About the mod_security rule chain

http://forum.whmdestek.com/

  #11  
Old 26.03.08, 00:19
Onursal
The same words apply to you too, İlyas: either you made a mistake, or your version doesn't match. If your version isn't the same, the rules for the 2.x version are in the attachment above.
  #12  
Old 26.03.08, 00:25
byilyas
Quote:
Originally Posted by Fesih BICER View Post
The same words apply to you too, İlyas: either you made a mistake, or your version doesn't match. If your version isn't the same, the rules for the 2.x version are in the attachment above.

So the problem with the sites being served came from your rules being for Apache 1.x; I'm using Apache 2.x. Brother, you did point out those versions; the mistake is mine. If I had written that my Apache is 2.x, I wouldn't have had a crisis in the middle of the night. Luckily a friend stepped in and cleaned out the rules.

Edit: the mod_security version is also 2.something.
  #13  
Old 26.03.08, 00:29
ALEXIS
There are loads of rules here; could you write me just one simple rule that I can use to test mod_security?

For example, make this not work and return error 403:

site.com/index.php?cmd=
__________________
Professional phpBB3 services
  #14  
Old 29.03.08, 00:30
byilyas
This is a really important topic, but nobody cares about security, or they're happy living with the holes.
  #15  
Old 29.03.08, 01:32
Ni-Osman
Quote:
Originally Posted by ALEXIS View Post
There are loads of rules here; could you write me just one simple rule that I can use to test mod_security?

For example, make this not work and return error 403:

site.com/index.php?cmd=
http://www.ni.net.tr/dosyalar/modsec.conf.txt

I used to update this every month. We had set up an automatic cron that pulled it from here onto everyone's machine and restarted Apache, but I no longer have time for this kind of bash script work. I recommend you study it. For example, look, you said:

index.php?cmd=

I want to block this. In my rule file,

SecFilterSelective THE_REQUEST "act=chmod"

you will have seen lines like this; they are either for c99 or for r57, and all of them are variables. Now if you go and do

SecFilterSelective THE_REQUEST "php?cmd="

it will do the job, or

SecFilterSelective THE_REQUEST "cmd="

but it's not as you think: the people who write things like R57 and c99 built them using the variables of some off-the-shelf scripts (so that if someone blocks them with modsec, the off-the-shelf scripts stop working too).

That's why you will see the following in the rule file:

SecFilterSelective THE_REQUEST "act=tools"
SecFilterSelective THE_REQUEST "act=gof"
SecFilterSelective THE_REQUEST "act=ls"
SecFilterSelective THE_REQUEST "act=mk"
SecFilterSelective THE_REQUEST "act=f&"
SecFilterSelective THE_REQUEST "act=sql"
SecFilterSelective THE_REQUEST "act=gofile"
SecFilterSelective THE_REQUEST "act=mkdir"
SecFilterSelective THE_REQUEST "act=ftpquickbrute"
SecFilterSelective THE_REQUEST "act=d"
SecFilterSelective THE_REQUEST "act=phpinfo"
SecFilterSelective THE_REQUEST "act=security"
SecFilterSelective THE_REQUEST "act=makefile"
SecFilterSelective THE_REQUEST "act=encoder"
SecFilterSelective THE_REQUEST "act=fsbuff"
SecFilterSelective THE_REQUEST "act=selfremove"
SecFilterSelective THE_REQUEST "act=update"
SecFilterSelective THE_REQUEST "act=feedback"
SecFilterSelective THE_REQUEST "act=search"
SecFilterSelective THE_REQUEST "act=chmod"
SecFilterSelective THE_REQUEST "act=upload "
SecFilterSelective THE_REQUEST "act=delete"
SecFilterSelective THE_REQUEST "act=paste"
SecFilterSelective THE_REQUEST "act=copy"
SecFilterSelective THE_REQUEST "act=cut"
etc. etc..

and it goes on like this. The reason we write out every one of these variables and their values one by one is that "act" is also used by some other off-the-shelf script.

By looking at this rule file you can write your own completely custom rule files.

Before I forget: don't forget to share what you make!

Good luck.
__________________
Netinternet Telekom
Now you have more time!

Memberships and partnerships: cPanel INC., Parallels, DirectAdmin, Netenberg, RIPE, Redhat, Microsoft (not yet), GeoTrust
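As an added example (not from the post above or from the linked modsec.conf), this Python snippet parses a constructed excerpt of the 1.x-style rules, searches a request line with them as regular expressions the way mod_security 1.x applied keywords to THE_REQUEST (assuming Python's re is close enough to PCRE for these), and emits the 2.x SecRule form that the thread goes on to ask about (THE_REQUEST becomes REQUEST_LINE; the id range and the explicit deny/403 action list are assumptions). It also shows that the "?" in "php?cmd=" is a regex metacharacter, so that pattern does not match a literal index.php?cmd= request line unless escaped, whereas "cmd=" does.

```python
import re

# Constructed excerpt of the 1.x-style rules quoted above (not the whole modsec.conf).
RULES_1X = """
SecFilterSelective THE_REQUEST "php?cmd="
SecFilterSelective THE_REQUEST "cmd="
SecFilterSelective THE_REQUEST "act=chmod"
SecFilterSelective THE_REQUEST "act=d"
"""

RULE_RE = re.compile(r'^SecFilterSelective\s+(\S+)\s+"([^"]*)"\s*$')


def parse_rules(text):
    """Return (variable, pattern) pairs from SecFilterSelective lines; other lines are ignored."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append((m.group(1), m.group(2)))
    return rules


def matching_rules(request_line, rules):
    """mod_security 1.x treats the keyword as a regular expression and searches
    THE_REQUEST (the whole request line) with it; return the patterns that hit."""
    return [pat for var, pat in rules
            if var == "THE_REQUEST" and re.search(pat, request_line)]


def to_2x(rules, first_id=900100, literal=False):
    """Emit each rule in ModSecurity 2.x syntax: THE_REQUEST maps to REQUEST_LINE and
    the deny that 1.x takes from SecFilterDefaultAction becomes an explicit 403.
    With literal=True the keyword is escaped so metacharacters such as '?' match
    themselves. The id range is an assumption made for this example."""
    out = []
    for n, (var, pat) in enumerate(rules):
        target = "REQUEST_LINE" if var == "THE_REQUEST" else var
        keyword = re.escape(pat) if literal else pat
        out.append(f'SecRule {target} "{keyword}" "id:{first_id + n},phase:1,deny,status:403"')
    return out
```

Note that "act=d" also hits a constructed request for "?act=download", which is the kind of overlap with legitimate application parameters the post warns about.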
  #16  
Old 30.03.08, 00:46
byilyas
Osman, sir, I looked through the file at the address you gave. I think the rule chains in the file are for mod_security 1.x; isn't there one for the 2.x version?
  #17  
Old 30.08.08, 14:47
cd42
I suffered from the same situation. I upgraded from mod_security 1 to 2, and the rules that come by default with the other versions block everything from working. It would be very good if a rule set were created that isn't strict under reasonable conditions, or at least doesn't keep throwing errors like 501 and 406 all the time. Since the version is still new there aren't many resources; I hope someone hears our voices soon.
  #18  
Old 03.09.08, 01:32
GODAttach
Code:
Today I had time for another shot at my new .htaccess, and I can tell you that it got better. I think it's pretty much done now, and I am really happy with it. I also got a couple of questions about how exactly it works. So I post my latest .htaccess here, plus a walkthrough on the various mod_rewrite rules I use.

First off, here is my latest beauty:

RewriteEngine On
Options +FollowSymLinks
ServerSignature Off

RewriteCond %{REQUEST_METHOD}  ^(HEAD|TRACE|DELETE|TRACK) [NC,OR]
RewriteCond %{THE_REQUEST}     ^.*(\\r|\\n|%0A|%0D).* [NC,OR]

RewriteCond %{HTTP_REFERER}    ^(.*)(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
RewriteCond %{HTTP_COOKIE}     ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
RewriteCond %{REQUEST_URI}     ^/(,|;|:|<|>|">|"<|/|\\\.\.\\).{0,9999}.* [NC,OR]

RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^(java|curl|wget).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(libwww-perl|curl|wget|python|nikto|scan).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]

RewriteCond %{QUERY_STRING}    ^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC,OR]
RewriteCond %{QUERY_STRING}    ^.*(localhost|loopback|127\.0\.0\.1).* [NC,OR]
RewriteCond %{QUERY_STRING}    ^.*\.[A-Za-z0-9].* [NC,OR]
RewriteCond %{QUERY_STRING}    ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC]

RewriteRule ^(.*)$ access_log.php

First we set the basic configuration in order to utilize the Apache mod_rewrite module.

RewriteEngine On
Options +FollowSymLinks

Then our first basic rule is to turn off the server signature, which can be helpful in order to stop banner grabbing:

ServerSignature Off

I use 2 different flags, namely:

NC - Not Case sensitive
OR - Or the next rule

The first rule is based upon the REQUEST_METHOD. The request method is the method with which a client wishes to connect to our server. I only want GET or POST requests, so I limit methods which I think should not request my server at all. TRACE and TRACK should be blocked in any case, because of the violation of the browser's same-origin policy rules. DELETE is optional, but since I won't use it I block it anyway. I also block HEAD request methods; a HEAD request is usually made by law-abiding scanners that usually perform banner grabbing and do not want to fetch the whole page. While that might sound reasonable to allow, I block it.

RewriteCond %{REQUEST_METHOD}  ^(HEAD|TRACE|DELETE|TRACK) [NC,OR]

THE_REQUEST is the full request that is being made by a client and consists of a long string. This is useful to sanitize, because I do not want a client sending me dual headers, or dual requests that can lead to HTTP response splitting, or CRLF injection as it was called in the old days.

RewriteCond %{THE_REQUEST}     ^.*(\\r|\\n|%0A|%0D).* [NC,OR]

HTTP_REFERER can contain characters that could be used to pentest a web application, or it can carry a worm payload vector. By blocking characters that will likely never happen in a legitimate request, we make sure that it cannot do something malicious.

RewriteCond %{HTTP_REFERER}    ^(.*)(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]

The HTTP_COOKIE is equally important, and often a place to store pentest characters or payload.

RewriteCond %{HTTP_COOKIE}     ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]

The REQUEST_URI is important in server protection. Mostly overflow protection, or canonicalization issues like happened with Apache Tomcat for example. With a max of 9999 duplicate characters. Please notice that the REQUEST_URI always contains unencoded (verbatim) characters.

RewriteCond %{REQUEST_URI}     ^/(,|;|:|<|>|">|"<|/|\\\.\.\\).{0,9999}.* [NC,OR]

This rule set checks the USER_AGENT. Of course, it can be forged. But that is not the point. Wget and cURL are somewhat harder to forge on a platform, and many penetration software packages have a hard-coded user-agent which sometimes cannot be changed, when it is proprietary software for example. This is only to thwart the less experienced hackers and massive generic bots, which will also save us bandwidth and log annoyances! The first rule checks for an empty user-agent. The lynx browser (for crontabs, for example) is allowed because it has libwww-FM as a user agent, whereas I block the libwww-perl user-agent, since scripts can use the Perl libraries to attack.

RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^(java|curl|wget).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(libwww-perl|curl|wget|python|nikto|scan).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]

The QUERY_STRING is probably the most important of all, because that is where most of the actual action is happening. In the rules below I check for a common SQL injection pattern, pentest characters for XSS, and also for remote shell injection in the 3rd rule, because periods should actually not be present in the QueryString in my opinion.

RewriteCond %{QUERY_STRING}    ^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC,OR]
RewriteCond %{QUERY_STRING}    ^.*(localhost|loopback|127\.0\.0\.1).* [NC,OR]
RewriteCond %{QUERY_STRING}    ^.*\.[A-Za-z0-9].* [NC,OR]
RewriteCond %{QUERY_STRING}    ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC]

Finally, we rewrite the request to a fail-safe page. This can be a script that logs all the information (which I do not recommend). If possible, send it to a forbidden page. Anything you wish.

RewriteRule ^(.*)$ access_log.php

Considerations.

Working with Apache modules always takes caution from your side. This tiny Apache firewall is meant to block requests that are malformed and usually never happen in a legitimate request. It is advised to take notice that it can break some poorly coded applications on your server. In such a way that when it blocks an application it is advised to modify this application, because it is likely doing something that is almost certainly dangerous. It depends whether you have access to your httpd.conf, but if you consider using these rules it is recommended to place them in your httpd.conf instead of a .htaccess for better performance. Please also remember that it does not protect you from data that comes through POST. I hope that explains it some more and that you can use it, because it really can be another layer of defense. Not only can it protect holes you are not aware of, it also blocks generic abuse of web applications.
I found this somewhere; I don't remember where. So I can't cite a source.
__________________
It is not at all fair to expect a machine fresh out of the factory
to compete with an academic.
- Alan Turing
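To show what the chain in the quoted .htaccess actually does to traffic, here is an added Python emulation (not the post's code and not Apache's) of mod_rewrite's [OR]/[NC] condition chaining, run over constructed requests. It reproduces the post's patterns with Python's re (assumed close enough to PCRE for these patterns) and makes the trade-off the "Considerations" paragraph warns about concrete: the period rule on QUERY_STRING blocks an ordinary e-mail address in a parameter.

```python
import re
# Constructed re-creation of the RewriteCond chain from the .htaccess above as
# (variable, pattern, flags) triples; it is not the post's file itself.
CONDITIONS = [
    ("REQUEST_METHOD", r"^(HEAD|TRACE|DELETE|TRACK)", {"NC", "OR"}),
    ("THE_REQUEST", r"^.*(\\r|\\n|%0A|%0D).*", {"NC", "OR"}),
    ("HTTP_REFERER", r"^(.*)(<|>|'|%0A|%0D|%27|%3C|%3E|%00).*", {"NC", "OR"}),
    ("HTTP_COOKIE", r"^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).*", {"NC", "OR"}),
    ("REQUEST_URI", r'^/(,|;|:|<|>|">|"<|/|\\\.\.\\).{0,9999}.*', {"NC", "OR"}),
    ("HTTP_USER_AGENT", r"^$", {"OR"}),
    ("HTTP_USER_AGENT", r"^(java|curl|wget).*", {"NC", "OR"}),
    ("HTTP_USER_AGENT", r"^.*(winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner).*", {"NC", "OR"}),
    ("HTTP_USER_AGENT", r"^.*(libwww-perl|curl|wget|python|nikto|scan).*", {"NC", "OR"}),
    ("HTTP_USER_AGENT", r"^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).*", {"NC", "OR"}),
    ("QUERY_STRING", r"""^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).*""", {"NC", "OR"}),
    ("QUERY_STRING", r"^.*(localhost|loopback|127\.0\.0\.1).*", {"NC", "OR"}),
    ("QUERY_STRING", r"^.*\.[A-Za-z0-9].*", {"NC", "OR"}),
    ("QUERY_STRING", r"^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).*", {"NC"}),  # no OR: closes the group
]

def cond_matches(request, var, pattern, flags):
    """One RewriteCond: regex search on the variable, case-folded under [NC]."""
    return re.search(pattern, request.get(var, ""), re.I if "NC" in flags else 0) is not None

def rule_fires(request):
    """Emulate mod_rewrite chaining: consecutive [OR] conditions form a group that
    any one member satisfies; groups and plain conditions are ANDed together."""
    i = 0
    while i < len(CONDITIONS):
        var, pattern, flags = CONDITIONS[i]
        hit = cond_matches(request, var, pattern, flags)
        if "OR" in flags and hit:
            # group satisfied: skip its remaining [OR] members and its closing condition
            while i < len(CONDITIONS) and "OR" in CONDITIONS[i][2]:
                i += 1
        elif "OR" not in flags and not hit:
            return False  # an ANDed condition failed, so the RewriteRule does not apply
        i += 1
    return True

# Constructed requests: BASE is ordinary browser traffic, the deltas exercise the chain.
BASE = {"REQUEST_METHOD": "GET", "REQUEST_URI": "/index.php", "QUERY_STRING": "id=5",
        "THE_REQUEST": "GET /index.php?id=5 HTTP/1.1", "HTTP_REFERER": "", "HTTP_COOKIE": "",
        "HTTP_USER_AGENT": "Mozilla/5.0 (X11; Linux x86_64) Firefox/3.0"}
SAMPLES = {
    "plain page view": {},
    "sql injection probe": {"QUERY_STRING": "id=5' union select 1,2"},
    "email address in query (false positive)": {"QUERY_STRING": "email=user@example.com"},
    "empty user-agent": {"HTTP_USER_AGENT": ""},
}

def classify():
    """Map each sample name to True when the chain would rewrite (block) it."""
    return {name: rule_fires({**BASE, **delta}) for name, delta in SAMPLES.items()}
```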
  #19  
Old 03.09.08, 01:41
GODAttach
Quote:
Originally Posted by Fesih BICER View Post
Of course try it, don't be silly.

Its function is this: in Turkey, those who think they're hackers append a link like index.php?id=http:///exploit.linki/hnn.txt? to the end of sites and look for an open door. Our rule blocks the txt? part at the end anyway; once the question mark ? at the end is gone, the exploit doesn't run from outside.

But if they upload it to your server as PHP, it runs. There are additional security measures for that too: disabling PHP functions, open_basedir, safe mode, etc.

@alexix

It works. I mean, it won't cause problems.
These holes are called Remote File Inclusion, and for a while we ran into them very frequently in many open-source / closed-source systems; I think the most embarrassing thing is that they were found even at universities like ODTÜ, İTÜ and AİBÜ, and at a technology giant like Honda. Is it such a big deal that one came up in a CMS? It doesn't matter who exploits a security hole or how (lamer, hijacker, newbie). What matters is that the hole exists in the system, so for that, try blaming the application that carries the hole rather than those youngsters who are the security world's source of amusement; that way you put pressure on the application to be developed more securely.

That's REGISTER_GLOBALS' disgrace. Superglobals can be used!?