logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Third-party Modules View previous topic :: View next topic
Reply to topic   Topic: modsecurity precaution to php warning
Author
blasto



Joined: 21 Mar 2006
Posts: 3

PostPosted: Tue 21 Mar '06 14:16    Post subject: modsecurity precaution to php warning Reply with quote

Hi,
first of all this lounge seems to be pretty neat and good looking Smile here is my question:
I've been running a mambo site (xp+apache+php+mysql+mambo) for a while without any problems, as site became more popular I've installed the modsecurity module to increase the security. I'm using it with bundled rules and nowadays I'm reading some php warning messages from apache error.log, like;

[client 195.140.135.146] PHP Warning: main(http://ess.trix.net/therules.dat): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden\r\n in http://dustaush.com/thefive/tool.gif?/includes/HTML_toolbar.php on line 13
[client 195.140.135.146] PHP Warning: main(): Failed opening 'http://ess.trix.net/therules.dat' for inclusion (include_path='.;c:\\php4\\pear') in http://dustaush.com/thefive/tool.gif?/includes/HTML_toolbar.php on line 13

[client 200.67.229.226] PHP Warning: main(?/includes/HTML_toolbar.php): failed to open stream: No such file or directory in \\www\\contenttab.php on line 13
[client 200.67.229.226] PHP Fatal error: main(): Failed opening required '?/includes/HTML_toolbar.php' (include_path='.;c:\\php4\\pear') in \\www\\contenttab.php on line 13

How should I define modsecurity new rules to match these patterns and deny them before php gives warnings and fatal errors? thanks
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7360
Location: Germany, Next to Hamburg

PostPosted: Tue 21 Mar '06 15:50    Post subject: Reply with quote

I don't know how the config from mod_security is, but to fight the symtoms:

in your php.ini you can turn off the displaying off errors caused by PHP
display_errors = off
For your security log the errors

log_errors = On
error_log = C:\logs\myphperror.log

This prevent PHP to send errors.

Second idea is to change the errordocuments from Apache

ErrorDocument 401 /thefive/index.php
ErrorDocument 403 /thefive/index.php
ErrorDocument 404 /thefive/index.php

How does the config of mod_security look?
Back to top
blasto



Joined: 21 Mar 2006
Posts: 3

PostPosted: Tue 21 Mar '06 16:21    Post subject: Reply with quote

hi,
those warning and error messages are already from apache error.log file, nothing is printed out to the browser. the log points that these are attacks and carried on by some bot or someone, I'm asking how to prevent these attacks with modsecurity... BTW those urls (dustaush.com , ess.trix.net) do not belong to me, I guess they are what is called cross sites, hosting some kind of compromised code to redirect attacks.. below is my modsecurity config which catches most of the similar type of crossite attacks.
thanks...

<IfModule mod_security.c>
# Turn ModSecurity On
SecFilterEngine On
SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilterCheckUnicodeEncoding Off
# Accept almost all byte values
SecFilterForceByteRange 1 255
#SecUploadDir logs
#SecUploadKeepFiles Off
# Only record the interesting stuff
SecAuditEngine RelevantOnly
SecAuditLog c:/inet/logs/security.log

## -- Common attacks --------------------
SecFilterDefaultAction "deny,log,msg:'Common attacks',status:403"
#Web Proxy GET Request
SecFilter "^GET (http|https|ftp)\:/"
#Web Proxy HEAD Request
SecFilter "^HEAD (http|https|ftp)\:/"
#Proxy POST Request
SecFilter "^POST (http|https|ftp)\:/"
#Proxy CONNECT Request
SecFilterSelective THE_REQUEST "^CONNECT "
# Only accept request encodings we know how to handle.
SecFilterSelective REQUEST_METHOD "!^(GET|HEAD)$" chain
SecFilterSelective HTTP_Content-Type "!(^application/x-www-form-urlencoded$|^multipart/form-data;)"
# Do not accept GET or HEAD requests with bodies
SecFilterSelective REQUEST_METHOD "^(GET|HEAD)$" chain
SecFilterSelective HTTP_Content-Length "!^$"
# Restrict which request methods can be used
SecFilterSelective REQUEST_METHOD "!^(GET|HEAD|POST)$"
# Restrict protocol versions.
SecFilterSelective SERVER_PROTOCOL "!^HTTP/(0\.9|1\.0|1\.1)$"
# Require Content-Length to be provided with every POST request.
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"
# Don't accept transfer encodings we know we don't know how to handle
SecFilterSelective HTTP_Transfer-Encoding "!^$"

## -- PHP attacks --------------------
SecFilterSignatureAction "log,deny,msg:'PHP attack'"
# Possible code execution attack (targets valid PHP streams constructs)
SecFilterSelective ARGS_NAMES "^php:/"
#phpBB attack
SecFilterSelective ARG_highlight "(\x27|%27|\x2527|%2527)"

## -- SQL Injection Attacks --------------------
SecFilterSignatureAction "log,deny,msg:'SQL Injection attack'"
# Generic
SecFilterSelective ARGS "delete[[:space:]]+from"
SecFilterSelective ARGS "drop[[:space:]]+database"
SecFilterSelective ARGS "drop[[:space:]]+table"
SecFilterSelective ARGS "drop[[:space:]]+column"
SecFilterSelective ARGS "drop[[:space:]]+procedure"
SecFilterSelective ARGS "create[[::space:]]+table"
SecFilterSelective ARGS "update.+set.+="
SecFilterSelective ARGS "insert[[:space:]]+into.+values"
SecFilterSelective ARGS "select.+from"
SecFilterSelective ARGS "bulk[[:space:]]+insert"
SecFilterSelective ARGS "union.+select"
SecFilterSelective ARGS "or.+1[[:space:]]*=[[:space:]]1"
SecFilterSelective ARGS "alter[[:space:]]+table"
SecFilterSelective ARGS "or 1=1--'"
SecFilterSelective ARGS "'.+--"

# MySQL
SecFilterSelective ARGS "into[[:space:]]+outfile"
SecFilterSelective ARGS "load[[:space:]]+data
SecFilterSelective ARGS "/\*.+\*/"

## -- Command execution --------------------
SecFilterSignatureAction "log,deny,msg:'Command execution attack'"
SecFilterSelective ARGS_VALUES "^(uname|id|ls|rm|kill)"
SecFilterSelective ARGS_VALUES "^(ls|id|pwd|wget)"
SecFilterSelective ARGS_VALUES ";[[:space:]]*(ls|id|pwd|wget)"
#Common windows extensions that could be bad, comment out what you can use
SecFilterSelective REQUEST_URI "(\.cmd|\.bat|\.htw|\.ida|\.idq|\.htr|\.idc|\.printer|\.ini|\.pol|\.dat|\.cfg|\.idx|\.dll|\.inf|\.mdb|\.mde|\.msi|\.reg|\.scr)"
</IfModule>
Back to top


Reply to topic   Topic: modsecurity precaution to php warning View previous topic :: View next topic
Post new topic   Forum Index -> Third-party Modules