[الدرس التاسع] اعداد ال Modsecurity بشكل مناسب ولايتعارض مع اي من السكربتات.

السلام عليكم ورحمة الله وبركاته

موضوعنا اليوم عن ModSecurity: سنحل بعض المشاكل ونضع بعض الرولز (Rules).



في البداية سنرجع ModSecurity إلى الإصدار القديم، لأن الإصدار الجديد يُلزم أن يكون لكل رول (Rule) رقم تعريف (id).

نفّذ التالي:

[PHPCODE]# Build dependencies for compiling mod_security against the installed httpd:
# Apache headers, APR / APR-util headers and PCRE headers.  Each package is
# installed with its own yum call, exactly as in the step-by-step listing.
for pkg in httpd-devel apr-devel apr-util-devel pcre-devel; do
    yum -y install "$pkg"
done
[/PHPCODE]

ومن ثم ،

[PHPCODE]wget http://garr.dl.sourceforge.net/project/mod-security/modsecurity-apache/2.6.8/modsecurity-apache_2.6.8.tar.gz
cd modsecurity-apache_2.6.8
./configure
cd apache2
make
make install
service httpd restart[/PHPCODE]

الآن نذهب إلى cPanel، ثم Plugins، وندخل إلى mod_security ونضع هذه الرولز (Rules):

[PHPCODE]SecRule REQUEST_FILENAME "\.pl"
# NOTE(review): the rule above and the next six carry no action list and no id.
# They sit BEFORE the SecDefaultAction set further down, so they run under
# whatever default action is in force at this point of the configuration
# (ModSecurity's built-in default is phase:2,log,auditlog,pass, i.e. log only) --
# confirm what the cPanel-generated configuration sets before this file is read.
# "\.pl" is an unanchored regex on REQUEST_FILENAME: it also fires on every
# legitimate Perl CGI and on names such as *.plist or *.player, which works
# against the "does not conflict with any script" goal of this lesson.
SecRule REQUEST_FILENAME "perl .*\.pl(\s|\t)*\;"
SecRule REQUEST_FILENAME "\;(\s|\t)*perl .*\.pl"

# RESPONSE_BODY is populated only in phase 4; in a phase-2 rule it is empty, so
# only the request-side targets of the next four rules can ever match.  The
# patterns are regexes, not literals: ".htaccess" has an unescaped dot, and
# "/root" and "/boot" match any request line, URI or body containing that
# substring (a path such as /bootstrap/... included) -- anchor or escape them if
# they are meant as literal paths.
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI ".htaccess"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "sql_passwd"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "/root"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "/boot"



# NOTE(review): this listing was rendered by forum software, which apparently
# replaced the ":o" sequence with its ":eek:" smiley code, blanked a censored
# word into a run of asterisks, and rewrote an e-mail-looking token to
# "[email protected]".  The tokens "(?:eek:gg", "(?:eek:|0|p)wn",
# "****************l", "********************sx" and "[email protected]" in the
# rules below are therefore NOT the original regex text: copied as shown they
# match those literal strings rather than what the rule author intended, so the
# affected rules silently match nothing useful.  Take the rule bodies from the
# upstream Atomicorp feed (the id: and rev: values identify each rule) instead
# of from this page.
# The two @pmFromFile rules below are disabled; enabling them requires the
# malware_scripts.txt file they reference to exist where ModSecurity can read
# it, otherwise the configuration fails to load.
#Master list of known malware script file names
#SecRule REQUEST_URI "(?:eek:gg|gopher|zlib|(?:ht|f)tps?)\:/" \
#"capture,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:390500,rev:1,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - Malware Script Blacklist: Malware Script detected in URL',logdata:'%{TX.0}'"
#SecRule REQUEST_URI "@pmFromFile malware_scripts.txt"

#SecRule ARGS|REQUEST_FILENAME "@pmFromFile malware_scripts.txt" \ "capture,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:390501,rev:1,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - Malware Script Blacklist: Malware Script detected in ARGS',logdata:'%{TX.0}'"

# Applies to every rule that FOLLOWS it: rules below that give no disruptive
# action block with 403 in phase 2 and inherit t:lowercase / t:replaceNulls /
# t:compressWhitespace unless their own list starts with t:none.  A rule that
# sets status:404 without "deny" (id 390146 below) still denies -- the status
# merely replaces the 403.
SecDefaultAction "log,deny,auditlog,phase:2,status:403,t:lowercase,t:replaceNulls,t:compressWhitespace"

# Chained rule (id 390144): the first SecRule matches every URI except the
# listed known-good ones (negated pattern) and the second, on
# ARGS|!ARGS:message, carries the actual signature.  The second rule ends in a
# line-continuation backslash followed by a blank line; harmless as is, but
# anything written on that blank line becomes part of the directive, so keep
# it empty.
SecRule REQUEST_URI "!(horde/services/go\.php|tiki-view_cache\.php|event\.ng/type=click|^/\?out=http://.*/.*\?ref=.*|^event\.ng/|^/hiphop2/=http|homeCounter\.php\?offerid=.*&ureferrer=http)" \
"capture,chain,id:390144,rev:16,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Command ****************l attack: Generic Attempt to remote include command ****************l',logdata:'%{TX.0}'"

