logo
Apache Lounge
Webmasters

 


About

Forum Index Downloads Search Register Log in  RSS Apache Lounge
 



Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Apache Lounge is not sponsored.

Your donations will help to keep this site alive and well, and continuing building binaries.



Mod Security 2 and GotRoot Rules

 
Post new topic   Reply to topic    Apache Forum Index -> How-to's & Documentation & Tips



View previous topic :: View next topic  
Author Message
strigoi



Joined: 15 Dec 2005
Posts: 36

PostPosted: Thu 18 Jan '07 22:40    Post subject: Mod Security 2 and GotRoot Rules Reply with quote

There seems to be alot of confusion surrounding the rules to be used in mod_security. so ive decided to make this post for mod_security beginners who need decent rules from the start, and also give them time to read documentation to understand how to write there rules, and tweak them.

im going to assume you have mod_security up and running, if you dont please search this forum.

first we need to make a new folder, ive chosen to make in it apache's conf folder, naming it security2.

now well visit gotroot and grab the latest mod_security Rules

Be Carefull to grab the appropriate rules, if your using mod security 1x's then use those.

extract the files into the newly created security2 folder.

there are 9 config files that we need to Include into mod_security.

here is how this is accomplished.

<IfModule mod_security2.c>

SecRuleEngine On
SecDefaultAction log,auditlog,deny,status:403,phase:2,t:lowercase,t:replaceNulls,t:compressWhitespace

SecAuditEngine RelevantOnly
SecAuditLogType Serial
SecAuditLog logs/mod_security2.log


## -- General rules --------------------

SecRule ARGS "c:/" t:normalisePathWin
SecRule ARGS "\.\./" t:normalisePathWin
SecRule ARGS "d:/" t:normalisePathWin

## -- phpBB attack --------------------
SecRule ARGS:highlight "(\x27|%27|\x2527|%2527)"

#GotRoot Exclude rules
Include conf/security2/exclude.conf

#GotRoot apache2 rules
Include conf/security2/apache2-rules.conf

#GotRoot blacklist rules
Include conf/security2/blacklist.conf

#GotRoot blacklist2 rules
Include conf/security2/blacklist2.conf

#GotRoot jitp rules
Include conf/security2/jitp.conf

#GotRoot recons rules
Include conf/security2/recons.conf

#GotRoot rootkits rules
Include conf/security2/rootkits.conf

#GotRoot rules
Include conf/security2/rules.conf

#GotRoot useragents rules
Include conf/security2/useragents.conf

</IfModule>

Exclude.conf MUST be loaded first per GotRoots instructions, ive left Stephans Default Rules in also.

this is just how easy it is to add some comprehensive rules to mod security 2 from the get go.

what this is NOT is universal, these rules may block legitimate traffic to your website, as ALL websites are not the same. you may need to adjust the rules and or exclude some.

as we cannot possibly go over every rule on a per site basis, if you run into an issue, look at the security log, then comment out the rule that is affecting legitimate traffic in its conf file, simply add a # in front to negate that rule, its just that simple.

also keep in mind memory and resource usage, for low resource systems, you may want to just use these.

exclude.conf
apache2-rules.conf
jitp.conf
recons.conf
rootkits.conf
rules.conf
useragents.conf

my server has 16 gigs memory, and dual 3.0Ghz xeons
so i prefer to run them all and hand edit the files.

i would like to thank Steffan for this very helpfull site, and all the contributors who took the time to post tutorials, and help others, ive learned far more then i ever expected from this site.

Vlad Tepes

President, PC-FX LLC.
Back to top
asdfgqw



Joined: 21 Jan 2007
Posts: 12

PostPosted: Sun 21 Jan '07 14:49    Post subject: Reply with quote

But you know that these rules are not even used by the Deutsche Bank or SUN for their servers.Mr. Green Yes i know they don´t use phpBB forums Razz

I am running a Windows Webserver for about 8 years, without mod_security and only protected with a Unix firwall and they never hacked my sites and actually i am running four Joomla CMSs and two phpBB boards which are hackers best friends Laughing

OK there have been attemps through the tor net or the german JAP, but you can block that with a firewall and not with mod_security.

P.S: Don´t use the rules on a Pentium III or older plus php, it would slow down the machine drastically.
Back to top
strigoi



Joined: 15 Dec 2005
Posts: 36

PostPosted: Mon 22 Jan '07 6:52    Post subject: correct Reply with quote

admittedly these rules may be extreeme overkill in many situations, and all rules will not be needed, any rules need to be looked at on a per site/webserver basis.

i also filter traffic thru a linux firewall, namely smoothwall with many mods.

what my post was not meant to be, was the end all be all solution to mod_security rules, as i stated.
Back to top
wesleywillians



Joined: 06 Jun 2008
Posts: 1

PostPosted: Fri 06 Jun '08 18:21    Post subject: r57shell Reply with quote

Hi folks,

I followed the instructions and my apache is running with mod_security2.
But I can see that i dont have anything writed in my mod_sec.log.

I upload a malicious script called r57shell to see if mod_security would block it. But I can execute this one normaly.

