Topic: mod_sec rules issue
Author
rebelo



Joined: 06 May 2007
Posts: 6

Posted: Mon 21 Jan '08 21:04    Post subject: mod_sec rules issue

Hi.

Trying to upgrade mod_sec from 1.9.4 to 2.1 but unable to restart Apache and not even getting an error that could help.
Have done some digging and believe it's due to some rules that are different for the 2.1.
Have so far discovered that SecFilterEngine On should be SecRuleFilter On.
Would anyone mind taking a look and helping with the other changes to be done in modsec.conf?

Tks in advance.


SecFilterEngine On

# Reject requests with status 406
SecFilterDefaultAction "deny,log,status:406"

# Some sane defaults
SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilterCheckCookieFormat On
SecFilterCheckUnicodeEncoding Off
SecFilterNormalizeCookies On
# Enable version 1 (RFC 2965) cookies
SecFilterCookieFormat 1

# If you want to scan the output, uncomment these
#SecFilterScanOutput On
#SecFilterOutputMimeTypes "(null) text/html text/plain"

# Accept almost all byte values
SecFilterForceByteRange 1 255

# Server masking is optional
# Fake server banner - NOYB used - no one needs to know what we are using
SecServerSignature "Apache"

#SecUploadDir /htdocs/tmp
SecUploadKeepFiles Off

# Only record the interesting stuff
SecAuditEngine RelevantOnly
#SecAuditLog logs/modsec_audit.log

# You normally won't need debug logging
#SecFilterDebugLevel 0
#SecFilterDebugLog logs/modsec_debug.log
rebelo



Joined: 06 May 2007
Posts: 6

Posted: Mon 21 Jan '08 21:42    Post subject:

Ok, got it.
Have changed rules to:

-----------------------------------------
SecRuleEngine On

SecDefaultAction "deny,phase:1,status:403"

SecRule REQUEST_URI ^http:/ "id:60014,severity:2,msg:'http Proxy access attempt'"

# Do not accept GET or HEAD requests with bodies
SecRule REQUEST_METHOD "^(GET|HEAD)$" "chain,id:60011,severity:2,msg:'GET or HEAD requests with bodies'"
SecRule REQUEST_HEADERS:Content-Length "!^0?$"

# Restrict which request methods can be used
SecRule REQUEST_METHOD "!^((?:(?:POS|GE)T|HEAD))$" "phase:1,id:60032,severity:2,msg:'Method is not allowed by policy'"

# Restrict protocol versions.
SecRule REQUEST_PROTOCOL "!^HTTP/(0\.9|1\.0|1\.1)$" "id:60034,severity:2,msg:'HTTP protocol version is not allowed by policy'"

# Don't accept transfer encodings we know we don't know how to handle
SecRule HTTP_Transfer-Encoding "!^$" "id:60013,severity:1,msg:'ModSecurity does not support transfer encodings'"

SecDefaultAction "deny,phase:2,status:403,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"

SecRule ARGS:page "^http" "id:90000,severity:4,msg:'Arg_page with http'"
SecRule ARGS_NAMES "configdir" "id:90001,severity:4,msg:'Awstats attack'"
SecRule ARGS_NAMES "^php:/" "id:90002,severity:4,msg:'php attack'"
SecRule ARGS:highlight "(\x27|%27|\x2527|%2527)" "id:90003,severity:4,msg:'phpBB attack'"
SecRule ARGS:phpbb_root_path "http" "id:90003,severity:4,msg:'phpBB rootpath attack'"
SecRule ARGS:mosConfig_absolute_path "http" "id:90004,severity:4,msg:'Joomla'"
SecRule ARGS:sbp "http" "id:90004,severity:4,msg:'Joomla'"
SecRule ARGS:task "vote" "id:90004,severity:4,msg:'Joomla'"

SecRule ARGS "c:/" "t:normalisePathWin,id:50904,severity:4,msg:'Drive Access'"
SecRule ARGS "\.\./" "t:normalisePathWin,id:50904,severity:4,msg:'Drive Access'"
SecRule ARGS "f:/" "t:normalisePathWin,id:50904,severity:4,msg:'Drive Access'"


## -- SQL Injection Attacks --------------------------------------------------

# Generic
SecRule ARGS "delete[[:space:]]+from"
SecRule ARGS "drop[[:space:]]+database"
SecRule ARGS "drop[[:space:]]+table"
SecRule ARGS "drop[[:space:]]+column"
SecRule ARGS "truncate[[:space:]]+table"
SecRule ARGS "create[[:space:]]+table"
SecRule ARGS "update.+set.+="
SecRule ARGS "insert[[:space:]]+into.+values"
SecRule ARGS "select.+from"
SecRule ARGS "bulk[[:space:]]+insert"
SecRule ARGS "union.+select"
SecRule ARGS "or.+1[[:space:]]*=[[:space:]]1"
SecRule ARGS "alter[[:space:]]+table"
SecRule ARGS "or 1=1--'"
SecRule ARGS "'.+--"

# MySQL
SecRule ARGS "into[[:space:]]+outfile"
SecRule ARGS "load[[:space:]]+data"
SecRule ARGS "/\*.+\*/"
-----------------------------------------

This is a small office server with an html web page with a small php online shop and a cgi based ticket script.
Any other rules that anyone could kindly suggest?
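A pre-restart check for the two kinds of problem in this thread, 1.x `SecFilter*` directives left in the file and hand-editing slips in the 2.x rules, written as an added example (it is not from the thread or from the ModSecurity project). The `lint` function, the `V1_TO_V2` table and the sample config are constructed for illustration, and the check assumes one directive per line with no backslash continuations.

```python
import re
# ModSecurity 1.x directive -> what takes its place in 2.x.
V1_TO_V2 = {
    "SecFilterEngine": "SecRuleEngine", "SecFilterDefaultAction": "SecDefaultAction",
    "SecFilterScanPOST": "SecRequestBodyAccess", "SecFilterCookieFormat": "SecCookieFormat",
    "SecFilterScanOutput": "SecResponseBodyAccess", "SecFilterOutputMimeTypes": "SecResponseBodyMimeType",
    "SecFilterDebugLog": "SecDebugLog", "SecFilterDebugLevel": "SecDebugLogLevel",
    "SecFilterCheckURLEncoding": "a SecRule with @validateUrlEncoding",
    "SecFilterCheckUnicodeEncoding": "a SecRule with @validateUtf8Encoding",
    "SecFilterForceByteRange": "a SecRule with @validateByteRange",
}
POSIX_NAMES = set("alnum alpha ascii blank cntrl digit graph lower print punct "
                  "space upper word xdigit".split())

def lint(conf_text):
    """Return (line_number, message) findings for a ModSecurity config."""
    findings, seen_ids = [], {}
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are ignored by Apache
        directive = line.split()[0]
        if directive.startswith("SecFilter"):  # no 2.x directive has this prefix
            hint = V1_TO_V2.get(directive, "no direct 2.x equivalent")
            findings.append((no, f"{directive} is 1.x only; 2.x: {hint}"))
        # An odd count of unescaped double quotes is an unterminated argument.
        if len(re.findall(r'(?<!\\)"', line)) % 2:
            findings.append((no, "unbalanced double quote"))
        # Whatever sits between [: and :] must be a POSIX class name PCRE knows.
        for name in re.findall(r"\[:([^\]]*?):\]", line):
            if name.lstrip("^") not in POSIX_NAMES:
                findings.append((no, f"unknown POSIX class [:{name}:]"))
        # Reused ids make audit-log entries and SecRuleRemoveById ambiguous.
        for rule_id in re.findall(r"\bid:'?(\d+)", line):
            if rule_id in seen_ids:
                findings.append((no, f"id {rule_id} already used on line {seen_ids[rule_id]}"))
            seen_ids.setdefault(rule_id, no)
    return findings

# Constructed sample: 1.x directives plus typical hand-editing slips.
SAMPLE = '''SecFilterEngine On
SecFilterScanPOST On
SecRule ARGS:a "http" "id:90004,severity:4,msg:'x'"
SecRule ARGS:b "http" "id:90004,severity:4,msg:'y'"
SecRule ARGS "create[[::space:]]+table"
SecRule ARGS "load[[:space:]]+data
'''
if __name__ == "__main__":
    print("\n".join(f"line {n}: {m}" for n, m in lint(SAMPLE)))
```

Running `httpd -t` afterwards checks the same file with Apache's own parser before a restart is attempted.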