Facebook
Twitter
C
criticman
Guest
Alright, so I am moved to my new server and not looking forward to being hacked again, so....
I have installed mod_security and configured it according to gotroot.
Basically, I have yet to see a log be created for audit_log. I am wondering if there is a way to see if mod_security is actually installed and running properly. I would hate to be hacked only to find out that it was not running properly.
Thanks!
Distro: FC 3
Plesk: 7.5.4
======CONTENTS OF modsecurity.conf=======
<IfModule mod_security.c>
# Only inspect dynamic requests
# (YOU MUST TEST TO MAKE SURE IT WORKS AS EXPECTED)
#SecFilterEngine DynamicOnly
SecFilterEngine On
# Reject requests with status 500
SecFilterDefaultAction "deny,log,status:500"
# Some sane defaults
SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilterCheckCookieFormat On
SecFilterCheckUnicodeEncoding Off
SecFilterNormalizeCookies On
# enable version 1 (RFC 2965) cookies
SecFilterCookieFormat 1
SecServerResponseToken Off
#If you want to scan the output, uncomment these
#SecFilterScanOutput On
#SecFilterOutputMimeTypes "(null) text/html text/plain"
# Accept almost all byte values
SecFilterForceByteRange 1 255
# Server masking is optional
#fake server banner - NOYB used - no one needs to know what we are using
SecServerSignature "NOYB"
#SecUploadDir /tmp
#SecUploadKeepFiles Off
# Only record the interesting stuff
SecAuditEngine RelevantOnly
SecAuditLog /var/log/httpd/audit_log
# You normally won't need debug logging
SecFilterDebugLevel 0
SecFilterDebugLog /var/log/httpd/modsec_debug_log
#And now, the rules
#Remove any of these Include lines you do not use or have rules for.
#First, add in your exclusion rules:
#These MUST come first!
Include /etc/modsecurity/exclude.conf
#Application protection rules
Include /etc/modsecurity/rules.conf
#Comment spam rules
Include /etc/modsecurity/blacklist.conf
#Bad hosts, bad proxies and other bad players
Include /etc/modsecurity/blacklist2.conf
#Bad clients, known bogus useragents and other signs of malware
Include /etc/modsecurity/useragents.conf
#Known bad software, rootkits and other malware
Include /etc/modsecurity/rootkits.conf
#Signatures to prevent proxying through your server
#only rule these rules if your server is NOT a proxy
Include /etc/modsecurity/proxy.conf
#Additional rules for Apache 2.x ONLY! Do not add this line if you use Apache 1.x
Include /etc/modsecurity/apache2-rules.conf
</IfModule>
=============================
I have installed mod_security and configured it according to gotroot.
Basically, I have yet to see a log be created for audit_log. I am wondering if there is a way to see if mod_security is actually installed and running properly. I would hate to be hacked only to find out that it was not running properly.
Thanks!
Distro: FC 3
Plesk: 7.5.4
======CONTENTS OF modsecurity.conf=======
<IfModule mod_security.c>
# Only inspect dynamic requests
# (YOU MUST TEST TO MAKE SURE IT WORKS AS EXPECTED)
#SecFilterEngine DynamicOnly
SecFilterEngine On
# Reject requests with status 500
SecFilterDefaultAction "deny,log,status:500"
# Some sane defaults
SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilterCheckCookieFormat On
SecFilterCheckUnicodeEncoding Off
SecFilterNormalizeCookies On
# enable version 1 (RFC 2965) cookies
SecFilterCookieFormat 1
SecServerResponseToken Off
#If you want to scan the output, uncomment these
#SecFilterScanOutput On
#SecFilterOutputMimeTypes "(null) text/html text/plain"
# Accept almost all byte values
SecFilterForceByteRange 1 255
# Server masking is optional
#fake server banner - NOYB used - no one needs to know what we are using
SecServerSignature "NOYB"
#SecUploadDir /tmp
#SecUploadKeepFiles Off
# Only record the interesting stuff
SecAuditEngine RelevantOnly
SecAuditLog /var/log/httpd/audit_log
# You normally won't need debug logging
SecFilterDebugLevel 0
SecFilterDebugLog /var/log/httpd/modsec_debug_log
#And now, the rules
#Remove any of these Include lines you do not use or have rules for.
#First, add in your exclusion rules:
#These MUST come first!
Include /etc/modsecurity/exclude.conf
#Application protection rules
Include /etc/modsecurity/rules.conf
#Comment spam rules
Include /etc/modsecurity/blacklist.conf
#Bad hosts, bad proxies and other bad players
Include /etc/modsecurity/blacklist2.conf
#Bad clients, known bogus useragents and other signs of malware
Include /etc/modsecurity/useragents.conf
#Known bad software, rootkits and other malware
Include /etc/modsecurity/rootkits.conf
#Signatures to prevent proxying through your server
#only rule these rules if your server is NOT a proxy
Include /etc/modsecurity/proxy.conf
#Additional rules for Apache 2.x ONLY! Do not add this line if you use Apache 1.x
Include /etc/modsecurity/apache2-rules.conf
</IfModule>
=============================