Topic: Mod Security 2 and GotRoot Rules
strigoi
Joined: 15 Dec 2005 Posts: 36
Posted: Thu 18 Jan '07 22:40 Post subject: Mod Security 2 and GotRoot Rules
There seems to be a lot of confusion surrounding the rules to be used in mod_security, so I've decided to make this post for mod_security beginners who need decent rules from the start, and also to give them time to read the documentation to understand how to write their rules and tweak them.
I'm going to assume you have mod_security up and running; if you don't, please search this forum.
First we need to make a new folder. I've chosen to make it in Apache's conf folder, naming it security2.
Now we'll visit GotRoot and grab the latest mod_security rules.
Be careful to grab the appropriate rules; if you're using mod_security 1.x, then use those.
Extract the files into the newly created security2 folder.
There are 9 config files that we need to Include into mod_security.
Here is how this is accomplished:
<IfModule mod_security2.c>
    SecRuleEngine On
    # The SecRule lines below carry no deny of their own: a rule that matches
    # inherits deny,status:403 from this SecDefaultAction, so keep it before them.
    SecDefaultAction log,auditlog,deny,status:403,phase:2,t:lowercase,t:replaceNulls,t:compressWhitespace
    SecAuditEngine RelevantOnly
    SecAuditLogType Serial
    SecAuditLog logs/mod_security2.log
    ## -- General rules --------------------
    SecRule ARGS "c:/" t:normalisePathWin
    SecRule ARGS "\.\./" t:normalisePathWin
    SecRule ARGS "d:/" t:normalisePathWin
    ## -- phpBB attack --------------------
    SecRule ARGS:highlight "(\x27|%27|\x2527|%2527)"
    # GotRoot exclude rules (must be loaded before the other GotRoot files)
    Include conf/security2/exclude.conf
    # GotRoot apache2 rules
    Include conf/security2/apache2-rules.conf
    # GotRoot blacklist rules
    Include conf/security2/blacklist.conf
    # GotRoot blacklist2 rules
    Include conf/security2/blacklist2.conf
    # GotRoot jitp rules
    Include conf/security2/jitp.conf
    # GotRoot recons rules
    Include conf/security2/recons.conf
    # GotRoot rootkits rules
    Include conf/security2/rootkits.conf
    # GotRoot rules
    Include conf/security2/rules.conf
    # GotRoot useragents rules
    Include conf/security2/useragents.conf
</IfModule>
Exclude.conf MUST be loaded first per GotRoot's instructions; I've left Steffen's default rules in also.
This is just how easy it is to add some comprehensive rules to mod_security 2 from the get-go.
What this is NOT is universal: these rules may block legitimate traffic to your website, as ALL websites are not the same. You may need to adjust the rules and/or exclude some.
As we cannot possibly go over every rule on a per-site basis, if you run into an issue, look at the security log, then comment out the rule that is affecting legitimate traffic in its conf file; simply add a # in front to negate that rule. It's just that simple.
Also keep in mind memory and resource usage; for low-resource systems, you may want to just use these:
exclude.conf
apache2-rules.conf
jitp.conf
recons.conf
rootkits.conf
rules.conf
useragents.conf
My server has 16 gigs of memory and dual 3.0 GHz Xeons, so I prefer to run them all and hand-edit the files.
I would like to thank Steffen for this very helpful site, and all the contributors who took the time to post tutorials and help others. I've learned far more than I ever expected from this site.
Vlad Tepes
President, PC-FX LLC.
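The triage step the post above describes (look at the security log, then comment out the offending rule in its conf file), as an added example in Python; this is not code from the post, from GotRoot or from ModSecurity. It parses the "Access denied" lines ModSecurity writes to Apache's error.log, in both the 2.2 and the 2.3/2.4 line formats quoted later in this thread, and groups them per rule id, file and line so you can see how many requests, URIs and clients a rule is actually stopping before you disable it. The sample log embedded in the block reuses the two complete denial lines quoted in this thread plus one constructed second hit from a made-up client (198.51.100.7) and one constructed non-ModSecurity line that must be ignored.

```python
"""Triage ModSecurity 2 "Access denied" lines in Apache's error.log.

Added example (not from the thread, GotRoot or ModSecurity).  Every denial
line carries [file "..."] [line "..."] [id "..."] [msg "..."] [uri "..."];
this pulls those out and groups hits per rule so you know which file:line to
comment out and what you would stop blocking by doing so.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

# Apache 2.2 writes "[error] [client a.b.c.d]", 2.4 writes
# "[security2:error] [pid N:tid M] [client a.b.c.d:port]"; the ModSecurity
# text after that is the same, so the patterns ignore the prefix.
DENY_RE = re.compile(r"ModSecurity: Access denied with code (?P<code>\d+) \(phase (?P<phase>\d)\)")
CLIENT_RE = re.compile(r"\[client (?P<client>[^\]]+)\]")
KV_RE = re.compile(r'\[(?P<key>\w+) "(?P<val>(?:[^"\\]|\\.)*)"\]')   # [key "value"]


@dataclass
class Denial:
    client: str
    code: int                 # HTTP status sent (403 from status:403 in SecDefaultAction)
    phase: int
    rule_id: Optional[str]    # None when the rule has no id: action
    file: Optional[str]
    line: Optional[str]
    msg: Optional[str]
    uri: Optional[str]
    tags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Denial]:
    """Return a Denial for a ModSecurity denial line, None for any other log line."""
    m = DENY_RE.search(line)
    if m is None:
        return None
    c = CLIENT_RE.search(line)
    kv: Dict[str, str] = {}
    tags: List[str] = []
    for k in KV_RE.finditer(line):
        if k.group("key") == "tag":          # a rule may carry several tags
            tags.append(k.group("val"))
        else:
            kv[k.group("key")] = k.group("val")
    return Denial(client=c.group("client") if c else "?",
                  code=int(m.group("code")), phase=int(m.group("phase")),
                  rule_id=kv.get("id"), file=kv.get("file"), line=kv.get("line"),
                  msg=kv.get("msg"), uri=kv.get("uri"), tags=tags)


RuleKey = Tuple[Optional[str], Optional[str], Optional[str]]   # (id, file, line)


def summarise(lines: Iterable[str]) -> Dict[RuleKey, dict]:
    """Group denials by the rule that fired: (id, file, line) -> hits, URIs, clients, msg."""
    out: Dict[RuleKey, dict] = defaultdict(
        lambda: {"hits": 0, "uris": set(), "clients": set(), "msg": None})
    for line in lines:
        d = parse_line(line)
        if d is None:
            continue
        s = out[(d.rule_id, d.file, d.line)]
        s["hits"] += 1
        s["uris"].add(d.uri)
        s["clients"].add(d.client)
        s["msg"] = s["msg"] or d.msg
    return dict(out)


def report(summary: Dict[RuleKey, dict]) -> List[str]:
    """One line per rule, busiest first, naming the file:line you would edit."""
    rows = sorted(summary.items(), key=lambda kv: kv[1]["hits"], reverse=True)
    return [f"id {rid or '?'} at {fname}:{lno} ({s['msg']}): {s['hits']} hit(s), "
            f"{len(s['clients'])} client(s), uris={sorted(u or '' for u in s['uris'])}"
            for (rid, fname, lno), s in rows]


# Sample input: the two complete denial lines quoted in this thread (2.2 and
# 2.3/2.4 format), one constructed second hit on the same rule from another
# client, and one constructed non-ModSecurity line that must be ignored.
SAMPLE_LOG = [
    r'[Fri Jun 06 20:14:52 2008] [error] [client 77.250.60.183] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\\.\\./" at ARGS:abc. [file "D:/servers/apache/conf/httpd.conf"] [line "580"] [id "99999"] [msg "Drive Access"] [severity "WARNING"] [hostname "www.apachelounge.com"] [uri "/"] [unique_id "cCs1fsCoAAEAAAVkhmwAAABT"]',
    r'[Sun Dec 05 13:35:29.534700 2010] [security2:error] [pid 840:tid 1112] [client ::1] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\\.\\./" at ARGS:abc. [file "C:/Apache2x/conf/extra/httpd-security.conf"] [line "65"] [id "99999"] [msg "Drive Access"] [severity "WARNING"] [hostname "localhost"] [uri "/"] [unique_id "TPwFoQoAAAMAAANIAFYAAAA7"]',
    r'[Sun Dec 05 13:36:02 2010] [security2:error] [pid 840:tid 1112] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\\.\\./" at ARGS:abc. [file "C:/Apache2x/conf/extra/httpd-security.conf"] [line "65"] [id "99999"] [msg "Drive Access"] [severity "WARNING"] [hostname "localhost"] [uri "/index.php"] [unique_id "constructed0001"]',
    r'[Sun Dec 05 13:37:00 2010] [mpm_winnt:notice] [pid 840:tid 1112] Child process is running',
]

if __name__ == "__main__":
    for row in report(summarise(SAMPLE_LOG)):
        print(row)
```

Run it against a real error.log with `summarise(open("error.log"))`; a rule that shows one URI and one client is a likely attack, while a rule firing on many URIs from many clients is the one to look at before commenting out.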
asdfgqw
Joined: 21 Jan 2007 Posts: 12
Posted: Sun 21 Jan '07 14:49 Post subject:
But you know that these rules are not even used by the Deutsche Bank or SUN for their servers. Yes, I know they don't use phpBB forums.
I have been running a Windows web server for about 8 years without mod_security, only protected with a Unix firewall, and they never hacked my sites; and actually I am running four Joomla CMSs and two phpBB boards, which are hackers' best friends.
OK, there have been attempts through the Tor net or the German JAP, but you can block that with a firewall and not with mod_security.
P.S.: Don't use the rules on a Pentium III or older plus PHP; it would slow down the machine drastically.
strigoi
Joined: 15 Dec 2005 Posts: 36
Posted: Mon 22 Jan '07 6:52 Post subject: correct
Admittedly these rules may be extreme overkill in many situations, and all rules will not be needed; any rules need to be looked at on a per-site/web-server basis.
I also filter traffic through a Linux firewall, namely Smoothwall with many mods.
What my post was not meant to be was the end-all, be-all solution to mod_security rules, as I stated.
wesleywillians
Joined: 06 Jun 2008 Posts: 1
Posted: Fri 06 Jun '08 18:21 Post subject: r57shell
Hi folks,
I followed the instructions and my Apache is running with mod_security2.
But I can see that I don't have anything written in my mod_sec.log.
I uploaded a malicious script called r57shell to see if mod_security would block it. But I can execute this one normally.
How do I know if my mod_security is working correctly? Why are my logs empty?
Kind regards,
Wesley
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Fri 06 Jun '08 19:03 Post subject:
I find these littering my Apache error.log file:
[Fri Jun 06 07:13:02 2008] [error] [client 143.167.169.10] ModSecurity: Access denied with code 500 (phase 2). Pattern match -snip- at REQUEST_BASENAME. -snip- [msg "URL file extension is restricted by policy" [tag "POLICY/EXT_RESTRICTED"] [hostname "www.mydomain.com"] [uri "/_vti_bin/owssvr.dll"] -snip-
This tells me that in my case it is working.
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3092 Location: Hilversum, NL, EU
Posted: Fri 06 Jun '08 20:17 Post subject:
To check your mod_security, see the rule a few posts below.
Call your site with:
http://www.xxxx.com/?abc=../../
You should get an access denied, and in the log:
[Fri Jun 06 20:14:52 2008] [error] [client 77.250.60.183] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\\.\\./" at ARGS:abc. [file "D:/servers/apache/conf/httpd.conf"] [line "580"] [id "99999"] [msg "Drive Access"] [severity "WARNING"] [hostname "www.apachelounge.com"] [uri "/"] [unique_id "cCs1fsCoAAEAAAVkhmwAAABT"]
I'm going to update the readme in the download with the above check.
Steffen
Last edited by Steffen on Sun 05 Dec '10 23:47; edited 1 time in total
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Sun 05 Dec '10 22:59 Post subject:
Shouldn't this rule have a deny in it?
I was just testing 2.5.13 on Apache 2.3.10-dev, and without the deny it lets the request pass.
Granted, I've hacked the mod to work with 2.3.x, so I tested an unhacked module on 2.2.17: same result, no 403, nothing in the error log.
However, on both 2.2.17 and 2.3.10-dev, this does as it should, 403s and logs the error:
SecRule ARGS "\.\./" "t:normalisePathWin,id:99999,severity:4,log,deny,msg:'Drive Access'"
2.2:
[Sun Dec 05 12:37:16 2010] [error] [client ::1] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\\.\\./" at ARGS:abc. [file "C:/Apache22sni6/conf/extra/httpd-security.conf"] [line "40"] [id "99999"] [msg "Drive Access"] [severity "WARNING"] [hostname "localhost"] [uri "/"] [unique_id "TPv3-AoAAAMAABVMA3AAAAA9"]
2.3:
[Sun Dec 05 13:35:29.534700 2010] [security2:error] [pid 840:tid 1112] [client ::1] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\\.\\./" at ARGS:abc. [file "C:/Apache2x/conf/extra/httpd-security.conf"] [line "65"] [id "99999"] [msg "Drive Access"] [severity "WARNING"] [hostname "localhost"] [uri "/"] [unique_id "TPwFoQoAAAMAAANIAFYAAAA7"]
Last edited by glsmith on Sun 05 Dec '10 23:45; edited 1 time in total
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3092 Location: Hilversum, NL, EU
Posted: Sun 05 Dec '10 23:32 Post subject:
Do you have, as in the readme:
SecDefaultAction log,auditlog,deny,status:403,phase:2,t:lowercase,t:replaceNulls,t:compressWhitespace
There is the deny.
Steffen
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Sun 05 Dec '10 23:41 Post subject:
No, I don't. I wanted to test the module, so knowing this thread is here, I came to it and copied and pasted that one single line.
Maybe you should edit the post above to include that tidbit of info?
People coming from Google probably have not downloaded the module to read that in the included readme.
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3092 Location: Hilversum, NL, EU
Posted: Sun 05 Dec '10 23:45 Post subject:
The complete quick start:
SecRuleEngine On
SecDefaultAction log,auditlog,deny,status:403,phase:2,t:lowercase,t:replaceNulls,t:compressWhitespace
SecAuditEngine RelevantOnly
SecAuditLogType Serial
SecAuditLog logs/mod_security2.log
## -- General rules --------------------
SecRule ARGS "c:/" t:normalisePathWin
SecRule ARGS "\.\./" "t:normalisePathWin,id:99999,severity:4,msg:'Drive Access'"
SecRule ARGS "d:/" t:normalisePathWin
## -- phpBB attack --------------------
SecRule ARGS:highlight "(\x27|%27|\x2527|%2527)"
To check your mod_security, add the rule, then call your site with:
http://www.xxxx.com/?abc=../../
You should get an access denied; this is triggered by the above rule SecRule ARGS "\.\./" t:normalisePathWin
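The point glsmith and Steffen work out above, that a SecRule with no disruptive action of its own only denies when a SecDefaultAction carrying deny precedes it and otherwise falls back to ModSecurity 2's built-in default of pass, as an added example; this is not code from the thread or from ModSecurity. The checker below walks single-line SecDefaultAction and SecRule directives in file order, reports the action each rule will actually take and where it came from, and lists rules that have no id (which ModSecurity 2.7 and later require on every rule). It is run on the bare rule that was pasted on its own, on glsmith's explicit-deny version and on the quick start above. The shlex-based parsing, with no support for backslash line continuations or chained rules, is this example's own simplification and not how ModSecurity reads its configuration.

```python
"""Report the disruptive action each ModSecurity 2 SecRule will really take.

Added example, not from the thread or ModSecurity.  A SecRule without its own
disruptive action inherits the one from the most recent SecDefaultAction; if
none is set, ModSecurity 2's built-in default is "phase:2,log,auditlog,pass",
so a bare rule matches and lets the request through.  Single-line directives
only; the parsing here is a simplification, not ModSecurity's own.
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional

DISRUPTIVE = {"allow", "block", "deny", "drop", "pass", "proxy", "redirect"}
BUILTIN_DEFAULT = "pass"   # applied when SecDefaultAction is never set


def split_actions(actions: str) -> List[str]:
    """Split an action list on commas, keeping 'single quoted' values whole."""
    out: List[str] = []
    cur: List[str] = []
    quoted = False
    for ch in actions:
        if ch == "'":
            quoted = not quoted
        if ch == "," and not quoted:
            out.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    out.append("".join(cur).strip())
    return [a for a in out if a]


def disruptive_of(actions: List[str]) -> Optional[str]:
    """The disruptive action named in the list, or None if there is none."""
    names = [a.split(":", 1)[0] for a in actions]
    return next((n for n in names if n in DISRUPTIVE), None)


def id_of(actions: List[str]) -> Optional[str]:
    return next((a[3:].strip("'") for a in actions if a.startswith("id:")), None)


@dataclass
class RuleReport:
    line_no: int
    variables: str
    operator: str
    rule_id: Optional[str]   # None: no id: action (ModSecurity 2.7+ rejects such rules)
    effective: str           # disruptive action that runs when the rule matches
    inherited: bool          # True if it came from SecDefaultAction or the built-in default


def check_config(text: str) -> List[RuleReport]:
    """Walk the config in file order, tracking SecDefaultAction as ModSecurity does."""
    default = BUILTIN_DEFAULT
    reports: List[RuleReport] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)   # honours "..." quoting, keeps regex backslashes
        if parts[0] == "SecDefaultAction" and len(parts) > 1:
            default = disruptive_of(split_actions(parts[1])) or default
        elif parts[0] == "SecRule" and len(parts) >= 3:
            actions = split_actions(parts[3]) if len(parts) > 3 else []
            own = disruptive_of(actions)
            # "block" explicitly means "do whatever SecDefaultAction says"
            if own is None or own == "block":
                reports.append(RuleReport(n, parts[1], parts[2], id_of(actions), default, True))
            else:
                reports.append(RuleReport(n, parts[1], parts[2], id_of(actions), own, False))
    return reports


def will_deny(text: str) -> List[bool]:
    """Per rule: does a match actually stop the request?"""
    return [r.effective in {"deny", "drop", "redirect", "proxy"} for r in check_config(text)]


def missing_ids(text: str) -> List[int]:
    """Line numbers (within text) of rules that have no id: action."""
    return [r.line_no for r in check_config(text) if r.rule_id is None]


# The three configurations discussed in this thread.
BARE_RULE = r'''SecRule ARGS "\.\./" t:normalisePathWin'''
EXPLICIT_RULE = r'''SecRule ARGS "\.\./" "t:normalisePathWin,id:99999,severity:4,log,deny,msg:'Drive Access'"'''
QUICK_START = r'''
SecRuleEngine On
SecDefaultAction log,auditlog,deny,status:403,phase:2,t:lowercase,t:replaceNulls,t:compressWhitespace
SecAuditEngine RelevantOnly
SecAuditLogType Serial
SecAuditLog logs/mod_security2.log
## -- General rules --------------------
SecRule ARGS "c:/" t:normalisePathWin
SecRule ARGS "\.\./" "t:normalisePathWin,id:99999,severity:4,msg:'Drive Access'"
SecRule ARGS "d:/" t:normalisePathWin
## -- phpBB attack --------------------
SecRule ARGS:highlight "(\x27|%27|\x2527|%2527)"
'''

if __name__ == "__main__":
    for name, cfg in [("bare", BARE_RULE), ("explicit", EXPLICIT_RULE), ("quick start", QUICK_START)]:
        for r in check_config(cfg):
            src = "inherited" if r.inherited else "own"
            print(f"{name}: line {r.line_no} id={r.rule_id} -> {r.effective} ({src})")
```

The bare rule reports pass, the explicit rule reports deny from its own actions, and every rule in the quick start reports deny inherited from SecDefaultAction; the three quick-start rules other than 99999 are listed by missing_ids() because they carry no id.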
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Sun 05 Dec '10 23:46 Post subject:
Thank you.