ModSecurity Ruleset

modsecurity

Here is my attempt at creating a comprehensive ModSecurity ruleset. Most of the rules were collected from various sites and blogs. The idea is to have an easily accessible ruleset that can be deployed with minimal or no modification while still keeping your sites up and running securely.

<IfModule mod_security.c>
# Turn the filtering engine On or Off
SecFilterEngine On

# Change the Server: header string
SecServerSignature "Apache"

# This setting should be set to On only if the Web site is
# using the Unicode encoding. Otherwise it may interfere with
# the normal Web site operation.
SecFilterCheckUnicodeEncoding Off

# The audit engine works independently and can be turned On or Off on a
# per-server or per-directory basis. "On" logs everything, "DynamicOrRelevant"
# logs dynamic requests or violations, and "RelevantOnly" logs policy violations only.
SecAuditEngine RelevantOnly

# The name of the audit log file
SecAuditLog logs/audit_log

# Should mod_security inspect POST payloads
SecFilterScanPOST On

# Action to take by default
SecFilterDefaultAction "deny,log,status:403"

# Require HTTP_USER_AGENT and HTTP_HOST in all requests
# SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

# Require Content-Length to be provided with every POST request
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"

# Don't accept transfer encodings we know we don't handle (and you don't need it anyway)
SecFilterSelective HTTP_Transfer-Encoding "!^$"

# Protecting from XSS attacks through the PHP session cookie
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"

# phpBB viewtopic.php highlight exploit attempts (chr() calls in the query string)
SecFilter "viewtopic\.php\?" chain
SecFilter "chr\(([0-9]{1,3})\)" "deny,log"

# Block various methods of downloading files to a server
SecFilterSelective THE_REQUEST "wget "
SecFilterSelective THE_REQUEST "lynx "
SecFilterSelective THE_REQUEST "scp "
SecFilterSelective THE_REQUEST "ftp "
SecFilterSelective THE_REQUEST "cvs "
SecFilterSelective THE_REQUEST "rcp "
SecFilterSelective THE_REQUEST "curl "
SecFilterSelective THE_REQUEST "telnet "
SecFilterSelective THE_REQUEST "ssh "
SecFilterSelective THE_REQUEST "echo "
SecFilterSelective THE_REQUEST "links -dump "
SecFilterSelective THE_REQUEST "links -dump-charset "
SecFilterSelective THE_REQUEST "links -dump-width "
SecFilterSelective THE_REQUEST "links http:// "
SecFilterSelective THE_REQUEST "links ftp:// "
SecFilterSelective THE_REQUEST "links -source "
SecFilterSelective THE_REQUEST "mkdir "
SecFilterSelective THE_REQUEST "cd /tmp "
SecFilterSelective THE_REQUEST "cd /var/tmp "
SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy "
SecFilterSelective THE_REQUEST "/config.php?v=1&DIR "
SecFilterSelective THE_REQUEST "&highlight=%2527%252E "
SecFilterSelective THE_REQUEST "changedir=%2Ftmp%2F.php "
SecFilterSelective THE_REQUEST "arta\.zip "
SecFilterSelective THE_REQUEST "cmd=cd\x20/var "
SecFilterSelective THE_REQUEST "HCL_path=http "
SecFilterSelective THE_REQUEST "clamav-partial "
SecFilterSelective THE_REQUEST "vi\.recover "
SecFilterSelective THE_REQUEST "netenberg "
SecFilterSelective THE_REQUEST "psybnc "
SecFilterSelective THE_REQUEST "fantastico_de_luxe "

# Block mail header injection (Bcc:/Cc: lines) in the request line or POST body
SecFilter "bcc:"
SecFilter "bcc\x3a"
SecFilter "cc:"
SecFilter "cc\x3a"
SecFilter "bcc:|Bcc:|BCC:" chain
SecFilter "[A-Z0-9._%-]+@[A-Z0-9._%-]+\.[A-Z]{2,4}\,\x20[A-Z0-9._%-]+@[A-Z0-9._%-]+\.[A-Z]{2,4}"
SecFilterSelective POST_PAYLOAD "Bcc:"
SecFilterSelective POST_PAYLOAD "Bcc:\x20"
SecFilterSelective POST_PAYLOAD "cc:"
SecFilterSelective POST_PAYLOAD "cc:\x20"
SecFilterSelective POST_PAYLOAD "bcc:"
SecFilterSelective POST_PAYLOAD "bcc:\x20"
SecFilterSelective POST_PAYLOAD "bcc: "
SecFilterSelective THE_REQUEST "Bcc:"
SecFilterSelective THE_REQUEST "Bcc:\x20"
SecFilterSelective THE_REQUEST "cc:"
SecFilterSelective THE_REQUEST "cc:\x20"
SecFilterSelective THE_REQUEST "bcc:"
SecFilterSelective THE_REQUEST "bcc:\x20"
SecFilterSelective THE_REQUEST "bcc: "

# Directory traversal in the request line
SecFilterSelective THE_REQUEST "/\.\./\.\./"

# WEB-PHP phpbb quick-reply.php arbitrary command attempt
SecFilterSelective THE_REQUEST "/quick-reply\.php" chain
SecFilter "phpbb_root_path="

# Comment spam header line
SecFilter "^x-aaaaaaaaaa"

# Check for bad meta characters in the User-Agent field
SecFilterSelective HTTP_USER_AGENT ".*\'"

# XSS in the UA field
SecFilterSelective HTTP_USER_AGENT "<*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)*>"

# Exploit agent
SecFilterSelective HTTP_USER_AGENT "Mosiac 1\.*"

# Bad agent
SecFilterSelective HTTP_USER_AGENT "Brutus/AET"

# CGI vuln scan tool
SecFilterSelective HTTP_USER_AGENT cgichk
SecFilterSelective HTTP_USER_AGENT "DataCha0s/2\.0"

# Damn fine UA
SecFilterSelective HTTP_USER_AGENT ".*THIS IS AN EXPLOIT*"
SecFilterSelective HTTP_USER_AGENT "Morzilla"

# CIRT.DK Webroot auditing tool
SecFilterSelective HTTP_USER_AGENT ".*WebRoot "

# Exploit UA
SecFilterSelective HTTP_USER_AGENT ".*T H A T \' S G O T T A H U R T*"

# XML RPC exploit tool
SecFilterSelective HTTP_USER_AGENT "xmlrpc exploit*"

# A friendly little exploit banner for a WP vuln
SecFilterSelective HTTP_USER_AGENT "WordPress Hash Grabber"

# Web leeches (site rippers and e-mail harvesters)
SecFilterSelective HTTP_USER_AGENT EmailCollector
SecFilterSelective HTTP_USER_AGENT EmailWolf
SecFilterSelective HTTP_USER_AGENT WebZIP
SecFilterSelective HTTP_USER_AGENT webbandit
SecFilterSelective HTTP_USER_AGENT WebCopier
SecFilterSelective HTTP_USER_AGENT Webster
SecFilterSelective HTTP_USER_AGENT EmailSiphon
SecFilterSelective HTTP_USER_AGENT Extractorpro
SecFilterSelective HTTP_USER_AGENT "Web Downloader"
SecFilterSelective HTTP_USER_AGENT WebEMailExtrac
SecFilterSelective HTTP_USER_AGENT WebStripper
SecFilterSelective HTTP_USER_AGENT "teleport pro"

</IfModule>
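As an added example (not part of the original post or of ModSecurity itself), here is a small Python dry-run that reads a handful of the rules above in their legacy SecFilter/SecFilterSelective syntax and reports which of them fire on constructed sample requests. It assumes simplified ModSecurity 1.x semantics: case-sensitive regex search, a leading "!" negates the pattern, "chain" requires the following rule to match as well, and each field is URL-decoded before matching; the field names are the ones the ruleset uses.

```python
import re
from urllib.parse import unquote

# Rules copied from the ruleset above (ASCII quotes), fed to a simplified dry-run.
RULES_TEXT = r'''
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective POST_PAYLOAD "cc:"
SecFilterSelective HTTP_USER_AGENT EmailSiphon
SecFilterSelective THE_REQUEST "/\.\./\.\./"
SecFilter "bcc\x3a"
'''

def parse_rules(text):
    rules = []                                       # (variables, pattern, negate, chain)
    for line in text.strip().splitlines():
        parts = [p.strip('"') for p in re.findall(r'"[^"]*"|\S+', line)]
        chain = parts[-1] == "chain"                 # next rule must match too
        args = parts[1:-1] if chain else parts[1:]
        if parts[0] == "SecFilterSelective":
            variables, pattern = args[0].split("|"), args[1]
        else:                                        # SecFilter: None = every field
            variables, pattern = None, args[0]
        rules.append((variables, pattern.lstrip("!"), pattern.startswith("!"), chain))
    return rules

def rule_matches(rule, request):
    variables, pattern, negate, _ = rule             # URL-decode; absent field = ""
    return any(bool(re.search(pattern, unquote(request.get(v, "")))) != negate
               for v in (variables or request))      # case-sensitive regex search

def matching_rules(rules, request):
    hits, head, ok = [], None, True                  # head = first pattern of a chain
    for rule in rules:
        head = head or rule[1]
        ok = ok and rule_matches(rule, request)
        if not rule[3]:                              # single rule or chain complete
            if ok: hits.append(head)
            head, ok = None, True
    return hits
RULES = parse_rules(RULES_TEXT)
# Constructed samples: a benign form post that merely mentions "cc:", and a
# request that trips several rules at once (no Content-Length, leech UA).
BENIGN_POST = {"REQUEST_METHOD": "POST", "HTTP_Content-Length": "23",
    "HTTP_USER_AGENT": "Mozilla/5.0", "COOKIE_PHPSESSID": "a1b2c3",
    "THE_REQUEST": "POST /contact.php HTTP/1.1", "POST_PAYLOAD": "body=see%20cc%3A%20list"}
SUSPECT_POST = {"REQUEST_METHOD": "POST", "HTTP_USER_AGENT": "EmailSiphon/1.0",
    "COOKIE_PHPSESSID": "abc<script>", "THE_REQUEST": "POST /x/../../ HTTP/1.1",
    "POST_PAYLOAD": "to=a%40example.com%0Abcc%3Ab%40example.com"}
```

The benign post fires the bare "cc:" rule, which is the kind of false positive worth checking against real traffic before a ruleset with deny as the default action goes live.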

ModSecurity rules are a never-ending affair. Any modification or suggestion regarding this ruleset would be greatly appreciated.

References:

A superb article by Ivan Ristic, the author of ModSecurity.

The official ModSecurity documentation

More Rules
