Apache Lounge
Webmasters
Forum Index -> Third-party Modules
Topic: RESOLVED - mod security settings....
strigoi
Joined: 15 Dec 2005
Posts: 36

Posted: Mon 08 Jan '07 11:02    Post subject: RESOLVED - mod security settings....

I think my logging got messed up somehow upgrading to the latest build of modsecurity for Apache 2.0.x.

Does this look OK? The security log hasn't changed in months; this is a very busy webserver, and the log was being written to daily... not anymore.
Thanks

LoadModule security2_module modules/mod_security2/mod_security2.so
LoadModule setenvif_module modules/mod_setenvif.so
#LoadModule speling_module modules/mod_speling.so
#LoadModule status_module modules/mod_status.so
LoadModule unique_id_module modules/mod_unique_id.so
LoadModule userdir_module modules/mod_userdir.so
#LoadModule usertrack_module modules/mod_usertrack.so
#LoadModule vhost_alias_module modules/mod_vhost_alias.so
#LoadModule ssl_module modules/mod_ssl.so
LoadModule log_rotate_module modules/mod_log_rotate/mod_log_rotate.so
RotateLogs On
RotateInterval 86400

<IfModule mod_security.c>

# Turn ModSecurity On
SecFilterEngine On
SecRuleEngine On
SecDefaultAction log,auditlog,deny,status:403,phase:2,t:lowercase,t:replaceNulls,t:compressWhitespace

#SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilterCheckUnicodeEncoding Off

# Accept almost all byte values
SecFilterForceByteRange 1 255

# Server masking is optional
# SecServerSignature "Steffen Smile"

#SecUploadDir logs
#SecUploadKeepFiles Off

# Only record the interesting stuff
SecAuditEngine RelevantOnly
SecAuditLogType Serial
SecAuditLog logs/mod_security2.log

## -- Common attacks --------------------

SecFilterDefaultAction "deny,log,msg:'Common attacks',status:403"

#Web Proxy GET Request
SecFilter "^GET (http|https|ftp)\:/"
#Web Proxy HEAD Request
SecFilter "^HEAD (http|https|ftp)\:/"
#Proxy POST Request
SecFilter "^POST (http|https|ftp)\:/"
#Proxy CONNECT Request
SecFilterSelective THE_REQUEST "^CONNECT "

# Only accept request encodings we know how to handle.
SecFilterSelective REQUEST_METHOD "!^(GET|HEAD)$" chain
SecFilterSelective HTTP_Content-Type "!(^application/x-www-form-urlencoded$|^multipart/form-data;)"

# Do not accept GET or HEAD requests with bodies
SecFilterSelective REQUEST_METHOD "^(GET|HEAD)$" chain
SecFilterSelective HTTP_Content-Length "!^$"

# Restrict which request methods can be used
SecFilterSelective REQUEST_METHOD "!^(GET|HEAD|POST)$"

# Restrict protocol versions.
SecFilterSelective SERVER_PROTOCOL "!^HTTP/(0\.9|1\.0|1\.1)$"

# Require Content-Length to be provided with every POST request.
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"

# Don't accept transfer encodings we know we don't know how to handle
SecFilterSelective HTTP_Transfer-Encoding "!^$"

## -- PHP attacks --------------------

SecFilterSignatureAction "log,deny,msg:'PHP attack'"

# Possible code execution attack (targets valid PHP streams constructs)
SecFilterSelective ARGS_NAMES "^php:/"

#phpBB attack
#SecFilterSelective ARG_highlight "(\x27|%27|\x2527|%2527)"
SecRule ARGS:highlight "(\x27|%27|\x2527|%2527)"

## -- SQL Injection Attacks --------------------

SecFilterSignatureAction "log,deny,msg:'SQL Injection attack'"

# Generic
SecFilterSelective ARGS "delete[[:space:]]+from"
SecFilterSelective ARGS "drop[[:space:]]+database"
SecFilterSelective ARGS "drop[[:space:]]+table"
SecFilterSelective ARGS "drop[[:space:]]+column"
SecFilterSelective ARGS "drop[[:space:]]+procedure"
SecFilterSelective ARGS "create[[:space:]]+table"
SecFilterSelective ARGS "update.+set.+="
SecFilterSelective ARGS "insert[[:space:]]+into.+values"
SecFilterSelective ARGS "select.+from"
SecFilterSelective ARGS "bulk[[:space:]]+insert"
SecFilterSelective ARGS "union.+select"
SecFilterSelective ARGS "or.+1[[:space:]]*=[[:space:]]1"
SecFilterSelective ARGS "alter[[:space:]]+table"
SecFilterSelective ARGS "or 1=1--'"
SecFilterSelective ARGS "'.+--"

# MySQL
SecFilterSelective ARGS "into[[:space:]]+outfile"
SecFilterSelective ARGS "load[[:space:]]+data"
SecFilterSelective ARGS "/\*.+\*/"


## -- Command execution --------------------

SecFilterSignatureAction "log,deny,msg:'Command execution attack'"

#SecFilterSelective ARGS_VALUES "^(uname|id|ls|cat|rm|kill)"
SecFilterSelective ARGS_VALUES "^(uname|id|ls|rm|kill)"
SecFilterSelective ARG_VALUES "^(ls|id|pwd|wget)"
SecFilterSelective ARG_VALUES ";[[:space:]]*(ls|id|pwd|wget)"

</IfModule>


Last edited by strigoi on Thu 18 Jan '07 22:42; edited 1 time in total
Steffen
Moderator
Joined: 15 Oct 2005
Posts: 3058
Location: Hilversum, NL, EU

Posted: Tue 09 Jan '07 21:19

I think it is better that you ask at the mod_security list, see https://lists.sourceforge.net/lists/listinfo/mod-security-users; the author is very helpful.

Steffen
strigoi
Joined: 15 Dec 2005
Posts: 36

Posted: Wed 10 Jan '07 0:35    Post subject: k

Well, the rules I got from here, and I'm sure they're fine; it's just that after a few upgrades to mod_security that I got from this site, it's not logging anything. I wanted to make sure it was on; the last log entry in sec.log was in June 2006.

I really just want to make sure it's running. Is there any way to test it, so it'll write to the log?

There was a sanity one I was using that always made it write to the log.

My main concern is that I don't think it's running. Any help would be appreciated.

I have subscribed to the link you posted also.

EDIT:
After looking deeper, this log does not even exist:
SecAuditLog logs/mod_security2.log
The log that is there, sec.log, is from a previous version I got from here, so I really don't think it is running.
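Note that the configuration posted above loads security2_module (source file mod_security2.c) yet guards every directive with <IfModule mod_security.c>, the ModSecurity 1.x module name, so Apache skips the whole block and nothing is ever configured to write logs/mod_security2.log (the SecFilter* directives inside it are also 1.x syntax that 2.x does not accept). The quickest way to answer "is it running?" is to read what the serial audit log actually contains; the Python script below is an added example, not code posted in the thread, that parses ModSecurity 2.x serial audit log entries (the --boundary-X-- parts produced by SecAuditLogType Serial), extracts client, request line and rule messages, and flags a log whose newest entry is older than a week. The sample log entry is constructed, and the one-week threshold is an assumed default.

```python
import re
from datetime import datetime, timedelta, timezone

BOUNDARY = re.compile(r"^--[0-9a-f]+-([A-Z])--$")  # e.g. "--3c1f9a2b-A--"; part Z ends an entry
# Part A: [timestamp] unique_id client_ip client_port server_ip server_port
PART_A = re.compile(r"^\[(?P<ts>[^\]]+)\] \S+ (?P<cip>\S+) \d+ \S+ \d+$")
MSG_TAG = re.compile(r'\[msg "([^"]*)"\]')  # rule message inside a part-H "Message:" line

def parse_serial_audit_log(text):
    """Return one summary dict per complete entry of a ModSecurity 2.x serial audit log."""
    entries, parts, cur = [], {}, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            cur = m.group(1)
            if cur == "Z":                       # terminator: flush this entry
                entries.append(_summarise(parts))
                parts, cur = {}, None
            else:
                parts[cur] = []
        elif cur is not None:
            parts[cur].append(line)
    return entries

def _summarise(parts):
    a = PART_A.match(parts.get("A", [""])[0])
    return {
        "time": datetime.strptime(a["ts"], "%d/%b/%Y:%H:%M:%S %z") if a else None,
        "client": a["cip"] if a else None,
        "request": next((ln for ln in parts.get("B", []) if ln), ""),  # request line
        "msgs": MSG_TAG.findall("\n".join(parts.get("H", []))),
    }

def audit_log_is_stale(entries, now=None, max_age_days=7):
    """True when no entry is newer than max_age_days; on a busy site that usually means the engine is not processing rules."""
    now = now or datetime.now(timezone.utc)
    times = [e["time"] for e in entries if e["time"]]
    return not times or now - max(times) > timedelta(days=max_age_days)

# Constructed sample of what logs/mod_security2.log would hold for one denied request.
SAMPLE_LOG = """\
--3c1f9a2b-A--
[10/Jan/2007:00:35:12 +0100] RaWz6H8AAAEAAB2cExsAAAAA 192.0.2.10 51234 192.0.2.1 80
--3c1f9a2b-B--
GET /viewtopic.php?t=1&highlight=%27 HTTP/1.1
Host: www.example.com
--3c1f9a2b-H--
Message: Access denied with code 403 (phase 2). Pattern match "(\\x27|%27|\\x2527|%2527)" at ARGS:highlight. [msg "PHP attack"]
--3c1f9a2b-Z--
"""
```

Run it against the real audit log with parse_serial_audit_log(open(path).read()); an empty result or a stale newest entry on a busy server means the module is not processing requests, whatever the rule set says.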
strigoi
Joined: 15 Dec 2005
Posts: 36

Posted: Tue 16 Jan '07 6:28    Post subject: Solved

Solved, and thank you for the mailing list, it's a wealth of information!!!