Topic: My first rules for ModSecurity 2
raffe
Joined: 20 Dec 2005 Posts: 15
Posted: Tue 03 Apr '07 14:10 Post subject: My first rules for ModSecurity 2
So I finally upgraded to Apache 2.2.x and then also needed ModSecurity 2. Installation went fine and all seems to be working. But still I'm here and writing. So my question is this:
What rule files do you use and what changes have you done?
I did this:
1. I copied all these conf files to apache2/conf/mod_security2/:
modsecurity_crsBlocking_20_protocol_violations.conf
modsecurity_crsBlocking_21_protocol_anomalies.conf
modsecurity_crsBlocking_40_generic_attacks.conf
modsecurity_crs_10_config.conf
modsecurity_crs_20_protocol_violations.conf
modsecurity_crs_21_protocol_anomalies.conf
modsecurity_crs_30_http_policy.conf
modsecurity_crs_35_bad_robots.conf
modsecurity_crs_40_generic_attacks.conf
modsecurity_crs_45_trojans.conf
modsecurity_crs_50_outbound.conf
modsecurity_crs_55_marketing.conf
2. In modsecurity_crs_10_config.conf I changed this:
SecAuditLog logs/mod_security2.log
3. I added this to httpd.conf:
LoadModule security2_module modules/mod_security2/mod_security2.so
LoadModule unique_id_module modules/mod_unique_id.so
Include "c:/apache2/conf/mod_security2/*.conf"
4. And it seems to be working.
But this seems to be too easy. I have not gone through all the conf files (only 10_config). What kind of problems can I look forward to? What conf files should I look into first? How did you do all this?
Last edited by raffe on Wed 04 Apr '07 5:07; edited 1 time in total
raffe
Joined: 20 Dec 2005 Posts: 15
Posted: Wed 04 Apr '07 4:49
And then we also have Gotroot
http://www.apachelounge.com/viewtopic.php?t=1281
http://www.apachelounge.com/viewtopic.php?t=1433
1. Are they 'better' or is the core stuff the best?
2. And/or can I use them at the same time as I use the core rules?
3. When I download apache2-gotrootrules-modsec2.0-latest.tar.gz the readme says "These are currently beta rules. 1.9 rules are considered production rules."
4. Btw, I have an old crappy PC as a server, maybe the core rules are 'lighter'?
5. They say this is a good start (I don't use this at this time):
Code:
# ModSecurity 1.x (SecFilter*) syntax, guarded by the 1.x module name
<IfModule mod_security.c>
# Only inspect dynamic requests
# (YOU MUST TEST TO MAKE SURE IT WORKS AS EXPECTED)
#SecFilterEngine DynamicOnly
SecFilterEngine On
# Reject requests with status 500
SecFilterDefaultAction "deny,log,status:500"
# Some sane defaults
SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilterCheckCookieFormat On
SecFilterCheckUnicodeEncoding Off
SecFilterNormalizeCookies On
# enable version 1 (RFC 2965) cookies
SecFilterCookieFormat 1
SecServerResponseToken Off
#If you want to scan the output, uncomment these
#SecFilterScanOutput On
#SecFilterOutputMimeTypes "(null) text/html text/plain"
# Accept almost all byte values
SecFilterForceByteRange 1 255
# Server masking is optional
#fake server banner - NOYB used - no one needs to know what we are using
SecServerSignature "NOYB"
#SecUploadDir /tmp
#SecUploadKeepFiles Off
# Only record the interesting stuff
SecAuditEngine RelevantOnly
SecAuditLog logs/audit_log
# You normally won't need debug logging
SecFilterDebugLevel 0
SecFilterDebugLog logs/modsec_debug_log
#And now, the rules
#Remove any of these Include lines you do not use or have rules for.
#First, add in your exclusion rules:
#These MUST come first!
Include /etc/modsecurity/exclude.conf
#Application protection rules
Include /etc/modsecurity/rules.conf
#Comment spam rules
Include /etc/modsecurity/blacklist.conf
#Bad hosts, bad proxies and other bad players
Include /etc/modsecurity/blacklist2.conf
#Bad clients, known bogus useragents and other signs of malware
Include /etc/modsecurity/useragents.conf
#Known bad software, rootkits and other malware
Include /etc/modsecurity/rootkits.conf
#Signatures to prevent proxying through your server
#only use these rules if your server is NOT a proxy
Include /etc/modsecurity/proxy.conf
#Additional rules for Apache 2.x ONLY! Do not add this line if you use Apache 1.x
Include /etc/modsecurity/apache2-rules.conf
</IfModule>
And we also have this (I don't use this at this time):
Code:
# ModSecurity 2.x (SecRule*) syntax
SecRuleEngine On
SecDefaultAction log,auditlog,deny,status:403,phase:2,t:lowercase,t:replaceNulls,t:compressWhitespace
SecAuditEngine RelevantOnly
SecAuditLogType Serial
SecAuditLog logs/mod_security2.log
## -- General rules --------------------
SecRule ARGS "c:/" t:normalisePathWin
SecRule ARGS "\.\./" t:normalisePathWin
SecRule ARGS "d:/" t:normalisePathWin
## -- phpBB attack --------------------
# matches a quote in the highlight parameter, plain, URL-encoded or double-encoded
SecRule ARGS:highlight "(\x27|%27|\x2527|%2527)"
Should they be combined for best function?
PS. I have started monitoring the results in the log file. After I have got 'enough' log entries from mod_security2, I may need some help with understanding some of the entries.
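The two snippets quoted above do not speak the same language: the gotroot block uses the ModSecurity 1.x SecFilter* directives and is guarded by `<IfModule mod_security.c>`, the 1.x source file name. With only mod_security2 loaded (its Apache identifier is `security2_module`, the file is mod_security2.c) that whole block is silently skipped, so none of it protects anything; pasted outside the IfModule guard, the SecFilter* directives are unknown commands and httpd refuses to start. The second snippet is 2.x syntax and can be combined with the Core Rules. The configuration below is an added example, not code from this thread, from the Core Rules or from the gotroot package: it rewrites the gotroot settings in 2.x directives, keeps the LoadModule/Include steps and the c:/apache2 path from the first post, and folds in the phpBB rule from the second. The rule ids (900001 and up), the allow-listed address 192.0.2.10 and the request-body cap are assumptions chosen for the example.

```apache
# Added example: the gotroot 1.x snippet expressed in ModSecurity 2.x directives,
# together with the httpd.conf steps from the first post. Rule ids, the
# 192.0.2.10 allow-list entry and the body cap are assumed values.

LoadModule unique_id_module modules/mod_unique_id.so
LoadModule security2_module modules/mod_security2/mod_security2.so

# mod_security2 is NOT "mod_security.c": a block guarded by
# <IfModule mod_security.c> is skipped entirely when only 2.x is loaded.
<IfModule security2_module>

    # Default actions for the local rules defined below
    # (1.x SecFilterDefaultAction; in 2.x the phase is mandatory here)
    SecDefaultAction "phase:2,log,auditlog,deny,status:403"

    # Exclusions come first, as the gotroot notes say. This one switches the
    # engine off for one assumed monitoring host so it never trips a rule.
    SecRule REMOTE_ADDR "^192\.0\.2\.10$" \
        "phase:1,t:none,nolog,pass,id:900010,ctl:ruleEngine=Off"

    # 1.x SecFilterCheckURLEncoding / SecFilterForceByteRange 1 255
    # become ordinary rules with validation operators
    SecRule REQUEST_URI|ARGS "@validateUrlEncoding" \
        "phase:1,t:none,id:900001,msg:'Invalid URL encoding'"
    SecRule REQUEST_URI|ARGS|REQUEST_HEADERS "@validateByteRange 1-255" \
        "phase:1,t:none,id:900002,msg:'NUL byte in request'"
    # 1.x SecFilterCheckUnicodeEncoding Off: stays disabled unless the
    # site really serves UTF-8, otherwise legitimate requests get flagged
    #SecRule REQUEST_URI|ARGS "@validateUtf8Encoding" \
    #    "phase:1,t:none,id:900003,msg:'Invalid UTF-8 encoding'"

    # The phpBB highlight rule from the second snippet, with phase and id.
    # ARGS is already URL-decoded once by the engine, so a double-encoded
    # %2527 shows up here as %27 and a single %27 as a literal quote.
    SecRule ARGS:highlight "(\x27|%27|\x2527|%2527)" \
        "phase:2,t:none,id:900011,msg:'phpBB highlight parameter injection'"

    # 1.x SecFilterCookieFormat 1 (RFC 2965 cookies)
    SecCookieFormat 1

    # Server masking only works when Apache hands out the full banner
    ServerTokens Full
    SecServerSignature "NOYB"

    # The Core Rules, including 10_config.conf with the Core Rules' own
    # engine and logging settings
    Include "c:/apache2/conf/mod_security2/*.conf"

    # Read after 10_config.conf, so for these global directives the values
    # below win (in Apache the directive read last takes effect).

    # Start in DetectionOnly: every rule runs and logs, nothing is blocked.
    # Change to On once the audit log stops showing false hits.
    SecRuleEngine DetectionOnly

    # 1.x SecFilterScanPOST On -> request body inspection, with a cap so an
    # old box is not asked to buffer large uploads
    SecRequestBodyAccess On
    SecRequestBodyLimit 131072
    # 1.x SecFilterScanOutput / SecFilterOutputMimeTypes (left off here)
    SecResponseBodyAccess Off
    SecResponseBodyMimeType text/plain text/html

    # Audit log, same file the first post configured in 10_config.conf;
    # RelevantOnly plus this status pattern logs 5xx and 4xx except 404
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4\d[^4])"
    SecAuditLogType Serial
    SecAuditLogParts ABIFHZ
    SecAuditLog logs/mod_security2.log

    # 1.x SecFilterDebugLevel / SecFilterDebugLog
    SecDebugLog logs/modsec_debug.log
    SecDebugLogLevel 0

</IfModule>
```

Check the result with `httpd -t` (`httpd.exe -t` on Windows) before restarting; a leftover SecFilter* line outside an IfModule guard is reported there as an invalid command. Two things to look at in the audit log while running in DetectionOnly: the `Message:` lines in part H name the rule and variable that matched, which answers the "help with understanding the entries" question, and the Include glob above picks up both the modsecurity_crs_* and the modsecurity_crsBlocking_* copies of files 20, 21 and 40 listed in the first post, so those checks are loaded twice; read the Core Rules README and keep one set.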
raffe
Joined: 20 Dec 2005 Posts: 15
Posted: Thu 26 Apr '07 16:31
Anyone? Is it a secret how you did it?