Installing mod_security

[stealthhosts]

----------------------------------------
This article is provided free by
Stealth IT Solutions Limited
It is free for non-distribution only.
Due to the nature of this data it may
not be edited, no data may be removed
including this text.
With thanks to admin0
myshashi2010@yahoo.com
------http://www.stealthhosts.com-------

CGI Security

first, we backup our apache.conf file in CPanel.

In SSH:

cp /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/httpd-backup.conf

wget http://www.modsecurity.org/download/mod_security-1.7.6.tar.gz
tar zxvf mod_security-1.7.6.tar.gz
cd mod_security-1.7.6

cd apache1/ (or apache2/)

/usr/local/apache/bin/apxs -cia mod_security.c

ok.. that is done.
Now, let's start the configurations:

edit your httpd.conf and add the following lines:

Include /etc/mod_security.conf

Create: /etc/mod_security

IfModule mod_security.c>
# Turn the filtering engine On or Off
SecFilterEngine On 
# Change Server: string
SecServerSignature " "

# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On

# This setting should be set to On only if the Web site is
# using the Unicode encoding. Otherwise it may interfere with
# the normal Web site operation.
SecFilterCheckUnicodeEncoding Off

# Only allow bytes from this range
SecFilterForceByteRange 1 255

# The audit engine works independently and
# can be turned On of Off on the per-server or
# on the per-directory basis. "On" will log everything,
# "DynamicOrRelevant" will log dynamic requests or violations,
# and "RelevantOnly" will only log policy violations
SecAuditEngine RelevantOnly

# The name of the audit log file
SecAuditLog /var/log/httpd/audit_log

# Should mod_security inspect POST payloads
SecFilterScanPOST On

# Action to take by default
SecFilterDefaultAction "deny,log,status:500"

# Require HTTP_USER_AGENT and HTTP_HOST in all requests
SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

#Allow CPanel/WHM 
SecFilterSelective REMOTE_ADDR "^127.0.0.1$" nolog,allow

# Weaker XSS protection but allows common HTML tags
SecFilter "<[[:space:]]*script"

# Very crude filters to prevent SQL injection attacks
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"

# Protecting from XSS attacks through the PHP session cookie
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"

# Import our snort converted modsec rules
Include /etc/mod_security_snort.conf
</IfModule>

----------------------------TBC-------------------------

 

[stealthhosts]

Create: /etc/mod_security_snort.conf

# WEB-ATTACKS ps command attempt
SecFilterSelective THE_REQUEST "/bin/ps" 
# WEB-ATTACKS /bin/ps command attempt
SecFilterSelective THE_REQUEST "ps\x20"

