Keep Server Online
If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.
or
A donation makes a contribution towards the costs, the time and effort that's going in this site and building.
Thank You! Steffen
Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
| |
|
Topic: Mod Security 2 and GotRoot Rules |
|
Author |
|
strigoi
Joined: 15 Dec 2005 Posts: 36
|
Posted: Thu 18 Jan '07 22:40 Post subject: Mod Security 2 and GotRoot Rules |
|
|
There seems to be alot of confusion surrounding the rules to be used in mod_security. so ive decided to make this post for mod_security beginners who need decent rules from the start, and also give them time to read documentation to understand how to write there rules, and tweak them.
im going to assume you have mod_security up and running, if you dont please search this forum.
first we need to make a new folder, ive chosen to make in it apache's conf folder, naming it security2.
now well visit gotroot and grab the latest mod_security Rules
Be Carefull to grab the appropriate rules, if your using mod security 1x's then use those.
extract the files into the newly created security2 folder.
there are 9 config files that we need to Include into mod_security.
here is how this is accomplished.
<IfModule mod_security2.c>
SecRuleEngine On
SecDefaultAction log,auditlog,deny,status:403,phase:2,t:lowercase,t:replaceNulls,t:compressWhitespace
SecAuditEngine RelevantOnly
SecAuditLogType Serial
SecAuditLog logs/mod_security2.log
## -- General rules --------------------
SecRule ARGS "c:/" t:normalisePathWin
SecRule ARGS "\.\./" t:normalisePathWin
SecRule ARGS "d:/" t:normalisePathWin
## -- phpBB attack --------------------
SecRule ARGS:highlight "(\x27|%27|\x2527|%2527)"
#GotRoot Exclude rules
Include conf/security2/exclude.conf
#GotRoot apache2 rules
Include conf/security2/apache2-rules.conf
#GotRoot blacklist rules
Include conf/security2/blacklist.conf
#GotRoot blacklist2 rules
Include conf/security2/blacklist2.conf
#GotRoot jitp rules
Include conf/security2/jitp.conf
#GotRoot recons rules
Include conf/security2/recons.conf
#GotRoot rootkits rules
Include conf/security2/rootkits.conf
#GotRoot rules
Include conf/security2/rules.conf
#GotRoot useragents rules
Include conf/security2/useragents.conf
</IfModule>
Exclude.conf MUST be loaded first per GotRoots instructions, ive left Stephans Default Rules in also.
this is just how easy it is to add some comprehensive rules to mod security 2 from the get go.
what this is NOT is universal, these rules may block legitimate traffic to your website, as ALL websites are not the same. you may need to adjust the rules and or exclude some.
as we cannot possibly go over every rule on a per site basis, if you run into an issue, look at the security log, then comment out the rule that is affecting legitimate traffic in its conf file, simply add a # in front to negate that rule, its just that simple.
also keep in mind memory and resource usage, for low resource systems, you may want to just use these.
exclude.conf
apache2-rules.conf
jitp.conf
recons.conf
rootkits.conf
rules.conf
useragents.conf
my server has 16 gigs memory, and dual 3.0Ghz xeons
so i prefer to run them all and hand edit the files.
i would like to thank Steffan for this very helpfull site, and all the contributors who took the time to post tutorials, and help others, ive learned far more then i ever expected from this site.
Vlad Tepes
President, PC-FX LLC. |
|
Back to top |
|
asdfgqw
Joined: 21 Jan 2007 Posts: 12
|
Posted: Sun 21 Jan '07 14:49 Post subject: |
|
|
But you know that these rules are not even used by the Deutsche Bank or SUN for their servers. Yes i know they don´t use phpBB forums
I am running a Windows Webserver for about 8 years, without mod_security and only protected with a Unix firwall and they never hacked my sites and actually i am running four Joomla CMSs and two phpBB boards which are hackers best friends
OK there have been attemps through the tor net or the german JAP, but you can block that with a firewall and not with mod_security.
P.S: Don´t use the rules on a Pentium III or older plus php, it would slow down the machine drastically. |
|
Back to top |
|
strigoi
Joined: 15 Dec 2005 Posts: 36
|
Posted: Mon 22 Jan '07 6:52 Post subject: correct |
|
|
admittedly these rules may be extreeme overkill in many situations, and all rules will not be needed, any rules need to be looked at on a per site/webserver basis.
i also filter traffic thru a linux firewall, namely smoothwall with many mods.
what my post was not meant to be, was the end all be all solution to mod_security rules, as i stated. |
|
Back to top |
|
wesleywillians
Joined: 06 Jun 2008 Posts: 1
|
Posted: Fri 06 Jun '08 18:21 Post subject: r57shell |
|
|
Hi folks,
I followed the instructions and my apache is running with mod_security2.
But I can see that i dont have anything writed in my mod_sec.log.
I upload a malicious script called r57shell to see if mod_security would block it. But I can execute this one normaly.
How do I know if my mod_security is working correctly. Why my logs are empty.
