#11 - sageman (Junior Member) - 8th March 2013, 20:41

Here are some more that helped me today:

Joomla 2.5.x - Akeeba Backup (after installation)
Reason: PHP source code leakage
Rule: SecRuleRemoveById 970015

------------------------------------------------

Joomla 2.5.x - JCE Editor (saving configuration)
Reason: Too many arguments in request
Rule: SecRuleRemoveById 960335

------------------------------------------------

Menalto Gallery 3 - Uploader stops processing images
Reason: Request Missing an Accept Header
Rule: SecRuleRemoveById 960015

------------------------------------------------

Usage: you should place these rules within the global whitelist.
Richard Dvořák

Last edited by sageman; 10th March 2013 at 11:42.
#12 - SpeedyB (HowtoForge Supporter) - 12th March 2013, 13:05

Remoting is not working with mod-security installed

This is due to a "Request Missing an Accept Header" error.

To fix this, add the following code to the 000-ispconfig.vhost (at the bottom):
Code:
<LocationMatch "/remote/index.php">
  SecRuleRemoveById 960015 
</LocationMatch>

==================

Since I only want to enable rules for the PHP files which need to be excluded I have the following ruleset for WordPress:

Code:
# Apache does not accept a comment after a directive on the same line,
# so each rule description is kept on its own line above the directive.
<LocationMatch "/">
  # Google robot activity - useful in some ways but noisy for sites where you want them crawled
  SecRuleRemoveById 910006
  # Request Missing an Accept Header - allow for Google Reader
  SecRuleRemoveById 960015
</LocationMatch>

<LocationMatch "/wp-admin/post.php">
  # System Command Injection - another rule that probably doesn't need to be disabled by everyone;
  # it stops .exe and various other extensions being passed in arguments
  SecRuleRemoveById 950006
  # XSS
  SecRuleRemoveById 950004
</LocationMatch>

<LocationMatch "/wp-admin/admin-ajax.php">
  # XSS
  SecRuleRemoveById 950004
</LocationMatch>

<LocationMatch "(/wp-admin/|/wp-login.php)">
  # Remote File Access Attempt - probably no need to be disabled by everyone;
  # it allows me to put /etc/ and other Linux paths in posts
  SecRuleRemoveById 950005
  # Remote File Inclusion Attack - disabled to allow http:// to be passed in args
  SecRuleRemoveById 950117
</LocationMatch>

<LocationMatch "(/wp-admin/options.php|/wp-admin/theme-editor.php|/wp-content/plugins/)">
  # System Command Injection
  SecRuleRemoveById 950907
  # Remote File Access Attempt (see above)
  SecRuleRemoveById 950005
  # System Command Injection (see above)
  SecRuleRemoveById 950006
  # SQL Injection Attack
  SecRuleRemoveById 959006
  # Request Missing a Host Header
  SecRuleRemoveById 960008
  # GET or HEAD requests with bodies
  SecRuleRemoveById 960011
  # Request Containing Content, but Missing Content-Type header
  SecRuleRemoveById 960904

  # Detects JavaScript object properties and methods
  SecRuleRemoveById phpids-17
  # Detects JavaScript language constructs
  SecRuleRemoveById phpids-20
  # Detects very basic XSS probings
  SecRuleRemoveById phpids-21
  # Detects common XSS concatenation patterns 1/2
  SecRuleRemoveById phpids-30
  # Detects url injections and RFE attempts
  SecRuleRemoveById phpids-61
</LocationMatch>

<LocationMatch "/wp-includes/">
  # System Command Injection (see above)
  SecRuleRemoveById 950006
  # SQL Injection Attack
  SecRuleRemoveById 959006
  # Request content type is not allowed by policy - allows, amongst other things, spell check to work in the admin area
  SecRuleRemoveById 960010
  # Require Content-Length to be provided with every POST request - same as above
  SecRuleRemoveById 960012

  # Detects JavaScript object properties and methods
  SecRuleRemoveById phpids-17
  # Detects JavaScript language constructs
  SecRuleRemoveById phpids-20
  # Detects very basic XSS probings
  SecRuleRemoveById phpids-21
  # Detects common XSS concatenation patterns 1/2
  SecRuleRemoveById phpids-30
  # Detects url injections and RFE attempts
  SecRuleRemoveById phpids-61
</LocationMatch>
#13 - manarak (Senior Member) - 8th November 2013, 05:26

I'm currently also looking at this issue from an SEO point of view, focusing on search engine crawlers.
Google is not the only search engine.

I think what's needed is a collection of tightly-defined whitelisting rules which disable certain rules for certain IPs/user agents of search engines.

People could then use these rules in the global mod_security 00_whitelist.conf or inside the individual site's settings.
#14 - manarak (Senior Member) - 8th November 2013, 07:05

What has always been very irritating about Mod_security is that there is so little simple documentation about it and that most of the support chatter is done via mailing list rather than a forum.

Try to google "mod_security whitelist IP ranges" to see what I mean...

This makes any custom rules exercise rather difficult.

Anyway, here is how far I progressed:

I added a file "modsecurity_crs_15_whitelist.conf" in /etc/apache2/modsecurity
(that can be another directory, depending on where you put your rules)

And I began to design a rule file for whitelisting bots.

Here is a non-working example:
Code:
# Chain: id, phase and the disruptive action (allow) belong on the first rule only
SecRule REMOTE_ADDR "^192\.168\.[0-1]{1}\.[0-9]{1,3}$" "phase:1,id:999999999,log,allow,chain"
# REMOTE_HOST holds a name only when Apache runs with HostnameLookups On (a reverse DNS lookup)
SecRule REMOTE_HOST "googlebot\.com$" "chain"
# ctl runs as soon as its own rule matches, so keep it on the last link of the chain
SecRule REQUEST_HEADERS:User-Agent "Googlebot" "ctl:ruleEngine=off"
I want the rules to check the IP and the User-Agent and, if performance permits, the remote host (I don't know if this requires a DNS request or not).
As you see, the regex allows checking for simple ranges.

Some questions I would like to ask people who are knowledgeable about mod_security rules:
1. The above rules chain in an "AND" mode, i.e. if this AND that, then allow. Question: how to introduce an OR? I.e. if the IP address is this OR that, then allow? Would the following work?
Code:
SecRule REMOTE_ADDR "^192\.168\.[0-1]{1}\.[0-9]{1,3}$|^193\.168\.[0-1]{1}\.[0-9]{1,3}$|^194\.168\.[0-1]{1}\.[0-9]{1,3}$"
2. I want to give matching requests a pass on one or more specific rules only, not turn off the SecRule engine completely. How can this be done?
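An added example (not from any poster in this thread) of how the two questions above are usually handled in ModSecurity 2.x: the chain starter carries the id, phase and the pass action, the OR over address ranges is the list inside the @ipMatch operator (a regex alternation would do the same), and ctl:ruleRemoveById skips only the named rules for that request instead of turning the engine off. The address ranges are the placeholder ones from the post, the rule ids 960015 and 910006 are the ones quoted earlier in the thread, and the file must load before the rules it excludes, e.g. in the modsecurity_crs_15_whitelist.conf mentioned above.

```apache
# Added example: whitelist one crawler for a few noisy rules only (ModSecurity 2.x).
# The address ranges are the placeholder ones from the post above, not real
# crawler ranges; the rule ids 960015 and 910006 are the ones quoted earlier.
# All three conditions must match (AND); the list inside @ipMatch is the OR
# (a regex such as "^(192|193|194)\.168\.[01]\.[0-9]{1,3}$" would do the same).
SecRule REMOTE_ADDR "@ipMatch 192.168.0.0/23,193.168.0.0/23,194.168.0.0/23" \
    "id:999999001,phase:1,pass,nolog,chain"
    # REMOTE_HOST only contains a hostname when Apache runs with HostnameLookups On,
    # which costs a reverse DNS lookup per request; otherwise it holds the IP.
    SecRule REMOTE_HOST "@rx googlebot\.com$" "chain"
        # ctl actions run as soon as the rule carrying them matches, so they sit
        # on the last link, where every earlier condition has already matched.
        # Only these two rule ids are dropped for this request; the engine and
        # every other rule stay active.
        SecRule REQUEST_HEADERS:User-Agent "@contains Googlebot" \
            "ctl:ruleRemoveById=960015,ctl:ruleRemoveById=910006"
```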