
Server hacked, but always was updated PLESK 7.5.3

well... mod_security does cause some problems with Horde webmail... The redirect function doesn't seem to work. I must disable it until I find out what's wrong...
So don't use it with the standard rules when you want to be able to use your webmail.
 
If you're going to use the gotroot.com rules, you'll have to do a lot of tuning. They're very broad in scope and change daily. That's the "raw" feed that we're using to test and integrate with the mod_security rules we use in ASL.
 
I've got no problems with mod_security causing trouble with webmail... but, to watch for false positives you can pay close attention to /var/log/httpd/audit.log and if you find false positives, disable those rules :)

But yes, the rules need some modifications.. etc frontpage ++
 
But it should be possible to just disable the rules that block Frontpage? Or am I wrong?
 
How stupid... I somehow didn't disable one of the experimental rules. Everything works flawlessly now... :)
 
Yes, you can disable the rules for FrontPage very easily.

I think (but I'm not 100% sure) that the mod_sec rpm available in the ASL channel has them disabled for FP by default. Scott? But if not, it is just a matter of adding a few lines to the config file. A 10 second job. You'll find details on ART's forums (search for FrontPage) in the Security section.

Similarly you can disable them for Horde/Imp.

Faris.
 
mod_security

Does anyone have a recommended ruleset or pre-configured ruleset for a 'default' Plesk box?

Are most people installing mod_security via: yum install mod_security using Art's channels?

m.
 
ASL Rules

Are the rule sets available to people who are not running ASL or are they/will they be sold separately?
 
Had a quick look at your products and they seem promising. Do you have any plans for Virtuozzo based servers? As they use custom kernels I am not sure if it will work "out of the box"
 
Given the way Virtuozzo works, I don't think it will be possible to combine the ASL kernel with it (which is the most important part). You can however get the IDS components to work in Virtuozzo, namely mod_security and mod_dosevasive, as those are just regular old userspace applications. In fact we've been working on ASW (Atomic Secured Windows) which obviously won't have the hardened kernel either, which is more or less the same idea.
 
Atomic,

Why don't you promote this great ruleset some more ?

Maybe a big fat hyperlink on www.modsecurity.org itself should be an option?

I think it's a real valuable collection of rules .. everybody should know about it.

btw: Is it 100% compatible with Plesk 7.5.3 functionality? Or are there (still) some issues?
 
Ivan (who wrote mod_security) was saying he was going to change all his links to go to gotroot.com.

Believe me, I will be promoting ASL a lot more in the future, I've just been squaring away some design components with the whole system. A big huge mind-numbing labor intensive part of IDS systems is tuning those rules; what's right for one platform is wrong for another. We literally work on them every day, since the environment you're defending is so dynamic and complex.

The rules on gotroot.com are all our rules for all products (including IIS, PSA, etc), 0 day, least-privilege, and many of them completely untested. AFAIK the gotroot rules break PSA application vault packages.
 