Kind Regards,
Wesley |
|
Back to top |
|
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
|
Posted: Fri 06 Jun '08 19:03 Post subject: |
|
|
I find these littering my Apache error.log file
[Fri Jun 06 07:13:02 2008] [error] [client 143.167.169.10] ModSecurity: Access denied with code 500 (phase 2). Pattern match -snip- at REQUEST_BASENAME. -snip- [msg "URL file extension is restricted by policy" [tag "POLICY/EXT_RESTRICTED"] [hostname "www.mydomain.com"] [uri "/_vti_bin/owssvr.dll"] -snip-
This tells me that in my case it is working. |
|
Back to top |
|
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3094 Location: Hilversum, NL, EU
|
Posted: Fri 06 Jun '08 20:17 Post subject: |
|
|
To check your mod_security, see few posts below the rule:
Call your site with:
http://www.xxxx.com/?abc=../../
You should get a access denied and in the log:
Code: |
[Fri Jun 06 20:14:52 2008] [error] [client 77.250.60.183] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\\.\\./" at ARGS:abc. [file "D:/servers/apache/conf/httpd.conf"] [line "580"] [id "99999"] [msg "Drive Access"] [severity "WARNING"] [hostname "www.apachelounge.com"] [uri "/"] [unique_id "cCs1fsCoAAEAAAVkhmwAAABT"] |
I go to update the readme in the download with above check.
Steffen
Last edited by Steffen on Sun 05 Dec '10 23:47; edited 1 time in total |
|
Back to top |
|
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
|
Posted: Sun 05 Dec '10 22:59 Post subject: |
|
|
shouldn't this rule have a deny in it?
I was just testing 2.5.13 on Apache 2.3.10-dev and without the deny it lets the request pass.
Granted, I've hacked the mod to work with 2.3.x so I tested on a unhacked module on 2.2.17, same result, no 403, nothing in error log.
However, on both 2.2.17 & 2.3.10-dev, this does as it should, 403s and logs the error
SecRule ARGS "\.\./" "t:normalisePathWin,id:99999,severity:4,log,deny,msg:'Drive Access'"
2.2
[Sun Dec 05 12:37:16 2010] [error] [client ::1] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\\.\\./" at ARGS:abc. [file "C:/Apache22sni6/conf/extra/httpd-security.conf"] [line "40"] [id "99999"] [msg "Drive Access"] [severity "WARNING"] [hostname "localhost"] [uri "/"] [unique_id "TPv3-AoAAAMAABVMA3AAAAA9"]
2.3
[Sun Dec 05 13:35:29.534700 2010] [security2:error] [pid 840:tid 1112] [client ::1] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\\.\\./" at ARGS:abc. [file "C:/Apache2x/conf/extra/httpd-security.conf"] [line "65"] [id "99999"] [msg "Drive Access"] [severity "WARNING"] [hostname "localhost"] [uri "/"] [unique_id "TPwFoQoAAAMAAANIAFYAAAA7"]
Last edited by glsmith on Sun 05 Dec '10 23:45; edited 1 time in total |
|
Back to top |
|
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3094 Location: Hilversum, NL, EU
|
Posted: Sun 05 Dec '10 23:32 Post subject: |
|
|
Do you have as in the readme:
SecDefaultAction log,auditlog,deny,status:403,phase:2,t:lowercase,t:replaceNulls,t:compressWhitespace
There is the deny.
Stefffen |
|
Back to top |
|
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
|
Posted: Sun 05 Dec '10 23:41 Post subject: |
|
|
No, I don't. I wanted to test the module so knowing this thread is here, I came to it, copied and pasted that one single line.
Maybe you should edit the post above to include that tidbit of info?
People coming from google probably have not downloaded the module to read that in the included readme. |
|
Back to top |
|
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3094 Location: Hilversum, NL, EU
|
Posted: Sun 05 Dec '10 23:45 Post subject: |
|
|
The complete quick start:
SecRuleEngine On
SecDefaultAction log,auditlog,deny,status:403,phase:2,t:lowercase,t:replaceNulls,t:compressWhitespace
SecAuditEngine RelevantOnly
SecAuditLogType Serial
SecAuditLog logs/mod_security2.log
## -- General rules --------------------
SecRule ARGS "c:/" t:normalisePathWin
SecRule ARGS "\.\./" "t:normalisePathWin,id:99999,severity:4,msg:'Drive Access'"
SecRule ARGS "d:/" t:normalisePathWin
## -- phpBB attack --------------------
SecRule ARGS:highlight "(\x27|%27|\x2527|%2527)"
To check your mod_security, add the rule:
Call your site with:
http://www.xxxxcom/?abc=../../
You should get a access denied,
this triggered by the above rule SecRule ARGS "\.\./" t:normalisePathWin |
|
Back to top |
|
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
|
Posted: Sun 05 Dec '10 23:46 Post subject: |
|
|
thank you |
|
Back to top |
|
|
|
|
|
|