
Example Mod Security Rule Chain

WHM cPanel Destek Platformu forum, Güvenlik » Makaleler

#1  McLee  01.08.07, 01:39 PM

Hello,

Let me share with you the example mod_security conf file that I use on my own server.

If you use cPanel/WHM on your server and mod_security is not installed, go to the cPanel menu in WHM and click Plugins there; Addon Modules will appear. In the list that comes up, tick "Install and Keep Updated" under modsecurity and click Save. mod_security is now installed. Now we will prepare our conf file.

After installing mod_security, click Plugins in WHM and mod_security will appear on the page that opens. Click mod_security and press the Edit Config button at the very top.

In the field that opens, add the example rule chain I give below and press the Save Configuration button at the very bottom.

After doing this, give Apache a restart and that's it.

Example Mod Security Rule Chain:
Code:
###########################################
#Generic SQL injection rule exclusions
###########################################
#generic PHP forum posting exclusion
<LocationMatch "/posting.php">
SecFilter "[[:space:]]+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]" pass,nolog
</LocationMatch>
#PhpBB posting
<LocationMatch "/index.php?name=PNphpBB2&file=posting&mode=reply.*">
SecFilter "[[:space:]]+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]" pass,nolog
</LocationMatch>
#Postnuke uploads
<LocationMatch "/modules.php?op=modload&name=Downloads.*">
SecFilter "[[:space:]]+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]" pass,nolog
</LocationMatch>
#Squirrel mail and Horde postings
<LocationMatch "/horde/imp/compose.php">
SecFilter "[[:space:]]+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]" pass,nolog
</LocationMatch>
#Phorum posting
<LocationMatch "/phorum/post.php">
SecFilterSelective POST_PAYLOAD "[[:space:]]+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]" pass,nolog
</LocationMatch>
<LocationMatch "/tiki-editpage.php">
SecFilterSelective POST_PAYLOAD "[[:space:]]+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]" pass,nolog
</LocationMatch>
<LocationMatch "/misc.php">
SecFilter "[[:space:]]+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]" pass,nolog
</LocationMatch>

###########################################
#Double pipe exclusion rules
###########################################
<LocationMatch "/_vti_bin/fpcount.exe">
SecFilterSelective THE_REQUEST "\|+.*[\x20].*[\x20].*\|" pass,nolog
</LocationMatch>
###########################################
#Front page exclusions
###########################################
<LocationMatch "/_vti_bin/_vti_aut/author.exe">
  SecFilterInheritance Off
</LocationMatch>
#Enforce proper HTTP requests
SecFilterSelective THE_REQUEST "!HTTP\/(0\.9|1\.0|1\.1)$" "id:340000,rev:1,severity:1,msg:'Bad HTTP Protocol'"
# Only accept request encodings we know how to handle
# we exclude GET requests from this because some (automated)
# clients supply "text/html" as Content-Type
SecFilterSelective REQUEST_METHOD "!^(GET|HEAD|POST|PUT|PROPFIND|OPTIONS)$" "chain,id:340001,rev:1,severity:2,msg:'Restricted HTTP function'"
SecFilterSelective HTTP_Content-Type "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data)" 
# Don't accept transfer encodings we know we don't handle
# (and you don't need it anyway)
SecFilterSelective HTTP_Transfer-Encoding "!^$" "id:340004,rev:1,severity:2,msg:'Dis-allowed Transfer Encoding'"
#HTTP response splitting generic sigs
SecFilter "Content-Length\:.*Content-Type\:.*Content-Type\:" "id:340005,rev:1,severity:2,msg:'HTTP response splitting'"
SecFilter "Content-Length\:" "chain,id:340006,rev:1,severity:2,msg:'HTTP response splitting'"
SecFilter "Content-Type\:" chain
SecFilter "Content-Type\:"
#deny TRACE method
SecFilterSelective REQUEST_METHOD "TRACE" "id:340007,rev:1,severity:2,msg:'TRACE method denied'"
#Generic PHP exploit signatures
SecFilterSelective THE_REQUEST "\;(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:300007,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"
#slightly tighter rules with narrower focus
SecFilterSelective REQUEST_URI "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:300008,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"
SecFilterSelective POST_PAYLOAD "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:300009,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"
#Prevent SQL injection in cookies
SecFilterSelective COOKIE_VALUES "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)" "id:300011,rev:1,severity:2,msg:'Generic SQL injection in cookie'"
#Prevent SQL injection in UA
SecFilterSelective HTTP_USER_AGENT "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)" "id:300012,rev:1,severity:2,msg:'Generic SQL injection in User Agent header'"
#simple buffer overflow protection
#there is an issue with positives with this, so use with care
#SecFilterSelective THE_REQUEST "!^[\x0a\x0d\x20-\x7f]+$" "id:300013,rev:1,severity:2,msg:'Generic Simple Buffer Overflow protection'"
# Generic filter to prevent SQL injection attacks
# Understand that all SQL filters are very limited and it is very difficult
# to prevent false positives and negatives.
# Please report false positives/negatives to mike@gotroot.com
SecFilterSelective REQUEST_URI "!((/wp-admin/post|privmsg|/ticket/admin|/misc|tiki-editpage|/post|/horde/imp/compose|/posting)\.php|/modules\.php\?op=modload&name=(Downloads|Submit_News)|/admin\.php\?module=NS\-AddStory\&op=|/index\.php\?name=PNphpBB2&file=posting&mode=reply.*|/phpMyAdmin/|/PNphpBB2-posting\.html|/otrs/index\.pl|tiki-index\.php\?page=|/index\.php\?title=.*&action=edit|/_mmServerScripts/)" "chain,id:300013,rev:1,severity:2,msg:'Generic SQL injection protection'"
SecFilter "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)"
#SecFilter "([[:space:]]+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)"
#Generic command line attack filter
SecFilterSelective REQUEST_URI "!(/Count\.cgi)" chain
SecFilterSelective THE_REQUEST "\|+.*[\x20].*[\x20].*\|"
#PHP Injection Attack generic signature
SecFilterSelective REQUEST_URI  "\.php" chain
SecFilter "(\?((LOCAL|INCLUDE|PEAR|SQUIZLIB)_PATH|action|content|dir|name|menu|pm_path|path|pathtoroot|cat|pagina|path|include_location|root|page|gorumDir|site|topside|pun_root|open|seite)=(http|https|ftp)\:/|(cmd|command)=(cd|\;|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |id|cmd|pwd|wget |uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./|whoami|killall |rm \-[a-z|A-Z]))"
SecFilterSelective REQUEST_URI  "\.php\?(((LOCAL|INCLUDE|PEAR|SQUIZLIB)_PATH|action|content|dir|name|menu|pm_path|pagina|path|pathtoroot|cat|include_location|gorumDir|root|page|site|topside|pun_root|open|seite)=(http|https|ftp)\:/|.*(cmd|command)=(cd|\;|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat)|rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z]))"
#Generic PHP remote file inclusion attack signature
SecFilterSelective REQUEST_URI "\.php\?" chain
SecFilter "(http|https|ftp)\:/" chain
SecFilter "(cmd|command)=(cd|\;|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"
SecFilterSelective REQUEST_URI "\.php\?" chain
SecFilter "(http|https|ftp)\:/" chain
SecFilter "(cmd|command)=.*(cd|\;|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"
#really broad url_fopen attack sig
#tune this for your system
#SecFilterSelective REQUEST_URI "!(banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go|/goto|gallery2?/main)" chain
#SecFilterSelective REQUEST_URI "\.php\?.*=(http|https|ftp)\:/.*\?" 
#Generic PHP body attack
SecFilterSelective THE_REQUEST "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)" chain
SecFilterSelective POST_PAYLOAD "^PHP\:*((cd|mkdir)[[:space:]]+(/|[A-Z|a-z|0-9]|\.)*|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat)|rexec |smbclient |t?ftp |ncftp |chmod |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"
#Generic PHP remote file injection
SecFilterSelective REQUEST_URI "!((galler(y|i)/do_command))" chain
SecFilterSelective REQUEST_URI "\.php\?.*=(http|https|ftp)\:/.*(cmd|command)="
#script, perl, etc. code in HTTP_Referer string
SecFilterSelective HTTP_Referer "\#\!.*/"
#phpMyAdmin Export.PHP File Disclosure Vulnerability
SecFilterSelective SCRIPT_FILENAME "export\.php$" chain
SecFilterSelective ARG_what "\.\." 
#faqmanager.cgi arbitrary file access attempt
SecFilterSelective REQUEST_URI "/faqmanager\.cgi\?toc=*/"
SecFilterSelective REQUEST_URI "/faqmanager\.cgi\?(cd|\;|perl|python|rpm|yum|apt-get|emerge|lynx|links|mkdir|elinks|cmd|pwd|wget|id|uname|cvs|svn|(s|r)(cp|sh)|rexec|smbclient|t?ftp|ncftp|curl|telnet|gcc|cc|g\+\+|\./)"
#honeypot
SecFilterSelective REQUEST_URI "/tiki-view_forum_thread\.php\?forumId=.*&comments_parentId=.*&topics_offset=.*onmouseover=\'javascript"
#wormsign
SecFilterSelective REQUEST_URI "Hacked.*by.*member.*of.*SCC"
#phpMyAdmin Cross-Site Scripting Vulnerabilities
SecFilterSelective ARG_HTTP_HOST "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=|javascript\:)"
##########################################
# Known rootkits, remote toolkits, etc. signatures
##########################################
SecFilterSelective THE_REQUEST "/cse\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective THE_REQUEST "/terminatorX-exp.*\.(gif|jpg|txt|bmp|php|png)\?"
SecFilterSelective THE_REQUEST "/\.it/viewde"
SecFilterSelective THE_REQUEST "/cmd\?&(command|cmd)="
SecFilterSelective THE_REQUEST "/cmd\.php\.ns\?&(command|cmd)="
SecFilterSelective THE_REQUEST "/cmd\.php\?&(command|cmd)="
SecFilterSelective THE_REQUEST "/cmd\.dat\?&(command|cmd)="
SecFilterSelective THE_REQUEST "/sep\.txt\?&(command|cmd)="
SecFilterSelective THE_REQUEST "/s\.txt\?&(cmd|command)="
SecFilterSelective THE_REQUEST "/pro18\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective THE_REQUEST "/shell\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective THE_REQUEST "/bash\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective THE_REQUEST "/(o|0|p)wn(e|3)d\.(gif|jpg|txt|bmp|png)\?&(cmd|command)="
SecFilterSelective THE_REQUEST "/get\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective THE_REQUEST "/root\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective THE_REQUEST "/spy\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective THE_REQUEST "/nmap\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective THE_REQUEST "/asc\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective THE_REQUEST "/lila\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective THE_REQUEST "/sh\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective THE_REQUEST "/new(cmd|command)\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective THE_REQUEST "/(cmd|command)\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective THE_REQUEST "/(cmd|command)[0-9]\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective THE_REQUEST "/[a-z](cmd|command)\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective THE_REQUEST "/[a-z](cmd|command)[0-9]\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective THE_REQUEST "/ijoo\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective THE_REQUEST "/oinc\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective THE_REQUEST "/a\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective THE_REQUEST "/gif\.ph(p(3|4)?|tml)\?"
SecFilterSelective THE_REQUEST "/jpg\.ph(p(3|4)?|tml)\?"
SecFilterSelective THE_REQUEST "/ion\.ph(p(3|4)?|tml)\?"
SecFilterSelective THE_REQUEST "/lala\.ph(p(3|4)?|tml)\?"
SecFilterSelective THE_REQUEST "/shell\.ph(p(3|4)?|tml)\?"
SecFilterSelective THE_REQUEST "/phpshell\.ph(p(3|4)?|tml)\?"
SecFilterSelective THE_REQUEST "/tool[12][05]\.ph(p(3|4)?|tml)\?"
SecFilterSelective THE_REQUEST "/tool[12]\.ph(p(3|4)?|tml)\?"
SecFilterSelective THE_REQUEST "/tool[12][0-9]\.js"
SecFilterSelective THE_REQUEST "/tool25\.js"
#Known rootkits
SecFilterSelective THE_REQUEST "perl xpl\.pl"
SecFilterSelective THE_REQUEST "perl kut"
SecFilterSelective THE_REQUEST "perl viewde"
SecFilterSelective THE_REQUEST "perl httpd\.txt"
SecFilterSelective THE_REQUEST "\./xkernel\;"
SecFilterSelective THE_REQUEST "/kaiten\.c"
SecFilterSelective THE_REQUEST "/mampus\?&(cmd|command)"
#Generic remote perl execution with .pl extension
SecFilterSelective REQUEST_URI "perl .*\.pl(\s|\t)*\;"
SecFilterSelective REQUEST_URI "\;(\s|\t)*perl .*\.pl"
#Known rootkit Defacing Tool 2.0
SecFilterSelective THE_REQUEST "/tool(12)[0-9]\.(d(ao)t|gif|jpg|bmp|txt|png)\?&(cmd|command)="
SecFilterSelective THE_REQUEST "/tool\.(d(ao)t|gif|jpg|bmp|txt|png)\?&(cmd|command)="
SecFilterSelective THE_REQUEST "/tool25\.(d(ao)t|gif|jpg|bmp|txt|png)\?&(cmd|command)="
SecFilterSelective THE_REQUEST "/tool(12)\.(d(ao)t|gif|jpg|bmp|txt|png)\?&(cmd|command)="
SecFilterSelective THE_REQUEST "/therules25\.(d(ao)t|gif|jpg|bmp|txt|png)\?(cmd|command)="
SecFilterSelective THE_REQUEST "/tool25\.jpg\?"
SecFilterSelective THE_REQUEST "/tool25\.dat\?"
#other known tools
SecFilterSelective THE_REQUEST "/xpl\.php\?&(cmd|command)="
SecFilterSelective THE_REQUEST "/ssh\.php"
SecFilterSelective THE_REQUEST "/ssh2\.php"
SecFilterSelective THE_REQUEST "/sfdg2\.php" 
#New kit
SecFilterSelective THE_REQUEST "/\.dump/(bash|httpd)(\;|\w)"
SecFilterSelective THE_REQUEST "/\.dump/(bash|httpd)\.(txt|php|gif|jpg|dat|bmp|png)(\;|\w)"
#new kit
SecFilterSelective THE_REQUEST "/dblib\.php\?&(cmd|command)="
#suntzu
SecFilterSelective THE_REQUEST "/suntzu\.php\?cmd="
SecFilterSelective THE_REQUEST "/suntzu.*\.php\?cmd="
SecFilterSelective HTTP_Content-Disposition "suntzu\.php"
#proxysx.gif?
SecFilterSelective THE_REQUEST "/proxysx\.(gif|jpg|bmp|txt)\?"
#phpbackdoor
SecFilterSelective THE_REQUEST "/phpbackdoor\.php\?cmd="
SecFilterSelective THE_REQUEST "/phpbackdoor.*\.php\?cmd="
#new unknown kit
SecFilterSelective REQUEST_URI "/oops?&"
# known PHP attack shells
#value of these sigs is pretty low, but they are here to catch
# any loose threads, honeypotting, etc.
SecFilterSelective THE_REQUEST   "/img/wiki_up/.*\.(php(3|4)?|tml|cgi|sh)"
SecFilterSelective THE_REQUEST   "wiki_up/gif\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST   "wiki_up/ion\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST   "wiki_up/jpg\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST   "wiki_up/lala\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST   "wiki_up/.*\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST   "/phpshell\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST   "/shell\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST   "/tool20\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST   "/tool20\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST   "/temp/gif\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST   "/temp/lala\.ph(p(3|4)?|tml)"
SecFilterSelective REQUEST_URI   "/phpterm"
#Frantastico worm
SecFilterSelective THE_REQUEST "netenberg "
SecFilterSelective THE_REQUEST "psybnc "
SecFilterSelective THE_REQUEST "fantastico_de_luxe "
SecFilterSelective THE_REQUEST "arta\.zip "
#new unknown kits
SecFilterSelective THE_REQUEST   "/iblis\.htm\?" 
SecFilterSelective THE_REQUEST   "/gif\.gif\?" 
SecFilterSelective THE_REQUEST   "/go\.php\.txt\?" 
SecFilterSelective THE_REQUEST   "/sh[0-9]\.(gif|jpg|txt|bmp|png)\?" 
SecFilterSelective THE_REQUEST   "/iys\.(gif|jpg|txt|bmp|png)\?" 
SecFilterSelective THE_REQUEST   "/shell[0-9]\.(gif|jpg|txt|bmp|png)\?" 
SecFilterSelective THE_REQUEST   "/zehir\.asp"
SecFilterSelective THE_REQUEST   "/aflast\.txt\?"
SecFilterSelective THE_REQUEST   "/sikat\.txt\?&cmd" 
SecFilterSelective THE_REQUEST   "/t\.gif\?" 
SecFilterSelective THE_REQUEST   "/phpbb_patch\?&"
SecFilterSelective THE_REQUEST   "/phpbb2_patch\?&"
SecFilterSelective THE_REQUEST   "/lukka\?&"
#new kit
SecFilterSelective THE_REQUEST   "/c99shell\.txt"
#remote bash shell
SecFilterSelective REQUEST_URI "/shell\.php\&cmd="
SecFilterSelective ARGS "/shell\.php\&cmd="
#zencart exploit
SecFilterSelective REQUEST_URI "/ipn\.php\?cmd="
#new pattern
SecFilterSelective REQUEST_URI "btn_lists\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective REQUEST_URI "dsoul/tool\?"
#generic suntzu payload
SecFilterSelective THE_REQUEST   "HiMaster\!\<\?php system\("
SecFilterSelective THE_REQUEST   "error_reporting\(.*\)\;if\(isset\(.*\)\)\{system"
SecFilterSelective REQUEST_URI   "help_text_vars\.php\?suntzu="
#25dec new one
SecFilterSelective REQUEST_URI   "anggands\.(gif|jpg|txt|bmp|png)\?"
#26dec new kit
SecFilterSelective REQUEST_URI   "newfile[0-9]\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective REQUEST_URI   "/vsf\.vsf\?&"
#27dec
SecFilterSelective REQUEST_URI   "/scan1\.0/scan/"
SecFilterSelective REQUEST_URI   "test\.txt\?&"
#30dec
SecFilterSelective REQUEST_URI   "\.k4ka\.txt\?"
#31dec
SecFilterSelective REQUEST_URI   "/php\.txt\?"
#1 jan
SecFilterSelective REQUEST_URI   "/sql\.txt\?"
SecFilterSelective REQUEST_URI   "bind\.(gif|jpg|txt|bmp|png)\?"
# added by kamihacker from TSS
#SecFilterSelective THE_REQUEST "delmalstr"
 
##########################################
# Search Engine Recon/Google Hacks Security Rules
##########################################
# Note: For modsecurity 1.9.x and above only
SecFilterSelective HTTP_Referer  "Powered by Gravity Board" "id:350000,rev:1,severity:2,msg:'Gravity Board Google Recon attempt'"
SecFilterSelective HTTP_Referer  "Powered by SilverNews" "id:350001,rev:1,severity:2,msg:'SilverNews Google Recon attempt'"
SecFilterSelective HTTP_Referer  "Powered.*PHPBB.*2\.0\.\ inurl\:" "id:350002,rev:1,severity:2,msg:'PHPBB 2.0 Google Recon attempt'"
SecFilterSelective HTTP_Referer  "PHPFreeNews inurl\:Admin\.php" "id:350003,rev:1,severity:2,msg:'PHPFreeNews Google Recon attempt'"
SecFilterSelective HTTP_Referer  "inurl.*/cgi-bin/query" "id:350004,rev:1,severity:2,msg:'/cgi-bin/query Google Recon attempt'"
SecFilterSelective HTTP_Referer  "inurl.*tiki-edit_submission\.php" "id:350005,rev:1,severity:2,msg:'tiki-edit Google Recon attempt'"
SecFilterSelective HTTP_Referer  "inurl.*wps_shop\.cgi" "id:350006,rev:1,severity:2,msg:'wps_shop.cgi Google Recon attempt'"
SecFilterSelective HTTP_Referer  "inurl.*edit_blog\.php.*filetype\:php" "id:350007,rev:1,severity:2,msg:'edit_blog.php Google Recon attempt'"
SecFilterSelective HTTP_Referer  "inurl.*passwd.txt.*wwwboard.*webadmin" "id:350008,rev:1,severity:2,msg:'passwd.txt Google Recon attempt'"
SecFilterSelective HTTP_Referer  "inurl.*admin\.mdb" "id:350009,rev:1,severity:2,msg:'admin.mdb Google Recon attempt'"
SecFilterSelective HTTP_Referer  "filetype:sql \x28\x22passwd values.*password values.*pass values"
SecFilterSelective HTTP_Referer  "filetype.*blt.*buddylist"
SecFilterSelective HTTP_Referer  "File Upload Manager v1\.3.*rename to"
SecFilterSelective HTTP_Referer  "filetype\x3Aphp HAXPLORER .*Server Files Browser"
SecFilterSelective HTTP_Referer  "inurl.*passlist\.txt"
SecFilterSelective HTTP_Referer  "wwwboard WebAdmininurl\x3Apasswd\.txt wwwboard\x7Cwebadmin"
SecFilterSelective HTTP_Referer  "Enter ip.*inurl\x3A\x22php-ping\.php\x22"
SecFilterSelective HTTP_Referer  "intitle\.*PHP Shell.*Enable stderr.*filetype\.php"
SecFilterSelective HTTP_Referer  "inurl\.*install.*install\.php"
SecFilterSelective HTTP_Referer  "Powered by PHPFM.*filetype\.php -username"
SecFilterSelective HTTP_Referer  "inurl\.*phpSysInfo.*created by phpsysinfo"
SecFilterSelective HTTP_Referer  "SquirrelMail version 1\.4\.4.*inurl:src ext\.php"
SecFilterSelective HTTP_Referer  "inurl\.*webutil\.pl"
##########################################
#Bad clients, known bogus useragents and other signs of malware
##########################################
#Comment spam header line
SecFilter "x-aaaaaa.*"
SecFilterSelective POST_PAYLOAD "X-AAAAAA.*"
#check for bad meta characters in User-Agent field
#SecFilterSelective HTTP_USER_AGENT ".*\'"
#XSS in the UA field
SecFilterSelective HTTP_USER_AGENT "<(.|\s|\n)?(script|about|applet|activex|chrome|object)(.|\s|\n)?>.*<(.|\s|\n)?(script|about|applet|activex|chrome|object)"
#PHP code injection attack
SecFilterSelective HTTP_USER_AGENT "(<\?php|<[[:space:]]*\?[[:space:]]*php)"
SecFilterSelective HTTP_USER_AGENT ".*HTTP_GET_VARS"
#For now, logging this to see what legitimate software does this
#must have a useragent string and not be from ourself
#Some hosting software does not send a UA, so use with caution
SecFilterSelective REMOTE_ADDR "!^127\.0\.0\.1$" chain
SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$" "log,pass"
#Exploit agent
SecFilterSelective HTTP_USER_AGENT "Mosiac 1\."
#Bad agent
SecFilterSelective HTTP_USER_AGENT "Brutus/AET"
#CGI vuln scan tool
SecFilterSelective HTTP_USER_AGENT cgichk
SecFilterSelective HTTP_USER_AGENT "DataCha0s/2\.0"
#Damn fine UA
SecFilterSelective HTTP_USER_AGENT "THIS IS AN EXPLOIT"
SecFilterSelective HTTP_USER_AGENT "Morzilla"
#CIRT.DK Webroot auditing tool
SecFilterSelective HTTP_USER_AGENT "WebRoot "
#Exploit UA
SecFilterSelective HTTP_USER_AGENT "T H A T \' S  G O T T A  H U R T"
#XML RPC exploit tool
SecFilterSelective HTTP_USER_AGENT "xmlrpc exploit"
#A friendly little exploit banner for a WP vuln
SecFilterSelective HTTP_USER_AGENT "Wordpress Hash Grabber"
#Blocks scripts
SecFilterSelective HTTP_USER_AGENT lwp
#Web leaches
SecFilterSelective HTTP_USER_AGENT "Web Downloader"
SecFilterSelective HTTP_USER_AGENT WebZIP
SecFilterSelective HTTP_USER_AGENT WebCopier
SecFilterSelective HTTP_USER_AGENT Webster
SecFilterSelective HTTP_USER_AGENT WebZIP
SecFilterSelective HTTP_USER_AGENT WebStripper
SecFilterSelective HTTP_USER_AGENT "teleport pro"
SecFilterSelective HTTP_USER_AGENT combine
SecFilterSelective HTTP_USER_AGENT "Black Hole"
SecFilterSelective HTTP_USER_AGENT "SiteSnagger" 
SecFilterSelective HTTP_USER_AGENT "ProWebWalker" 
SecFilterSelective HTTP_USER_AGENT "CheeseBot" 
#Bogus Mozilla UA lines
SecFilterSelective HTTP_USER_AGENT "Mozilla/(4|5)\.0$"
SecFilterSelective HTTP_USER_AGENT "Mozilla/3\.Mozilla/2\.01$"
#Bogus IE UA line
SecFilterSelective HTTP_USER_AGENT "Microsoft Internet Explorer/5\.0$"
#Bogus UA
SecFilterSelective HTTP_USER_AGENT "FooBar/42"
#Nessus Vuln scanner UA
SecFilterSelective HTTP_USER_AGENT ".*Nessus"
#Nikto vuln scanner UA
SecFilterSelective HTTP_USER_AGENT ".*Nikto"
#Bad/Bogus UAs
SecFilterSelective HTTP_USER_AGENT "Indy Library"
SecFilterSelective HTTP_USER_AGENT "Faxobot"
SecFilterSelective HTTP_USER_AGENT ".*SAFEXPLORER TL"
#Spam spider UAs
SecFilterSelective HTTP_USER_AGENT ".*fantomBrowser"
SecFilterSelective HTTP_USER_AGENT ".*fantomCrew Browser"
#VB development library used by many spammers, might block legit VBScripts
#comment out if you have problems
SecFilterSelective HTTP_USER_AGENT "Crescent Internet ToolPak"
#Borland Delphi signature, as above, comment out if it gives you problems
#spammers sometimes use these UAs
SecFilterSelective HTTP_USER_AGENT "NEWT ActiveX\; Win32"
SecFilterSelective HTTP_USER_AGENT "Mozilla.*NEWT"
#Part of the Microsoft MSINET.OCX, as above, spammers sometimes use this, if
#it causes problems, comment out.  If you are a member of the Microsoft Site 
#Builder Network, you probably do NOT want to block this ID.
#SecFilterSelective HTTP_USER_AGENT "Microsoft URL Control"
#SecFilterSelective HTTP_USER_AGENT  "^Microsoft URL"
#e-mail collectors and spammers
SecFilterSelective HTTP_USER_AGENT "WebBandit"
SecFilterSelective HTTP_USER_AGENT "WEBMOLE"
SecFilterSelective HTTP_USER_AGENT "Telesoft"
SecFilterSelective HTTP_USER_AGENT "WebEMailExtractor"
SecFilterSelective HTTP_USER_AGENT "CherryPicker"
SecFilterSelective HTTP_USER_AGENT NICErsPRO
SecFilterSelective HTTP_USER_AGENT "Advanced Email Extractor"
SecFilterSelective HTTP_USER_AGENT EmailSiphon
SecFilterSelective HTTP_USER_AGENT Extractorpro
SecFilterSelective HTTP_USER_AGENT webbandit
SecFilterSelective HTTP_USER_AGENT EmailCollector
SecFilterSelective HTTP_USER_AGENT "WebEMailExtrac"
SecFilterSelective HTTP_USER_AGENT EmailWolf
#Spiders that eat up bandwidth for their customers
#Not a spammer, just a spider, comment out if you like
SecFilterSelective HTTP_USER_AGENT "CopyRightCheck"
SecFilterSelective HTTP_USER_AGENT "CopyGuard"
SecFilterSelective HTTP_USER_AGENT "Digimarc WebReader"
#Marketing spiders
SecFilterSelective HTTP_USER_AGENT  "Zeus .*Webster Pro"
#Poker spam
SecFilterSelective HTTP_USER_AGENT  "8484 Boston Project"
#collectors
SecFilterSelective HTTP_USER_AGENT  "autoemailspider"
SecFilterSelective HTTP_USER_AGENT  "ecollector"
SecFilterSelective HTTP_USER_AGENT  "grub crawler"
#referrer spam, not the real weblogs
SecFilterSelective HTTP_USER_AGENT  "^www\.weblogs\.com"
#spam bots
SecFilterSelective HTTP_USER_AGENT  "DTS Agent"
SecFilterSelective HTTP_USER_AGENT  "POE-Component-Client"
SecFilterSelective HTTP_USER_AGENT  "WISEbot"
SecFilterSelective HTTP_USER_AGENT  "^Shockwave Flash"
SecFilterSelective HTTP_USER_AGENT  "Missigua"
#comment spam sign
SecFilterSelective HTTP_USER_AGENT  "compatible \; MSIE"
#Some regexps to catch silly bots
SecFilterSelective REQUEST_URI "!/ps(zones\|comp).txt1" chain
SecFilterSelective HTTP_USER_AGENT "^(google|i?explorer?\.exe|(MS)?IE( [0-9.]+)?[ ]?(Compatible( Browser)?)?)$"
SecFilterSelective HTTP_USER_AGENT "^(Mozilla( [0-9.]+)?[ ]?\((Windows|Linux|(IE )?Compatible)\))$"
SecFilterSelective HTTP_USER_AGENT "^Mozilla/5\.0 \(X11; U; Linux i686; en-US; rv\:0\.9\.6\+\) Gecko/2001112$"
SecFilterSelective HTTP_USER_AGENT "^Mozilla/[0-9.]+ \(compatible; MSIE [0-9.]+; Windows( NT)?( [0-9.]*)?;[0-9./ ]*\)?$"
SecFilterSelective HTTP_USER_AGENT "^Mozilla/.+[. ]+$"
#spammer
SecFilterSelective HTTP_USER_AGENT "Butch__2\.1\.1"
SecFilterSelective HTTP_USER_AGENT "agdm79@mail\.ru"
#Fake Gameboy UA
SecFilterSelective HTTP_USER_AGENT "GameBoy\, Powered by Nintendo"
#bogus amiga UA
SecFilterSelective HTTP_USER_AGENT "Amiga-AWeb/3\.4"
#exploit UA
SecFilterSelective HTTP_USER_AGENT "Internet Ninja x\.0"
#bogus googlebot UA
SecFilterSelective HTTP_USER_AGENT "Nokia-WAPToolkit.* googlebot.*googlebot"
#recently caught sending spam referrals, from their actual crawler IP
SecFilterSelective HTTP_USER_AGENT "BecomeBot"
#SurveyBot
SecFilterSelective HTTP_USER_AGENT "SurveyBot"
#exploit
SecFilterSelective HTTP_USER_AGENT "S\.T\.A\.L\.K\.E\.R\."
SecFilterSelective HTTP_USER_AGENT "NeuralBot/0\.2"
SecFilterSelective HTTP_USER_AGENT "Kenjin Spider"
#WebvulnScan
SecFilterSelective HTTP_USER_AGENT "WebVulnScan"
#broken spam tool
SecFilterSelective HTTP_USER_AGENT "Mozilla/4\.0 \(compatible\; MSIE 6\.0\; Windows NT 5\.1$"
#PHPBB worm UA
SecFilterSelective HTTP_USER_AGENT "INTERNET EXPLOITER SUX"
#fake UA
SecFilterSelective HTTP_USER_AGENT "Windows-Update-Agent"
#exploit
SecFilterSelective HTTP_USER_AGENT "Internet-exprorer"
##########################################
# Proxy Protection Security Rules
##########################################
SecFilterSelective THE_REQUEST "(http|https|ftp)\:/*217\.106\.232\.38"
SecFilterSelective THE_REQUEST "(http|https|ftp)\:/*65\.54\.190\.230"
SecFilterSelective THE_REQUEST "(http|https|ftp)\:/*66\.96\.85\.136"
SecFilterSelective THE_REQUEST "msa-mx.*\.hinet\.net"
SecFilterSelective THE_REQUEST "^POST (http|https|ftp)\:/"
SecFilterSelective THE_REQUEST "^GET (http|https|ftp)\:/"
#2  Tickhi  30.11.07, 07:59 PM
The httpd server doesn't run once I add this rule chain.
#3  byilyas  29.03.08, 12:48 AM
Your versions are different. Pay attention to the difference between versions 1.x and 2.x, otherwise httpd will not restart because of the rules.
#4  SIZINTI  20.07.08, 12:45 PM
I installed Apache 2.2 and Apache went silent.
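The replies above report httpd refusing to start once the rule chain from post #1 is added on a newer build or on Apache 2.2. The reason is syntax: SecFilter, SecFilterSelective and SecFilterInheritance are ModSecurity 1.x directives that ModSecurity 2.x does not know, so Apache rejects the configuration at startup. The script below is an added example, not code from the original post, from gotroot.com or from the ModSecurity project. It rewrites the directive forms used in the post into 2.x SecRule lines and shows the two places where a mechanical rewrite breaks: 2.x requires an id on every rule, and inside a chain only the first rule may carry id, phase and disruptive actions. Everything marked "assumed" is not stated on the page: the 1.x default action (DEFAULT_ACTION), the id range for rules that had none (ID_BASE), the approximation of plain SecFilter by REQUEST_URI|REQUEST_BODY (SECFILTER_TARGET), running all rules in phase 2, the helper names, and the constructed excerpt SAMPLE_1X.

```python
# Added example for this thread, not code from the original post, gotroot.com
# or the ModSecurity project: rewrite the posted 1.x SecFilter/SecFilterSelective
# rules as 2.x SecRule lines.  Values marked "assumed" are not stated on the page.
import re

ID_BASE = 900000                               # assumed free id range (2.x needs ids)
DEFAULT_ACTION = "deny,log,status:403"         # assumed 1.x SecFilterDefaultAction
SECFILTER_TARGET = "REQUEST_URI|REQUEST_BODY"  # approximation of plain SecFilter
VAR_MAP = {"THE_REQUEST": "REQUEST_LINE", "REQUEST_URI": "REQUEST_URI",
           "REQUEST_METHOD": "REQUEST_METHOD", "POST_PAYLOAD": "REQUEST_BODY",
           "COOKIE_VALUES": "REQUEST_COOKIES", "REMOTE_ADDR": "REMOTE_ADDR",
           "SCRIPT_FILENAME": "SCRIPT_FILENAME", "ARGS": "ARGS"}
TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|(\S+)')            # "quoted" or bare word
DISRUPTIVE = re.compile(r"^(pass|deny|drop|allow|redirect|proxy)(:|$)")
ACTION_SPLIT = re.compile(r",(?=(?:[^']*'[^']*')*[^']*$)")  # commas outside '...'

# Constructed excerpt of the posted 1.x rule set (the SQL pattern is shortened).
SAMPLE_1X = r'''
#Enforce proper HTTP requests
SecFilterSelective THE_REQUEST "!HTTP\/(0\.9|1\.0|1\.1)$" "id:340000,rev:1,severity:1,msg:'Bad HTTP Protocol'"
SecFilterSelective HTTP_USER_AGENT ".*Nikto"
SecFilterSelective REMOTE_ADDR "!^127\.0\.0\.1$" chain
SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$" "log,pass"
<LocationMatch "/posting.php">
SecFilter "[[:space:]]+(select|insert|update|delete)[[:space:]]+.+[[:space:]]+(from|into)" pass,nolog
</LocationMatch>
'''

def tokenize(line):  # split a directive into tokens, keeping "..." strings whole
    return [bare or quoted for quoted, bare in TOKEN.findall(line)]

def map_variable(var):
    # Translate a 1.x variable list such as HTTP_USER_AGENT|HTTP_HOST.
    out = []
    for v in var.split("|"):
        if v in VAR_MAP:
            out.append(VAR_MAP[v])
        elif v.startswith("HTTP_"):   # HTTP_USER_AGENT -> REQUEST_HEADERS:User-Agent
            out.append("REQUEST_HEADERS:" + "-".join(
                p.capitalize() for p in re.split(r"[_-]", v[5:])))
        elif v.startswith("ARG_"):    # ARG_what -> ARGS:what
            out.append("ARGS:" + v[4:])
        else:
            raise ValueError("no 2.x mapping for 1.x variable " + v)
    return "|".join(out)

def parse_line(line):
    # Returns ('rule', target, operator, actions) or ('other', text to copy).
    toks = tokenize(line.strip())
    if not toks or toks[0].startswith("#"):
        return ("other", line)
    if toks[0] == "SecFilterInheritance":
        return ("other", "SecRuleInheritance " + " ".join(toks[1:]))
    if toks[0] == "SecFilterSelective":
        target, rest = map_variable(toks[1]), toks[2:]
    elif toks[0] == "SecFilter":
        target, rest = SECFILTER_TARGET, toks[1:]
    else:
        return ("other", line)        # <LocationMatch>, </LocationMatch>, ...
    # 1.x negates the whole regex with a leading "!"; 2.x negates the operator.
    op = "!@rx " + rest[0][1:] if rest[0].startswith("!") else rest[0]
    return ("rule", target, op, rest[1] if len(rest) > 1 else "")

def emit_chain(rules, next_id):
    # 2.x allows id, phase and disruptive actions only on the chain starter,
    # so the actions of later links are folded into the starter's action list.
    acts = []
    for _, _, _, a in rules:
        acts += [x for x in ACTION_SPLIT.split(a) if x and x != "chain"]
    head = [] if any(a.startswith("id:") for a in acts) else ["id:%d" % next_id]
    next_id += len(head)
    head.append("phase:2")            # assumed: request body is available here
    if len(rules) > 1:
        head.append("chain")
    if not any(DISRUPTIVE.match(a) for a in acts):
        head.append(DEFAULT_ACTION)
    lines = ['SecRule %s "%s" "%s"' % (rules[0][1], rules[0][2], ",".join(head + acts))]
    lines += ['SecRule %s "%s"' % (t, op) for _, t, op, _ in rules[1:]]
    return lines, next_id

def convert(text, next_id=ID_BASE):
    # Walk the 1.x text; rules are buffered until their chain is complete.
    out, pending = [], []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec[0] != "rule":
            out.append(rec[1])
            continue
        pending.append(rec)
        if not re.search(r"\bchain\b", rec[3]):   # this rule closes the chain
            lines, next_id = emit_chain(pending, next_id)
            out, pending = out + lines, []
    if pending:
        raise ValueError("last rule says chain but nothing follows it")
    return out

if __name__ == "__main__":
    print("\n".join(convert(SAMPLE_1X)))
```

Run it as a script to print the converted excerpt. Two details matter beyond the keyword swap: a 2.x build rejects a chain whose later links carry pass or deny (only the chain starter may), which is why the REMOTE_ADDR chain above ends up with "log,pass" on its first rule, and every rule needs an id (enforced since 2.7). Also note that in 2.x a pass,nolog rule inside a LocationMatch does not switch off a generic rule declared outside that block; the usual exclusion there is SecRuleRemoveById with the generic rule's id inside the Location block. REQUEST_BODY targets only see data when SecRequestBodyAccess On is set.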
Thread URL: http://forum.whmdestek.com/guvenlik-makaleleri/319-ornek-mod-security-kural-zinciri.html