SharkSpace_Amanda
12-26-2006, 08:38 PM
1) Login to shell as root.
2) Download the latest version from http://www.modsecurity.org/download/ ( Use version 1.x for apache 1)
wget http://www.modsecurity.org/download/modsecurity-apache_1.9.4.tar.gz
3) Uncompress the download.
tar zxvf modsecurity-apache_1.9.4.tar.gz
4) Go into the mod security directory.
cd modsecurity-apache_1.9.4
5) Select the correct apache version.
APACHE 1.x users
cd apache1/
APACHE 2.x users
cd apache2/
6) Compile mod_security
/usr/local/apache/bin/apxs -cia mod_security.c
7) Backup your apache configuration file.
cp /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/httpd.conf.backup
8) Edit the apache configuration file.
nano -w /usr/local/apache/conf/httpd.conf
9) Add mod_security rules. (The rules below are what I recommend. You can use any rules you like.)
Go below <IfModule mod_dir.c> and add:
<IfModule mod_security.c>
# Turn the filtering engine On or Off
SecFilterEngine On
# Change Server: string
SecServerSignature "Apache"
# This setting should be set to On only if the Web site is
# using the Unicode encoding. Otherwise it may interfere with
# the normal Web site operation.
SecFilterCheckUnicodeEncoding Off
# The audit engine works independently and
# can be turned On or Off on the per-server or
# on the per-directory basis. "On" will log everything,
# "DynamicOrRelevant" will log dynamic requests or violations,
# and "RelevantOnly" will only log policy violations
SecAuditEngine RelevantOnly
# The name of the audit log file
SecAuditLog logs/audit_log
# Should mod_security inspect POST payloads
SecFilterScanPOST On
# Action to take by default
SecFilterDefaultAction "deny,log,status:403"
## ## ## ## ## ## ## ## ## ##
## ## ## ## ## ## ## ## ## ##
# PHP code injection attack
SecFilterSelective HTTP_USER_AGENT "(<\?php|<[[:space:]]*\?[[:space:]]*php)"
SecFilterSelective HTTP_USER_AGENT ".*HTTP_GET_VARS"
# Require HTTP_USER_AGENT and HTTP_HOST in all requests
# SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"
# Require Content-Length to be provided with
# every POST request
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"
# Don't accept transfer encodings we know we don't handle
# (and you don't need it anyway)
SecFilterSelective HTTP_Transfer-Encoding "!^$"
# Protecting from XSS attacks through the PHP session cookie
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
SecFilter "viewtopic\.php\?" chain
SecFilter "chr\(([0-9]{1,3})\)" "deny,log"
# Block various methods of downloading files to a server
SecFilterSelective THE_REQUEST "wget "
SecFilterSelective THE_REQUEST "lynx "
SecFilterSelective THE_REQUEST "scp "
SecFilterSelective THE_REQUEST "ftp "
SecFilterSelective THE_REQUEST "cvs "
SecFilterSelective THE_REQUEST "rcp "
SecFilterSelective THE_REQUEST "curl "
SecFilterSelective THE_REQUEST "telnet "
SecFilterSelective THE_REQUEST "ssh "
SecFilterSelective THE_REQUEST "echo "
SecFilterSelective THE_REQUEST "links -dump "
SecFilterSelective THE_REQUEST "links -dump-charset "
SecFilterSelective THE_REQUEST "links -dump-width "
SecFilterSelective THE_REQUEST "links http:// "
SecFilterSelective THE_REQUEST "links ftp:// "
SecFilterSelective THE_REQUEST "links -source "
SecFilterSelective THE_REQUEST "mkdir "
SecFilterSelective THE_REQUEST "cd /tmp "
SecFilterSelective THE_REQUEST "cd /var/tmp "
SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy "
SecFilterSelective THE_REQUEST "/cse\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/terminatorX-exp.*\.(gif|jpg|txt|bmp|php)\?"
SecFilterSelective THE_REQUEST "/\.it/viewde"
SecFilterSelective THE_REQUEST "/cmd\?&(command|cmd)="
SecFilterSelective THE_REQUEST "/cmd\.php\.ns\?&(command|cmd)="
SecFilterSelective THE_REQUEST "/cmd\.dat\?&(command|cmd)="
SecFilterSelective THE_REQUEST "/sep\.txt\?&(command|cmd)="
SecFilterSelective THE_REQUEST "/s\.txt\?&(cmd|command)="
SecFilterSelective THE_REQUEST "/pro18\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/shell\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/bash\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/(o|0|p)wn(e|3)d\.(gif|jpg|txt|bmp)\?&(cmd|command)="
SecFilterSelective THE_REQUEST "/get\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/root\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/spy\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/nmap\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/asc\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/lila\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/sh\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/new(cmd|command)\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/(cmd|command)\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/(cmd|command)[0-9]\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/[a-z](cmd|command)\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/[a-z](cmd|command)[0-9]\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/ijoo\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/oinc\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/a\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/gif\.ph(p(3|4)?|tml)\?"
SecFilterSelective THE_REQUEST "/jpg\.ph(p(3|4)?|tml)\?"
SecFilterSelective THE_REQUEST "/ion\.ph(p(3|4)?|tml)\?"
SecFilterSelective THE_REQUEST "/lala\.ph(p(3|4)?|tml)\?"
SecFilterSelective THE_REQUEST "/shell\.ph(p(3|4)?|tml)\?"
SecFilterSelective THE_REQUEST "/phpshell\.ph(p(3|4)?|tml)\?"
SecFilterSelective THE_REQUEST "/tool[12][05]\.ph(p(3|4)?|tml)\?"
SecFilterSelective THE_REQUEST "/tool[12]\.ph(p(3|4)?|tml)\?"
SecFilterSelective THE_REQUEST "/tool[12][0-9]\.js"
SecFilterSelective THE_REQUEST "/tool25\.js"
SecFilterSelective THE_REQUEST "/img/wiki_up/.*\.(php(3|4)?|tml|cgi|sh)"
SecFilterSelective THE_REQUEST "wiki_up/gif\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST "wiki_up/ion\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST "wiki_up/jpg\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST "wiki_up/lala\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST "wiki_up/.*\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST "/phpshell\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST "/shell\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST "/tool20\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST "/temp/gif\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST "/temp/lala\.ph(p(3|4)?|tml)"
SecFilterSelective REQUEST_URI "/phpterm"
SecFilterSelective THE_REQUEST "/iblis\.htm\?"
SecFilterSelective THE_REQUEST "/gif\.gif\?"
SecFilterSelective THE_REQUEST "/go\.php\.txt\?"
SecFilterSelective THE_REQUEST "/sh[0-9]\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/iys\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/shell[0-9]\.(gif|jpg|txt|bmp)\?"
SecFilterSelective THE_REQUEST "/zehir\.asp"
SecFilterSelective THE_REQUEST "/aflast\.txt\?"
SecFilterSelective THE_REQUEST "/sikat\.txt\?&cmd"
SecFilterSelective THE_REQUEST "/t\.gif\?"
SecFilterSelective THE_REQUEST "/phpbb_patch\?&"
SecFilterSelective THE_REQUEST "/phpbb2_patch\?&"
SecFilterSelective THE_REQUEST "/lukka\?&"
</IfModule>
10) Save the file
Ctrl + X then Y
11) Restart apache
/etc/rc.d/init.d/httpd restart
Process complete
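As an added example (not part of the post above, and not mod_security's own code): a small Python evaluator for a subset of the SecFilterSelective rule syntax used in the post, run against constructed requests. It shows how a two-rule "chain", a "!" negated pattern and the HTTP_/COOKIE_/THE_REQUEST locations behave, and why plain substring rules such as "echo " on THE_REQUEST also block legitimate requests. Assumptions: Python's re module stands in for the POSIX regex engine mod_security 1.x uses (so the [[:space:]] rule is left out), the request line is URL-decoded before matching (assumed to mirror mod_security's input normalization), and the Request class, rule subset and sample requests are all constructed for the demonstration.

```python
"""Added example: offline evaluator for a subset of mod_security 1.x
SecFilterSelective rules. Assumptions: Python re stands in for the POSIX
regex engine; THE_REQUEST is matched after URL decoding. All data is constructed."""
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed subset of the post's rules, as they read in httpd.conf.
RULES_TEXT = r'''
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"
SecFilterSelective HTTP_Transfer-Encoding "!^$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective THE_REQUEST "wget "
SecFilterSelective THE_REQUEST "echo "
SecFilterSelective THE_REQUEST "/cmd\.dat\?&(command|cmd)="
SecFilterSelective THE_REQUEST "/(cmd|command)\.(gif|jpg|txt|bmp)\?"
'''

RULE_RE = re.compile(r'^SecFilterSelective\s+(\S+)\s+"([^"]*)"(?:\s+(chain|"[^"]*"))?\s*$')


@dataclass
class Rule:
    location: str
    regex: re.Pattern
    negate: bool   # pattern began with '!': fire when the regex does NOT match
    chain: bool    # 'chain' keyword: the next rule must match too
    text: str      # original rule line, for reporting

    def matches(self, req):
        hit = self.regex.search(req.location(self.location)) is not None
        return hit != self.negate


@dataclass
class Request:
    method: str
    uri: str                                      # raw request-URI as sent
    headers: dict = field(default_factory=dict)   # lower-case name -> value
    cookies: dict = field(default_factory=dict)   # cookie name -> value

    def location(self, name):
        """Resolve a SecFilterSelective location to its value ('' if absent)."""
        if name == "THE_REQUEST":
            return f"{self.method} {unquote(self.uri)} HTTP/1.1"
        if name == "REQUEST_METHOD":
            return self.method
        if name == "REQUEST_URI":
            return unquote(self.uri)
        if name.startswith("HTTP_"):   # HTTP_Content-Length -> content-length
            return self.headers.get(name[5:].lower().replace("_", "-"), "")
        if name.startswith("COOKIE_"):
            return self.cookies.get(name[7:], "")
        if name.startswith("ARG_"):
            return parse_qs(urlsplit(self.uri).query).get(name[4:], [""])[0]
        raise ValueError(f"unsupported location: {name}")


def parse_rules(text):
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported rule syntax: {line}")
        loc, pat, tail = m.groups()
        negate = pat.startswith("!")
        rules.append(Rule(loc, re.compile(pat[1:] if negate else pat),
                          negate, tail == "chain", line))
    return rules


def evaluate(rules, req):
    """First match wins: returns ('deny', rule text) or ('allow', None).
    A rule marked 'chain' only fires when every rule in its chain matches."""
    i = 0
    while i < len(rules):
        j = i
        while rules[j].chain and j + 1 < len(rules):
            j += 1
        group = rules[i:j + 1]
        if all(r.matches(req) for r in group):
            return "deny", group[0].text
        i = j + 1
    return "allow", None


# Constructed sample traffic.
FORM = {"content-type": "application/x-www-form-urlencoded"}
SAMPLES = {
    "normal_get": Request("GET", "/index.php?page=2", headers={"user-agent": "Mozilla/5.0"}),
    "webshell_fetch": Request("GET", "/images/cmd.txt?&cmd=id"),
    "search_false_positive": Request("GET", "/search.php?q=echo%20chamber"),
    "post_without_length": Request("POST", "/login.php", headers=dict(FORM)),
    "post_with_length": Request("POST", "/login.php", headers={**FORM, "content-length": "27"}),
    "chunked_post": Request("POST", "/upload.php",
                            headers={"content-length": "0", "transfer-encoding": "chunked"}),
    "tampered_session": Request("GET", "/index.php", cookies={"PHPSESSID": "abc<script>"}),
}


def run_samples(rules_text=RULES_TEXT):
    """Evaluate every sample; returns {name: verdict}."""
    rules = parse_rules(rules_text)
    return {name: evaluate(rules, req)[0] for name, req in SAMPLES.items()}


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    for name, req in SAMPLES.items():
        verdict, rule = evaluate(rules, req)
        print(f"{name:24s} {verdict:5s} {rule or ''}")
```

The "search_false_positive" sample is the one to look at: a harmless search for "echo chamber" is denied with a 403 by the "echo " rule exactly as a webshell fetch is, so rules of that shape are worth auditing in the audit_log for a while before leaving them in deny mode.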