# WEB-ATTACKS wget command attempt
SecFilter "wget\x20"

# WEB-ATTACKS uname -a command attempt
SecFilter "uname\x20-a"

# WEB-ATTACKS /usr/bin/id command attempt
SecFilterSelective THE_REQUEST "/usr/bin/id"

# WEB-ATTACKS id command attempt
SecFilter "\;id"

# WEB-ATTACKS kill command attempt
SecFilterSelective THE_REQUEST "/bin/kill"

# WEB-ATTACKS chsh command attempt
SecFilterSelective THE_REQUEST "/usr/bin/chsh"

# WEB-ATTACKS tftp command attempt
SecFilter "tftp\x20"

# WEB-ATTACKS /usr/bin/gcc command attempt
SecFilterSelective THE_REQUEST "/usr/bin/gcc"

# WEB-ATTACKS gcc command attempt
SecFilter "gcc\x20-o"

# WEB-ATTACKS /usr/bin/cc command attempt
SecFilterSelective THE_REQUEST "/usr/bin/cc"

# WEB-ATTACKS cc command attempt
SecFilter "cc\x20"

# WEB-ATTACKS /usr/bin/cpp command attempt
SecFilterSelective THE_REQUEST "/usr/bin/cpp"

# WEB-ATTACKS cpp command attempt
SecFilter "cpp\x20"

# WEB-ATTACKS /usr/bin/g++ command attempt
SecFilterSelective THE_REQUEST "/usr/bin/g\+\+"

# WEB-ATTACKS g++ command attempt
SecFilter "g\+\+\x20"

# WEB-ATTACKS bin/python access attempt
SecFilterSelective THE_REQUEST "bin/python"

# WEB-ATTACKS python access attempt
SecFilter "python\x20"

# WEB-ATTACKS bin/tclsh execution attempt
SecFilter "bin/tclsh"

# WEB-ATTACKS tclsh execution attempt
SecFilter "tclsh8\x20"

# WEB-ATTACKS bin/nasm command attempt
SecFilterSelective THE_REQUEST "bin/nasm"

# WEB-ATTACKS nasm command attempt
SecFilter "nasm\x20"

# WEB-ATTACKS perl execution attempt
SecFilter "perl\x20"

# WEB-ATTACKS traceroute command attempt
SecFilter "traceroute\x20"

# WEB-ATTACKS ping command attempt
SecFilterSelective THE_REQUEST "/bin/ping"

# WEB-ATTACKS netcat command attempt
SecFilter "nc\x20"

# WEB-ATTACKS nmap command attempt
SecFilter "nmap\x20"

# WEB-ATTACKS xterm command attempt
SecFilterSelective THE_REQUEST "/usr/X11R6/bin/xterm"

# WEB-ATTACKS X application to remote host attempt
SecFilter "\x20-display\x20"

# WEB-ATTACKS lsof command attempt
SecFilter "lsof\x20"

# WEB-ATTACKS rm command attempt
SecFilter "rm\x20"

# WEB-ATTACKS mail command attempt
SecFilterSelective THE_REQUEST "/bin/mail"

# WEB-ATTACKS mail command attempt
SecFilter "mail\x20"

# WEB-ATTACKS /bin/ls command attempt
SecFilterSelective THE_REQUEST "/bin/ls"

# WEB-ATTACKS /etc/shadow access
SecFilter "/etc/shadow"

# WEB-ATTACKS .htgroup access
SecFilterSelective THE_REQUEST "\.htgroup"

# WEB-CGI websitepro path access
SecFilter " /HTTP/1\."

# WEB-CGI formmail arbitrary command execution attempt
SecFilterSelective THE_REQUEST "/formmail" chain
SecFilter "\x0a"

# WEB-CGI formmail access
SecFilterSelective THE_REQUEST "/formmail" log,pass

# WEB-CGI phf arbitrary command execution attempt
SecFilterSelective THE_REQUEST "/phf" chain
SecFilter "\x0a/"

# WEB-CGI phf access
SecFilterSelective THE_REQUEST "/phf" log,pass

# WEB-CGI rksh access
SecFilterSelective THE_REQUEST "/rksh"

# WEB-CGI bash access
SecFilterSelective THE_REQUEST "/bash" log,pass

# WEB-CGI zsh access
SecFilterSelective THE_REQUEST "/zsh"

# WEB-CGI csh access
SecFilterSelective THE_REQUEST "/csh"

# WEB-CGI tcsh access
SecFilterSelective THE_REQUEST "/tcsh"

# WEB-CGI rsh access
SecFilterSelective THE_REQUEST "/rsh"

# WEB-CGI ksh access
SecFilterSelective THE_REQUEST "/ksh"

# WEB-CLIENT Javascript URL host spoofing attempt
SecFilter "javascript\://"

# WEB-FRONTPAGE fpsrvadm.exe access
SecFilterSelective THE_REQUEST "/fpsrvadm\.exe" log,pass

# WEB-FRONTPAGE fpremadm.exe access
SecFilterSelective THE_REQUEST "/fpremadm\.exe" log,pass

# WEB-FRONTPAGE fpadmin.htm access
SecFilterSelective THE_REQUEST "/admisapi/fpadmin\.htm" log,pass

# WEB-FRONTPAGE fpadmcgi.exe access
SecFilterSelective THE_REQUEST "/scripts/Fpadmcgi\.exe" log,pass

# WEB-FRONTPAGE orders.txt access
SecFilterSelective THE_REQUEST "/_private/orders\.txt" log,pass

# WEB-FRONTPAGE form_results access
SecFilterSelective THE_REQUEST "/_private/form_results\.txt" log,pass

# WEB-FRONTPAGE registrations.htm access
SecFilterSelective THE_REQUEST "/_private/registrations\.htm" log,pass

