Example Mod Security Rule Chain

http://forum.whmdestek.com/

#1  Posted by McLee, 01.08.07, 14:39

Hello,

Let me share with you the example mod security conf file I use on my own server.

If you use cPanel-WHM on your server and mod security is not installed, go to the cPanel menu in WHM and click Plugins there; Addon Modules will appear.
In the list that comes up, tick the box that says Install and Keep Updated under modsecurity and click Save. Mod security is now installed. Now we will prepare our conf file.

After installing mod security, click Plugins in WHM and mod security will appear there. Click mod security and press the Edit Config button at the top.

In the page that opens, add the example rule chain I give below and press the Save Configuration button at the bottom.

After doing this, give Apache a restart and you are done.

Example Mod Security rule chain:
Code:
###########################################
#Generic SQL injection rule exclusions
###########################################
#generic PHP forum posting exclusion
<LocationMatch "/posting.php">
SecFilter "[[:space:]]+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]" pass,nolog
</LocationMatch>
#PhpBB posting
<LocationMatch "/index.php?name=PNphpBB2&file=posting&mode=reply.*">
SecFilter "[[:space:]]+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]" pass,nolog
</LocationMatch>
#Postnuke uploads
<LocationMatch "/modules.php?op=modload&name=Downloads.*">
SecFilter "[[:space:]]+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]" pass,nolog
</LocationMatch>
#Squirrel mail and Horde postings
<LocationMatch "/horde/imp/compose.php">
SecFilter "[[:space:]]+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]" pass,nolog
</LocationMatch>
#Phorum posting
<LocationMatch "/phorum/post.php">
SecFilterSelective POST_PAYLOAD "[[:space:]]+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]" pass,nolog
</LocationMatch>
<LocationMatch "/tiki-editpage.php">
SecFilterSelective POST_PAYLOAD "[[:space:]]+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]" pass,nolog
</LocationMatch>
<LocationMatch "/misc.php">
SecFilter "[[:space:]]+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]" pass,nolog
</LocationMatch>

###########################################
#Double pipe exclusion rules
###########################################
<LocationMatch "/_vti_bin/fpcount.exe">
SecFilterSelective THE_REQUEST "\|+.*[\x20].*[\x20].*\|" pass,nolog
</LocationMatch>
###########################################
#Front page exclusions
###########################################
<LocationMatch "/_vti_bin/_vti_aut/author.exe">
  SecFilterInheritance Off
</LocationMatch>
#Enforce proper HTTP requests
SecFilterSelective THE_REQUEST "!HTTP\/(0\.9|1\.0|1\.1)$" "id:340000,rev:1,severity:1,msg:'Bad HTTP Protocol'"
# Only accept request encodings we know how to handle
# we exclude GET requests from this because some (automated)
# clients supply "text/html" as Content-Type
SecFilterSelective REQUEST_METHOD "!^(GET|HEAD|POST|PUT|PROPFIND|OPTIONS)$" "chain,id:340001,rev:1,severity:2,msg:'Restricted HTTP function'"
SecFilterSelective HTTP_Content-Type "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data)" 
# Don't accept transfer encodings we know we don't handle
# (and you don't need it anyway)
SecFilterSelective HTTP_Transfer-Encoding "!^$" "id:340004,rev:1,severity:2,msg:'Dis-allowed Transfer Encoding'"
#HTTP response splitting generic sigs
SecFilter "Content-Length\:.*Content-Type\:.*Content-Type\:" "id:340005,rev:1,severity:2,msg:'HTTP response splitting'"
SecFilter "Content-Length\:" "chain,id:340006,rev:1,severity:2,msg:'HTTP response splitting'"
SecFilter "Content-Type\:" chain
SecFilter "Content-Type\:"
#deny TRACE method
SecFilterSelective REQUEST_METHOD "TRACE" "id:340007,rev:1,severity:2,msg:'TRACE method denied'"
#Generic PHP exploit signatures
SecFilterSelective THE_REQUEST "\;(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:300007,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"
#slightly tighter rules with narrower focus
SecFilterSelective REQUEST_URI "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:300008,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"
SecFilterSelective POST_PAYLOAD "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:300009,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"
#Prevent SQL injection in cookies
SecFilterSelective COOKIE_VALUES "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)" "id:300011,rev:1,severity:2,msg:'Generic SQL injection in cookie'"
#Prevent SQL injection in UA
SecFilterSelective HTTP_USER_AGENT "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)" "id:300012,rev:1,severity:2,msg:'Generic SQL injection in User Agent header'"
#simple buffer overflow protection
#there is an issue with positives with this, so use with care
#SecFilterSelective THE_REQUEST "!^[\x0a\x0d\x20-\x7f]+$" "id:300013,rev:1,severity:2,msg:'Generic Simple Buffer Overflow protection'"
# Generic filter to prevent SQL injection attacks
# Understand that all SQL filters are very limited and it is very difficult
# to prevent false positives and negatives.
# Please report false positives/negatives to mike@gotroot.com
SecFilterSelective REQUEST_URI "!((/wp-admin/post|privmsg|/ticket/admin|/misc|tiki-editpage|/post|/horde/imp/compose|/posting)\.php|/modules\.php\?op=modload&name=(Downloads|Submit_News)|/admin\.php\?module=NS\-AddStory\&op=|/index\.php\?name=PNphpBB2&file=posting&mode=reply.*|/phpMyAdmin/|/PNphpBB2-posting\.html|/otrs/index\.pl|tiki-index\.php\?page=|/index\.php\?title=.*&action=edit|/_mmServerScripts/)" "chain,id:300013,rev:1,severity:2,msg:'Generic SQL injection protection'"
SecFilter "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)"
#SecFilter "([[:space:]]+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)"
#Generic command line attack filter
SecFilterSelective REQUEST_URI "!(/Count\.cgi)" chain
SecFilterSelective THE_REQUEST "\|+.*[\x20].*[\x20].*\|"
#PHP Injection Attack generic signature
SecFilterSelective REQUEST_URI  "\.php" chain
SecFilter "(\?((LOCAL|INCLUDE|PEAR|SQUIZLIB)_PATH|action|content|dir|name|menu|pm_path|path|pathtoroot|cat|pagina|path|include_location|root|page|gorumDir|site|topside|pun_root|open|seite)=(http|https|ftp)\:/|(cmd|command)=(cd|\;|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |id|cmd|pwd|wget |uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./|whoami|killall |rm \-[a-z|A-Z]))"
SecFilterSelective REQUEST_URI  "\.php\?(((LOCAL|INCLUDE|PEAR|SQUIZLIB)_PATH|action|content|dir|name|menu|pm_path|pagina|path|pathtoroot|cat|include_location|gorumDir|root|page|site|topside|pun_root|open|seite)=(http|https|ftp)\:/|.*(cmd|command)=(cd|\;|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat)|rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z]))"
#Generic PHP remote file inclusion attack signature
SecFilterSelective REQUEST_URI "\.php\?" chain
SecFilter "(http|https|ftp)\:/" chain
SecFilter "(cmd|command)=(cd|\;|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"
SecFilterSelective REQUEST_URI "\.php\?" chain
SecFilter "(http|https|ftp)\:/" chain
SecFilter "(cmd|command)=.*(cd|\;|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"
#really broad furl_fopen attack sig
#tune this for your system
#SecFilterSelective REQUEST_URI "!(banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go|/goto|gallery2?/main)" chain
#SecFilterSelective REQUEST_URI "\.php\?.*=(http|https|ftp)\:/.*\?" 
#Generic PHP body attack
SecFilterSelective THE_REQUEST "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)" chain
SecFilterSelective POST_PAYLOAD "^PHP\:*((cd|mkdir)[[:space:]]+(/|[A-Z|a-z|0-9]|\.)*|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat)|rexec |smbclient |t?ftp |ncftp |chmod |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"
#Generic PHP remote file injection
SecFilterSelective REQUEST_URI "!((galler(y|i)/do_command))" chain
SecFilterSelective REQUEST_URI "\.php\?.*=(http|https|ftp)\:/.*(cmd|command)="
#script, perl, etc. code in HTTP_Referer string
SecFilterSelective HTTP_Referer "\#\!.*/"
#phpMyAdmin Export.PHP File Disclosure Vulnerability
SecFilterSelective SCRIPT_FILENAME "export\.php$" chain
SecFilterSelective ARG_what "\.\." 
#faqmanager.cgi arbitrary file access attempt
SecFilterSelective REQUEST_URI "/faqmanager\.cgi\?toc=*/"
SecFilterSelective REQUEST_URI "/faqmanager\.cgi\?(cd|\;|perl|python|rpm|yum|apt-get|emerge|lynx|links|mkdir|elinks|cmd|pwd|wget|id|uname|cvs|svn|(s|r)(cp|sh)|rexec|smbclient|t?ftp|ncftp|curl|telnet|gcc|cc|g\+\+|\./)"
#honeypot
SecFilterSelective REQUEST_URI "/tiki-view_forum_thread\.php\?forumId=.*&comments_parentId=.*&topics_offset=.*onmouseover=\'javascript"
#wormsign
SecFilterSelective REQUEST_URI "Hacked.*by.*member.*of.*SCC"
#phpMyAdmin Cross-Site Scripting Vulnerabilities
SecFilterSelective ARG_HTTP_HOST "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=|javascript\:)"
##########################################
# Known rootkits, remote toolkits, etc. signatures
##########################################
SecFilterSelective THE_REQUEST "/cse\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective THE_REQUEST "/terminatorX-exp.*\.(gif|jpg|txt|bmp|php|png)\?"
SecFilterSelective THE_REQUEST "/\.it/viewde"
SecFilterSelective THE_REQUEST "/cmd\?&(command|cmd)="
SecFilterSelective THE_REQUEST "/cmd\.php\.ns\?&(command|cmd)="
SecFilterSelective THE_REQUEST "/cmd\.php\?&(command|cmd)="
SecFilterSelective THE_REQUEST "/cmd\.dat\?&(command|cmd)="
SecFilterSelective THE_REQUEST "/sep\.txt\?&(command|cmd)="
SecFilterSelective THE_REQUEST "/s\.txt\?&(cmd|command)="
SecFilterSelective THE_REQUEST "/pro18\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective THE_REQUEST "/shell\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective THE_REQUEST "/bash\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective THE_REQUEST "/(o|0|p)wn(e|3)d\.(gif|jpg|txt|bmp|png)\?&(cmd|command)="
SecFilterSelective THE_REQUEST "/get\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective THE_REQUEST "/root\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective THE_REQUEST "/spy\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective THE_REQUEST "/nmap\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective THE_REQUEST "/asc\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective THE_REQUEST "/lila\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective THE_REQUEST "/sh\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective THE_REQUEST "/new(cmd|command)\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective THE_REQUEST "/(cmd|command)\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective THE_REQUEST "/(cmd|command)[0-9]\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective THE_REQUEST "/[a-z](cmd|command)\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective THE_REQUEST "/[a-z](cmd|command)[0-9]\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective THE_REQUEST "/ijoo\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective THE_REQUEST "/oinc\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective THE_REQUEST "/a\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective THE_REQUEST "/gif\.ph(p(3|4)?|tml)\?"
SecFilterSelective THE_REQUEST "/jpg\.ph(p(3|4)?|tml)\?"
SecFilterSelective THE_REQUEST "/ion\.ph(p(3|4)?|tml)\?"
SecFilterSelective THE_REQUEST "/lala\.ph(p(3|4)?|tml)\?"
SecFilterSelective THE_REQUEST "/shell\.ph(p(3|4)?|tml)\?"
SecFilterSelective THE_REQUEST "/phpshell\.ph(p(3|4)?|tml)\?"
SecFilterSelective THE_REQUEST "/tool[12][05]\.ph(p(3|4)?|tml)\?"
SecFilterSelective THE_REQUEST "/tool[12]\.ph(p(3|4)?|tml)\?"
SecFilterSelective THE_REQUEST "/tool[12][0-9]\.js"
SecFilterSelective THE_REQUEST "/tool25\.js"
#Known rootkits
SecFilterSelective THE_REQUEST "perl xpl\.pl"
SecFilterSelective THE_REQUEST "perl kut"
SecFilterSelective THE_REQUEST "perl viewde"
SecFilterSelective THE_REQUEST "perl httpd\.txt"
SecFilterSelective THE_REQUEST "\./xkernel\;"
SecFilterSelective THE_REQUEST "/kaiten\.c"
SecFilterSelective THE_REQUEST "/mampus\?&(cmd|command)"
#Generic remote perl execution with .pl extension
SecFilterSelective REQUEST_URI "perl .*\.pl(\s|\t)*\;"
SecFilterSelective REQUEST_URI "\;(\s|\t)*perl .*\.pl"
#Known rootkit Defacing Tool 2.0
SecFilterSelective THE_REQUEST "/tool(12)[0-9]\.(d(ao)t|gif|jpg|bmp|txt|png)\?&(cmd|command)="
SecFilterSelective THE_REQUEST "/tool\.(d(ao)t|gif|jpg|bmp|txt|png)\?&(cmd|command)="
SecFilterSelective THE_REQUEST "/tool25\.(d(ao)t|gif|jpg|bmp|txt|png)\?&(cmd|command)="
SecFilterSelective THE_REQUEST "/tool(12)\.(d(ao)t|gif|jpg|bmp|txt|png)\?&(cmd|command)="
SecFilterSelective THE_REQUEST "/therules25\.(d(ao)t|gif|jpg|bmp|txt|png)\?(cmd|command)="
SecFilterSelective THE_REQUEST "/tool25\.jpg\?"
SecFilterSelective THE_REQUEST "/tool25\.dat\?"
#other known tools
SecFilterSelective THE_REQUEST "/xpl\.php\?&(cmd|command)="
SecFilterSelective THE_REQUEST "/ssh\.php"
SecFilterSelective THE_REQUEST "/ssh2\.php"
SecFilterSelective THE_REQUEST "/sfdg2\.php" 
#New kit
SecFilterSelective THE_REQUEST "/\.dump/(bash|httpd)(\;|\w)"
SecFilterSelective THE_REQUEST "/\.dump/(bash|httpd)\.(txt|php|gif|jpg|dat|bmp|png)(\;|\w)"
#new kit
SecFilterSelective THE_REQUEST "/dblib\.php\?&(cmd|command)="
#suntzu
SecFilterSelective THE_REQUEST "/suntzu\.php\?cmd="
SecFilterSelective THE_REQUEST "/suntzu.*\.php\?cmd="
SecFilterSelective HTTP_Content-Disposition "suntzu\.php"
#proxysx.gif?
SecFilterSelective THE_REQUEST "/proxysx\.(gif|jpg|bmp|txt)\?"
#phpbackdoor
SecFilterSelective THE_REQUEST "/phpbackdoor\.php\?cmd="
SecFilterSelective THE_REQUEST "/phpbackdoor.*\.php\?cmd="
#new unknown kit
SecFilterSelective REQUEST_URI "/oops?&"
# known PHP attack shells
#value of these sigs is pretty low, but they are here to catch
# any loose threads, honeypotting, etc.
SecFilterSelective THE_REQUEST   "/img/wiki_up/.*\.(php(3|4)?|tml|cgi|sh)"
SecFilterSelective THE_REQUEST   "wiki_up/gif\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST   "wiki_up/ion\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST   "wiki_up/jpg\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST   "wiki_up/lala\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST   "wiki_up/.*\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST   "/phpshell\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST   "/shell\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST   "/tool20\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST   "/temp/gif\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST   "/temp/lala\.ph(p(3|4)?|tml)"
SecFilterSelective REQUEST_URI   "/phpterm"
#Fantastico worm
SecFilterSelective THE_REQUEST "netenberg "
SecFilterSelective THE_REQUEST "psybnc "
SecFilterSelective THE_REQUEST "fantastico_de_luxe "
SecFilterSelective THE_REQUEST "arta\.zip "
#new unknown kits
SecFilterSelective THE_REQUEST   "/iblis\.htm\?" 
SecFilterSelective THE_REQUEST   "/gif\.gif\?" 
SecFilterSelective THE_REQUEST   "/go\.php\.txt\?" 
SecFilterSelective THE_REQUEST   "/sh[0-9]\.(gif|jpg|txt|bmp|png)\?" 
SecFilterSelective THE_REQUEST   "/iys\.(gif|jpg|txt|bmp|png)\?" 
SecFilterSelective THE_REQUEST   "/shell[0-9]\.(gif|jpg|txt|bmp|png)\?" 
SecFilterSelective THE_REQUEST   "/zehir\.asp"
SecFilterSelective THE_REQUEST   "/aflast\.txt\?"
SecFilterSelective THE_REQUEST   "/sikat\.txt\?&cmd" 
SecFilterSelective THE_REQUEST   "/t\.gif\?" 
SecFilterSelective THE_REQUEST   "/phpbb_patch\?&"
SecFilterSelective THE_REQUEST   "/phpbb2_patch\?&"
SecFilterSelective THE_REQUEST   "/lukka\?&"
#new kit
SecFilterSelective THE_REQUEST   "/c99shell\.txt"
#remote bash shell
SecFilterSelective REQUEST_URI "/shell\.php\&cmd="
SecFilterSelective ARGS "/shell\.php\&cmd="
#zencart exploit
SecFilterSelective REQUEST_URI "/ipn\.php\?cmd="
#new pattern
SecFilterSelective REQUEST_URI "btn_lists\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective REQUEST_URI "dsoul/tool\?"
#generic suntzu payload
SecFilterSelective THE_REQUEST   "HiMaster\!\<\?php system\("
SecFilterSelective THE_REQUEST   "error_reporting\(.*\)\;if\(isset\(.*\)\)\{system"
SecFilterSelective REQUEST_URI   "help_text_vars\.php\?suntzu="
#25dec new one
SecFilterSelective REQUEST_URI   "anggands\.(gif|jpg|txt|bmp|png)\?"
#26dec new kit
SecFilterSelective REQUEST_URI   "newfile[0-9]\.(gif|jpg|txt|bmp|png)\?"
SecFilterSelective REQUEST_URI   "/vsf\.vsf\?&"
#27dec
SecFilterSelective REQUEST_URI   "/scan1\.0/scan/"
SecFilterSelective REQUEST_URI   "test\.txt\?&"
#30dec
SecFilterSelective REQUEST_URI   "\.k4ka\.txt\?"
#31dec
SecFilterSelective REQUEST_URI   "/php\.txt\?"
#1 jan
SecFilterSelective REQUEST_URI   "/sql\.txt\?"
SecFilterSelective REQUEST_URI   "bind\.(gif|jpg|txt|bmp|png)\?"
# added by kamihacker from TSS
#SecFilterSelective THE_REQUEST "delmalstr"
 
##########################################
# Search Engine Recon/Google Hacks Security Rules
##########################################
# Note: For modsecurity 1.9.x and above only
SecFilterSelective HTTP_Referer  "Powered by Gravity Board" "id:350000,rev:1,severity:2,msg:'Gravity Board Google Recon attempt'"
SecFilterSelective HTTP_Referer  "Powered by SilverNews" "id:350001,rev:1,severity:2,msg:'SilverNews Google Recon attempt'"
SecFilterSelective HTTP_Referer  "Powered.*PHPBB.*2\.0\.\ inurl\:" "id:350002,rev:1,severity:2,msg:'PHPBB 2.0 Google Recon attempt'"
SecFilterSelective HTTP_Referer  "PHPFreeNews inurl\:Admin\.php" "id:350003,rev:1,severity:2,msg:'PHPFreeNews Google Recon attempt'"
SecFilterSelective HTTP_Referer  "inurl.*/cgi-bin/query" "id:350004,rev:1,severity:2,msg:'/cgi-bin/query Google Recon attempt'"
SecFilterSelective HTTP_Referer  "inurl.*tiki-edit_submission\.php" "id:350005,rev:1,severity:2,msg:'tiki-edit Google Recon attempt'"
SecFilterSelective HTTP_Referer  "inurl.*wps_shop\.cgi" "id:350006,rev:1,severity:2,msg:'wps_shop.cgi Google Recon attempt'"
SecFilterSelective HTTP_Referer  "inurl.*edit_blog\.php.*filetype\:php" "id:350007,rev:1,severity:2,msg:'edit_blog.php Google Recon attempt'"
SecFilterSelective HTTP_Referer  "inurl.*passwd.txt.*wwwboard.*webadmin" "id:350008,rev:1,severity:2,msg:'passwd.txt Google Recon attempt'"
SecFilterSelective HTTP_Referer  "inurl.*admin\.mdb" "id:350009,rev:1,severity:2,msg:'admin.mdb Google Recon attempt'"
SecFilterSelective HTTP_Referer  "filetype:sql \x28\x22passwd values.*password values.*pass values"
SecFilterSelective HTTP_Referer  "filetype.*blt.*buddylist"
SecFilterSelective HTTP_Referer  "File Upload Manager v1\.3.*rename to"
SecFilterSelective HTTP_Referer  "filetype\x3Aphp HAXPLORER .*Server Files Browser"
SecFilterSelective HTTP_Referer  "inurl.*passlist\.txt"
SecFilterSelective HTTP_Referer  "wwwboard WebAdmininurl\x3Apasswd\.txt wwwboard\x7Cwebadmin"
SecFilterSelective HTTP_Referer  "Enter ip.*inurl\x3A\x22php-ping\.php\x22"
SecFilterSelective HTTP_Referer  "intitle\.*PHP Shell.*Enable stderr.*filetype\.php"
SecFilterSelective HTTP_Referer  "inurl\.*install.*install\.php"
SecFilterSelective HTTP_Referer  "Powered by PHPFM.*filetype\.php -username"
SecFilterSelective HTTP_Referer  "inurl\.*phpSysInfo.*created by phpsysinfo"
SecFilterSelective HTTP_Referer  "SquirrelMail version 1\.4\.4.*inurl:src ext\.php"
SecFilterSelective HTTP_Referer  "inurl\.*webutil\.pl"
##########################################
#Bad clients, known bogus useragents and other signs of malware
##########################################
#Comment spam header line
SecFilter "x-aaaaaa.*"
SecFilterSelective POST_PAYLOAD "X-AAAAAA.*"
#check for bad meta characters in User-Agent field
#SecFilterSelective HTTP_USER_AGENT ".*\'"
#XSS in the UA field
SecFilterSelective HTTP_USER_AGENT "<(.|\s|\n)?(script|about|applet|activex|chrome|object)(.|\s|\n)?>.*<(.|\s|\n)?(script|about|applet|activex|chrome|object)"
#PHP code injection attack
SecFilterSelective HTTP_USER_AGENT "(<\?php|<[[:space:]]*\?[[:space:]]*php)"
SecFilterSelective HTTP_USER_AGENT ".*HTTP_GET_VARS"
#For now, logging this to see what legitimate software does this
#must have a useragent string and not be from ourself
#Some hosting software does not send a UA, so use with caution
SecFilterSelective REMOTE_ADDR "!^127\.0\.0\.1$" chain
SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$" "log,pass"
#Exploit agent
SecFilterSelective HTTP_USER_AGENT "Mosiac 1\.*"
#Bad agent
SecFilterSelective HTTP_USER_AGENT "Brutus/AET"
#CGI vuln scan tool
SecFilterSelective HTTP_USER_AGENT cgichk
SecFilterSelective HTTP_USER_AGENT "DataCha0s/2\.0"
#Damn fine UA
SecFilterSelective HTTP_USER_AGENT ".*THIS IS AN EXPLOIT*"
SecFilterSelective HTTP_USER_AGENT "Morzilla"
#CIRT.DK Webroot auditing tool
SecFilterSelective HTTP_USER_AGENT ".*WebRoot "
#Exploit UA
SecFilterSelective HTTP_USER_AGENT ".*T H A T \' S  G O T T A  H U R T*"
#XML RPC exploit tool
SecFilterSelective HTTP_USER_AGENT "xmlrpc exploit*"
#A friendly little exploit banner for a WP vuln
SecFilterSelective HTTP_USER_AGENT "Wordpress Hash Grabber"
#Blocks scripts
SecFilterSelective HTTP_USER_AGENT lwp
#Web leaches
SecFilterSelective HTTP_USER_AGENT "Web Downloader"
SecFilterSelective HTTP_USER_AGENT WebZIP
SecFilterSelective HTTP_USER_AGENT WebCopier
SecFilterSelective HTTP_USER_AGENT Webster
SecFilterSelective HTTP_USER_AGENT WebStripper
SecFilterSelective HTTP_USER_AGENT "teleport pro"
SecFilterSelective HTTP_USER_AGENT combine
SecFilterSelective HTTP_USER_AGENT "Black Hole"
SecFilterSelective HTTP_USER_AGENT "SiteSnagger" 
SecFilterSelective HTTP_USER_AGENT "ProWebWalker" 
SecFilterSelective HTTP_USER_AGENT "CheeseBot" 
#Bogus Mozilla UA lines
SecFilterSelective HTTP_USER_AGENT "Mozilla/(4|5)\.0$"
SecFilterSelective HTTP_USER_AGENT "Mozilla/3\.Mozilla/2\.01$"
#Bogus IE UA line
SecFilterSelective HTTP_USER_AGENT "Microsoft Internet Explorer/5\.0$"
#Bogus UA
SecFilterSelective HTTP_USER_AGENT "FooBar/42"
#Nessus Vuln scanner UA
SecFilterSelective HTTP_USER_AGENT ".*Nessus"
#Nikto vuln scanner UA
SecFilterSelective HTTP_USER_AGENT ".*Nikto"
#Bad/Bogus UAs
SecFilterSelective HTTP_USER_AGENT "Indy Library"
SecFilterSelective HTTP_USER_AGENT "Faxobot"
SecFilterSelective HTTP_USER_AGENT ".*SAFEXPLORER TL"
#Spam spider UAs
SecFilterSelective HTTP_USER_AGENT ".*fantomBrowser"
SecFilterSelective HTTP_USER_AGENT ".*fantomCrew Browser"
#VB development library used by many spammers, might block legitimate VB scripts
#comment out if you have problems
SecFilterSelective HTTP_USER_AGENT "Crescent Internet ToolPak"
#Borland Delphi signature, as above, comment out if it gives you problems
#spammers sometimes use these UAs
SecFilterSelective HTTP_USER_AGENT "NEWT ActiveX\; Win32"
SecFilterSelective HTTP_USER_AGENT "Mozilla.*NEWT"
#Part of the Microsoft MSINET.OCX, as above, spammers sometimes use this, if
#it causes problems, comment out.  If you are a member of the Microsoft Site 
#Builder Network, you probably do NOT want to block this ID.
#SecFilterSelective HTTP_USER_AGENT "Microsoft URL Control"
#SecFilterSelective HTTP_USER_AGENT  "^Microsoft URL"
#e-mail collectors and spammers
SecFilterSelective HTTP_USER_AGENT "WebBandit"
SecFilterSelective HTTP_USER_AGENT "WEBMOLE"
SecFilterSelective HTTP_USER_AGENT "Telesoft*"
SecFilterSelective HTTP_USER_AGENT "WebEMailExtractor"
SecFilterSelective HTTP_USER_AGENT "CherryPicker*"
SecFilterSelective HTTP_USER_AGENT NICErsPRO
SecFilterSelective HTTP_USER_AGENT "Advanced Email Extractor*"
SecFilterSelective HTTP_USER_AGENT EmailSiphon
SecFilterSelective HTTP_USER_AGENT Extractorpro
SecFilterSelective HTTP_USER_AGENT webbandit
SecFilterSelective HTTP_USER_AGENT EmailCollector
SecFilterSelective HTTP_USER_AGENT "WebEMailExtrac*"
SecFilterSelective HTTP_USER_AGENT EmailWolf
#Spiders that eat up bandwidth for their customers
#Not a spammer, just a spider, comment out if you like
SecFilterSelective HTTP_USER_AGENT "CopyRightCheck"
SecFilterSelective HTTP_USER_AGENT "CopyGuard"
SecFilterSelective HTTP_USER_AGENT "Digimarc WebReader"
#Marketing spiders
SecFilterSelective HTTP_USER_AGENT  "Zeus .*Webster Pro*"
#Poker spam
SecFilterSelective HTTP_USER_AGENT  "8484 Boston Project"
#collectors
SecFilterSelective HTTP_USER_AGENT  "autoemailspider"
SecFilterSelective HTTP_USER_AGENT  "ecollector"
SecFilterSelective HTTP_USER_AGENT  "grub crawler"
#referrer spam, not the real weblogs
SecFilterSelective HTTP_USER_AGENT  "^www\.weblogs\.com"
#spam bots
SecFilterSelective HTTP_USER_AGENT  "DTS Agent"
SecFilterSelective HTTP_USER_AGENT  "POE-Component-Client"
SecFilterSelective HTTP_USER_AGENT  "WISEbot"
SecFilterSelective HTTP_USER_AGENT  "^Shockwave Flash"
SecFilterSelective HTTP_USER_AGENT  "Missigua"
#comment spam sign
SecFilterSelective HTTP_USER_AGENT  "compatible \; MSIE"
#Some regexps to catch silly bots
SecFilterSelective REQUEST_URI "!/ps(zones\|comp).txt1" chain
SecFilterSelective HTTP_USER_AGENT "^(google|i?explorer?\.exe|(MS)?IE( [0-9.]+)?[ ]?(Compatible( Browser)?)?)$"
SecFilterSelective HTTP_USER_AGENT "^(Mozilla( [0-9.]+)?[ ]?\((Windows|Linux|(IE )?Compatible)\))$"
SecFilterSelective HTTP_USER_AGENT "^Mozilla/5\.0 \(X11; U; Linux i686; en-US; rv\:0\.9\.6\+\) Gecko/2001112$"
SecFilterSelective HTTP_USER_AGENT "^Mozilla/[0-9.]+ \(compatible; MSIE [0-9.]+; Windows( NT)?( [0-9.]*)?;[0-9./ ]*\)?$"
SecFilterSelective HTTP_USER_AGENT "^Mozilla/.+[. ]+$"
#spammer
SecFilterSelective HTTP_USER_AGENT "Butch__2\.1\.1"
SecFilterSelective HTTP_USER_AGENT "agdm79@mail\.ru"
#Fake Gameboy UA
SecFilterSelective HTTP_USER_AGENT "GameBoy\, Powered by Nintendo"
#bogus amiga UA
SecFilterSelective HTTP_USER_AGENT "Amiga-AWeb/3\.4"
#exploit UA
SecFilterSelective HTTP_USER_AGENT "Internet Ninja x\.0"
#bogus googlebot UA
SecFilterSelective HTTP_USER_AGENT "Nokia-WAPToolkit.* googlebot.*googlebot"
#recently caught sending spam referrals, from their actual crawler IP
SecFilterSelective HTTP_USER_AGENT "BecomeBot"
#SurveyBot
SecFilterSelective HTTP_USER_AGENT "SurveyBot"
#exploit
SecFilterSelective HTTP_USER_AGENT "S\.T\.A\.L\.K\.E\.R\."
SecFilterSelective HTTP_USER_AGENT "NeuralBot/0\.2"
SecFilterSelective HTTP_USER_AGENT "Kenjin Spider"
#WebvulnScan
SecFilterSelective HTTP_USER_AGENT "WebVulnScan"
#broken spam tool
SecFilterSelective HTTP_USER_AGENT "Mozilla/4\.0 \(compatible\; MSIE 6\.0\; Windows NT 5\.1$"
#PHPBB worm UA
SecFilterSelective HTTP_USER_AGENT "INTERNET EXPLOITER SUX"
#fake UA
SecFilterSelective HTTP_USER_AGENT "Windows-Update-Agent"
#exploit
SecFilterSelective HTTP_USER_AGENT "Internet-exprorer"
##########################################
# Proxy Protection Security Rules
##########################################
SecFilterSelective THE_REQUEST "(http|https|ftp)\:/*217\.106\.232\.38"
SecFilterSelective THE_REQUEST "(http|https|ftp)\:/*65\.54\.190\.230"
SecFilterSelective THE_REQUEST "(http|https|ftp)\:/*66\.96\.85\.136"
SecFilterSelective THE_REQUEST "msa-mx.*\.hinet\.net"
SecFilterSelective THE_REQUEST "^POST (http|https|ftp)\:/"
SecFilterSelective THE_REQUEST "^GET (http|https|ftp)\:/"
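To see what the generic SQL injection signature in the rule chain above actually catches, here is an added example (not code from the original post) that runs the signature over constructed request fragments. The POSIX class `[[:space:]]` is written as `\s` for Python's re module, and matching is done case-insensitively, which is an assumption about how the rules are meant to be read (the chain mixes `select` and `UNION SELECT`). It shows why the per-path `pass,nolog` exclusions at the top of the chain exist: ordinary forum text such as "select the best answer from the list" trips the rule, while `drop table users` and a quote-based tautology slip through, because the pattern requires a keyword, at least one more token, and then one of from/into/table/database/index/view.

```python
"""Exercise the generic SQL injection signature from the posted rule chain.
Added example for this thread, not code from the original post.  [[:space:]]
is rewritten as \\s for Python's re module; case-insensitive matching is an
assumption about how the 1.x rules are meant to be read."""
import re

# The [A-Z|a-z|0-9|\*| |\,] class is copied as written.  Inside [...] the '|'
# is a literal, so the class also admits a pipe character; it is not "or".
SQLI_SIG = re.compile(
    r"((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)"
    r"\s+[A-Z|a-z|0-9|\*| |\,]+\s+(from|into|table|database|index|view)\s+[A-Z|a-z|0-9|\*| |\,]"
    r"|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)",
    re.IGNORECASE,
)

# Constructed inputs: fragments a query string, cookie or User-Agent might carry.
SAMPLES = {
    "union-based injection": "id=1 union select 1,2,3 from users",
    "tautology injection": "user=admin' or '1'='1",
    "drop table": "drop table users",
    "insert into": "insert into users values (1)",
    "benign forum post": "Please select the best answer from the list",
}


def sqli_signature_matches(text):
    """True when the generic SQLi signature would fire on this text."""
    return SQLI_SIG.search(text) is not None


def evaluate(samples=SAMPLES):
    """Map each sample name to whether the signature fires on it."""
    return {name: sqli_signature_matches(text) for name, text in samples.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print("%-22s %s" % (name, "BLOCKED" if hit else "passed"))
```

Run it and only the union-based injection and the benign forum post are blocked; the tautology, `drop table users` and `insert into users ...` pass. That is the behaviour the rule author warns about in the comments ("all SQL filters are very limited"), and it is why the chain wraps posting.php, compose.php and the other editors in `<LocationMatch>` blocks that let the signature pass without logging.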
#2  Posted by Tickhi, 30.11.07, 20:59

The httpd server does not run when I add this rule chain.
#3  Posted by byilyas, 29.03.08, 01:48

Your versions are different; pay attention to the difference between version 1.x and 2.x, otherwise httpd will not restart because of the rules.
#4  Posted by SIZINTI, 20.07.08, 13:45

I installed Apache 2.2 and Apache went silent.
#5  Posted by KLAMP, 13.03.10, 23:07

Could you please specify whether this rule chain is for Mod Security 1.x or Mod Security 2.x?
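The replies above describe the failure a practitioner will hit with this chain: `SecFilter`, `SecFilterSelective` and `SecFilterInheritance` are ModSecurity 1.x directives, and ModSecurity 2.x only accepts `SecRule`/`SecAction` style configuration, so Apache refuses to start on the first legacy line ("Invalid command 'SecFilterSelective', perhaps misspelled ..."). The script below is an added example for this thread, not tooling from the original poster or from the gotroot ruleset. It reads a rule file, counts the 1.x-only directives, reports duplicated rule ids, and prints a first-pass `SecRule` translation. The 1.x-to-2.x variable map, the target used for bare `SecFilter`, and the auto-assigned ids starting at 900000 are assumptions to review before anything is loaded; `REQUEST_LINE`, `REQUEST_HEADERS:Name`, `ARGS:name`, `REQUEST_BODY`, `REQUEST_COOKIES` and `SecRuleInheritance` are real 2.x names.

```python
"""Flag ModSecurity 1.x-only directives and emit a first-pass SecRule translation.
Added example for this thread, not part of the posted ruleset.  The variable map,
the SecFilter target and the auto-assigned ids are assumptions: review before use."""
import re
import sys
from collections import Counter

# 2.x does not know these; Apache aborts with "Invalid command 'SecFilterSelective'".
LEGACY_DIRECTIVES = {"SecFilter", "SecFilterSelective", "SecFilterInheritance",
                     "SecFilterDefaultAction", "SecFilterEngine", "SecFilterScanPOST"}
# Assumed 1.x location -> 2.x variable; HTTP_* and ARG_* are mapped generically below.
VAR_MAP = {"THE_REQUEST": "REQUEST_LINE", "REQUEST_URI": "REQUEST_URI",
           "REQUEST_METHOD": "REQUEST_METHOD", "REMOTE_ADDR": "REMOTE_ADDR",
           "SCRIPT_FILENAME": "SCRIPT_FILENAME", "ARGS": "ARGS",
           "POST_PAYLOAD": "REQUEST_BODY", "COOKIE_VALUES": "REQUEST_COOKIES"}
# A token is a double-quoted string (escapes kept: they belong to the regex) or a bare word.
TOKEN_RE = re.compile(r'"((?:\\.|[^"\\])*)"|(\S+)')
ID_RE = re.compile(r"\bid:(\d+)")


def tokenize(line):
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in TOKEN_RE.finditer(line)]


def map_location(loc):
    """Translate a 1.x location such as HTTP_USER_AGENT|HTTP_HOST."""
    parts = []
    for name in loc.split("|"):
        if name in VAR_MAP:
            parts.append(VAR_MAP[name])
        elif name.startswith("HTTP_"):
            parts.append("REQUEST_HEADERS:" + name[5:].replace("_", "-").title())
        elif name.startswith("ARG_"):
            parts.append("ARGS:" + name[4:])
        else:
            parts.append("UNMAPPED_" + name)  # left for manual review
    return "|".join(parts)


def to_secrule(directive, args, auto_id, chained):
    """Return (SecRule line, whether auto_id was consumed)."""
    if directive == "SecFilter":  # assumption: 1.x SecFilter searched URI and POST body
        target, rest = "REQUEST_URI|REQUEST_BODY", args
    else:
        target, rest = map_location(args[0]), args[1:]
    pattern = rest[0]
    if pattern.startswith("!"):  # 1.x "!re" becomes 2.x "!@rx re"
        pattern = "!@rx " + pattern[1:]
    actions = ",".join(rest[1:])
    used_auto = False
    # 2.x needs an id on every rule except chained children, which inherit it.
    if not chained and not ID_RE.search(actions):
        actions = "id:%d" % auto_id + ("," + actions if actions else "")
        used_auto = True
    line = 'SecRule %s "%s"' % (target, pattern)
    return (line + ' "%s"' % actions if actions else line), used_auto


def lint(text, first_id=900000):
    """Return legacy-directive counts, duplicate ids and the translated text."""
    legacy, ids, out = Counter(), Counter(), []
    next_id, chained = first_id, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":  # comments and <LocationMatch> are fine in 2.x
            out.append(raw)
            continue
        tokens = tokenize(line)
        directive, args = tokens[0], tokens[1:]
        if directive in LEGACY_DIRECTIVES:
            legacy[directive] += 1
        ids.update(ID_RE.findall(line))
        min_args = 2 if directive == "SecFilterSelective" else 1
        if directive == "SecFilterInheritance" and args:
            out.append("SecRuleInheritance " + args[0])
        elif directive in ("SecFilter", "SecFilterSelective") and len(args) >= min_args:
            rule, used_auto = to_secrule(directive, args, next_id, chained)
            next_id += 1 if used_auto else 0
            out.append(rule)
            chained = "chain" in ",".join(args[min_args:]).split(",")
        else:
            out.append(raw)  # unknown or already 2.x syntax: keep verbatim
    return {"legacy_directives": dict(legacy),
            "duplicate_ids": sorted(i for i, n in ids.items() if n > 1),
            "translation": "\n".join(out)}


# Constructed excerpt in the style of the chain above: a two-line chain, a
# deliberately duplicated id and a LocationMatch block.
SAMPLE = r"""#Enforce proper HTTP requests
SecFilterSelective THE_REQUEST "!HTTP\/(0\.9|1\.0|1\.1)$" "id:340000,rev:1,severity:1,msg:'Bad HTTP Protocol'"
SecFilterSelective REQUEST_URI "!(/Count\.cgi)" chain
SecFilterSelective THE_REQUEST "\|+.*[\x20].*[\x20].*\|"
SecFilterSelective HTTP_Referer "inurl.*passwd.txt.*wwwboard.*webadmin" "id:350008,rev:1,severity:2,msg:'passwd.txt Google Recon attempt'"
SecFilterSelective HTTP_Referer "inurl.*admin\.mdb" "id:350008,rev:1,severity:2,msg:'admin.mdb Google Recon attempt'"
<LocationMatch "/_vti_bin/_vti_aut/author.exe">
  SecFilterInheritance Off
</LocationMatch>
SecFilterSelective ARG_what "\.\."
SecFilterSelective HTTP_USER_AGENT cgichk
"""

if __name__ == "__main__":  # usage: python modsec1to2.py [rulefile]
    report = lint(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE)
    print("legacy:", report["legacy_directives"], "duplicate ids:", report["duplicate_ids"], file=sys.stderr)
    print(report["translation"])
```

On a ModSecurity 1.9.x installation the chain loads as posted; on 2.x run the script over the saved config first, fix anything it prints as `UNMAPPED_`, and remember that 2.x `@rx` is case-sensitive (add `(?i)` where the 1.x rule relied on case-insensitive matching) and still needs `SecRuleEngine On` and a `SecDefaultAction`. Whichever version is installed, run `apachectl configtest` (or `httpd -t`) before the restart the first post recommends, so a bad rule produces an error message instead of a silent Apache.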
Thread URL: http://forum.whmdestek.com/whm-cpanel/319-ornek-mod-security-kural-zinciri.html