ModSecurity Ruleset

modsecurity

Here is my attempt at creating a comprehensive ModSecurity ruleset. Most of the rules are acquired from various sites/blogs. The idea behind this is to have an easily accessible ruleset that can be deployed with minimum/no modifications and yet comes with an assurance of keeping your sites up and running securely.

<IfModule mod_security.c>
# Turn the filtering engine On or Off
SecFilterEngine On

# Change the Server: string
SecServerSignature "Apache"

# This setting should be set to On only if the Web site is
# using the Unicode encoding. Otherwise it may interfere with
# the normal Web site operation.
SecFilterCheckUnicodeEncoding Off

# The audit engine works independently and can be turned On or Off on a
# per-server or per-directory basis. "On" logs everything,
# "DynamicOrRelevant" logs dynamic requests or violations, and
# "RelevantOnly" logs policy violations only.
SecAuditEngine RelevantOnly

# The name of the audit log file
SecAuditLog logs/audit_log

# Should mod_security inspect POST payloads
SecFilterScanPOST On

# Action to take by default
SecFilterDefaultAction "deny,log,status:403"

# Require HTTP_USER_AGENT and HTTP_HOST in all requests
# SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

# Require Content-Length to be provided with every POST request
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"

# Don't accept transfer encodings we know we don't handle (and you don't need it anyway)
SecFilterSelective HTTP_Transfer-Encoding "!^$"

# Protecting from XSS attacks through the PHP session cookie
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"

# phpBB viewtopic.php requests carrying chr() calls
SecFilter "viewtopic\.php\?" chain
SecFilter "chr\(([0-9]{1,3})\)" "deny,log"

# Block various methods of downloading files to a server
SecFilterSelective THE_REQUEST "wget "
SecFilterSelective THE_REQUEST "lynx "
SecFilterSelective THE_REQUEST "scp "
SecFilterSelective THE_REQUEST "ftp "
SecFilterSelective THE_REQUEST "cvs "
SecFilterSelective THE_REQUEST "rcp "
SecFilterSelective THE_REQUEST "curl "
SecFilterSelective THE_REQUEST "telnet "
SecFilterSelective THE_REQUEST "ssh "
SecFilterSelective THE_REQUEST "echo "
SecFilterSelective THE_REQUEST "links -dump "
SecFilterSelective THE_REQUEST "links -dump-charset "
SecFilterSelective THE_REQUEST "links -dump-width "
SecFilterSelective THE_REQUEST "links http:// "
SecFilterSelective THE_REQUEST "links ftp:// "
SecFilterSelective THE_REQUEST "links -source "
SecFilterSelective THE_REQUEST "mkdir "
SecFilterSelective THE_REQUEST "cd /tmp "
SecFilterSelective THE_REQUEST "cd /var/tmp "
SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy "
SecFilterSelective THE_REQUEST "/config.php?v=1&DIR "
SecFilterSelective THE_REQUEST "&highlight=%2527%252E "
SecFilterSelective THE_REQUEST "changedir=%2Ftmp%2F.php "
SecFilterSelective THE_REQUEST "arta\.zip "
SecFilterSelective THE_REQUEST "cmd=cd\x20/var "
SecFilterSelective THE_REQUEST "HCL_path=http "
SecFilterSelective THE_REQUEST "clamav-partial "
SecFilterSelective THE_REQUEST "vi\.recover "
SecFilterSelective THE_REQUEST "netenberg "
SecFilterSelective THE_REQUEST "psybnc "
SecFilterSelective THE_REQUEST "fantastico_de_luxe "

# Block mail header injection (Bcc:/Cc: lines pushed through contact forms),
# in the request line, in POST payloads, and in any case variant
SecFilter "bcc:"
SecFilter "bcc\x3a"
SecFilter "cc:"
SecFilter "cc\x3a"
SecFilter "bcc:|Bcc:|BCC:" chain
SecFilter "[A-Z0-9._%-]+@[A-Z0-9._%-]+\.[A-Z]{2,4}\,\x20[A-Z0-9._%-]+@[A-Z0-9._%-]+\.[A-Z]{2,4}"
SecFilterSelective POST_PAYLOAD "Bcc:"
SecFilterSelective POST_PAYLOAD "Bcc:\x20"
SecFilterSelective POST_PAYLOAD "cc:"
SecFilterSelective POST_PAYLOAD "cc:\x20"
SecFilterSelective POST_PAYLOAD "bcc:"
SecFilterSelective POST_PAYLOAD "bcc:\x20"
SecFilterSelective POST_PAYLOAD "bcc: "
SecFilterSelective THE_REQUEST "Bcc:"
SecFilterSelective THE_REQUEST "Bcc:\x20"
SecFilterSelective THE_REQUEST "cc:"
SecFilterSelective THE_REQUEST "cc:\x20"
SecFilterSelective THE_REQUEST "bcc:"
SecFilterSelective THE_REQUEST "bcc:\x20"
SecFilterSelective THE_REQUEST "bcc: "

# Directory traversal
SecFilterSelective THE_REQUEST "/\.\./\.\./"

# WEB-PHP phpbb quick-reply.php arbitrary command attempt
SecFilterSelective THE_REQUEST "/quick-reply\.php" chain
SecFilter "phpbb_root_path="

# Comment spam header line
SecFilter "^x-aaaaaaaaaa"

# Check for bad meta characters in the User-Agent field
SecFilterSelective HTTP_USER_AGENT ".*\'"

# XSS in the UA field
SecFilterSelective HTTP_USER_AGENT "<*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)*>"

# Exploit agent
SecFilterSelective HTTP_USER_AGENT "Mosiac 1\.*"

# Bad agent
SecFilterSelective HTTP_USER_AGENT "Brutus/AET"

# CGI vuln scan tool
SecFilterSelective HTTP_USER_AGENT cgichk
SecFilterSelective HTTP_USER_AGENT "DataCha0s/2\.0"

# Damn fine UA
SecFilterSelective HTTP_USER_AGENT ".*THIS IS AN EXPLOIT*"
SecFilterSelective HTTP_USER_AGENT "Morzilla"

# CIRT.DK Webroot auditing tool
SecFilterSelective HTTP_USER_AGENT ".*WebRoot "

# Exploit UA
SecFilterSelective HTTP_USER_AGENT ".*T H A T \' S G O T T A H U R T*"

# XML RPC exploit tool
SecFilterSelective HTTP_USER_AGENT "xmlrpc exploit*"

# A friendly little exploit banner for a WP vuln
SecFilterSelective HTTP_USER_AGENT "WordPress Hash Grabber"

# Web leeches
SecFilterSelective HTTP_USER_AGENT EmailCollector
SecFilterSelective HTTP_USER_AGENT EmailWolf
SecFilterSelective HTTP_USER_AGENT WebZIP
SecFilterSelective HTTP_USER_AGENT webbandit
SecFilterSelective HTTP_USER_AGENT WebCopier
SecFilterSelective HTTP_USER_AGENT Webster
SecFilterSelective HTTP_USER_AGENT EmailSiphon
SecFilterSelective HTTP_USER_AGENT Extractorpro
SecFilterSelective HTTP_USER_AGENT "Web Downloader"
SecFilterSelective HTTP_USER_AGENT WebEMailExtrac
SecFilterSelective HTTP_USER_AGENT WebStripper
SecFilterSelective HTTP_USER_AGENT "teleport pro"

</IfModule>
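As an added example (not part of the original post or of ModSecurity itself), a small Python evaluator for the mod_security 1.x rule forms used above, run over constructed requests; the rule subset, the sample requests and the case-sensitive matching are assumptions of this example. It shows the chained Content-Length check denying a POST, and the bare "bcc:" SecFilter denying a legitimate support message, the kind of false positive to weigh before deploying such rules unmodified.

```python
import re

# Constructed subset of the page's rules: (variable, pattern, negated, chained).
# variable None stands for SecFilter, which matches anywhere in the request.
RULES = [
    ("REQUEST_METHOD", r"^POST$", False, True),         # chain: POST request ...
    ("HTTP_Content-Length", r"^$", False, False),       # ... with no Content-Length
    ("HTTP_Transfer-Encoding", r"^$", True, False),     # any Transfer-Encoding header
    ("COOKIE_PHPSESSID", r"^[0-9a-z]*$", True, False),  # non-alphanumeric session id
    (None, r"bcc:", False, False),                      # mail header injection guard
]
def whole_request(req):
    """Reassemble request line, headers and body for a SecFilter match."""
    lines = [f'{req["method"]} {req["uri"]} HTTP/1.1']
    lines += [f"{k}: {v}" for k, v in req["headers"].items()]
    return "\n".join(lines + ["", req.get("body", "")])
def variable(req, name):   # resolve a mod_security 1.x variable name against the request dict
    if name == "REQUEST_METHOD":
        return req["method"]
    if name == "THE_REQUEST":
        return f'{req["method"]} {req["uri"]} HTTP/1.1'
    if name.startswith("HTTP_"):   # HTTP_USER_AGENT -> user-agent (headers keyed lowercase)
        return req["headers"].get(name[5:].replace("_", "-").lower(), "")
    if name.startswith("COOKIE_"):
        return req.get("cookies", {}).get(name[7:], "")
    raise KeyError(name)
def matches(req, rule):
    var, pattern, negated, _ = rule
    subject = variable(req, var) if var else whole_request(req)
    # Case-sensitive matching is an assumption; check your mod_security version's normalisation.
    return bool(re.search(pattern, subject)) != negated
def blocked_by(req):
    """Return a description of the first rule or chain that denies req, else None."""
    i = 0
    while i < len(RULES):
        end = i
        while RULES[end][3]:            # a chained rule pulls in the following one
            end += 1
        chain = RULES[i:end + 1]
        if all(matches(req, r) for r in chain):   # every link must match to deny
            var, pattern, negated, _ = chain[-1]
            return f"{var or 'SecFilter'} {'!' if negated else ''}{pattern}"
        i = end + 1
    return None

# Constructed sample requests; header names are stored lowercase.
OK = {"method": "GET", "uri": "/index.php?id=12", "cookies": {"PHPSESSID": "3f2a9c1d"},
      "headers": {"host": "example.test", "user-agent": "Mozilla/5.0"}}
POST_NO_LENGTH = {"method": "POST", "uri": "/contact.php", "headers": {"host": "example.test"}, "body": "name=bob"}
BAD_SESSION = {"method": "GET", "uri": "/", "headers": {}, "cookies": {"PHPSESSID": "<script>"}}
SUPPORT_TICKET = {"method": "POST", "uri": "/ticket.php", "headers": {"content-length": "41"},
                  "body": "msg=Please bcc: my manager on the reply"}  # legitimate text, still denied
```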

ModSecurity rules are a never ending affair. Any modification/suggestion regarding this ruleset would be greatly appreciated.

References:

A superb article by Ivan Ristic, the author of ModSecurity.

The official ModSecurity documentation

More Rules

Replication

Flawless replication of a Linux box is one of the greatest advantages of Linux. Here's an overview of how to get it done. But why would one want to replicate a Linux box?

Reason 1: You have bought a new PC and want to move the same OS, with all those custom settings, onto the new one.

Reason 2: You feel that your hardware is acting funny and may fall apart at any moment; in that case this doubles as a backup scheme.

Reason 3: Having exactly the same OS on two machines means that if I had to update one machine, I wouldn't have to download the packages again to update the other one (with thin and expensive internet pipes, that definitely means something).

Reason 4: When the need arises to do similar installations on a large scale.

I want to say that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take.

What would one need to do this?

Requirement 1: A live CD with good hardware detection abilities. Something like Knoppix or others like System Rescue, Helix etc.

Requirement 2: If you do not want to open up any of the machines, the replication job can be done over a network (I definitely prefer this, because the warranty on a new PC stays intact). In that case at least a crossover cable and LAN cards on both machines are a must.

Be certain that the OS being cloned is not too old for the hardware you wish to clone it onto. For example, if the OS has a 2.4 kernel, the USB controller will probably have no support, or the X server will refuse to start because the graphics card or TFT monitor could not be identified. For reasons such as this it is very important to keep the OS updated.

I’ll be calling the machine being cloned “A” and the other “B” and both these machines will be cloned over a network.

Boot machine A with its existing OS and boot machine B with the Knoppix live CD, preferably in runlevel 2 by issuing "knoppix 2" at the start-up screen. If machine B has no more than 64Mb of RAM, recent versions of Knoppix will refuse to boot; in that case use an older version of Knoppix, say one in the 3.x series.

Set appropriate IP addresses on both machines and ensure that ssh works between the two. For example, 192.168.0.1 on A and 192.168.0.2 on B, both with a subnet mask of 255.255.255.0.

Check the disk usage on A and create partitions on B. Here I would recommend creating a separate /boot partition maybe of 100Mb size.

Use the “mkfs.ext3 -O none /dev/hdax” command to create the file-system.

I'm using the "-O none" option here because the version of Knoppix I'm using is the latest while the OS on machine A is pretty old. The ext3 file-system has had a number of changes over the years, and the machine may well never boot without this option.

Do not forget to create the swap partition and format it using “mkswap /dev/hdax”.

Mount the first partition on B, for example:

# mount /dev/hda1 /media/hda1

In my case this was the /boot partition. Then copy it over from A:

# rsync -Pax --numeric-ids -e ssh root@192.168.0.1:/boot/ /media/hda1/

Do this for every partition.

Mount the partition on B that contains the /etc/ directory and edit the fstab file accordingly. Also edit modules.conf/modprobe.conf if you are sure which modules will be used on B.

If your boot and / partitions on B are different from that on A, do not forget to edit the grub.conf or menu.lst file for grub to boot the machine properly.

The last step is to install grub on the master boot record or the active primary partition. To do so, first unmount the boot partition that's mounted on /media/hda1 and mount it on /boot of the running Knoppix system.

# umount /dev/hda1

# mount /dev/hda1 /boot

# grub-install /dev/hda

or, to install it on the active primary partition instead:

# grub-install /dev/hdax

Reboot the machine without the Knoppix live CD. Boot into single user mode the first time. If you have replicated a Red Hat based distro, something like kudzu will guide you through the hardware changes detected. If it's a Debian based distro, issue "update-modules" once you have booted.
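An added example, not from the original post: a small Python helper that generates the per-partition mkfs/mount/rsync steps described above (with the "-O none" and "--numeric-ids" options the post uses) and rewrites the copied fstab for machine B's device names. The partition layout, the mount point naming and the "--run" flag are assumptions of this example; 192.168.0.1 is the address the post assigns to machine A.

```python
import subprocess
import sys

def clone_commands(src_host, partitions):
    """partitions: list of (source_path_on_A, target_device_on_B).
    Returns, in order, the commands the post runs by hand for each partition."""
    cmds = []
    for src, dev in partitions:
        mnt = "/mnt/clone" + dev.replace("/", "_")   # /dev/hda1 -> /mnt/clone_dev_hda1 (assumed naming)
        cmds += [
            ["mkfs.ext3", "-O", "none", dev],        # -O none: an older guest OS may not boot otherwise
            ["mkdir", "-p", mnt],
            ["mount", dev, mnt],
            # -a keeps permissions and ownership, -x stays on one filesystem,
            # --numeric-ids keeps uid/gid numbers instead of resolving names on B
            ["rsync", "-Pax", "--numeric-ids", "-e", "ssh",
             f"root@{src_host}:{src.rstrip('/')}/", mnt + "/"],
        ]
    return cmds

def remap_fstab(text, mapping):
    """Rewrite the device field of each fstab line according to mapping
    ({A's device: B's device}); comments, blank lines and unknown devices pass through."""
    out = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or fields[0] not in mapping:
            out.append(line)
            continue
        out.append(line.replace(fields[0], mapping[fields[0]], 1))
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    # Constructed example layout: B gets a separate /boot as the post recommends.
    layout = [("/boot", "/dev/hda1"), ("/", "/dev/hda2")]
    for cmd in clone_commands("192.168.0.1", layout):
        print(" ".join(cmd))
        if "--run" in sys.argv:            # only execute when explicitly asked (run on B as root)
            subprocess.run(cmd, check=True)
```

Without "--run" the script only prints the steps, which is a cheap way to review the device names before anything is formatted.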

That's it. Simple, isn't it? I'm sorry for my terrible writing, but like I said before, it's just an overview.

Let me say that I’m truly overwhelmed by the responses to my previous postings. It would be simply superb if all of it could be as comments on this blog rather than mails to me. Thanks a million.