View Single Post
Old 17th July 2006, 09:11
Ben Ben is offline
Join Date: Jul 2006
Posts: 1,029
Thanks: 7
Thanked 62 Times in 56 Posts

On what? Installation or configuration?

That's a (undocumented) config example on mod_security
<IfModule mod_security.c>
#Start Engine
SecFilterEngine On
SecFilterDefaultAction "deny,log,status:404"
SecFilterScanPOST On

#Valid URL-Encoding
SecFilterCheckURLEncoding On
SecFilterCheckCookieFormat On

#Unicode Encoding Check
SecFilterCheckUnicodeEncoding Off

SecFilterForceByteRange 1 255

SecAuditEngine RelevantOnly
SecAuditLog /var/log/modsec_audit.log
SecFilterDebugLog /var/log/modesc_debug.log
SecFilterDebugLevel 0

SecServerSignature "."

#Enforce proper HTTP requests
#SecFilterSelective THE_REQUEST "!HTTP\/(0\.9|1\.0|1\.1)$"

#check for bad meta characters in User-Agent field
SecFilterSelective HTTP_USER_AGENT ".*\'"

#Require Content-Length to be provided with every POST request
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"

#Don't accept chunked encodings
SecFilterSelective HTTP_Transfer-Encoding "chunked"

#must have a useragent string
SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

#Again, this is better protected by removing these functions in php.ini
SecFilterSelective ARGS "(system|exec|passthru|popen|shell_exec|proc_open| fopen|fwrite)\s*\("

#Prevent path traversal (..) attacks
SecFilter "\.\./"

#generic recursion signature
SecFilterSelective THE_REQUEST "\.\./\.\./"

#generic attack sig
SecFilterSelective THE_REQUEST "cd\x20*\;(cd|\;|echo|perl|python|rpm|yum|apt-get|emerge|lynx|links|mk dir|elinks|cmd|pwd|wget|id|uname|cvs|svn|(s|r)(cp| sh)|rexec|smbclient|t?ftp|ncftp|curl|te lnet|gcc|cc|g\+\+|\./)"

#generic filter to prevent SQL injection attacks
SecFilter "[[:space:]]+(select|grant|delete|insert|drop|alter|replace|tr uncate|u pdate|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z |a-z|0-9|\*| |\,]"

#generic PHP remote file inclusion attack
SecFilter "\.php\?" chain
SecFilter "(http|https|ftp)\:/" chain
SecFilter "cmd=(cd|\;|perl|python|rpm|yum|apt-get|emerge|lynx|links|mkdir|elinks |cmd|pwd|wget|id|uname|cvs|svn|(s|r)(cp|sh)|rexec| smbclient|t?ftp|ncftp|curl|telnet|gcc |cc|g\+\+|\./)"

#generic sig for more bad PHP functions
SecFilterSelective THE_REQUEST "chr\(([0-9]{1,3})\)"
SecFilterSelective THE_REQUEST "chr\([0-9a-fA-Fx]+\)"

#SQL injection attacks
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"

#SQL injection in cookies
SecFilterSelective COOKIE_sessionid ".*(select|grant|delete|insert|drop|do|alter|repla ce|truncate|update|c reate|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*||\,]+[[:space:]]+(from|into|table |database|index|view)"
That can be placed anywhere in you apache config... under debian it makes sense to store that file to mods-available and link it into mods-enabled on usage. Under Suse I actually (and I don't mind ) don't know the hundreds of files the config is split into and where to best put that...

Also you must load the module with sth. like
LoadModule security_module /usr/lib/apache2/modules/
Do disable that stuff for e.g. phpMyAdmin
<Directory /your/path/to/phpMyAdmin/>
<IfModule mod_security.c>
SecFilterEngine Off
If you're not willing to apply that rules from above to _ALL_ your sites and to a whitelist like that stuff with phpMyAdmin, it makes sense to apply that filter only on some dirs....

More on Installation and configuration can be found here:
Reply With Quote