
Ruleset for mod_security and Plesk Server?

Discussion in 'Plesk for Linux - 8.x and Older' started by graffix, Aug 1, 2005.

  1. graffix

    graffix Guest

     
    Hello,

    We're having heavy problems securing our servers, and the modules from SW-Soft are too old.
    So we decided to integrate mod_security into our VZ boxes for Plesk.

    But we need a good working ruleset for mod_security.

    A few customers told us that their pages get an Internal Server Error 500.
    But when we visit the site, everything is fine.

    So, has anybody a good working ruleset for us?

    Thanks for any help; I hope for an answer so that I can sleep well in the next few days ;-)
     
  2. w0uter

    w0uter Guest

     
    I have the following rules:

    <IfModule mod_security.c>
    # Turn the filtering engine On or Off
    SecFilterEngine On

    # Change Server: string
    SecServerSignature "Apache"


    # This setting should be set to On only if the Web site is
    # using the Unicode encoding. Otherwise it may interfere with
    # the normal Web site operation.
    SecFilterCheckUnicodeEncoding Off

    # The audit engine works independently and
    # can be turned On or Off on the per-server or
    # on the per-directory basis. "On" will log everything,
    # "DynamicOrRelevant" will log dynamic requests or violations,
    # and "RelevantOnly" will only log policy violations
    SecAuditEngine RelevantOnly

    # The name of the audit log file
    SecAuditLog logs/audit_log

    # Should mod_security inspect POST payloads
    SecFilterScanPOST On

    # Action to take by default
    SecFilterDefaultAction "deny,log,status:403"

    ## ## ## ## ## ## ## ## ## ##
    ## ## ## ## ## ## ## ## ## ##

    # Require HTTP_USER_AGENT and HTTP_HOST in all requests
    # SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

    # Require Content-Length to be provided with
    # every POST request
    SecFilterSelective REQUEST_METHOD "^POST$" chain
    SecFilterSelective HTTP_Content-Length "^$"

    # Don't accept transfer encodings we know we don't handle
    # (and you don't need it anyway)
    SecFilterSelective HTTP_Transfer-Encoding "!^$"

    # Protecting from XSS attacks through the PHP session cookie
    SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
    SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"

    SecFilter "viewtopic\.php\?" chain
    SecFilter "chr\(([0-9]{1,3})\)" "deny,log"

    # Block various methods of downloading files to a server
    SecFilterSelective THE_REQUEST "wget "
    SecFilterSelective THE_REQUEST "lynx "
    SecFilterSelective THE_REQUEST "scp "
    SecFilterSelective THE_REQUEST "ftp "
    SecFilterSelective THE_REQUEST "cvs "
    SecFilterSelective THE_REQUEST "rcp "
    SecFilterSelective THE_REQUEST "curl "
    SecFilterSelective THE_REQUEST "telnet "
    SecFilterSelective THE_REQUEST "ssh "
    SecFilterSelective THE_REQUEST "echo "
    SecFilterSelective THE_REQUEST "links -dump "
    SecFilterSelective THE_REQUEST "links -dump-charset "
    SecFilterSelective THE_REQUEST "links -dump-width "
    SecFilterSelective THE_REQUEST "links http:// "
    SecFilterSelective THE_REQUEST "links ftp:// "
    SecFilterSelective THE_REQUEST "links -source "
    SecFilterSelective THE_REQUEST "mkdir "
    SecFilterSelective THE_REQUEST "cd /tmp "
    SecFilterSelective THE_REQUEST "cd /var/tmp "
    SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy "
    </IfModule>

    Let me know if I'm missing something or if it can be better!
     
  3. graffix

    graffix Guest

     
    This is mine, but I think this ruleset is not good:

    <IfModule mod_security.c>
    # Turn the filtering engine On or Off
    SecFilterEngine DynamicOnly

    # Make sure that URL encoding is valid
    SecFilterCheckURLEncoding On
    SecFilterCheckUnicodeEncoding On
    SecFilterCheckCookieFormat On

    # Only allow bytes from this range
    SecFilterForceByteRange 32 254
    # SecFilterForceByteRange 0 255

    # The audit engine works independently and
    # can be turned On or Off on the per-server or
    # on the per-directory basis
    SecAuditEngine On

    # The name of the audit log file
    SecAuditLog logs/audit_log

    SecFilterDebugLog logs/modsec_debug_log
    SecFilterDebugLevel 9

    # Should mod_security inspect POST payloads
    SecFilterScanPOST On

    # Action to take by default
    SecFilterDefaultAction "deny,log,status:500"
    #SecFilterDefaultAction "status:500,log,pass"

    SecFilterSelective ARG_p secret allow

    # Redirect user on filter match
    SecFilter xxx redirect:http://www.webkreator.com

    # Execute the external script on filter match
    SecFilter yyy log,exec:/home/users/ivanr/apache/bin/report-attack.pl

    SecFilterSelective ARG_b2inc "!^$"

    # Simple filter
    SecFilter 111 pause:5000

    # Only check the QUERY_STRING variable
    SecFilterSelective QUERY_STRING 222

    # Only check the body of the POST request
    SecFilterSelective POST_PAYLOAD 333

    # Only check arguments (will work for GET and POST)
    SecFilterSelective ARGS 444

    # Test filter
    SecFilter "/cgi-bin/modsec-test.pl/keyword"

    # Another test filter, will be denied with 500 but not logged
    # action supplied as a parameter overrides the default action
    SecFilter 999 "deny,nolog,status:500"

    # Prevent OS specific keywords
    SecFilter /etc/passwd

    # Prevent path traversal (..) attacks
    SecFilter "\.\./"

    # Weaker XSS protection but allows common HTML tags
    SecFilter "<[[:space:]]*script"

    # Prevent XSS attacks (HTML/Javascript injection)
    SecFilter "<.+>"

    # Very crude filters to prevent SQL injection attacks
    SecFilter "delete[[:space:]]+from"
    SecFilter "insert[[:space:]]+into"
    SecFilter "select.+from"

    # Require HTTP_USER_AGENT and HTTP_HOST headers
    SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

    # Forbid file upload
    # SecFilterSelective "HTTP_CONTENT_TYPE" multipart/form-data

    # Only watch argument p1
    SecFilterSelective "ARG_p1" 555

    # Watch all arguments except p2
    SecFilterSelective "ARGS|!ARG_p2" 666

    # Only allow our own test utility to send requests (or Mozilla)
    SecFilterSelective HTTP_USER_AGENT "!(mod_security|mozilla|links)"

    # Do not allow variables with this name
    SecFilterSelective ARGS_NAMES 777

    # Do not allow this variable value (names are ok)
    SecFilterSelective ARGS_VALUES 888

    # Test for a POST variable parsing bug, see test #41
    SecFilterSelective ARG_p2 AAA

    # Stop spamming through FormMail
    # note the exclamation mark at the beginning
    # of the filter - only requests that match this regex will
    # be allowed
    <Location /cgi-bin/FormMail>
    SecFilterSelective "ARG_recipient" "!@webkreator\.com$"
    </Location>

    # when allowing upload, only allow images
    # note that this is not foolproof, a determined attacker
    # could get around this
    <Location /fileupload.php>
    SecFilterInheritance Off
    SecFilterSelective POST_PAYLOAD "!image/(jpeg|bmp|gif)"
    </Location>

    # SecChrootDir /chroot/apache

    SecFilter "chicken"
    SecFilterSelective ARG_p "/bin/ls"

    SecServerSignature "MyServer x.y.z"

    # SecFilterSelective REQUEST_URI "!^[-a-zA-Z0-9\\._/]+$"
    # SecFilter "!^[-a-zA-Z0-9_/.?]+$"

    # test 50
    SecFilterSelective ARG_q1 value1 chain
    SecFilterSelective ARG_q2 value2

    # test 51
    SecFilterSelective ARG_q3 value3 skipnext
    SecFilterSelective ARG_q3 value3

    # test 52
    SecFilterSelective ARG_q5 value5 skipnext:2
    SecFilterSelective ARG_q5 value5
    SecFilterSelective ARG_q5 value5

    # test 52 - repeated with skip as an action
    SecFilterSelective ARG_q5 value5 skip:2
    SecFilterSelective ARG_q5 value5
    SecFilterSelective ARG_q5 value5

    # test 53
    SecFilterSelective COOKIE_phpsessid "!(^$|^[a-zA-Z0-9]+$)"

    # test 55
    SecFilterSelective COOKIES_NAMES "fakephpsessid"

    # test 56
    SecFilterSelective COOKIES_VALUES "!(^$|^[a-zA-Z0-9]+$)"

    # test 57
    SecFilter "wget\x20wget"

    SecFilterScanOutput On
    # SecFilterOutputMimeTypes "(null) text/html text/plain"
    SecFilterSelective OUTPUT "Fatal error:"

    # test 70
    SecFilterSelective ARGS "-bug70-"

    </IfModule>


    On this site you'll find more, but I don't know which is the best to use!

    http://www.gotroot.com


    Any help?
     
  4. faris

    faris Guest

     
    You need to go to http://www.gotroot.com/mod_security+rules

    You'll find an extensive, regularly updated set of rules which works brilliantly with Plesk (or anything else).

    Occasionally a rule might be added that causes the odd problem, but almost the moment they are reported they get modified or removed.

    But you MUST monitor your /var/log/httpd/audit_log (which is where mod_sec rule violations get listed) in order to make sure there are no rules that might cause you false positives.

    I've written (modified) a small script, which you can find in the forums at www.atomicrocketturtle.com, that emails you the last 24 hours' worth of log entries. This is the first thing I read in the morning :)

    Faris.

    p.s. you'll find a range of rulesets on gotroot.com. Use them all! (with the possible exception of the Windows IIS ones if you aren't running Windows).
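A small audit-log summariser, added here as an example; it is not faris's script and not anything posted in the thread. It reads a mod_security 1.x audit_log on standard input and counts hits per (response status, Host header, matched pattern), so the rule that is actually generating a customer's 403s or 500s floats to the top of the daily mail. The log entries embedded in the script are constructed for the example in the 1.x audit log layout (entries separated by a line of `=` signs, a `Request:` line in common-log style, then the request headers including the `mod_security-message` and `mod_security-action` headers that 1.x adds); the hostnames, addresses, user agents and timestamps are assumptions. The third constructed entry is a FrontPage authoring POST denied with status 500 by the `<.+>` filter from the config posted above, which is exactly the kind of hit to look for when customers report Internal Server Errors: with `SecFilterDefaultAction "deny,log,status:500"` every rule match is shown to the customer as a server fault.

```shell
#!/bin/sh
# Added example (not from the thread, not faris's script): summarise a
# mod_security 1.x audit_log by matched pattern, so noisy rules are visible.
# Assumes the 1.x audit log layout: entries separated by a line of '=',
# a "Request:" line in common-log style, then the request headers, among
# them the mod_security-message / mod_security-action headers 1.x appends.

# Constructed sample log (hosts, addresses, agents, timestamps are made up).
# The third entry is a FrontPage authoring POST denied with status 500 by
# the "<.+>" filter, i.e. a rule hit that the customer sees as a 500.
SAMPLE_LOG=$(cat <<'EOF'
========================================
Request: 10.0.0.5 - - [02/Aug/2005:09:12:01 +0200] "GET /forum/viewtopic.php?t=1&highlight=chr(112) HTTP/1.1" 403 275
Handler: php-script
----------------------------------------
GET /forum/viewtopic.php?t=1&highlight=chr(112) HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0
mod_security-message: Access denied with code 403. Pattern match "chr\(([0-9]{1,3})\)" at THE_REQUEST
mod_security-action: 403

HTTP/1.1 403 Forbidden
Content-Type: text/html; charset=iso-8859-1
========================================
Request: 10.0.0.5 - - [02/Aug/2005:09:12:04 +0200] "GET /forum/viewtopic.php?t=2&highlight=chr(47) HTTP/1.1" 403 275
Handler: php-script
----------------------------------------
GET /forum/viewtopic.php?t=2&highlight=chr(47) HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0
mod_security-message: Access denied with code 403. Pattern match "chr\(([0-9]{1,3})\)" at THE_REQUEST
mod_security-action: 403

HTTP/1.1 403 Forbidden
Content-Type: text/html; charset=iso-8859-1
========================================
Request: 192.0.2.20 - - [02/Aug/2005:09:20:17 +0200] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.1" 500 0
Handler: (null)
----------------------------------------
POST /_vti_bin/_vti_aut/author.exe HTTP/1.1
Host: customer.example.org
User-Agent: MSFrontPage/6.0
Content-Type: application/x-www-form-urlencoded
mod_security-message: Access denied with code 500. Pattern match "<.+>" at POST_PAYLOAD
mod_security-action: 500

HTTP/1.1 500 Internal Server Error
Content-Type: text/html; charset=iso-8859-1
EOF
)

# Reads an audit_log on stdin; prints "count status host pattern", most
# frequent first.  Messages without a "Pattern match" part (URL encoding
# or byte range checks) are kept verbatim in place of the pattern.
modsec_summary() {
    awk '
        BEGIN { status = "-"; host = "-"; pat = "" }
        function flush() {
            if (pat != "") count[status " " host " " pat]++
            status = "-"; host = "-"; pat = ""
        }
        /^=+$/ { flush(); next }
        /^Request: / {
            # the response status is the first token after the quoted request
            n = split($0, parts, "\"")
            split(parts[n], tail, " ")
            status = tail[1]
            next
        }
        /^Host: / { host = $2; next }
        /^mod_security-message: / {
            s = $0
            sub(/^mod_security-message: /, "", s)
            if (s ~ /Pattern match "/) {
                sub(/^.*Pattern match "/, "", s)
                sub(/" at .*$/, "", s)
            }
            pat = s
            next
        }
        END { flush(); for (k in count) print count[k], k }
    ' | sort -rn
}

# Stand-alone run over the constructed sample; on a real box:
#   modsec_summary < /var/log/httpd/audit_log
printf '%s\n' "$SAMPLE_LOG" | modsec_summary
```

On the sample this prints `2 403 www.example.com chr\(([0-9]{1,3})\)` followed by `1 500 customer.example.org <.+>`. A top line with hundreds of hits on one customer's host from a single pattern is the usual signature of a false positive rather than an attack, and the pattern text is what to search for in the rule files when deciding whether to disable or narrow it.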
     
  5. graffix

    graffix Guest

     
    @ w0uter:

    Is your ruleset working with FrontPage?
    Mine is not working with it!

    I tried this:
    SecFilter "_vti_bin" allow
    SecFilterSelective THE_REQUEST "/fpsrvadm\.exe" pass
    SecFilterSelective THE_REQUEST "/fpremadm\.exe" pass
    SecFilterSelective THE_REQUEST "/admisapi/fpadmin\.htm" pass
    SecFilterSelective THE_REQUEST "/scripts/Fpadmcgi\.exe" pass
    SecFilterSelective THE_REQUEST "/_private/orders\.txt" pass
    SecFilterSelective THE_REQUEST "/_private/form_results\.txt" pass
    SecFilterSelective THE_REQUEST "/_private/registrations\.htm" pass
    SecFilterSelective THE_REQUEST "/cfgwiz\.exe" pass
    SecFilterSelective THE_REQUEST "/authors\.pwd" pass
    SecFilterSelective THE_REQUEST "/_vti_bin/_vti_aut/author\.exe" pass
    SecFilterSelective THE_REQUEST "/administrators\.pwd" pass
    SecFilterSelective THE_REQUEST "/_private/form_results\.htm" pass
    SecFilterSelective THE_REQUEST "/_vti_pvt/access\.cnf" pass
    SecFilterSelective THE_REQUEST "/_private/register\.txt" pass
    SecFilterSelective THE_REQUEST "/_private/registrations\.txt" pass
    SecFilterSelective THE_REQUEST "/_vti_pvt/service\.cnf" pass
    SecFilterSelective THE_REQUEST "/service\.pwd" pass
    SecFilterSelective THE_REQUEST "/_vti_pvt/service\.stp" pass
    SecFilterSelective THE_REQUEST "/_vti_pvt/services\.cnf" pass
    SecFilterSelective THE_REQUEST "/_vti_bin/shtml\.exe" pass
    SecFilterSelective THE_REQUEST "/_vti_pvt/svcacl\.cnf" pass
    SecFilterSelective THE_REQUEST "/users\.pwd" pass
    SecFilterSelective THE_REQUEST "/_vti_pvt/writeto\.cnf" pass
    SecFilterSelective THE_REQUEST "/dvwssr\.dll" pass
    SecFilterSelective THE_REQUEST "/_private/register\.htm" pass
    SecFilterSelective THE_REQUEST "/_vti_bin/" pass
    SecFilterSelective THE_REQUEST "/_vti_bin/shtml.exe/_vti_rpc/" pass
    SecFilterSelective THE_REQUEST "/_vti_bin/_vti_adm/fpadmcgi.exe" pass

    But it doesn't work.

    Any idea?
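A note on the actions used in the whitelist attempt above, followed by an added example that is not graffix's or w0uter's configuration and not a gotroot rule. In mod_security 1.x, `pass` does not exempt a request: it means "this rule matched, log it if asked, and carry on with the next rule", so a later deny rule still fires. `allow` is the action that stops rule processing and lets the request through, and it only helps when the allow rule is evaluated before the deny rules, that is, when it comes earlier in the configuration than the generic ruleset. Whether FrontPage publishing then works with the rest of the rules is not something this thread settles. The host name, document root and included rule file below are assumptions.

```apache
# Added example, not graffix's or w0uter's configuration and not a gotroot
# rule: exempt the FrontPage extension paths from the generic filters in
# mod_security 1.x.  Host name, document root and the included rule file
# are placeholders (assumptions).
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/vhosts/example.com/httpdocs

    <IfModule mod_security.c>
        SecFilterEngine On
        SecFilterScanPOST On

        # Deny with 403, not 500: a blocked request should not look like a
        # server fault when a customer reports it, and a 403 is easy to
        # tell apart from a real PHP error in the access log.
        SecFilterDefaultAction "deny,log,status:403"

        # Exemptions first.  "allow" stops rule processing for the request;
        # "pass" would only note the match and fall through to the deny
        # rules below.  Anchored to the path prefix so that a request that
        # merely mentions _vti_bin in a query string is not exempted.
        SecFilterSelective REQUEST_URI "^/_vti_bin/" allow

        # Generic filters (for example w0uter's rules above) come after the
        # exemptions; placed before them they deny before "allow" is reached.
        Include /etc/httpd/conf/modsec-rules.conf
    </IfModule>
</VirtualHost>
```

The config posted earlier in the thread already uses the other 1.x mechanism for this, a `<Location>` block with `SecFilterInheritance Off`, which drops the inherited filters for that path; either approach works, and both exempt a path prefix rather than a substring. The line `SecFilter "_vti_bin" allow` is different: it whitelists any request that contains `_vti_bin` anywhere, including in an argument, which turns the string into a bypass for every other rule. The `_vti_pvt/*.cnf` and `*.pwd` entries in the list above hold FrontPage's configuration and password files and are not paths a publishing client needs to fetch, so there is no reason to exempt them.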
     
  6. w0uter

    w0uter Guest

     
    @ Graffix:

    I don't know because I don't use FrontPage...
     
  7. mikk

    mikk Basic Pleskian

    Joined:
    Jan 29, 2005
    Messages:
    83
    Likes Received:
    0
    If I recall, you cannot use the SecServerSignature setting if you use FrontPage; FrontPage checks this value.

    If it isn't SecServerSignature, it's something similar that causes FrontPage Publishing issues, from what I recall.
     
  8. atomicturtle

    atomicturtle Golden Pleskian

     
    Joined:
    Nov 20, 2002
    Messages:
    2,110
    Likes Received:
    7
    Location:
    Washington, DC
    Yep, that's true. You cannot use mod_sec with FrontPage.
     
  9. Limedrink

    Limedrink Guest

     
    Anyone have an opinion on the modsecurity.org ruleset?

    I'm looking for an alternative to the gotroot.com ruleset because I'm just getting way too many false positives.
     