#1
30th July 2007, 11:42
llamy
Member
mod_security on FC6

Hi,

I was following Falko's howto on securing Apache with mod_security on FC6. After installing mod_security with yum, my mod_security.conf file looks like this:

# Example configuration file for the mod_security Apache module

LoadFile /usr/lib/libxml2.so.2

LoadModule security2_module modules/mod_security2.so
LoadModule unique_id_module modules/mod_unique_id.so

<IfModule mod_security2.c>
# This is the ModSecurity Core Rules Set.

# Basic configuration goes in here
Include modsecurity.d/modsecurity_crs_10_config.conf

# Protocol violation and anomalies.

Include modsecurity.d/modsecurity_crs_20_protocol_violations.conf
Include modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf

# HTTP policy rules

Include modsecurity.d/modsecurity_crs_30_http_policy.conf

# Here comes the Bad Stuff...

Include modsecurity.d/modsecurity_crs_35_bad_robots.conf
Include modsecurity.d/modsecurity_crs_40_generic_attacks.conf
Include modsecurity.d/modsecurity_crs_45_trojans.conf
Include modsecurity.d/modsecurity_crs_50_outbound.conf

# Search engines and other crawlers. Only useful if you want to track
# Google / Yahoo et. al.

# Include modsecurity.d/modsecurity_crs_55_marketing.conf

# Put your local rules in here.

Include modsecurity.d/modsecurity_localrules.conf
</IfModule>




Should I then add Falko's ruleset after the part "# Put your local rules in here."?
According to the howto, Falko's ruleset is the following:



# Example configuration file for the mod_security Apache module

LoadModule security_module modules/mod_security.so

<IfModule mod_security.c>

# Turn the filtering engine On or Off
SecFilterEngine On

# The audit engine works independently and
# can be turned On or Off on the per-server or
# on the per-directory basis
SecAuditEngine RelevantOnly

# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On

# Unicode encoding check
SecFilterCheckUnicodeEncoding On

# Only allow bytes from this range
SecFilterForceByteRange 1 255

# Cookie format checks.
SecFilterCheckCookieFormat On

# The name of the audit log file
SecAuditLog logs/audit_log

# Should mod_security inspect POST payloads
SecFilterScanPOST On

# Default action set
SecFilterDefaultAction "deny,log,status:406"

# Simple example filter
# SecFilter 111

# Prevent path traversal (..) attacks
# SecFilter "\.\./"

# Weaker XSS protection but allows common HTML tags
# SecFilter "<( |\n)*script"

# Prevent XSS attacks (HTML/Javascript injection)
# SecFilter "<(.|\n)+>"

# Very crude filters to prevent SQL injection attacks
# SecFilter "delete[[:space:]]+from"
# SecFilter "insert[[:space:]]+into"
# SecFilter "select.+from"

# Require HTTP_USER_AGENT and HTTP_HOST headers
SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

# Only accept request encodings we know how to handle
# we exclude GET requests from this because some (automated)
# clients supply "text/html" as Content-Type
SecFilterSelective REQUEST_METHOD "!^GET$" chain
SecFilterSelective HTTP_Content-Type "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data)"

# Require Content-Length to be provided with
# every POST request
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"

# Don't accept transfer encodings we know we don't handle
# (and you don't need it anyway)
SecFilterSelective HTTP_Transfer-Encoding "!^$"

# Some common application-related rules from
# http://modsecrules.monkeydev.org/rules.php?safety=safe

#Nuke Bookmarks XSS
SecFilterSelective THE_REQUEST "/modules\.php\?name=Bookmarks\&file=(del_cat\&catname|del_mark\&markname|edit_cat\&catname|edit_cat\&catcomment|marks\&catname|uploadbookmarks\&category)=(<[[:space:]]*script|(http|https|ftp)\:/)"

#Nuke Bookmarks Marks.php SQL Injection Vulnerability
SecFilterSelective THE_REQUEST "modules\.php\?name=Bookmarks\&file=marks\&catname=.*\&category=.*/\*\*/(union|select|delete|insert)"

#PHPNuke general XSS attempt
#/modules.php?name=News&file=article&sid=1&optionbox=
SecFilterSelective THE_REQUEST "/modules\.php\?*name=<[[:space:]]*script"

# PHPNuke SQL injection attempt
SecFilterSelective THE_REQUEST "/modules\.php\?*name=Search*instory="

#phpnuke sql insertion
SecFilterSelective THE_REQUEST "/modules\.php*name=Forums.*file=viewtopic*/forum=.*\'/"

# WEB-PHP phpbb quick-reply.php arbitrary command attempt

SecFilterSelective THE_REQUEST "/quick-reply\.php" chain
SecFilter "phpbb_root_path="

#Topic Calendar Mod for phpBB Cross-Site Scripting Attack
SecFilterSelective THE_REQUEST "/calendar_scheduler\.php\?start=(<[[:space:]]*script|(http|https|ftp)\:/)"

# phpMyAdmin: Safe

#phpMyAdmin Export.PHP File Disclosure Vulnerability
SecFilterSelective SCRIPT_FILENAME "export\.php$" chain
SecFilterSelective ARG_what "\.\."

#phpMyAdmin path vln
SecFilterSelective REQUEST_URI "/css/phpmyadmin\.css\.php\?GLOBALS\[cfg\]\[ThemePath\]=/etc"

</IfModule>



Thanks in advance.
Llamy.
#2
30th July 2007, 11:59
llamy
Member
mod_security

I have tried with this:

<IfModule mod_security.c>
# Turn the filtering engine On or Off
SecFilterEngine On

# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On

# Unicode encoding check
SecFilterCheckUnicodeEncoding Off

# Only allow bytes from this range
SecFilterForceByteRange 0 255

# Only log suspicious requests
SecAuditEngine RelevantOnly

# The name of the audit log file
SecAuditLog /var/log/httpd/audit_log
# Debug level set to a minimum
SecFilterDebugLog /var/log/httpd/modsec_debug_log
SecFilterDebugLevel 0

# Should mod_security inspect POST payloads
SecFilterScanPOST On

# By default log and deny suspicious requests
# with HTTP status 500
SecFilterDefaultAction "deny,log,status:500"

</IfModule>



And when I restart Apache I have this error:

Starting httpd: Syntax error on line 38 of /etc/httpd/conf.d/mod_security.conf:
Invalid command 'SecFilterEngine', perhaps misspelled or defined by a module not included in the server configuration
[FAILED]

Do you know what to do here? Thanks in advance.

Llamy.
#3
31st July 2007, 15:02
falko
Super Moderator

Which mod_security version did you install? Since version 2, there's no SecFilterEngine anymore: http://www.modsecurity.org/documenta...tml-multipage/

I'd try the original configuration and then add your custom rules where it says so.

Also take a look here: http://www.howtoforge.com/remo_modsecurity_apache
http://www.howtoforge.com/apache2_mo...ty_debian_etch
__________________
Falko
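
The rename described in the reply above, as an added example that is not part of the thread or of the howto: selected 1.x directives from posts #1 and #2 written in ModSecurity 2.x syntax. The file location and the msg strings are assumptions; check modsecurity_crs_10_config.conf first and drop anything the packaged Core Rules already set.

```apache
# Added example, ModSecurity 2.x syntax. Assumed file:
# modsecurity.d/modsecurity_localrules.conf (already included by the stock
# mod_security.conf inside <IfModule mod_security2.c>).

# 1.x: SecFilterEngine On
SecRuleEngine On
# 1.x: SecFilterScanPOST On
SecRequestBodyAccess On
# 1.x: SecFilterDefaultAction "deny,log,status:500"
# 2.x rules run in phases; phase 2 runs after the request body is read.
SecDefaultAction "phase:2,deny,log,status:500"

# Same directive names in 1.x and 2.x
SecAuditEngine RelevantOnly
SecAuditLog /var/log/httpd/audit_log
# 1.x: SecFilterDebugLog / SecFilterDebugLevel
SecDebugLog /var/log/httpd/modsec_debug_log
SecDebugLogLevel 0

# 1.x: SecFilterCheckURLEncoding On (now an operator inside a rule)
SecRule REQUEST_URI "@validateUrlEncoding" "t:none,msg:'Invalid URL encoding'"
# 1.x: SecFilterForceByteRange 1 255 (value from post #1)
SecRule REQUEST_URI|ARGS "@validateByteRange 1-255" "t:none,msg:'Byte outside 1-255'"

# 1.x: SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"
# A 2.x rule has no value to test when the header is absent, so count the
# header with & for "missing" and keep the regex for "present but empty".
SecRule &REQUEST_HEADERS:Host "@eq 0" "msg:'Missing Host header'"
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" "msg:'Missing User-Agent header'"
SecRule REQUEST_HEADERS:Host|REQUEST_HEADERS:User-Agent "^$" "msg:'Empty Host or User-Agent header'"

# 1.x: SecFilterSelective REQUEST_METHOD "^POST$" chain
#      SecFilterSelective HTTP_Content-Length "^$"
# In 2.x "chain" is an action on the first rule, which also carries msg.
SecRule REQUEST_METHOD "^POST$" "chain,msg:'POST without Content-Length'"
SecRule &REQUEST_HEADERS:Content-Length "@eq 0"

# 1.x: SecFilterSelective THE_REQUEST "/quick-reply\.php" chain
#      SecFilter "phpbb_root_path="
# THE_REQUEST is REQUEST_LINE in 2.x. Assumption: matching the parameter by
# name (query string or POST body) stands in for the untargeted SecFilter.
SecRule REQUEST_LINE "/quick-reply\.php" "chain,msg:'phpBB quick-reply.php phpbb_root_path'"
SecRule ARGS_NAMES "^phpbb_root_path$"
```

Running `apachectl configtest` (or `httpd -t`) after editing reports any remaining 1.x directive as an "Invalid command" before the server is restarted.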
#4
31st July 2007, 15:38
llamy
Member
mod_security on FC6

Hi Falko,

Thanks for your reply. This is what I get when I do "yum info mod_security" on my FC6 box:

Installed Packages
Name : mod_security
Arch : i386
Version: 2.1.1
Release: 1.fc6
Size : 1.4 M
Repo : installed
Summary: Security module for the Apache HTTP Server

Description:
ModSecurity is an open source intrusion detection and prevention engine
for web applications. It operates embedded into the web server, acting
as a powerful umbrella - shielding web applications from attacks.

Now I think I will go with the second link you gave in your reply:
http://www.howtoforge.com/apache2_mo...ty_debian_etch

and I will let you know.

About the rules that you said that I've been downloaded in this howto link, I think I should put in the rules directory this: http://www.modsecurity.org/download/...2.1-1.4.tar.gz

llamy.