# WEB-FRONTPAGE cfgwiz.exe access
SecFilterSelective THE_REQUEST "/cfgwiz\.exe" log,pass

# WEB-FRONTPAGE authors.pwd access
SecFilterSelective THE_REQUEST "/authors\.pwd" log,pass

# WEB-FRONTPAGE author.exe access
SecFilterSelective THE_REQUEST "/_vti_bin/_vti_aut/author\.exe" log,pass

# WEB-FRONTPAGE administrators.pwd access
SecFilterSelective THE_REQUEST "/administrators\.pwd" log,pass

# WEB-FRONTPAGE form_results.htm access
SecFilterSelective THE_REQUEST "/_private/form_results\.htm" log,pass

# WEB-FRONTPAGE access.cnf access
SecFilterSelective THE_REQUEST "/_vti_pvt/access\.cnf" log,pass

# WEB-FRONTPAGE register.txt access
SecFilterSelective THE_REQUEST "/_private/register\.txt" log,pass

# WEB-FRONTPAGE registrations.txt access
SecFilterSelective THE_REQUEST "/_private/registrations\.txt" log,pass

# WEB-FRONTPAGE service.cnf access
SecFilterSelective THE_REQUEST "/_vti_pvt/service\.cnf" log,pass

# WEB-FRONTPAGE service.pwd
SecFilterSelective THE_REQUEST "/service\.pwd" log,pass

# WEB-FRONTPAGE service.stp access
SecFilterSelective THE_REQUEST "/_vti_pvt/service\.stp" log,pass

# WEB-FRONTPAGE services.cnf access
SecFilterSelective THE_REQUEST "/_vti_pvt/services\.cnf" log,pass

# WEB-FRONTPAGE shtml.exe access
SecFilterSelective THE_REQUEST "/_vti_bin/shtml\.exe" log,pass

# WEB-FRONTPAGE svcacl.cnf access
SecFilterSelective THE_REQUEST "/_vti_pvt/svcacl\.cnf" log,pass

# WEB-FRONTPAGE users.pwd access
SecFilterSelective THE_REQUEST "/users\.pwd" log,pass

# WEB-FRONTPAGE writeto.cnf access
SecFilterSelective THE_REQUEST "/_vti_pvt/writeto\.cnf" log,pass

# WEB-FRONTPAGE dvwssr.dll access
SecFilterSelective THE_REQUEST "/dvwssr\.dll" log,pass

# WEB-FRONTPAGE register.htm access
SecFilterSelective THE_REQUEST "/_private/register\.htm" log,pass

# WEB-FRONTPAGE /_vti_bin/ access
SecFilterSelective THE_REQUEST "/_vti_bin/" log,pass

# WEB-MISC cross site scripting \(img src=javascript\) attempt
SecFilter "img src=javascript"

# WEB-MISC .htpasswd access
SecFilter "\.htpasswd"

# WEB-MISC .htaccess access
SecFilter "\.htaccess"

# WEB-MISC cd..
SecFilter "cd\.\."

# WEB-MISC ///cgi-bin access
SecFilterSelective THE_REQUEST "///cgi-bin"

# WEB-MISC /cgi-bin/// access
SecFilterSelective THE_REQUEST "/cgi-bin///"

# WEB-MISC /~root access
SecFilterSelective THE_REQUEST "/~root"

# WEB-MISC /~ftp access
SecFilterSelective THE_REQUEST "/~ftp"

# WEB-MISC cat%20 access
SecFilter "cat\x20"

# WEB-MISC rpm_query access
SecFilterSelective THE_REQUEST "/rpm_query"

# WEB-MISC htgrep attempt
SecFilterSelective THE_REQUEST "/htgrep" chain
SecFilter "hdr=/"

# WEB-MISC htgrep access
SecFilterSelective THE_REQUEST "/htgrep" log,pass

# WEB-MISC .history access
SecFilterSelective THE_REQUEST "/\.history"

# WEB-MISC .bash_history access
SecFilterSelective THE_REQUEST "/\.bash_history"

# WEB-MISC /~nobody access
SecFilterSelective THE_REQUEST "/~nobody"

# WEB-MISC *%0a.pl access
SecFilterSelective THE_REQUEST "/*\x0a\.pl"

# WEB-MISC Apache Chunked-Encoding worm attempt
SecFilter "CCCCCCC\: AAAAAAAAAAAAAAAAAAA"

# WEB-MISC Transfer-Encoding\: chunked
SecFilter "chunked"

# WEB-PHP squirrel mail theme arbitrary command attempt
SecFilterSelective THE_REQUEST "/left_main\.php" chain
SecFilter "cmdd="

# WEB-PHP DNSTools administrator authentication bypass attempt
SecFilterSelective THE_REQUEST "/dnstools\.php" chain
SecFilter "user_dnstools_administrator=true"

# WEB-PHP DNSTools authentication bypass attempt
SecFilterSelective THE_REQUEST "/dnstools\.php" chain
SecFilter "user_logged_in=true"

# WEB-PHP DNSTools access
SecFilterSelective THE_REQUEST "/dnstools\.php" log,pass

# WEB-PHP Blahz-DNS dostuff.php modify user attempt
SecFilterSelective THE_REQUEST "/dostuff\.php\?action=modify_user"

# WEB-PHP Blahz-DNS dostuff.php access
SecFilterSelective THE_REQUEST "/dostuff\.php" log,pass

# WEB-PHP PHP-Wiki cross site scripting attempt
SecFilterSelective THE_REQUEST "<script"

# WEB-PHP strings overflow
SecFilterSelective THE_REQUEST "\?STRENGUR"

# WEB-PHP PHPLIB remote command attempt
SecFilter "_PHPLIB\[libdir\]"

All done.

restart httpd to activate the changes.