Topic: mod_security new install just passes code |
rbramble
Joined: 12 Aug 2009 Posts: 2 Location: Ellsworth, KS
|
Posted: Wed 12 Aug '09 17:37 Post subject: mod_security new install just passes code |
|
|
Hello,
I have just stumbled across mod_security,
It looks like it is working.
I have a webserver that is running Apache 2.2.4 and PHP and mysql etc.
It was made with web-developer 1.95.
Error logs show that mod_security is running but the site was injected with SQL errors.
I want to setup a new one but need to know that this one is protected.
I am using Wampserver 2.0i and it is running Apache 2.2.11. (mod_security 2.5.9)
Doing an info.php shows that mod_security is running and installed,
however when I go to http://myserver-name/?highlight=%27 (from the localhost) it just allows it to go through.
I used the modsecurity.conf-minimal and it just allowed through to the page.
When I used the very quick start as my conf it blocked the traffic.
How do I go about setting this up and getting a basic set of rules to block the very bad stuff and get this site setup securely?
Ron |
|
|
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
|
|
|
rbramble
Joined: 12 Aug 2009 Posts: 2 Location: Ellsworth, KS
|
Posted: Wed 12 Aug '09 22:29 Post subject: |
|
|
I followed this information from this forum
http://www.apachelounge.com/viewtopic.php?t=1281
I created a modsecurity.conf and called it from the http.conf and then loaded the rules from http://www.gotroot.com/mod_security+rules
I loaded each rule that I could find 1 at a time.
How do I know this will catch the bad stuff now?
Mod_Security is running but I need to know that it will be running and secure the network. |
|
|
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
|
Posted: Wed 12 Aug '09 23:19 Post subject: |
|
|
Try throwing bad stuff at it.
As of this point I cannot say anything about the gotroot rules 'cause I've never used them. I am confident with the Breach core rules as I have used them and I see the pollution they leave in my error log. The latest round of crap being thrown at me is
[Wed Aug 12 05:53:37 2009] [error] [client 94.102.63.13] ModSecurity: Warning. Pattern match "(?:[\\\\(\\)\\%#]|--)" at REQUEST_HEADERS:User-Agent. [file "/usr/Apache/core_rules/modsecurity_crs_40_generic_attacks.conf"] [line "78"] [id "959905"] [msg "SQL Injection Attack"] [data "update"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [hostname "www.mydomain.com"] [uri "/YaBB.pl"] [unique_id "SoK7UQoAAAIAAAgQ4i8AAAA-"]
You should be able to figure out what you need to try by looking at a rule, for instance the PHPbb one would be easy, send some \x27 in the query and see what all happens. Hopefully I do not set off mod_sec here when I post this.
The hard part is, you almost have to be a hacker to know how to guard against other hackers and run exploit PoCs against your own server. |
|
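Added example (not part of the original posts, and not code from ModSecurity or the rule sets mentioned): a Python parser for ModSecurity 2.x error-log lines like the one quoted above, reporting per rule id whether a test request was blocked ("Access denied") or only logged ("Warning."). The second and third sample lines, including their rule id, file path and unique_id, are constructed placeholders.

```python
import re
from collections import defaultdict

# Line 1: the alert quoted in the post above. Lines 2 and 3: constructed for this
# example (rule id, file path, pattern and unique_id are placeholders, not real rules).
SAMPLE_LOG = r'''[Wed Aug 12 05:53:37 2009] [error] [client 94.102.63.13] ModSecurity: Warning. Pattern match "(?:[\\\\(\\)\\%#]|--)" at REQUEST_HEADERS:User-Agent. [file "/usr/Apache/core_rules/modsecurity_crs_40_generic_attacks.conf"] [line "78"] [id "959905"] [msg "SQL Injection Attack"] [data "update"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [hostname "www.mydomain.com"] [uri "/YaBB.pl"] [unique_id "SoK7UQoAAAIAAAgQ4i8AAAA-"]
[Wed Aug 12 17:40:02 2009] [error] [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\\x27" at ARGS:highlight. [file "/path/to/placeholder.conf"] [line "1"] [id "1"] [msg "constructed test rule"] [hostname "myserver-name"] [uri "/"] [unique_id "CONSTRUCTED-0001"]
[Wed Aug 12 17:40:05 2009] [notice] Apache configured -- resuming normal operations'''

# Apache 2.2 error-log prefix followed by the ModSecurity message body
LINE_RE = re.compile(r'^\[([^\]]+)\] \[\w+\] \[client ([^\]]+)\] ModSecurity: (.*)$')
# [key "value"] metadata fields; the value may contain backslash-escaped characters
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# Variable the rule matched against, e.g. ARGS:highlight
TARGET_RE = re.compile(r'" at (\S+)\. \[')

def parse_alert(line):
    """Return a dict for one ModSecurity error-log line, or None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    when, client, body = m.groups()
    alert = {"time": when, "client": client, "tags": [],
             # "Access denied ..." = request stopped; "Warning." = matched but let through
             "blocked": body.startswith("Access denied")}
    target = TARGET_RE.search(body)
    alert["target"] = target.group(1) if target else None
    for key, value in FIELD_RE.findall(body):
        if key == "tag":
            alert["tags"].append(value)  # a rule can carry several tags
        else:
            alert[key] = value
    return alert

def summarize(log_text):
    """Count blocked vs. logged-only hits per rule id."""
    counts = defaultdict(lambda: {"blocked": 0, "logged_only": 0})
    for line in log_text.splitlines():
        alert = parse_alert(line)
        if alert:
            outcome = "blocked" if alert["blocked"] else "logged_only"
            counts[alert.get("id", "?")][outcome] += 1
    return dict(counts)

if __name__ == "__main__":
    for rule_id, hits in summarize(SAMPLE_LOG).items():
        print(rule_id, hits)
```

Run against the real error log after sending a test request; a rule id that only ever shows up under `logged_only` matched the request but did not stop it.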