelective "HTTP_USER_AGENT" "^Keyword.Density.*"
SecFilterSelective "HTTP_USER_AGENT" "^larbin.*"
SecFilterSelective "HTTP_USER_AGENT" "^LexiBot.*"
SecFilterSelective "HTTP_USER_AGENT" "^libWeb/clsHTTP.*"
SecFilterSelective "HTTP_USER_AGENT" "^LinkextractorPro.*"
SecFilterSelective "HTTP_USER_AGENT" "^LinkScan/8.1a.Unix.*"
SecFilterSelective "HTTP_USER_AGENT" "^LinkWalker.*"
SecFilterSelective "HTTP_USER_AGENT" "^LNSpiderguy.*"
SecFilterSelective "HTTP_USER_AGENT" "^lwp-trivial.*"
SecFilterSelective "HTTP_USER_AGENT" "^lwp-trivial/1.34.*"
SecFilterSelective "HTTP_USER_AGENT" "^LWP.*"
SecFilterSelective "HTTP_USER_AGENT" "^lwp.*"
SecFilterSelective "HTTP_USER_AGENT" "^Mass.*"
SecFilterSelective "HTTP_USER_AGENT" "^Mata(.*)Hari.*"
SecFilterSelective "HTTP_USER_AGENT" "^Microsoft(.*)URL(.*)Control.*"
SecFilterSelective "HTTP_USER_AGENT" "^MIDown.*"
SecFilterSelective "HTTP_USER_AGENT" "^MIIxpc.*"
SecFilterSelective "HTTP_USER_AGENT" "^MIIxpc/4.2.*"
SecFilterSelective "HTTP_USER_AGENT" "^Mister.*"
SecFilterSelective "HTTP_USER_AGENT" "^Mister.PiX.*"
SecFilterSelective "HTTP_USER_AGENT" "^moget.*"
SecFilterSelective "HTTP_USER_AGENT" "^moget/2.1.*"
SecFilterSelective "HTTP_USER_AGENT" "^Mozilla.*NEWT.*"
SecFilterSelective "HTTP_USER_AGENT" "^Mozilla/2.*"
SecFilterSelective "HTTP_USER_AGENT" "^Mozilla/3.Mozilla/2.01.*"
SecFilterSelective "HTTP_USER_AGENT" "^Mozilla/4.0(.*)BullsEye.*"
SecFilterSelective "HTTP_USER_AGENT" "^MS(.*)FrontPage.*"
SecFilterSelective "HTTP_USER_AGENT" "^MSIECrawler.*"
SecFilterSelective "HTTP_USER_AGENT" "^MSProxy/2.0.*"
SecFilterSelective "HTTP_USER_AGENT" "^Navroad.*"
SecFilterSelective "HTTP_USER_AGENT" "^NearSite.*"
SecFilterSelective "HTTP_USER_AGENT" "^NetAnts.*"
SecFilterSelective "HTTP_USER_AGENT" "^NetMechanic.*"
SecFilterSelective "HTTP_USER_AGENT" "^NetSpider.*"
SecFilterSelective "HTTP_USER_AGENT" "^NetZIP.*"
SecFilterSelective "HTTP_USER_AGENT" "^NICErsPRO.*"
SecFilterSelective "HTTP_USER_AGENT" "^NPBot.*"
SecFilterSelective "HTTP_USER_AGENT" "^Octopus.*"
SecFilterSelective "HTTP_USER_AGENT" "^Offline.*"
SecFilterSelective "HTTP_USER_AGENT" "^Openbot.*"
SecFilterSelective "HTTP_USER_AGENT" "^Openfind.*"
SecFilterSelective "HTTP_USER_AGENT" "^Oracle(.*)Ultra.*"
SecFilterSelective "HTTP_USER_AGENT" "^PageGrabber.*"
SecFilterSelective "HTTP_USER_AGENT" "^Papa.*"
SecFilterSelective "HTTP_USER_AGENT" "^pavuk.*"
SecFilterSelective "HTTP_USER_AGENT" "^pcBrowser.*"
SecFilterSelective "HTTP_USER_AGENT" "^PerMan.*"
SecFilterSelective "HTTP_USER_AGENT" "^ProPowerBot/2.14.*"
SecFilterSelective "HTTP_USER_AGENT" "^ProWebWalker.*"
SecFilterSelective "HTTP_USER_AGENT" "^psbot.*"
SecFilterSelective "HTTP_USER_AGENT" "^Python-urllib.*"
SecFilterSelective "HTTP_USER_AGENT" "^QueryN.Metasearch.*"
SecFilterSelective "HTTP_USER_AGENT" "^Radiation(.*)Retriever(.*)1.1.*"
SecFilterSelective "HTTP_USER_AGENT" "^ReGet.*"
SecFilterSelective "HTTP_USER_AGENT" "^RepoMonkey.*"
SecFilterSelective "HTTP_USER_AGENT" "^RMA.*"
SecFilterSelective "HTTP_USER_AGENT" "^searchpreview.*"
SecFilterSelective "HTTP_USER_AGENT" "^SiteSnagger.*"
SecFilterSelective "HTTP_USER_AGENT" "^SlySearch.*"
SecFilterSelective "HTTP_USER_AGENT" "^SmartDownload.*"
SecFilterSelective "HTTP_USER_AGENT" "^SpankBot.*"
SecFilterSelective "HTTP_USER_AGENT" "^spanner.*"
SecFilterSelective "HTTP_USER_AGENT" "^SuperBot.*"
SecFilterSelective "HTTP_USER_AGENT" "^SuperHTTP.*"
SecFilterSelective "HTTP_USER_AGENT" "^Surfbot.*"
SecFilterSelective "HTTP_USER_AGENT" "^suzuran.*"
SecFilterSelective "HTTP_USER_AGENT" "^Szukacz/1.4.*"
SecFilterSelective "HTTP_USER_AGENT" "^tAkeOut.*"
SecFilterSelective "HTTP_USER_AGENT" "^Teleport.*"
SecFilterSelective "HTTP_USER_AGENT" "^Telesoft.*"
SecFilterSelective "HTTP_USER_AGENT" "^The(.*)Intraformant.*"
SecFilterSelective "HTTP_USER_AGENT" "^TheNomad.*"
SecFilterSelective "HTTP_USER_AGENT" "^TightTwatBot.*"
SecFilterSelective "HTTP_USER_AGENT" "^Titan.*"
SecFilterSelective "HTTP_USER_AGENT" "^toCrawl/UrlDispatcher.*"
SecFilterSelective "HTTP_USER_AGENT" "^True_Robot.*"
SecFilterSelective "HTTP_USER_AGENT" "^turingos.*"
SecFilterSelective "HTTP_USER_AGENT" "^TurnitinBot.*"
SecFilterSelective "HTTP_USER_AGENT" "^URL(.*)Control.*"
SecFilterSelective "HTTP_USER_AGENT" "^URL_Spider_Pro.*"
SecFilterSelective "HTTP_USER_AGENT" "^VCI(.*)WebViewer.*"
SecFilterSelective "HTTP_USER_AGENT" "^VoidEYE.*"
SecFilterSelective "HTTP_USER_AGENT" "^Web.Image.Collector.*"
SecFilterSelective "HTTP_USER_AGENT" "^WebAuto.*"
SecFilterSelective "HTTP_USER_AGENT" "^WebBandit.*"
SecFilterSelective "HTTP_USER_AGENT" "^WebCapture.*"
SecFilterSelective "HTTP_USER_AGENT" "^WebCopier.*"
SecFilterSelective "HTTP_USER_AGENT" "^WebEMailExtrac.*.*"
SecFilterSelective "HTTP_USER_AGENT" "^WebEnhancer.*"
SecFilterSelective "HTTP_USER_AGENT" "^WebFetch.*"
SecFilterSelective "HTTP_USER_AGENT" "^WebGo.*"
SecFilterSelective "HTTP_USER_AGENT" "^WebLeacher.*"
SecFilterSelective "HTTP_USER_AGENT" "^WebmasterWorldForumBot.*"
SecFilterSelective "HTTP_USER_AGENT" "^WebReaper.*"
SecFilterSelective "HTTP_USER_AGENT" "^WebSauger.*"
SecFilterSelective "HTTP_USER_AGENT" "^Website.*"
SecFilterSelective "HTTP_USER_AGENT" "^Webster.*"
SecFilterSelective "HTTP_USER_AGENT" "^WebStripper.*"
SecFilterSelective "HTTP_USER_AGENT" "^WebWhacker.*"
SecFilterSelective "HTTP_USER_AGENT" "^WebZip.*"
SecFilterSelective "HTTP_USER_AGENT" "^Widow.*"
SecFilterSelective "HTTP_USER_AGENT" "^WWW-Collector-E.*"
SecFilterSelective "HTTP_USER_AGENT" "^WWWOFFLE.*"
SecFilterSelective "HTTP_USER_AGENT" "^Xaldon.*"
SecFilterSelective "HTTP_USER_AGENT" "^Xenus.*"
SecFilterSelective "HTTP_USER_AGENT" "^Xenu's.*"
SecFilterSelective "HTTP_USER_AGENT" "^Zeus.*"
More:
-modSecurity
-Introducing mod_security
-An introduction to mod_security
mod_security rule generator


Post by Cha0s » 11 May 2006 19:53

Care is needed only with how many rules we pass, since it can weigh Apache down considerably and, even to serve a simple page, push the load on the server up a lot.

From what I have read on the modsec site, they are preparing a new version with improvements in this area.
We're waiting :)


Post by Giannis78 » 12 May 2006 12:27

Let me add a fairly complex and good config for mod_sec too:


#--------------------------------
#start rules
#--------------------------------
#Enforce proper HTTP requests
SecFilterSelective THE_REQUEST "!HTTP\/(0\.9|1\.0|1\.1)$"

#Web Proxy GET Request
SecFilter "^GET (http|https|ftp)\:/"

#Web Proxy HEAD Request
SecFilter "^HEAD (http|https|ftp)\:/"

#Proxy POST Request
SecFilter "^POST (http|https|ftp)\:/"

#Proxy CONNECT Request
SecFilterSelective THE_REQUEST "^CONNECT "

#generic XSS PHP attack types
SecFilterSelective THE_REQUEST "\.php\?" chain
SecFilter "javascript\:/(.*new\x20ActiveXObject.*Sh\.regwrite|.*window\.opener\.document\.body.\innerHTML=window\.opener\.document\.body\.innerHTML\.replace)"

#Prevent SQL injection in cookies
#SecFilterSelective COOKIE_sessionid ".*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)"

# Generic filter to prevent SQL injection attacks
#please report false positives/negatives
#SecFilter "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)"

#PHP Injection Attack
SecFilterSelective THE_REQUEST "\.php*" chain
SecFilter "(\?(name|path|include_location)=(http|https|ftp)\:/|cmd=(cd|\;|perl|python|rpm|yum|aptget|emerge|lynx|links|mkdir|elinks|cmd|pwd|wget|id|uname|cvs|svn|(s|r)(cp|sh)|rexec|smbclient|t?ftp|ncftp|curl|telnet|gcc|cc|g\+\+|\./))"
SecFilterSelective THE_REQUEST "\.php\?((name|path|include_location)=(http|https|ftp)\:/|cmd=(cd|\;|perl|python|rpm|yum|aptget|emerge|lynx|links|mkdir|elinks|cmd|pwd|wget|id|uname|cvs|svn|(s|r)(cp|sh)|rexec|smbclient|t?ftp|ncftp|curl|telnet|gcc|cc|g\+\+|\./))"

# WEB-ATTACKS uname -a command attempt
SecFilterSelective THE_REQUEST "uname" chain
SecFilter "\x20-a"

# WEB-ATTACKS xterm command attempt
SecFilterSelective THE_REQUEST "/usr/X11R6/bin/xterm"

# WEB-ATTACKS /etc/shadow access
SecFilterSelective THE_REQUEST "/etc/shadow"

# WEB-CGI formmail
SecFilterSelective THE_REQUEST "/(formmail|mailform)\x0a"
SecFilterSelective THE_REQUEST "/(formmail|mailform)\.pl\x0a"

# WEB-CGI FormHandler.cgi external site redirection attempt
SecFilterSelective THE_REQUEST "/FormHandler\.cgi" chain
SecFilter "redirect=http"

# WEB-PHP squirrel mail spell-check arbitrary command attempt
SecFilterSelective THE_REQUEST "/squirrelspell/modules/check_me\.mod\.php" chain
SecFilter "SQSPELL_APP\["

# WEB-PHP squirrel mail theme arbitrary command attempt
SecFilterSelective THE_REQUEST "/left_main\.php" chain
SecFilter "cmdd="

# Exploit phpBB Highlighting Code Execution Attempt
SecFilter "&highlight=\'\.system\("
SecFilterSelective THE_REQUEST "(\;|\&)highlight=\'\.system\("


# Exploit phpBB Highlighting SQL Injection
SecFilter "&highlight=\'\.mysql_query\("

# Exploit phpBB Highlighting Code Execution - Santy.A Worm
SecFilter "&highlight=\'\.fwrite\(fopen\("

# Exploit phpBB Highlight Exploit Attempt
SecFilter "&highlight=\x2527\x252Esystem\("

# WEB-ATTACKS /bin/ps command attempt
SecFilterSelective THE_REQUEST "/bin/ps"

# WEB-ATTACKS /usr/bin/id command attempt
SecFilterSelective THE_REQUEST "/usr/bin/id" chain
SecFilter "\x20"

# WEB-ATTACKS echo command attempt
SecFilterSelective THE_REQUEST "/bin/echo" chain
SecFilter "\x20"

# WEB-ATTACKS kill command attempt
SecFilterSelective THE_REQUEST "/bin/kill" chain
SecFilter "\x20"

# WEB-ATTACKS chmod command attempt
SecFilterSelective THE_REQUEST "/bin/chmod" chain
SecFilter "\x20"

# WEB-ATTACKS chsh command attempt
SecFilterSelective THE_REQUEST "/usr/bin/chsh"

# WEB-ATTACKS gcc command attempt
SecFilterSelective THE_REQUEST "gcc" chain
SecFilter "\x20-o"

# WEB-ATTACKS /usr/bin/cc command attempt
SecFilterSelective THE_REQUEST "/usr/bin/cc" chain
SecFilter "\x20"

# WEB-ATTACKS /usr/bin/cpp command attempt
SecFilterSelective THE_REQUEST "/usr/bin/cpp" chain
SecFilter "\x20"

# WEB-ATTACKS /usr/bin/g++ command attempt
SecFilterSelective THE_REQUEST "/usr/bin/g\+\+" chain
SecFilter "\x20"

# WEB-ATTACKS g++ command attempt
SecFilterSelective THE_REQUEST "g\+\+\x20" chain
SecFilter "\x20"

# WEB-ATTACKS bin/python access attempt
SecFilterSelective THE_REQUEST "bin/python" chain
SecFilter "\x20"

# WEB-ATTACKS python access attempt
#SecFilter "python\x20"

# WEB-ATTACKS bin/tclsh execution attempt
SecFilterSelective THE_REQUEST "bin/tclsh"

# WEB-ATTACKS tclsh execution attempt
SecFilterSelective THE_REQUEST "tclsh8\x20"

# WEB-ATTACKS bin/nasm command attempt
SecFilterSelective THE_REQUEST "bin/nasm"

# WEB-ATTACKS nasm command attempt
SecFilterSelective THE_REQUEST "nasm\x20"

# WEB-ATTACKS /usr/bin/perl execution attempt
SecFilterSelective THE_REQUEST "/usr/bin/perl"

# WEB-ATTACKS traceroute command attempt
SecFilterSelective THE_REQUEST "traceroute" chain
SecFilter "\x20([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})"

# WEB-ATTACKS ping command attempt
SecFilterSelective THE_REQUEST "/bin/ping" chain
SecFilter "\x20"

# WEB-ATTACKS X application to remote host attempt
SecFilterSelective THE_REQUEST "\x20-display\x20"

# WEB-ATTACKS mail command attempt
SecFilterSelective THE_REQUEST "/bin/mail" chain
SecFilter "\x20"

# WEB-ATTACKS /bin/ls command attempt
SecFilterSelective THE_REQUEST "/bin/ls" chain
SecFilter "\x20"

# WEB-ATTACKS /etc/inetd.conf access
SecFilterSelective THE_REQUEST "/etc/inetd\.conf"

# WEB-ATTACKS /etc/motd access
SecFilterSelective THE_REQUEST "/etc/motd"
# WEB-ATTACKS conf/httpd.conf attempt
SecFilterSelective THE_REQUEST "conf/httpd\.conf"

# WEB-MISC .htpasswd access
SecFilterSelective THE_REQUEST "\.htpasswd"

# WEB-MISC ls%20-l
SecFilterSelective THE_REQUEST "ls" chain
SecFilter "\x20-l"

# WEB-MISC /~root access
SecFilterSelective THE_REQUEST "/~root"

# WEB-MISC /~ftp access
SecFilterSelective THE_REQUEST "/~ftp"

# WEB-MISC apache directory disclosure attempt
SecFilter "////////"

# WEB-MISC htgrep attempt
SecFilterSelective THE_REQUEST "/htgrep" chain
SecFilter "hdr=/"

# WEB-MISC /~nobody access
SecFilterSelective THE_REQUEST "/~nobody"

# WEB-PHP DNSTools administrator authentication bypass attempt
SecFilterSelective THE_REQUEST "/dnstools\.php" chain
SecFilter "user_dnstools_administrator=true"

# WEB-PHP DNSTools authentication bypass attempt
SecFilterSelective THE_REQUEST "/dnstools\.php" chain
SecFilter "user_logged_in=true"

# WEB-PHP phpbb quick-reply.php arbitrary command attempt
SecFilterSelective THE_REQUEST "/quick-reply\.php" chain
SecFilter "phpbb_root_path="

# WEB-MISC Apache Chunked-Encoding worm attempt
SecFilter "CCCCCCC\: AAAAAAAAAAAAAAAAAAA"

#More PHPBB worms
SecFilter "^/viewtopic\.php\?" chain
SecFilter "chr\(([0-9a-fA-Fx]{1,3})\)"

#block bad PHP functions
SecFilterSelective ARGS "(fwrite|fopen|chr\(|echr\()"
SecFilterSelective ARGS "fwrite"
SecFilterSelective ARGS "fopen"
SecFilterSelective ARGS "chr\("
SecFilterSelective ARGS "echr\("
#SecFilterSelective ARGS "system\("
#Again, this is better protected by removing these functions in php.ini
#SecFilterSelective ARGS "(system|exec|passthru|popen|shell_exec|proc_open|fopen|fwrite)\s*\("
SecFilterSelective ARGS "(passthru|popen|shell_exec|proc_open|fopen|fwrite)\s*\("

#another variation of the PHPBB worm sigs
SecFilterSelective THE_REQUEST "viewtopic\.php" chain
SecFilterSelective "THE_REQUEST|ARG_VALUES" "(passthru|cmd|fopen|exit|fwrite)"
#SecFilterSelective "THE_REQUEST|ARG_VALUES" "(system|passthru|cmd|fopen|exit|fwrite)"
#false alarms on some systems
#A better solution is turn some of these functions off in php.ini, like system, etc.

# Web-attacks chdir
SecFilter "&cmd=chdir\x20"
SecFilterSelective THE_REQUEST "&cmd=chdir\x20"

#SMTP redirects
SecFilterSelective REQUEST_URI ^(http|https)\:/.+:25

#Commands, also need a major rework, these also have issues
#SecFilterSelective THE_REQUEST "perl\x20[A-Za-z|0-9]"
#SecFilterSelective THE_REQUEST "echo\x20"
SecFilterSelective THE_REQUEST "links -dump "
SecFilterSelective THE_REQUEST "links -dump-charset "
SecFilterSelective THE_REQUEST "links -dump-width "
SecFilterSelective THE_REQUEST "links (http|https|ftp)\:/"
SecFilterSelective THE_REQUEST "links -source "
SecFilterSelective THE_REQUEST "mkdir\x20"
SecFilterSelective THE_REQUEST "cd\x20/tmp"
SecFilterSelective THE_REQUEST "cd\x20/var/tmp"
SecFilterSelective THE_REQUEST "cd\.\."
SecFilterSelective THE_REQUEST "///cgi-bin"
SecFilterSelective THE_REQUEST "/cgi-bin///"
SecFilterSelective THE_REQUEST "/~named"
SecFilterSelective THE_REQUEST "/~guest"
SecFilterSelective THE_REQUEST "/~logs"
SecFilterSelective THE_REQUEST "/~sshd"
SecFilterSelective THE_REQUEST "/~ftp"
SecFilterSelective THE_REQUEST "/~bin"
SecFilterSelective THE_REQUEST "/~nobody"
SecFilterSelective THE_REQUEST "/\.history"
SecFilterSelective THE_REQUEST "/\.bash_history"

SecFilterSelective THE_REQUEST "wget "
SecFilterSelective THE_REQUEST "lynx "
SecFilterSelective THE_REQUEST "scp "
SecFilterSelective THE_REQUEST "ftp "
SecFilterSelective THE_REQUEST "cvs "
SecFilterSelective THE_REQUEST "rcp "
SecFilterSelective THE_REQUEST "telnet "
SecFilterSelective THE_REQUEST "ssh "
SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy "
#new added
SecFilterSelective THE_REQUEST "/bin/sh"
SecFilterSelective THE_REQUEST "/tmp/\.sesss_"

#generic block for fwrite fopen uploads
SecFilterSelective THE_REQUEST "fwrite" chain
SecFilterSelective THE_REQUEST "fopen"

#phpMyAdmin path vln
SecFilterSelective REQUEST_URI "/phpMyAdmin/css/phpmyadmin\.css\.php\?GLOBALS\[cfg\]\[ThemePath\]=/etc"

#mailman XSS
SecFilterSelective THE_REQUEST "/mailman/.*\?.*info=.*\<script"

#mailman 2.x path recursion attack
SecFilterSelective THE_REQUEST "mailman/private/.*\.\.\./\.\.\.\.///"
SecFilterSelective REQUEST_URI "mailman/private/.*\.\.\./\.\.\.\.///"
SecFilterSelective THE_REQUEST "/mailman/.*\.\.\./"

#phpMyAdmin convcharset Parameter Cross Site Scripting
SecFilterSelective THE_REQUEST "/phpmyadmin/index\.php\?pma_username=*&pma_password=*&server=.*&lang=.*&convcharset=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"

#remote bash shell
SecFilterSelective THE_REQUEST "/shell\.php\&cmd="
SecFilterSelective ARGS "/shell\.php\&cmd="

#cpanel XSS vuln
SecFilterSelective THE_REQUEST "/login\?user=.*<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"

#Form Post Hijacking
SecFilterSelective POST_PAYLOAD "Bcc:"
SecFilterSelective POST_PAYLOAD "Bcc:\x20"
SecFilterSelective POST_PAYLOAD "cc:"
SecFilterSelective POST_PAYLOAD "cc:\x20"
SecFilterSelective POST_PAYLOAD "bcc:"
SecFilterSelective POST_PAYLOAD "bcc:\x20"
SecFilterSelective POST_PAYLOAD "bcc: "

SecFilterSelective THE_REQUEST "Bcc:"
SecFilterSelective THE_REQUEST "Bcc:\x20"
SecFilterSelective THE_REQUEST "cc:"
SecFilterSelective THE_REQUEST "cc:\x20"
SecFilterSelective THE_REQUEST "bcc:"
SecFilterSelective THE_REQUEST "bcc:\x20"
SecFilterSelective THE_REQUEST "bcc: "


Post by ertert » 12 May 2006 15:25

Will some kind soul help?

I have a PHP script in which I run the following:
$command="php /home/USERNAME/public_html/XX/XX/XX.php > /dev/null &";
exec( $command );

From what it looks like, modSecurity blocks me and the EXEC no longer runs.
I have left the default config (I attach it below).
Which filter blocks the EXEC?

Thanks....

# WEB-ATTACKS wget command attempt
SecFilterSelective THE_REQUEST "wget "

# WEB-ATTACKS uname -a command attempt
SecFilterSelective THE_REQUEST "uname -a"

# WEB-ATTACKS .htgroup access
SecFilterSelective THE_REQUEST "\.htgroup"

# WEB-ATTACKS .htaccess access
SecFilterSelective THE_REQUEST "\.htaccess"

# WEB-CLIENT Javascript URL host spoofing attempt
SecFilter "javascript\://"

# WEB-MISC cross site scripting \(img src=javascript\) attempt
SecFilter "img src=javascript"

# WEB-MISC cd..
SecFilterSelective THE_REQUEST "cd\.\."

# WEB-MISC ///cgi-bin access
SecFilterSelective THE_REQUEST "///cgi-bin"

# WEB-MISC /cgi-bin/// access
SecFilterSelective THE_REQUEST "/cgi-bin///"

# WEB-MISC /~root access
SecFilterSelective THE_REQUEST "/~root"

# WEB-MISC /~ftp access
SecFilterSelective THE_REQUEST "/~ftp"

# WEB-MISC htgrep attempt
SecFilterSelective THE_REQUEST "/htgrep" chain
SecFilter "hdr=/"

# WEB-MISC htgrep access
SecFilterSelective THE_REQUEST "/htgrep" log,pass

# WEB-MISC .history access
SecFilterSelective THE_REQUEST "/\.history"

# WEB-MISC .bash_history access
SecFilterSelective THE_REQUEST "/\.bash_history"

# WEB-MISC /~nobody access
SecFilterSelective THE_REQUEST "/~nobody"

# WEB-PHP PHP-Wiki cross site scripting attempt
SecFilterSelective THE_REQUEST "<script"

# WEB-PHP strings overflow
SecFilterSelective THE_REQUEST "\?STRENGUR"

# WEB-PHP PHPLIB remote command attempt
SecFilter "_PHPLIB\[libdir\]"


Post by cordis » 12 May 2006 16:56

I don't know whether the problem comes from mod_security, since it filters the incoming traffic and not the internal traffic created by the exec. Are you perhaps making a call to the http server from the php that you exec?

Try running it after you have left an empty mod_sec.conf and restarted httpd. That way you will make sure whether some rule is to blame.


Post by ertert » 12 May 2006 19:15

The script that does the exec(); I run through the browser...

The exec command calls PHP to run the file
/home/USERNAME/public_html/XX/XX/XX.php
(so it goes through the http server... (?))

The XX.php file simply runs in the background (it shows nothing in the browser), reads mysql and sends email...

I didn't try leaving the config empty... but it is definitely mod_security... since as soon as I removed it everything works OK...

Meanwhile, it is a good solution for cutting off "strange moves"... yesterday mod_security blocked about ten attempts with WGET


Post by soteres2002 » 12 May 2006 23:24

Use system() instead of exec()


Post by Hermeia » 30 May 2006 01:46

I'm no expert on the subject, but the last rule looks like the one that is "at play":

# WEB-PHP PHPLIB remote command attempt
SecFilter "_PHPLIB\[libdir\]"

Just a test of the file without it.. it may serve you (while at the same time you keep the other protections..)

Good luck


Post by ertert » 02 Jun 2006 20:19

Hermeia wrote: I'm no expert on the subject, but the last rule looks like the one that is "at play":
# WEB-PHP PHPLIB remote command attempt
SecFilter "_PHPLIB\[libdir\]"
...nope, it doesn't work
...I can't figure out which one blocks it


Post by cpulse » 11 Jun 2006 11:58

The "> /dev/null" discards the output.. do you need the output? And the final & sends it to the background.. so you see that the script ran immediately.

If you run the script from SSH, does it work normally? If so, then check whether there are issues with safe_mode or open_basedir.. things like that.


Post by lon3wolf » 14 Feb 2008 15:23

Guys, a little help, and sorry for "digging up" the post.
I'm setting up a new server and trying to carry over some rules from the old one. Does anyone know how
SecFilterSelective THE_REQUEST "wget "
translates from mod_security 1.9 to 2.x?
SecRule what?

thanks
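The following harness is added here as an example; it is neither code from this thread nor from mod_security itself. It serves two parts of the discussion above: cordis's rule set and ertert's difficulty in telling which filter denies a request, and lon3wolf's question about carrying 1.x rules over to 2.x. It parses a constructed subset of the thread's single-line SecFilterSelective rules, replays constructed requests through them to show which pattern fires (including a harmless path containing "acc:" that the "cc:" rule denies), and renders each rule mechanically as a 2.x SecRule. The 1.x-to-2.x variable mapping, the URL-decoding of THE_REQUEST, treating an absent header as an empty string and case-sensitive matching are assumptions of this harness rather than mod_security's documented behaviour, and the rule ids starting at 900001 are placeholders.

```python
"""Triage harness for the mod_security 1.x rules quoted in this thread.
Added example, not the forum's or mod_security's own code: parses
single-line SecFilterSelective rules, replays constructed requests through
them, and renders each rule as a 2.x SecRule."""
import re
from urllib.parse import unquote

# Constructed subset of the thread's 1.x rules. SecFilter (whole-request)
# and "chain" rules are deliberately out of scope for this harness.
RULES_CONF = r'''
# WEB-ATTACKS wget command attempt
SecFilterSelective THE_REQUEST "wget "
# WEB-ATTACKS .htaccess access
SecFilterSelective THE_REQUEST "\.htaccess"
# WEB-MISC /~root access
SecFilterSelective THE_REQUEST "/~root"
# Form Post Hijacking
SecFilterSelective THE_REQUEST "cc:"
# prevent perl user agent (most often used by santy)
SecFilterSelective "HTTP_USER_AGENT" "^lwp.*"
# Require HTTP_USER_AGENT and HTTP_HOST headers
SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"
'''

# variable list (optionally quoted), then one double-quoted regex
RULE_RE = re.compile(r'^SecFilterSelective\s+"?([A-Z_|]+)"?\s+"((?:[^"\\]|\\.)*)"')

def parse_rules(conf):
    """Return [(variables, pattern)] for every SecFilterSelective line."""
    rules = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError('unsupported rule syntax: ' + line)
        rules.append((m.group(1).split('|'), m.group(2)))
    return rules

def matching_rules(request, rules):
    """Return the patterns that would deny `request` (a dict of 1.x variables).
    Assumptions modelled here: THE_REQUEST is matched after URL-decoding
    (1.x normalises the request before filtering), an absent header is the
    empty string (which is what the "^$" rule relies on), and matching is
    case-sensitive. Check the manual of the version you run for its own rules."""
    hits = []
    for variables, pattern in rules:
        regex = re.compile(pattern)
        for var in variables:
            value = request.get(var, '')
            if var == 'THE_REQUEST':
                value = unquote(value)
            if regex.search(value):
                hits.append(pattern)
                break  # one matching variable is enough to deny the request
    return hits

# Mechanical 1.x -> 2.x variable mapping; an assumption of this harness,
# since 2.x has no exact twin for every 1.x variable.
V2_VARS = {
    'THE_REQUEST': 'REQUEST_LINE',
    'HTTP_USER_AGENT': 'REQUEST_HEADERS:User-Agent',
    'HTTP_HOST': 'REQUEST_HEADERS:Host',
    'QUERY_STRING': 'QUERY_STRING',
    'REQUEST_URI': 'REQUEST_URI',
    'ARGS': 'ARGS',
}

def to_secrule(variables, pattern, rule_id):
    """Render a 1.x rule as a 2.x SecRule with the thread's deny/log/500 action.
    ARGS may come from the request body, so such rules run in phase 2;
    request line and headers are already available in phase 1."""
    phase = 2 if 'ARGS' in variables else 1
    targets = '|'.join(V2_VARS[v] for v in variables)
    return (f'SecRule {targets} "{pattern}" '
            f'"id:{rule_id},phase:{phase},deny,log,status:500"')

# Constructed requests; none of these is a captured log line.
BROWSER = {'HTTP_USER_AGENT': 'Mozilla/5.0', 'HTTP_HOST': 'www.example.invalid'}
SAMPLE_REQUESTS = {
    # Greek path: legitimate once URL-decoded, no rule fires
    'greek_page': dict(BROWSER, THE_REQUEST='GET /%CE%B5%CF%80%CE%B1%CF%86%CE%AE.html HTTP/1.1'),
    # "wget " hidden behind %20 still fires after decoding
    'encoded_wget': dict(BROWSER, THE_REQUEST='GET /search.php?q=wget%20manual HTTP/1.1'),
    # harmless path containing "acc:" is a false positive of the "cc:" rule
    'account_path': dict(BROWSER, THE_REQUEST='GET /ledger/acc:2006/report.pdf HTTP/1.1'),
    # HTTP/1.0 request carrying no headers at all
    'no_headers': {'THE_REQUEST': 'GET / HTTP/1.0'},
    # Perl LWP client
    'lwp_client': dict(BROWSER, THE_REQUEST='GET /feed.xml HTTP/1.1',
                       HTTP_USER_AGENT='lwp-trivial/1.34'),
}

if __name__ == '__main__':
    rules = parse_rules(RULES_CONF)
    for name, request in SAMPLE_REQUESTS.items():
        print(f'{name:13} denied by {matching_rules(request, rules)}')
    for n, (variables, pattern) in enumerate(rules, start=900001):
        print(to_secrule(variables, pattern, n))
```

Run it directly to see, per request, which patterns fire and the generated SecRule lines. The 2.x rendering is a starting point rather than a faithful port: the "^$" header-presence rule, for instance, does not carry over, because in 2.x an absent header gives the rule nothing to match, and the idiomatic check there is the count operator (`&REQUEST_HEADERS:Host "@eq 0"`); later 2.x releases also require a unique id on every rule.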