How do I know if my mod_security is working correctly. Why my logs are empty.

Kind Regards,
Wesley
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2123
Location: Sun Diego, USA

PostPosted: Fri 06 Jun '08 19:03    Post subject: Reply with quote

I find these littering my Apache error.log file

[Fri Jun 06 07:13:02 2008] [error] [client 143.167.169.10] ModSecurity: Access denied with code 500 (phase 2). Pattern match -snip- at REQUEST_BASENAME. -snip- [msg "URL file extension is restricted by policy" [tag "POLICY/EXT_RESTRICTED"] [hostname "www.mydomain.com"] [uri "/_vti_bin/owssvr.dll"] -snip-

This tells me that in my case it is working.
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 2581
Location: Hilversum, NL, EU

PostPosted: Fri 06 Jun '08 20:17    Post subject: Reply with quote

To check your mod_security, see few posts below the rule:


Call your site with:

http://www.xxxx.com/?abc=../../

You should get a access denied and in the log:

Code:

[Fri Jun 06 20:14:52 2008] [error] [client 77.250.60.183] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\\.\\./" at ARGS:abc. [file "D:/servers/apache/conf/httpd.conf"] [line "580"] [id "99999"] [msg "Drive Access"] [severity "WARNING"] [hostname "www.apachelounge.com"] [uri "/"] [unique_id "cCs1fsCoAAEAAAVkhmwAAABT"]


I go to update the readme in the download with above check.

Steffen


Last edited by Steffen on Sun 05 Dec '10 23:47; edited 1 time in total
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2123
Location: Sun Diego, USA

PostPosted: Sun 05 Dec '10 22:59    Post subject: Reply with quote

shouldn't this rule have a deny in it?
I was just testing 2.5.13 on Apache 2.3.10-dev and without the deny it lets the request pass.

Granted, I've hacked the mod to work with 2.3.x so I tested on a unhacked module on 2.2.17, same result, no 403, nothing in error log.

However, on both 2.2.17 & 2.3.10-dev, this does as it should, 403s and logs the error

SecRule ARGS "\.\./" "t:normalisePathWin,id:99999,severity:4,log,deny,msg:'Drive Access'"

2.2
[Sun Dec 05 12:37:16 2010] [error] [client ::1] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\\.\\./" at ARGS:abc. [file "C:/Apache22sni6/conf/extra/httpd-security.conf"] [line "40"] [id "99999"] [msg "Drive Access"] [severity "WARNING"] [hostname "localhost"] [uri "/"] [unique_id "TPv3-AoAAAMAABVMA3AAAAA9"]

2.3
[Sun Dec 05 13:35:29.534700 2010] [security2:error] [pid 840:tid 1112] [client ::1] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\\.\\./" at ARGS:abc. [file "C:/Apache2x/conf/extra/httpd-security.conf"] [line "65"] [id "99999"] [msg "Drive Access"] [severity "WARNING"] [hostname "localhost"] [uri "/"] [unique_id "TPwFoQoAAAMAAANIAFYAAAA7"]


Last edited by glsmith on Sun 05 Dec '10 23:45; edited 1 time in total
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 2581
Location: Hilversum, NL, EU

PostPosted: Sun 05 Dec '10 23:32    Post subject: Reply with quote

Do you have as in the readme:


SecDefaultAction log,auditlog,deny,status:403,phase:2,t:lowercase,t:replaceNulls,t:compressWhitespace


There is the deny.

Stefffen
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2123
Location: Sun Diego, USA

PostPosted: Sun 05 Dec '10 23:41    Post subject: Reply with quote

No, I don't. I wanted to test the module so knowing this thread is here, I came to it, copied and pasted that one single line.

Maybe you should edit the post above to include that tidbit of info?
People coming from google probably have not downloaded the module to read that in the included readme.
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 2581
Location: Hilversum, NL, EU

PostPosted: Sun 05 Dec '10 23:45    Post subject: Reply with quote

The complete quick start:

SecRuleEngine On
SecDefaultAction log,auditlog,deny,status:403,phase:2,t:lowercase,t:replaceNulls,t:compressWhitespace

SecAuditEngine RelevantOnly
SecAuditLogType Serial
SecAuditLog logs/mod_security2.log


## -- General rules --------------------

SecRule ARGS "c:/" t:normalisePathWin
SecRule ARGS "\.\./" "t:normalisePathWin,id:99999,severity:4,msg:'Drive Access'"
SecRule ARGS "d:/" t:normalisePathWin

## -- phpBB attack --------------------
SecRule ARGS:highlight "(\x27|%27|\x2527|%2527)"



To check your mod_security, add the rule:

Call your site with:

http://www.xxxxcom/?abc=../../

You should get a access denied,
this triggered by the above rule SecRule ARGS "\.\./" t:normalisePathWin
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2123
Location: Sun Diego, USA

PostPosted: Sun 05 Dec '10 23:46    Post subject: Reply with quote

thank you
Back to top


Post new topic   Reply to topic    Apache Forum Index -> How-to's & Documentation & Tips
Page 1 of 1