:: Shashank.net :: Personal Web

Extended Mod Security Rules

Continuing from the "Mod_Security :: How To" article, here are some more mod_security rules I think should be added.

<IfModule mod_security.c>
# Turn the filtering engine On or Off
SecFilterEngine On

# Change Server: string
SecServerSignature " "

# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On

# This setting should be set to On only if the Web site is
# using the Unicode encoding. Otherwise it may interfere with
# the normal Web site operation.
SecFilterCheckUnicodeEncoding Off

# Only allow bytes from this range
SecFilterForceByteRange 1 255

# The audit engine works independently and
# can be turned On or Off on the per-server or
# on the per-directory basis. "On" will log everything,
# "DynamicOrRelevant" will log dynamic requests or violations,
# and "RelevantOnly" will only log policy violations
SecAuditEngine RelevantOnly

# The name of the audit log file
SecAuditLog /var/log/audit_log

# Should mod_security inspect POST payloads
SecFilterScanPOST On

# Action to take by default. Only the last SecFilterDefaultAction in a
# context takes effect: with the second line active, every match would be
# passed through (after running the script) and the deny would never fire,
# so keep exactly one of the two.
SecFilterDefaultAction "deny,log,status:500"
# SecFilterDefaultAction "pass,exec:/home/security.php"

# Require HTTP_USER_AGENT and HTTP_HOST in all requests
#SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"
# This causes problems with some php scripts so commented out


# Weaker XSS protection but allows common HTML tags
SecFilter "<[[:space:]]*script"

# Very crude filters to prevent SQL injection attacks
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"

# Block references to system paths. These are plain substring matches
# anywhere in the request, so "/etc" also catches "/etcetera".
SecFilter /boot
# SecFilter /bin
SecFilter /dev
SecFilter /etc
SecFilter /initrd
SecFilter /lib
SecFilter /lost+found
SecFilter /misc
SecFilter /mnt
SecFilter /proc
SecFilter /root
SecFilter /sbin
SecFilter /scripts
SecFilter /tmp
# SecFilter /usr
SecFilter /usr/local/apache
SecFilter /usr/local/cpanel
SecFilter /usr/local/mysql
SecFilter /var


# Protecting from XSS attacks through the PHP session cookie.
# This assumes the usual lowercase hexadecimal session ids; with
# session.hash_bits_per_character set to 6, ids also contain uppercase
# letters, "-" and "," and would be rejected by these two rules.
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"

# WEB-ATTACKS ps command attempt
SecFilterSelective THE_REQUEST "/bin/ps"

# WEB-ATTACKS /bin/ps command attempt
SecFilterSelective THE_REQUEST "ps\x20"

# WEB-ATTACKS wget command attempt
SecFilter "wget\x20"

# WEB-ATTACKS uname -a command attempt
SecFilter "uname\x20-a"

# WEB-ATTACKS /usr/bin/id command attempt
SecFilterSelective THE_REQUEST "/usr/bin/id"

# WEB-ATTACKS id command attempt
SecFilter "\;id"

# WEB-ATTACKS kill command attempt
SecFilterSelective THE_REQUEST "/bin/kill"

# WEB-ATTACKS chsh command attempt
SecFilterSelective THE_REQUEST "/usr/bin/chsh"

# WEB-ATTACKS tftp command attempt
SecFilter "tftp\x20"

# WEB-ATTACKS /usr/bin/gcc command attempt
SecFilterSelective THE_REQUEST "/usr/bin/gcc"

# WEB-ATTACKS gcc command attempt
SecFilter "gcc\x20-o"

# WEB-ATTACKS /usr/bin/cc command attempt
SecFilterSelective THE_REQUEST "/usr/bin/cc"

# WEB-ATTACKS cc command attempt
SecFilter "cc\x20"

# WEB-ATTACKS /usr/bin/cpp command attempt
SecFilterSelective THE_REQUEST "/usr/bin/cpp"

# WEB-ATTACKS cpp command attempt
SecFilter "cpp\x20"

# WEB-ATTACKS /usr/bin/g++ command attempt
SecFilterSelective THE_REQUEST "/usr/bin/g\+\+"

# WEB-ATTACKS g++ command attempt
SecFilter "g\+\+\x20"

# WEB-ATTACKS bin/python access attempt
SecFilterSelective THE_REQUEST "bin/python"

# WEB-ATTACKS python access attempt
SecFilter "python\x20"

# WEB-ATTACKS bin/tclsh execution attempt
SecFilter "bin/tclsh"

# WEB-ATTACKS tclsh execution attempt
SecFilter "tclsh8\x20"

# WEB-ATTACKS bin/nasm command attempt
SecFilterSelective THE_REQUEST "bin/nasm"

# WEB-ATTACKS nasm command attempt
SecFilter "nasm\x20"

# WEB-ATTACKS perl execution attempt
SecFilter "perl\x20"

# WEB-ATTACKS traceroute command attempt
SecFilter "traceroute\x20"

# WEB-ATTACKS ping command attempt
SecFilterSelective THE_REQUEST "/bin/ping"

# WEB-ATTACKS netcat command attempt
SecFilter "nc\x20"

# WEB-ATTACKS nmap command attempt
SecFilter "nmap\x20"

# WEB-ATTACKS xterm command attempt
SecFilterSelective THE_REQUEST "/usr/X11R6/bin/xterm"

# WEB-ATTACKS X application to remote host attempt
SecFilter "\x20-display\x20"

# WEB-ATTACKS lsof command attempt
SecFilter "lsof\x20"

# WEB-ATTACKS rm command attempt
SecFilter "rm\x20"

# WEB-ATTACKS mail command attempt
SecFilterSelective THE_REQUEST "/bin/mail"

# WEB-ATTACKS /bin/ls command attempt
SecFilterSelective THE_REQUEST "/bin/ls"

# WEB-ATTACKS /etc/shadow access
SecFilter "/etc/shadow"

# WEB-ATTACKS .htgroup access
SecFilterSelective THE_REQUEST "\.htgroup"

# WEB-CGI websitepro path access
SecFilter " /HTTP/1\."

# WEB-CGI formmail arbitrary command execution attempt
SecFilterSelective THE_REQUEST "/formmail" chain
SecFilter "\x0a"

# WEB-CGI formmail access
SecFilterSelective THE_REQUEST "/formmail" log,pass

# WEB-CGI phf arbitrary command execution attempt
SecFilterSelective THE_REQUEST "/phf" chain
SecFilter "\x0a/"

# WEB-CGI phf access
SecFilterSelective THE_REQUEST "/phf" log,pass

# WEB-CGI rksh access
SecFilterSelective THE_REQUEST "/rksh"

# WEB-CGI bash access
SecFilterSelective THE_REQUEST "/bash" log,pass

# WEB-CGI zsh access
SecFilterSelective THE_REQUEST "/zsh"

# WEB-CGI csh access
SecFilterSelective THE_REQUEST "/csh"

# WEB-CGI tcsh access
SecFilterSelective THE_REQUEST "/tcsh"

# WEB-CGI rsh access
SecFilterSelective THE_REQUEST "/rsh"

# WEB-CGI ksh access
SecFilterSelective THE_REQUEST "/ksh"

# WEB-CLIENT Javascript URL host spoofing attempt
SecFilter "javascript\://"

# WEB-FRONTPAGE fpsrvadm.exe access
SecFilterSelective THE_REQUEST "/fpsrvadm\.exe" log,pass

# WEB-FRONTPAGE fpremadm.exe access
SecFilterSelective THE_REQUEST "/fpremadm\.exe" log,pass

# WEB-FRONTPAGE fpadmin.htm access
SecFilterSelective THE_REQUEST "/admisapi/fpadmin\.htm" log,pass

# WEB-FRONTPAGE fpadmcgi.exe access
SecFilterSelective THE_REQUEST "/scripts/Fpadmcgi\.exe" log,pass

# WEB-FRONTPAGE orders.txt access
SecFilterSelective THE_REQUEST "/_private/orders\.txt" log,pass

# WEB-FRONTPAGE form_results access
SecFilterSelective THE_REQUEST "/_private/form_results\.txt" log,pass

# WEB-FRONTPAGE registrations.htm access
SecFilterSelective THE_REQUEST "/_private/registrations\.htm" log,pass

# WEB-FRONTPAGE cfgwiz.exe access
SecFilterSelective THE_REQUEST "/cfgwiz\.exe" log,pass

# WEB-FRONTPAGE authors.pwd access
SecFilterSelective THE_REQUEST "/authors\.pwd" log,pass

# WEB-FRONTPAGE author.exe access
SecFilterSelective THE_REQUEST "/_vti_bin/_vti_aut/author\.exe" log,pass

# WEB-FRONTPAGE administrators.pwd access
SecFilterSelective THE_REQUEST "/administrators\.pwd" log,pass

# WEB-FRONTPAGE form_results.htm access
SecFilterSelective THE_REQUEST "/_private/form_results\.htm" log,pass

# WEB-FRONTPAGE access.cnf access
SecFilterSelective THE_REQUEST "/_vti_pvt/access\.cnf" log,pass

# WEB-FRONTPAGE register.txt access
SecFilterSelective THE_REQUEST "/_private/register\.txt" log,pass

# WEB-FRONTPAGE registrations.txt access
SecFilterSelective THE_REQUEST "/_private/registrations\.txt" log,pass

# WEB-FRONTPAGE service.cnf access
SecFilterSelective THE_REQUEST "/_vti_pvt/service\.cnf" log,pass

# WEB-FRONTPAGE service.pwd
SecFilterSelective THE_REQUEST "/service\.pwd" log,pass

# WEB-FRONTPAGE service.stp access
SecFilterSelective THE_REQUEST "/_vti_pvt/service\.stp" log,pass

# WEB-FRONTPAGE services.cnf access
SecFilterSelective THE_REQUEST "/_vti_pvt/services\.cnf" log,pass

# WEB-FRONTPAGE shtml.exe access
SecFilterSelective THE_REQUEST "/_vti_bin/shtml\.exe" log,pass

# WEB-FRONTPAGE svcacl.cnf access
SecFilterSelective THE_REQUEST "/_vti_pvt/svcacl\.cnf" log,pass

# WEB-FRONTPAGE users.pwd access
SecFilterSelective THE_REQUEST "/users\.pwd" log,pass

# WEB-FRONTPAGE writeto.cnf access
SecFilterSelective THE_REQUEST "/_vti_pvt/writeto\.cnf" log,pass

# WEB-FRONTPAGE dvwssr.dll access
SecFilterSelective THE_REQUEST "/dvwssr\.dll" log,pass

# WEB-FRONTPAGE register.htm access
SecFilterSelective THE_REQUEST "/_private/register\.htm" log,pass

# WEB-FRONTPAGE /_vti_bin/ access
SecFilterSelective THE_REQUEST "/_vti_bin/" log,pass

# WEB-MISC cross site scripting (img src=javascript) attempt
SecFilter "img src=javascript"

# WEB-MISC .htpasswd access
SecFilter "\.htpasswd"

# WEB-MISC .htaccess access
SecFilter "\.htaccess"

# WEB-MISC cd..
SecFilter "cd\.\."

# WEB-MISC ///cgi-bin access
SecFilterSelective THE_REQUEST "///cgi-bin"

SecUploadDir /tmp
</IfModule>

Additions always welcome. :-)
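As an added example that is not part of the original article or of mod_security itself, the Python script below replays a handful of the rules above against constructed requests. It assumes mod_security 1.x semantics that the article does not spell out: patterns are case-insensitive PCRE applied to the URL-decoded request, SecFilter covers the request line and POST body, SecFilterSelective THE_REQUEST covers only the request line, and a "chain" matches when every condition in it does. The point it makes is why the crude "rm\x20"-style filters need tuning before use on a live site: an ordinary contact-form submission containing "form data" trips the rm rule, while a genuine "/bin/ls" probe and a formmail newline injection are caught as intended.

```python
"""Offline checker for a few of the SecFilter rules in the article.

Added example, not code from the article or from mod_security. The matching
semantics below are assumptions about mod_security 1.x, not verified against it.
"""
from __future__ import annotations

import re
from urllib.parse import unquote

# A subset of the article's rules as (name, [(scope, pattern), ...]).
# Scope "ANY" stands for SecFilter (request line or POST body),
# "THE_REQUEST" for SecFilterSelective THE_REQUEST (request line only).
# A rule with two conditions models a "chain": both must match.
RULES = [
    ("xss script tag",           [("ANY", r"<[[:space:]]*script")]),
    ("sql delete",               [("ANY", r"delete[[:space:]]+from")]),
    ("/etc path",                [("ANY", r"/etc")]),
    ("rm command attempt",       [("ANY", r"rm\x20")]),
    ("nc command attempt",       [("ANY", r"nc\x20")]),
    ("/bin/ls command attempt",  [("THE_REQUEST", r"/bin/ls")]),
    ("formmail injection",       [("THE_REQUEST", r"/formmail"), ("ANY", r"\x0a")]),
    ("formmail access",          [("THE_REQUEST", r"/formmail")]),
]


def compile_rule(pattern: str) -> re.Pattern:
    """Turn an article pattern into a Python regex.

    Python's re has no POSIX [[:space:]] class, so it is rewritten to \\s;
    \\x20 (space) and \\x0a (newline) are understood as they are in PCRE.
    Assumed: mod_security 1.x matches case-insensitively.
    """
    return re.compile(pattern.replace("[[:space:]]", r"\s"), re.IGNORECASE)


def matching_rules(request_line: str, body: str = "") -> list[str]:
    """Return the names of every rule whose conditions all match the decoded request."""
    decoded_line = unquote(request_line)      # assumed: engine URL-decodes before matching
    decoded_body = unquote(body)
    scopes = {
        "THE_REQUEST": [decoded_line],
        "ANY": [decoded_line, decoded_body],  # searched separately, never concatenated
    }
    hits = []
    for name, conditions in RULES:
        if all(
            any(compile_rule(pattern).search(part) for part in scopes[scope])
            for scope, pattern in conditions
        ):
            hits.append(name)
    return hits


# Constructed sample requests (not real traffic).
BENIGN = "GET /contact.php?msg=please%20confirm%20the%20form%20data HTTP/1.1"
ENUMERATION = "GET /cgi-bin/test.cgi?cmd=/bin/ls%20-la%20/etc HTTP/1.1"
FORMMAIL = ("POST /cgi-bin/formmail.pl HTTP/1.1", "email=a%40b.com%0aBcc%3Aother")

if __name__ == "__main__":
    # The benign request is blocked only because "form data" contains "rm ".
    print("benign     :", matching_rules(BENIGN))
    print("enumeration:", matching_rules(ENUMERATION))
    print("formmail   :", matching_rules(*FORMMAIL))
```

Running it prints one false positive for the benign request and the expected hits for the other two. The fix on the live ruleset is the usual one: anchor the command-style patterns to a word boundary or a shell metacharacter (for example `[;|&\s]rm\x20`) rather than matching the bare substring, and keep the audit log on "RelevantOnly" while tuning so every block is reviewable.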


    University of California, Los Angeles, Professor of Psychiatry  Dr. Gary Small plays with a digital memory electronic device at his office at the Semel Institute for Neuroscience & Human Behavior in Westwood, Calif., on Monday, Dec. 1, 2008. (AP Photo/Damian Dovarganes)AP - What does a teenage brain on Google look like? Do all those hours spent online rewire the circuitry? Could these kids even relate better to emoticons than to real people? These sound like concerns from worried parents. But they're coming from brain scientists.