Topic: modsecurity precaution to php warning |
blasto
Joined: 21 Mar 2006 Posts: 3
Posted: Tue 21 Mar '06 14:16 Post subject: modsecurity precaution to php warning
Hi,
First of all, this lounge seems to be pretty neat and good looking. Here is my question:
I've been running a Mambo site (xp+apache+php+mysql+mambo) for a while without any problems. As the site became more popular I installed the modsecurity module to increase security. I'm using it with the bundled rules, and nowadays I'm reading some PHP warning messages in the Apache error.log, like:
[client 195.140.135.146] PHP Warning: main(http://ess.trix.net/therules.dat): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden\r\n in http://dustaush.com/thefive/tool.gif?/includes/HTML_toolbar.php on line 13
[client 195.140.135.146] PHP Warning: main(): Failed opening 'http://ess.trix.net/therules.dat' for inclusion (include_path='.;c:\\php4\\pear') in http://dustaush.com/thefive/tool.gif?/includes/HTML_toolbar.php on line 13
[client 200.67.229.226] PHP Warning: main(?/includes/HTML_toolbar.php): failed to open stream: No such file or directory in \\www\\contenttab.php on line 13
[client 200.67.229.226] PHP Fatal error: main(): Failed opening required '?/includes/HTML_toolbar.php' (include_path='.;c:\\php4\\pear') in \\www\\contenttab.php on line 13
How should I define new modsecurity rules to match these patterns and deny them before PHP gives warnings and fatal errors? Thanks.
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7360 Location: Germany, Next to Hamburg
Posted: Tue 21 Mar '06 15:50 Post subject:
I don't know what the config for mod_security is, but to fight the symptoms:
In your php.ini you can turn off the displaying of errors caused by PHP:
display_errors = off
For your security, log the errors:
log_errors = On
error_log = C:\logs\myphperror.log
This prevents PHP from sending errors.
A second idea is to change the ErrorDocuments in Apache:
ErrorDocument 401 /thefive/index.php
ErrorDocument 403 /thefive/index.php
ErrorDocument 404 /thefive/index.php
How does the config of mod_security look?
blasto
Joined: 21 Mar 2006 Posts: 3
Posted: Tue 21 Mar '06 16:21 Post subject:
Hi,
Those warning and error messages are already from the Apache error.log file; nothing is printed out to the browser. The log shows that these are attacks, carried out by some bot or someone, and I'm asking how to prevent these attacks with modsecurity... BTW, those URLs (dustaush.com, ess.trix.net) do not belong to me; I guess they are what is called cross sites, hosting some kind of compromised code to redirect attacks. Below is my modsecurity config, which catches most of the similar types of cross-site attacks.
Thanks...
<IfModule mod_security.c>
# Turn ModSecurity On
SecFilterEngine On
SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilterCheckUnicodeEncoding Off
# Accept almost all byte values
SecFilterForceByteRange 1 255
#SecUploadDir logs
#SecUploadKeepFiles Off
# Only record the interesting stuff
SecAuditEngine RelevantOnly
SecAuditLog c:/inet/logs/security.log
## -- Common attacks --------------------
SecFilterDefaultAction "deny,log,msg:'Common attacks',status:403"
#Web Proxy GET Request
SecFilter "^GET (http|https|ftp)\:/"
#Web Proxy HEAD Request
SecFilter "^HEAD (http|https|ftp)\:/"
#Proxy POST Request
SecFilter "^POST (http|https|ftp)\:/"
#Proxy CONNECT Request
SecFilterSelective THE_REQUEST "^CONNECT "
# Only accept request encodings we know how to handle.
SecFilterSelective REQUEST_METHOD "!^(GET|HEAD)$" chain
SecFilterSelective HTTP_Content-Type "!(^application/x-www-form-urlencoded$|^multipart/form-data;)"
# Do not accept GET or HEAD requests with bodies
SecFilterSelective REQUEST_METHOD "^(GET|HEAD)$" chain
SecFilterSelective HTTP_Content-Length "!^$"
# Restrict which request methods can be used
SecFilterSelective REQUEST_METHOD "!^(GET|HEAD|POST)$"
# Restrict protocol versions.
SecFilterSelective SERVER_PROTOCOL "!^HTTP/(0\.9|1\.0|1\.1)$"
# Require Content-Length to be provided with every POST request.
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"
# Don't accept transfer encodings we know we don't know how to handle
SecFilterSelective HTTP_Transfer-Encoding "!^$"
## -- PHP attacks --------------------
SecFilterSignatureAction "log,deny,msg:'PHP attack'"
# Possible code execution attack (targets valid PHP streams constructs)
SecFilterSelective ARGS_NAMES "^php:/"
#phpBB attack
SecFilterSelective ARG_highlight "(\x27|%27|\x2527|%2527)"
## -- SQL Injection Attacks --------------------
SecFilterSignatureAction "log,deny,msg:'SQL Injection attack'"
# Generic
SecFilterSelective ARGS "delete[[:space:]]+from"
SecFilterSelective ARGS "drop[[:space:]]+database"
SecFilterSelective ARGS "drop[[:space:]]+table"
SecFilterSelective ARGS "drop[[:space:]]+column"
SecFilterSelective ARGS "drop[[:space:]]+procedure"
SecFilterSelective ARGS "create[[:space:]]+table"
SecFilterSelective ARGS "update.+set.+="
SecFilterSelective ARGS "insert[[:space:]]+into.+values"
SecFilterSelective ARGS "select.+from"
SecFilterSelective ARGS "bulk[[:space:]]+insert"
SecFilterSelective ARGS "union.+select"
SecFilterSelective ARGS "or.+1[[:space:]]*=[[:space:]]1"
SecFilterSelective ARGS "alter[[:space:]]+table"
SecFilterSelective ARGS "or 1=1--'"
SecFilterSelective ARGS "'.+--"
# MySQL
SecFilterSelective ARGS "into[[:space:]]+outfile"
SecFilterSelective ARGS "load[[:space:]]+data"
SecFilterSelective ARGS "/\*.+\*/"
## -- Command execution --------------------
SecFilterSignatureAction "log,deny,msg:'Command execution attack'"
SecFilterSelective ARGS_VALUES "^(uname|id|ls|rm|kill)"
SecFilterSelective ARGS_VALUES "^(ls|id|pwd|wget)"
SecFilterSelective ARGS_VALUES ";[[:space:]]*(ls|id|pwd|wget)"
#Common windows extensions that could be bad, comment out what you can use
SecFilterSelective REQUEST_URI "(\.cmd|\.bat|\.htw|\.ida|\.idq|\.htr|\.idc|\.printer|\.ini|\.pol|\.dat|\.cfg|\.idx|\.dll|\.inf|\.mdb|\.mde|\.msi|\.reg|\.scr)"
</IfModule>
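An added example (not from the thread, and not mod_security code) showing in Python what a rule on the argument value would have to match to stop the requests behind the PHP warnings quoted in the first post: it parses error.log lines of that shape, marks which include targets are remote URLs, and applies to a query string the same check a `SecFilterSelective ARGS_VALUES "^(https?|ftp)://"` line would apply in the 1.x syntax used in the config above. The log lines, client addresses and hostnames are constructed.

```python
import re
from urllib.parse import parse_qsl

# Same test a mod_security 1.x line such as
#   SecFilterSelective ARGS_VALUES "^(https?|ftp)://"
# would apply: an argument whose value is a remote URL, which PHP would then
# try to include (the 'failed to open stream: HTTP request failed' warnings).
REMOTE_URL = re.compile(r"^(https?|ftp)://", re.IGNORECASE)

# Two shapes of PHP include warning that appear in Apache error.log:
#   main(<target>): failed to open stream: ...
#   main(): Failed opening [required] '<target>' ...
LOG_LINE = re.compile(
    r"\[client (?P<ip>[^\]]+)\] PHP (?:Warning|Fatal error): "
    r"(?:main|include|require)(?:_once)?\((?P<inline>[^)]*)\)"
    r"(?:: Failed opening (?:required )?'(?P<quoted>[^']*)')?"
)

# Constructed sample log lines (documentation addresses and example.org, not real hosts).
SAMPLE_LOG = [
    "[client 192.0.2.10] PHP Warning: main(http://example.org/tool.gif?/includes/HTML_toolbar.php): "
    "failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden\\r\\n in C:\\www\\contenttab.php on line 13",
    "[client 192.0.2.10] PHP Warning: main(): Failed opening 'http://example.org/tool.gif?/includes/HTML_toolbar.php' "
    "for inclusion (include_path='.;c:\\php4\\pear') in C:\\www\\contenttab.php on line 13",
    "[client 198.51.100.7] PHP Fatal error: main(): Failed opening required '?/includes/HTML_toolbar.php' "
    "(include_path='.;c:\\php4\\pear') in C:\\www\\contenttab.php on line 13",
]

def include_attempts(log_lines):
    """Return (client_ip, include_target, is_remote) for every PHP include warning."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        target = m.group("inline") or m.group("quoted") or ""
        hits.append((m.group("ip"), target, bool(REMOTE_URL.match(target))))
    return hits

def flagged_args(query_string):
    """Names of query arguments the remote-URL filter would reject (checked after URL decoding)."""
    return [name for name, value in parse_qsl(query_string, keep_blank_values=True)
            if REMOTE_URL.match(value)]

if __name__ == "__main__":
    for ip, target, remote in include_attempts(SAMPLE_LOG):
        print(f"{ip:14} remote={remote!s:5} {target}")
    print(flagged_args("option=content&path=http://example.org/tool.gif?"))
```

The third sample line (a bare `?/includes/...` target) is not a remote URL, so a remote-URL filter alone would not have stopped that probe; it needs its own pattern.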