
Ruleset for mod_security and Plesk Server?

Discussion in 'Plesk for Linux - 8.x and Older' started by graffix, Aug 1, 2005.

  1. graffix

    graffix Guest

    Hello,

    we're having heavy problems securing our servers, and the modules from SW-Soft are too old.
    So we decided to integrate mod_security in our VZ boxes for Plesk.

    But we need a good working ruleset for mod_security.

    A few customers told us that their pages get an Internal Error 500.
    But when we go to the site, all is good.

    So, does anybody have a good working ruleset for us?

    Thanks for the help; I hope for an answer so that I can sleep well in the next few days ;-.-)
     
  2. w0uter

    w0uter Guest

    I have the following rules:

    <IfModule mod_security.c>
    # Turn the filtering engine On or Off
    SecFilterEngine On

    # Change Server: string
    SecServerSignature "Apache"


    # This setting should be set to On only if the Web site is
    # using the Unicode encoding. Otherwise it may interfere with
    # the normal Web site operation.
    SecFilterCheckUnicodeEncoding Off

    # The audit engine works independently and
    # can be turned On or Off on the per-server or
    # on the per-directory basis. "On" will log everything,
    # "DynamicOrRelevant" will log dynamic requests or violations,
    # and "RelevantOnly" will only log policy violations
    SecAuditEngine RelevantOnly

    # The name of the audit log file
    SecAuditLog logs/audit_log

    # Should mod_security inspect POST payloads
    SecFilterScanPOST On

    # Action to take by default
    SecFilterDefaultAction "deny,log,status:403"

    ## ## ## ## ## ## ## ## ## ##
    ## ## ## ## ## ## ## ## ## ##

    # Require HTTP_USER_AGENT and HTTP_HOST in all requests
    # SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

    # Require Content-Length to be provided with
    # every POST request
    SecFilterSelective REQUEST_METHOD "^POST$" chain
    SecFilterSelective HTTP_Content-Length "^$"

    # Don't accept transfer encodings we know we don't handle
    # (and you don't need it anyway)
    SecFilterSelective HTTP_Transfer-Encoding "!^$"

    # Protecting from XSS attacks through the PHP session cookie
    SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
    SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"

    SecFilter "viewtopic\.php\?" chain
    SecFilter "chr\(([0-9]{1,3})\)" "deny,log"

    # Block various methods of downloading files to a server
    SecFilterSelective THE_REQUEST "wget "
    SecFilterSelective THE_REQUEST "lynx "
    SecFilterSelective THE_REQUEST "scp "
    SecFilterSelective THE_REQUEST "ftp "
    SecFilterSelective THE_REQUEST "cvs "
    SecFilterSelective THE_REQUEST "rcp "
    SecFilterSelective THE_REQUEST "curl "
    SecFilterSelective THE_REQUEST "telnet "
    SecFilterSelective THE_REQUEST "ssh "
    SecFilterSelective THE_REQUEST "echo "
    SecFilterSelective THE_REQUEST "links -dump "
    SecFilterSelective THE_REQUEST "links -dump-charset "
    SecFilterSelective THE_REQUEST "links -dump-width "
    SecFilterSelective THE_REQUEST "links http:// "
    SecFilterSelective THE_REQUEST "links ftp:// "
    SecFilterSelective THE_REQUEST "links -source "
    SecFilterSelective THE_REQUEST "mkdir "
    SecFilterSelective THE_REQUEST "cd /tmp "
    SecFilterSelective THE_REQUEST "cd /var/tmp "
    SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy "
    </IfModule>

    Let me know if I'm missing something or if it can be better!
     
  3. graffix

    graffix Guest

    This is mine, but I think this ruleset is not good:

    <IfModule mod_security.c>
    # Turn the filtering engine On or Off
    SecFilterEngine DynamicOnly

    # Make sure that URL encoding is valid
    SecFilterCheckURLEncoding On
    SecFilterCheckUnicodeEncoding On
    SecFilterCheckCookieFormat On

    # Only allow bytes from this range
    SecFilterForceByteRange 32 254
    # SecFilterForceByteRange 0 255

    # The audit engine works independently and
    # can be turned On or Off on the per-server or
    # on the per-directory basis
    SecAuditEngine On

    # The name of the audit log file
    SecAuditLog logs/audit_log

    SecFilterDebugLog logs/modsec_debug_log
    SecFilterDebugLevel 9

    # Should mod_security inspect POST payloads
    SecFilterScanPOST On

    # Action to take by default
    SecFilterDefaultAction "deny,log,status:500"
    #SecFilterDefaultAction "status:500,log,pass"

    SecFilterSelective ARG_p secret allow

    # Redirect user on filter match
    SecFilter xxx redirect:http://www.webkreator.com

    # Execute the external script on filter match
    SecFilter yyy log,exec:/home/users/ivanr/apache/bin/report-attack.pl

    SecFilterSelective ARG_b2inc "!^$"

    # Simple filter
    SecFilter 111 pause:5000

    # Only check the QUERY_STRING variable
    SecFilterSelective QUERY_STRING 222

    # Only check the body of the POST request
    SecFilterSelective POST_PAYLOAD 333

    # Only check arguments (will work for GET and POST)
    SecFilterSelective ARGS 444

    # Test filter
    SecFilter "/cgi-bin/modsec-test.pl/keyword"

    # Another test filter, will be denied with 404 but not logged
    # action supplied as a parameter overrides the default action
    SecFilter 999 "deny,nolog,status:500"

    # Prevent OS specific keywords
    SecFilter /etc/passwd

    # Prevent path traversal (..) attacks
    SecFilter "\.\./"

    # Weaker XSS protection but allows common HTML tags
    SecFilter "<[[:space:]]*script"

    # Prevent XSS attacks (HTML/Javascript injection)
    SecFilter "<.+>"

    # Very crude filters to prevent SQL injection attacks
    SecFilter "delete[[:space:]]+from"
    SecFilter "insert[[:space:]]+into"
    SecFilter "select.+from"

    # Require HTTP_USER_AGENT and HTTP_HOST headers
    SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

    # Forbid file upload
    # SecFilterSelective "HTTP_CONTENT_TYPE" multipart/form-data

    # Only watch argument p1
    SecFilterSelective "ARG_p1" 555

    # Watch all arguments except p1
    SecFilterSelective "ARGS|!ARG_p2" 666

    # Only allow our own test utility to send requests (or Mozilla)
    SecFilterSelective HTTP_USER_AGENT "!(mod_security|mozilla|links)"

    # Do not allow variables with this name
    SecFilterSelective ARGS_NAMES 777

    # Do not allow this variable value (names are ok)
    SecFilterSelective ARGS_VALUES 888

    # Test for a POST variable parsing bug, see test #41
    SecFilterSelective ARG_p2 AAA

    # Stop spamming through FormMail
    # note the exclamation mark at the beginning
    # of the filter - only requests that match this regex will
    # be allowed
    <Location /cgi-bin/FormMail>
    SecFilterSelective "ARG_recipient" "!@webkreator.com$"
    </Location>

    # when allowing upload, only allow images
    # note that this is not foolproof, a determined attacker
    # could get around this
    <Location /fileupload.php>
    SecFilterInheritance Off
    SecFilterSelective POST_PAYLOAD "!image/(jpeg|bmp|gif)"
    </Location>

    # SecChrootDir /chroot/apache

    SecFilter "chicken"
    SecFilterSelective ARG_p "/bin/ls"

    SecServerSignature "MyServer x.y.z"

    # SecFilterSelective REQUEST_URI "!^[-a-zA-z0-9\\._/]+$"
    # SecFilter "!^[-a-zA-Z0-9_/.?]+$"

    # test 50
    SecFilterSelective ARG_q1 value1 chained
    SecFilterSelective ARG_q2 value2

    # test 51
    SecFilterSelective ARG_q3 value3 skipnext
    SecFilterSelective ARG_q3 value3

    # test 52
    SecFilterSelective ARG_q5 value5 skipnext:2
    SecFilterSelective ARG_q5 value5
    SecFilterSelective ARG_q5 value5

    # test 52 - repeated with skip as an action
    SecFilterSelective ARG_q5 value5 skip:2
    SecFilterSelective ARG_q5 value5
    SecFilterSelective ARG_q5 value5

    # test 53
    SecFilterSelective COOKIE_phpsessid "!(^$|^[a-zA-Z0-9]+$)"

    # test 55
    SecFilterSelective COOKIES_NAMES "fakephpsessid"

    # test 56
    SecFilterSelective COOKIES_VALUES "!(^$|^[a-zA-Z0-9]+$)"

    # test 57
    SecFilter "wget\x20wget"

    SecFilterScanOutput On
    # SecFilterOutputMimeTypes "(null) text/html text/plain"
    SecFilterSelective OUTPUT "Fatal error:"

    # test 70
    SecFilterSelective ARGS "-bug70-"

    </IfModule>


    On this site you'll find more, but I don't know which is the best to use!

    http://www.gotroot.com


    Any help?
     
  4. faris

    faris Guest

    You need to go to http://www.gotroot.com/mod_security+rules

    You'll find an extensive, regularly-updated set of rules which work brilliantly with Plesk (or anything else).

    Occasionally a rule might be added that causes the odd problem, but almost the moment they are reported they get modified or removed.

    But you MUST monitor your /var/log/httpd/audit_log (which is where mod_sec rule violations get listed) in order to make sure there are no rules that might cause you false positives.

    I've written (modified) a small script, which you can find at www.atomicrocketturtle.com in the forums which emails you the last 24 hours worth of log entries. This is the first thing I read in the morning :)

    Faris.

    p.s. you'll find a range of rulesets on gotroot.com. Use them all! (with the possible exception of the Windows IIS ones if you aren't running Windows).
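    Faris's advice to read audit_log every morning is the part defenders act on, so here is an added example (not Faris's script and not from this thread) that parses mod_security 1.x audit_log entries and counts denials per virtual host, status and matched pattern over the last 24 hours; a vhost tripping the same pattern over and over is the false-positive signature to chase. The log sample is constructed in the 1.x layout as I recall it (a `Request:` line, a dashed separator, request headers, then `mod_security-message:` and `mod_security-action:`), and `EXAMPLE_NOW` stands in for the current time.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample in the mod_security 1.x audit_log layout; not copied from any real server.
SAMPLE_AUDIT_LOG = r"""========================================
Request: 203.0.113.5 - - [01/Aug/2005:09:12:41 +0200] "GET /forum/viewtopic.php?p=chr(99) HTTP/1.1" 403 0
----------------------------------------
Host: www.example.net
mod_security-message: Access denied with code 403. Pattern match "chr\(([0-9]{1,3})\)" at THE_REQUEST.
mod_security-action: 403
========================================
Request: 198.51.100.7 - - [01/Aug/2005:10:30:02 +0200] "POST /contact.php HTTP/1.1" 500 0
----------------------------------------
Host: shop.example.org
mod_security-message: Access denied with code 500. Pattern match "<.+>" at POST_PAYLOAD.
mod_security-action: 500
========================================
Request: 198.51.100.9 - - [30/Jul/2005:10:30:02 +0200] "POST /contact.php HTTP/1.1" 500 0
----------------------------------------
Host: shop.example.org
mod_security-message: Access denied with code 500. Pattern match "<.+>" at POST_PAYLOAD.
mod_security-action: 500
"""
EXAMPLE_NOW = datetime(2005, 8, 1, 12, 0, tzinfo=timezone(timedelta(hours=2)))  # "now" for the sample

# "Request:" line as mod_security 1.x writes it: client, ident, user, [time], "request line", status, bytes
REQUEST_RE = re.compile(r'^Request: (\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})', re.M)
HOST_RE = re.compile(r"^Host: (\S+)", re.M)
MSG_RE = re.compile(r"^mod_security-message: (.*)$", re.M)

def parse_audit_log(text):
    """Yield one dict per audit_log entry (entries are separated by a line of 40 '=')."""
    for chunk in text.split("=" * 40):
        m = REQUEST_RE.search(chunk)
        if not m:  # e.g. the empty fragment before the first separator
            continue
        host, msg = HOST_RE.search(chunk), MSG_RE.search(chunk)
        yield {"client": m.group(1), "method": m.group(3), "uri": m.group(4),
               "time": datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z"),
               "status": int(m.group(5)), "host": host.group(1) if host else "-",
               "message": msg.group(1) if msg else ""}

def summarize(text, now, window=timedelta(hours=24)):
    """Count denials per (vhost, status, triggering message) within the last `window`."""
    counts = Counter()
    for e in parse_audit_log(text):
        if timedelta(0) <= now - e["time"] <= window:  # entries older than the window are skipped
            counts[(e["host"], e["status"], e["message"])] += 1
    return counts
```

    Run it against `/var/log/httpd/audit_log` with the real clock and sort the Counter with `most_common()` to get the same morning digest Faris describes.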
     
  5. graffix

    graffix Guest

    @ w0uter:

    Is your Ruleset working with Frontpage?
    Mine is not working with it!

    I tried this:
    SecFilter "_vti_bin" allow
    SecFilterSelective THE_REQUEST "/fpsrvadm\.exe" pass
    SecFilterSelective THE_REQUEST "/fpremadm\.exe" pass
    SecFilterSelective THE_REQUEST "/admisapi/fpadmin\.htm" pass
    SecFilterSelective THE_REQUEST "/scripts/Fpadmcgi\.exe" pass
    SecFilterSelective THE_REQUEST "/_private/orders\.txt" pass
    SecFilterSelective THE_REQUEST "/_private/form_results\.txt" pass
    SecFilterSelective THE_REQUEST "/_private/registrations\.htm" pass
    SecFilterSelective THE_REQUEST "/cfgwiz\.exe" pass
    SecFilterSelective THE_REQUEST "/authors\.pwd" pass
    SecFilterSelective THE_REQUEST "/_vti_bin/_vti_aut/author\.exe" pass
    SecFilterSelective THE_REQUEST "/administrators\.pwd" pass
    SecFilterSelective THE_REQUEST "/_private/form_results\.htm" pass
    SecFilterSelective THE_REQUEST "/_vti_pvt/access\.cnf" pass
    SecFilterSelective THE_REQUEST "/_private/register\.txt" pass
    SecFilterSelective THE_REQUEST "/_private/registrations\.txt" pass
    SecFilterSelective THE_REQUEST "/_vti_pvt/service\.cnf" pass
    SecFilterSelective THE_REQUEST "/service\.pwd" pass
    SecFilterSelective THE_REQUEST "/_vti_pvt/service\.stp" pass
    SecFilterSelective THE_REQUEST "/_vti_pvt/services\.cnf" pass
    SecFilterSelective THE_REQUEST "/_vti_bin/shtml\.exe" pass
    SecFilterSelective THE_REQUEST "/_vti_pvt/svcacl\.cnf" pass
    SecFilterSelective THE_REQUEST "/users\.pwd" pass
    SecFilterSelective THE_REQUEST "/_vti_pvt/writeto\.cnf" pass
    SecFilterSelective THE_REQUEST "/dvwssr\.dll" pass
    SecFilterSelective THE_REQUEST "/_private/register\.htm" pass
    SecFilterSelective THE_REQUEST "/_vti_bin/" pass
    SecFilterSelective THE_REQUEST "/_vti_bin/shtml.exe/_vti_rpc/" pass
    SecFilterSelective THE_REQUEST "/_vti_bin/_vti_adm/fpadmcgi.exe" pass

    But it doesn't work.

    Any idea?
     
  6. w0uter

    w0uter Guest

    @ Graffix:

    I don't know, because I don't use Frontpage...
     
  7. mikk

    mikk Basic Pleskian

    If I recall, you cannot use the SecServerSignature setting if you use Frontpage; Frontpage checks this value.

    If it isn't SecServerSignature, it's something similar that causes Frontpage publishing issues, from what I recall.
     
  8. atomicturtle

    atomicturtle Golden Pleskian

    Yep, that's true. You cannot use mod_sec with Frontpage.
     
  9. Limedrink

    Limedrink Guest

    Anyone have an opinion on the modsecurity.org ruleset?

    I'm looking for an alternative to the gotroot.com ruleset because I'm just getting way too many false positives.
     