ModSecurity Ruleset

modsecurity

Here is my attempt at creating a comprehensive ModSecurity ruleset. Most of the rules are acquired from various sites/blogs. The idea behind this is to have an easily accessible ruleset that can be deployed with minimal or no modification and yet comes with an assurance of keeping your sites up and running securely.

<IfModule mod_security.c>
# Turn the filtering engine On or Off
SecFilterEngine On

# Change Server: string
SecServerSignature "Apache"

# This setting should be set to On only if the Web site is
# using the Unicode encoding. Otherwise it may interfere with
# the normal Web site operation.
SecFilterCheckUnicodeEncoding Off

# The audit engine works independently and can be turned On or Off on a
# per-server or per-directory basis. "On" logs everything, "DynamicOrRelevant"
# logs dynamic requests or violations, and "RelevantOnly" logs only policy violations.
SecAuditEngine RelevantOnly

# The name of the audit log file
SecAuditLog logs/audit_log

# Should mod_security inspect POST payloads
SecFilterScanPOST On

# Action to take by default
SecFilterDefaultAction "deny,log,status:403"

# Require HTTP_USER_AGENT and HTTP_HOST in all requests
# SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

# Require Content-Length to be provided with every POST request
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"

# Don't accept transfer encodings we know we don't handle (and you don't need it anyway)
SecFilterSelective HTTP_Transfer-Encoding "!^$"

# Protecting from XSS attacks through the PHP session cookie
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"

# Chained rule: deny requests for viewtopic.php that carry chr() calls
SecFilter "viewtopic\.php\?" chain
SecFilter "chr\(([0-9]{1,3})\)" "deny,log"

# Block various methods of downloading files to a server
SecFilterSelective THE_REQUEST "wget "
SecFilterSelective THE_REQUEST "lynx "
SecFilterSelective THE_REQUEST "scp "
SecFilterSelective THE_REQUEST "ftp "
SecFilterSelective THE_REQUEST "cvs "
SecFilterSelective THE_REQUEST "rcp "
SecFilterSelective THE_REQUEST "curl "
SecFilterSelective THE_REQUEST "telnet "
SecFilterSelective THE_REQUEST "ssh "
SecFilterSelective THE_REQUEST "echo "
SecFilterSelective THE_REQUEST "links -dump "
SecFilterSelective THE_REQUEST "links -dump-charset "
SecFilterSelective THE_REQUEST "links -dump-width "
SecFilterSelective THE_REQUEST "links http:// "
SecFilterSelective THE_REQUEST "links ftp:// "
SecFilterSelective THE_REQUEST "links -source "
SecFilterSelective THE_REQUEST "mkdir "
SecFilterSelective THE_REQUEST "cd /tmp "
SecFilterSelective THE_REQUEST "cd /var/tmp "
SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy "
SecFilterSelective THE_REQUEST "/config.php?v=1&DIR "
SecFilterSelective THE_REQUEST "&highlight=%2527%252E "
SecFilterSelective THE_REQUEST "changedir=%2Ftmp%2F.php "
SecFilterSelective THE_REQUEST "arta\.zip "
SecFilterSelective THE_REQUEST "cmd=cd\x20/var "
SecFilterSelective THE_REQUEST "HCL_path=http "
SecFilterSelective THE_REQUEST "clamav-partial "
SecFilterSelective THE_REQUEST "vi\.recover "
SecFilterSelective THE_REQUEST "netenberg "
SecFilterSelective THE_REQUEST "psybnc "
SecFilterSelective THE_REQUEST "fantastico_de_luxe "

# Block mail header injection (Cc:/Bcc: lines smuggled into form input)
SecFilter "bcc:"
SecFilter "bcc\x3a"
SecFilter "cc:"
SecFilter "cc\x3a"
SecFilter "bcc:|Bcc:|BCC:" chain
SecFilter "[A-Z0-9._%-]+@[A-Z0-9._%-]+\.[A-Z]{2,4}\,\x20[A-Z0-9._%-]+@[A-Z0-9._%-]+\.[A-Z]{2,4}"
SecFilterSelective POST_PAYLOAD "Bcc:"
SecFilterSelective POST_PAYLOAD "Bcc:\x20"
SecFilterSelective POST_PAYLOAD "cc:"
SecFilterSelective POST_PAYLOAD "cc:\x20"
SecFilterSelective POST_PAYLOAD "bcc:"
SecFilterSelective POST_PAYLOAD "bcc:\x20"
SecFilterSelective POST_PAYLOAD "bcc: "
SecFilterSelective THE_REQUEST "Bcc:"
SecFilterSelective THE_REQUEST "Bcc:\x20"
SecFilterSelective THE_REQUEST "cc:"
SecFilterSelective THE_REQUEST "cc:\x20"
SecFilterSelective THE_REQUEST "bcc:"
SecFilterSelective THE_REQUEST "bcc:\x20"
SecFilterSelective THE_REQUEST "bcc: "

# Directory traversal
SecFilterSelective THE_REQUEST "/\.\./\.\./"

# WEB-PHP phpbb quick-reply.php arbitrary command attempt
SecFilterSelective THE_REQUEST "/quick-reply\.php" chain
SecFilter "phpbb_root_path="

# Comment spam header line
SecFilter "^x-aaaaaaaaaa"

# Check for bad meta characters in User-Agent field
SecFilterSelective HTTP_USER_AGENT ".*\'"

# XSS in the UA field
SecFilterSelective HTTP_USER_AGENT "<*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)*>"

# Exploit agent
SecFilterSelective HTTP_USER_AGENT "Mosiac 1\.*"

# Bad agent
SecFilterSelective HTTP_USER_AGENT "Brutus/AET"

# CGI vuln scan tool
SecFilterSelective HTTP_USER_AGENT cgichk
SecFilterSelective HTTP_USER_AGENT "DataCha0s/2\.0"

# Damn fine UA
SecFilterSelective HTTP_USER_AGENT ".*THIS IS AN EXPLOIT*"
SecFilterSelective HTTP_USER_AGENT "Morzilla"

# CIRT.DK Webroot auditing tool
SecFilterSelective HTTP_USER_AGENT ".*WebRoot "

# Exploit UA
SecFilterSelective HTTP_USER_AGENT ".*T H A T \' S G O T T A H U R T*"

# XML RPC exploit tool
SecFilterSelective HTTP_USER_AGENT "xmlrpc exploit*"

# A friendly little exploit banner for a WP vuln
SecFilterSelective HTTP_USER_AGENT "WordPress Hash Grabber"

# Web leeches
SecFilterSelective HTTP_USER_AGENT EmailCollector
SecFilterSelective HTTP_USER_AGENT EmailWolf
SecFilterSelective HTTP_USER_AGENT WebZIP
SecFilterSelective HTTP_USER_AGENT webbandit
SecFilterSelective HTTP_USER_AGENT WebCopier
SecFilterSelective HTTP_USER_AGENT Webster
SecFilterSelective HTTP_USER_AGENT EmailSiphon
SecFilterSelective HTTP_USER_AGENT Extractorpro
SecFilterSelective HTTP_USER_AGENT "Web Downloader"
SecFilterSelective HTTP_USER_AGENT WebEMailExtrac
SecFilterSelective HTTP_USER_AGENT WebStripper
SecFilterSelective HTTP_USER_AGENT "teleport pro"

</IfModule>
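As an added example (not part of the original post, and not ModSecurity's own code), here is a small Python model of how the chained and negated SecFilterSelective rules above are evaluated. It assumes simplified ModSecurity 1.x semantics (case-sensitive regex, "!" meaning "deny unless it matches", "chain" gating the following rule, absent variables read as empty strings) and runs a constructed subset of the rules against constructed requests:

```python
import re

# Assumed simplified model of ModSecurity 1.x rule semantics (not ModSecurity's
# own code): each rule names a variable, a regex and an optional action; a leading
# "!" on the regex means "deny unless it matches", and "chain" makes the next
# rule apply only when this one matched. Absent variables are treated as "".
RULES = [  # constructed subset of the ruleset above, wrapper quotes removed
    ("REQUEST_METHOD", r"^POST$", "chain"),
    ("HTTP_Content-Length", r"^$", None),
    ("HTTP_Transfer-Encoding", r"!^$", None),
    ("COOKIE_PHPSESSID", r"!^[0-9a-z]*$", None),
    ("POST_PAYLOAD", r"bcc:\x20", None),
]

def matches(pattern, value):
    """Regex test with the 1.x '!' prefix: True means the rule fires."""
    negate = pattern.startswith("!")
    hit = re.search(pattern[1:] if negate else pattern, value) is not None
    return hit != negate

def evaluate(rules, request):
    """Return (variable, pattern) of the first rule denying `request`, else None."""
    skip_next = False
    for variable, pattern, action in rules:
        if skip_next:              # partner of a chained rule that did not match
            skip_next = False
            continue
        fired = matches(pattern, request.get(variable, ""))
        if action == "chain":
            skip_next = not fired  # chain continues only when this part matched
            continue
        if fired:
            return (variable, pattern)
    return None

# Constructed sample requests, keyed by ModSecurity 1.x variable name.
POST_NO_LENGTH = {"REQUEST_METHOD": "POST"}
POST_OK = {"REQUEST_METHOD": "POST", "HTTP_Content-Length": "42",
           "COOKIE_PHPSESSID": "a1b2c3", "POST_PAYLOAD": "name=Bob"}
GET_NO_LENGTH = {"REQUEST_METHOD": "GET"}  # chain skips the Content-Length rule
BAD_SESSION = {"REQUEST_METHOD": "GET", "COOKIE_PHPSESSID": "abc<script>"}
CHUNKED = {"REQUEST_METHOD": "GET", "HTTP_Transfer-Encoding": "chunked"}
MAIL_INJECT = {"REQUEST_METHOD": "POST", "HTTP_Content-Length": "60",
               "POST_PAYLOAD": "subject=hi\nbcc: someone@example.com"}

if __name__ == "__main__":
    for name in ("POST_NO_LENGTH", "POST_OK", "GET_NO_LENGTH",
                 "BAD_SESSION", "CHUNKED", "MAIL_INJECT"):
        print(f"{name}: {evaluate(RULES, globals()[name])}")
```

Note that the real module also normalises the request (URL decoding and similar) before matching, which this model leaves out.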

ModSecurity rules are a never-ending affair. Any modification or suggestion regarding this ruleset would be greatly appreciated.

References:

A superb article by Ivan Ristic, the author of ModSecurity.

The official ModSecurity documentation

More Rules

Unslung It!

I have been pretty fortunate to be playing around with some cool hardware these days (thanks to my boss who keeps sending them to me). One of those lovely devices to come my way was the Linksys NSLU 2.

It's a great device if you want to add additional storage to your network. It can be easily managed via a browser interface. From the official site: "The Network Storage Link features built-in disk utilities, accessible through your web browser. You can format new disk drives, and scan drives for errors. The built-in backup program lets you schedule full, incremental, or synchronization backups of your network drives to the Network Storage Link, or vice versa. It will even send you an email message when a hard drive gets nearly full, completely full, or has an error." The best part about it, though, is that there are 4 alternate open source firmwares available.

Although these firmwares differ from each other and provide different functionality, they have one thing in common: they are all much better than the stock Linksys firmware. After a lot of trials I realized that the firmware best suited to my purpose was the Unslung firmware.

NSLU 2 with a Seagate Freeagent external drive

Web Interface for those that don't ssh.