Ruleset for mod_security and Plesk Server?

graffix

Guest
Hello,

We're having heavy problems securing our servers, and the modules from sw-soft are too old.
So we decided to integrate mod_security in our VZ boxes for Plesk.

But we need a good working ruleset for mod_security.

A few customers told us that their pages got an Internal Error 500.
But when we go to the site, all is good.

So, does anybody have a good working ruleset for us?

Thanks for the help; I hope for an answer so that I can sleep well in the next days ;-.-)
 
I have the following rules:

<IfModule mod_security.c>
# Turn the filtering engine On or Off
SecFilterEngine On

# Change Server: string
SecServerSignature "Apache"


# This setting should be set to On only if the Web site is
# using the Unicode encoding. Otherwise it may interfere with
# the normal Web site operation.
SecFilterCheckUnicodeEncoding Off

# The audit engine works independently and
# can be turned On or Off on the per-server or
# on the per-directory basis. "On" will log everything,
# "DynamicOrRelevant" will log dynamic requests or violations,
# and "RelevantOnly" will only log policy violations
SecAuditEngine RelevantOnly

# The name of the audit log file
SecAuditLog logs/audit_log

# Should mod_security inspect POST payloads
SecFilterScanPOST On

# Action to take by default
SecFilterDefaultAction "deny,log,status:403"

## ## ## ## ## ## ## ## ## ##
## ## ## ## ## ## ## ## ## ##

# Require HTTP_USER_AGENT and HTTP_HOST in all requests
# SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

# Require Content-Length to be provided with
# every POST request
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"

# Don't accept transfer encodings we know we don't handle
# (and you don't need it anyway)
SecFilterSelective HTTP_Transfer-Encoding "!^$"

# Protecting from XSS attacks through the PHP session cookie
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"

SecFilter "viewtopic\.php\?" chain
SecFilter "chr\(([0-9]{1,3})\)" "deny,log"

# Block various methods of downloading files to a server
SecFilterSelective THE_REQUEST "wget "
SecFilterSelective THE_REQUEST "lynx "
SecFilterSelective THE_REQUEST "scp "
SecFilterSelective THE_REQUEST "ftp "
SecFilterSelective THE_REQUEST "cvs "
SecFilterSelective THE_REQUEST "rcp "
SecFilterSelective THE_REQUEST "curl "
SecFilterSelective THE_REQUEST "telnet "
SecFilterSelective THE_REQUEST "ssh "
SecFilterSelective THE_REQUEST "echo "
SecFilterSelective THE_REQUEST "links -dump "
SecFilterSelective THE_REQUEST "links -dump-charset "
SecFilterSelective THE_REQUEST "links -dump-width "
SecFilterSelective THE_REQUEST "links http:// "
SecFilterSelective THE_REQUEST "links ftp:// "
SecFilterSelective THE_REQUEST "links -source "
SecFilterSelective THE_REQUEST "mkdir "
SecFilterSelective THE_REQUEST "cd /tmp "
SecFilterSelective THE_REQUEST "cd /var/tmp "
SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy "
</IfModule>

Let me know if I am missing something or if it can be better!
 
This is mine, but I think this ruleset is not good:

<IfModule mod_security.c>
# Turn the filtering engine On or Off
SecFilterEngine DynamicOnly

# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On
SecFilterCheckUnicodeEncoding On
SecFilterCheckCookieFormat On

# Only allow bytes from this range
SecFilterForceByteRange 32 254
# SecFilterForceByteRange 0 255

# The audit engine works independently and
# can be turned On or Off on the per-server or
# on the per-directory basis
SecAuditEngine On

# The name of the audit log file
SecAuditLog logs/audit_log

SecFilterDebugLog logs/modsec_debug_log
SecFilterDebugLevel 9

# Should mod_security inspect POST payloads
SecFilterScanPOST On

# Action to take by default
SecFilterDefaultAction "deny,log,status:500"
#SecFilterDefaultAction "status:500,log,pass"

SecFilterSelective ARG_p secret allow

# Redirect user on filter match
SecFilter xxx redirect:http://www.webkreator.com

# Execute the external script on filter match
SecFilter yyy log,exec:/home/users/ivanr/apache/bin/report-attack.pl

SecFilterSelective ARG_b2inc "!^$"

# Simple filter
SecFilter 111 pause:5000

# Only check the QUERY_STRING variable
SecFilterSelective QUERY_STRING 222

# Only check the body of the POST request
SecFilterSelective POST_PAYLOAD 333

# Only check arguments (will work for GET and POST)
SecFilterSelective ARGS 444

# Test filter
SecFilter "/cgi-bin/modsec-test.pl/keyword"

# Another test filter, will be denied with 500 but not logged
# action supplied as a parameter overrides the default action
SecFilter 999 "deny,nolog,status:500"

# Prevent OS specific keywords
SecFilter /etc/passwd

# Prevent path traversal (..) attacks
SecFilter "\.\./"

# Weaker XSS protection but allows common HTML tags
SecFilter "<[:space:]*script"

# Prevent XSS attacks (HTML/Javascript injection)
SecFilter "<.+>"

# Very crude filters to prevent SQL injection attacks
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"

# Require HTTP_USER_AGENT and HTTP_HOST headers
SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

# Forbid file upload
# SecFilterSelective "HTTP_CONTENT_TYPE" multipart/form-data

# Only watch argument p1
SecFilterSelective "ARG_p1" 555

# Watch all arguments except p1
SecFilterSelective "ARGS|!ARG_p2" 666

# Only allow our own test utility to send requests (or Mozilla)
SecFilterSelective HTTP_USER_AGENT "!(mod_security|mozilla|links)"

# Do not allow variables with this name
SecFilterSelective ARGS_NAMES 777

# Do not allow this variable value (names are ok)
SecFilterSelective ARGS_VALUES 888

# Test for a POST variable parsing bug, see test #41
SecFilterSelective ARG_p2 AAA

# Stop spamming through FormMail
# note the exclamation mark at the beginning
# of the filter - only requests that match this regex will
# be allowed
<Location /cgi-bin/FormMail>
SecFilterSelective "ARG_recipient" "[email protected]$"
</Location>

# when allowing upload, only allow images
# note that this is not foolproof, a determined attacker
# could get around this
<Location /fileupload.php>
SecFilterInheritance Off
SecFilterSelective POST_PAYLOAD "!image/(jpeg|bmp|gif)"
</Location>

# SecChrootDir /chroot/apache

SecFilter "chicken"
SecFilterSelective ARG_p "/bin/ls"

SecServerSignature "MyServer x.y.z"

# SecFilterSelective REQUEST_URI "!^[-a-zA-z0-9\\._/]+$"
# SecFilter "!^[-a-zA-Z0-9_/.?]+$"

# test 50 (the action that links a rule to the next one is "chain")
SecFilterSelective ARG_q1 value1 chain
SecFilterSelective ARG_q2 value2

# test 51
SecFilterSelective ARG_q3 value3 skipnext
SecFilterSelective ARG_q3 value3

# test 52
SecFilterSelective ARG_q5 value5 skipnext:2
SecFilterSelective ARG_q5 value5
SecFilterSelective ARG_q5 value5

# test 52 - repeated with skip as an action
SecFilterSelective ARG_q5 value5 skip:2
SecFilterSelective ARG_q5 value5
SecFilterSelective ARG_q5 value5

# test 53
SecFilterSelective COOKIE_phpsessid "!(^$|^[a-zA-Z0-9]+$)"

# test 55
SecFilterSelective COOKIES_NAMES "fakephpsessid"

# test 56
SecFilterSelective COOKIES_VALUES "!(^$|^[a-zA-Z0-9]+$)"

# test 57
SecFilter "wget\x20wget"

SecFilterScanOutput On
# SecFilterOutputMimeTypes "(null) text/html text/plain"
SecFilterSelective OUTPUT "Fatal error:"

# test 70
SecFilterSelective ARGS "-bug70-"

</IfModule>


On this site you'll find more, but I don't know which is the best to use!

http://www.gotroot.com


Any help?
 
You need to go to http://www.gotroot.com/mod_security+rules

You'll find an extensive, regularly-updated set of rules which work brilliantly with Plesk (or anything else).

Occasionally a rule might be added that causes the odd problem, but almost the moment they are reported they get modified or removed.

But you MUST monitor your /var/log/httpd/audit_log (which is where mod_sec rule violations get listed) in order to make sure there are no rules that might cause you false positives.

I've written (modified) a small script, which you can find at www.atomicrocketturtle.com in the forums which emails you the last 24 hours worth of log entries. This is the first thing I read in the morning :)

Faris.

p.s. you'll find a range of rulesets on gotroot.com. Use them all! (with the possible exception of the Windows IIS ones if you aren't running Windows).
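Faris's point about reading the audit_log every morning, as an added example (not the script he mentions and not from the thread): a small Python digest that parses entries in the mod_security 1.x audit_log layout, keeps only those from the last 24 hours and counts hits per matched pattern, so a rule that keeps firing on ordinary customer traffic stands out as a false-positive candidate. The sample log, host names, addresses and the fixed "now" are constructed; the entry layout is an abbreviated version of the 1.x format and is assumed here.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample in the mod_security 1.x audit_log layout (abbreviated); not from the thread.
SAMPLE_AUDIT_LOG = """\
========================================
Request: 192.0.2.10 - - [20/Jan/2006:08:15:02 +0000] "GET /index.php?p=/etc/passwd HTTP/1.1" 403 0
----------------------------------------
GET /index.php?p=/etc/passwd HTTP/1.1
Host: www.example.org
mod_security-message: Access denied with code 403. Pattern match "/etc/passwd" at THE_REQUEST
mod_security-action: 403
========================================
Request: 192.0.2.11 - - [20/Jan/2006:09:30:45 +0000] "POST /shop/cart.php HTTP/1.1" 500 0
----------------------------------------
POST /shop/cart.php HTTP/1.1
Host: shop.example.org
mod_security-message: Access denied with code 500. Pattern match "select.+from" at POST_PAYLOAD
mod_security-action: 500
========================================
Request: 192.0.2.12 - - [17/Jan/2006:23:59:59 +0000] "GET /old.php HTTP/1.1" 403 0
----------------------------------------
GET /old.php HTTP/1.1
Host: www.example.org
mod_security-message: Access denied with code 403. Pattern match "<.+>" at ARGS
mod_security-action: 403
"""
# Fixed "now" for the constructed sample, so the 24-hour window is reproducible.
EXAMPLE_NOW = datetime(2006, 1, 20, 12, 0, tzinfo=timezone.utc)

REQUEST_RE = re.compile(r'^Request: (\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})', re.M)
MESSAGE_RE = re.compile(r'^mod_security-message: .*Pattern match "(.*)" at (\w+)', re.M)

def parse_entries(text):
    """Split the audit_log on its '=' separator lines; keep client, time, request, status, rule."""
    entries = []
    for chunk in re.split(r'^=+$', text, flags=re.M):
        req, msg = REQUEST_RE.search(chunk), MESSAGE_RE.search(chunk)
        if req:
            entries.append({"ip": req.group(1), "request": req.group(3), "status": int(req.group(4)),
                            "time": datetime.strptime(req.group(2), "%d/%b/%Y:%H:%M:%S %z"),
                            "rule": msg.groups() if msg else ("?", "?")})
    return entries

def summarize(text, now, hours=24):
    """Count (status, pattern, location) hits inside the window, as a daily digest would."""
    since = now - timedelta(hours=hours)
    return Counter((e["status"],) + e["rule"] for e in parse_entries(text) if e["time"] >= since)
```

Against a live server you would call summarize(open("/var/log/httpd/audit_log").read(), datetime.now(timezone.utc)); a pile of 500s for one pattern points at a ruleset whose SecFilterDefaultAction uses status:500, as the second config in this thread does.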
 
@ wu0ter:

Is your ruleset working with FrontPage?
Mine is not working with it!

I tried this:
SecFilter "_vti_bin" allow
SecFilterSelective THE_REQUEST "/fpsrvadm\.exe" pass
SecFilterSelective THE_REQUEST "/fpremadm\.exe" pass
SecFilterSelective THE_REQUEST "/admisapi/fpadmin\.htm" pass
SecFilterSelective THE_REQUEST "/scripts/Fpadmcgi\.exe" pass
SecFilterSelective THE_REQUEST "/_private/orders\.txt" pass
SecFilterSelective THE_REQUEST "/_private/form_results\.txt" pass
SecFilterSelective THE_REQUEST "/_private/registrations\.htm" pass
SecFilterSelective THE_REQUEST "/cfgwiz\.exe" pass
SecFilterSelective THE_REQUEST "/authors\.pwd" pass
SecFilterSelective THE_REQUEST "/_vti_bin/_vti_aut/author\.exe" pass
SecFilterSelective THE_REQUEST "/administrators\.pwd" pass
SecFilterSelective THE_REQUEST "/_private/form_results\.htm" pass
SecFilterSelective THE_REQUEST "/_vti_pvt/access\.cnf" pass
SecFilterSelective THE_REQUEST "/_private/register\.txt" pass
SecFilterSelective THE_REQUEST "/_private/registrations\.txt" pass
SecFilterSelective THE_REQUEST "/_vti_pvt/service\.cnf" pass
SecFilterSelective THE_REQUEST "/service\.pwd" pass
SecFilterSelective THE_REQUEST "/_vti_pvt/service\.stp" pass
SecFilterSelective THE_REQUEST "/_vti_pvt/services\.cnf" pass
SecFilterSelective THE_REQUEST "/_vti_bin/shtml\.exe" pass
SecFilterSelective THE_REQUEST "/_vti_pvt/svcacl\.cnf" pass
SecFilterSelective THE_REQUEST "/users\.pwd" pass
SecFilterSelective THE_REQUEST "/_vti_pvt/writeto\.cnf" pass
SecFilterSelective THE_REQUEST "/dvwssr\.dll" pass
SecFilterSelective THE_REQUEST "/_private/register\.htm" pass
SecFilterSelective THE_REQUEST "/_vti_bin/" pass
SecFilterSelective THE_REQUEST "/_vti_bin/shtml.exe/_vti_rpc/" pass
SecFilterSelective THE_REQUEST "/_vti_bin/_vti_adm/fpadmcgi.exe" pass

But it doesn't work.

Any idea?
 
@ Graffix:

I don't know because I don't use FrontPage.....
 
If I recall, you cannot use the SecServerSignature setting if you use FrontPage; FrontPage checks this value.

If it isn't SecServerSignature, it's something similar that causes FrontPage publishing issues, from what I recall.
 
Anyone have an opinion on the modsecurity.org ruleset?

I'm looking for an alternative to the gotroot.com ruleset because I'm just getting way too many false positives.
 