SecRule ARGS|!ARGS:message "(?:\.(?:dat|gif|jpg|png|bmp|txt|vir|dot)\?\&(?:cmd|inc|name)=|/trf/traf\.php)" \

#rootkit patterns
# Second chain (id 390145), same shape as 390144.  The chained rule's pattern
# contains the forum-mangled "(?:eek:gg" token noted above.
SecRule REQUEST_URI "!(?:/event\.ng/|horde/services/go\.php|tiki-view_cache\.php|^/\?out=http://|homecounter\.php\?offerid=.*ureferrer=http|__utm\.gif\?)" \
"capture,chain,id:390145,rev:6,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Rootkit attack: Generic Attempt to install rootkit',logdata:'%{TX.0}'"
SecRule REQUEST_URI "=(?:eek:gg|gopher|zlib|(?:ht|f)tps?)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\?"

#Body sigs
# id 390146 is reused by the "c99" rule right below.  ModSecurity 2.6 tolerates
# the duplicate, but 2.7+ rejects duplicate ids at startup, and
# SecRuleRemoveById 390146 would disable both rules at once.
SecRule REQUEST_HEADERS_NAMES "x_(?:key|file)\b" \
"capture,phase:2,t:none,t:lowercase,status:404,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Backdoor access',id:390146,severity:'2',logdata:'%{TX.0}'"

#c99 root****************l
SecRule REQUEST_URI "(?:\.php\?act=(chmod&f|cmd|ls|f&f)|cx529\.php|\.php\?(?:phpinfo|mtnf|p0k3r)|/****************l[0-9]?\.php|/\.get\.php)" \
"capture,id:390146,rev:17,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Command ****************l attack: PHP exploit ****************l attempting to run command',logdata:'%{TX.0}'"

# known PHP attack ****************ls
# id 390147; several of the LocationMatch blocks at the end exempt upload and
# cron paths from it.  Pattern contains censored tokens (see note above).
SecRule REQUEST_URI "(?:wiki_up/(?:(?:gif|ion|jpe?g|lala)\.ph(p(3|4)?|tml)|.*\.(?:php(3|4)?|tml|cgi|sh))|(?:/|^)phpterm|(?:c(?:99|100)|c(?:99|100)****************l)\.(txt|php)\?|iblis\.htm\?|/gif\.gif\?|/go\.php\.txt\?|sh[0-9]\.(gif|jpe?g|txt|bmp|png)\?|iys\.(gif|jpe?g|txt|bmp|png)\?|****************l[0-9]\.(gif|jpe?g|txt|bmp|png)\?|zehir\.asp|aflast\.txt\?|sikat\.txt\?&cmd|/lukka\?&|btn_lists\.(gif|jpe?g|txt|bmp|png)\?|dsoul/tool\?|phpbb2?_patch\?&|anggands\.(gif|jpe?g|txt|bmp|png)\?|newfile[0-9]\.(gif|jpe?g|txt|bmp|png)\?|/vsf\.vsf\?&|\.k4ka\.txt\?|(?:php|test|sql)\.txt\?|/oops?&|/maint64/index.php|/fx29sh/|fx29id[0-9]|fx29sh_update|/cyberz\.txt|/pshyco\.txt)" \
"capture,id:390147,rev:9,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Rootkit attack: Known rootkit or remote ****************l',logdata:'%{TX.0}'"

#|temp)/(?:(?:gif|ion|jpe?g|lala)\.ph(p(3|4)?|tml)|.*\.(?:php(3|4)?|tml|cgi|sh))

#URI sigs
# id 390800: contains the forum-mangled "(?:eek:|0|p)wn", "********************sx"
# and "****************l" tokens -- not usable as shown.
SecRule REQUEST_URI "/(?:(?:cse|cmd)\.(?:c|dat|gif|jpe?g|png|sh|txt|bmp|dat|txt|js|tmp|php(?:3|4|5)?|asp)|(?:terminatorX-?exp|[a-z](?:cmd|command)[0-9]?)\.(?:gif|jpe?g|txt|bmp|php(?:3|4|5)?|png)\?|cmd(?:\.php(?:3|4|5)?|dat)|/(?:a|ijoo|oinc|s|sep|ipn|pro18|(php(?:3|4|5)?)?|****************l|(?:eek:|0|p)wn(?:e|3)d|xpl|ssh2|too20|php(?:3|4|5)?backdoor|dblib|sfdg2)\.(?:c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|php(?:3|4|5)?|asp)\?&(?:command|cmd)=|\.it/viewde|/(?:gif|jpe?g|ion|lala|****************l|/ipn|php(?:3|4|5)?****************l)\.(?:php?(?:3|4|5)?|tml)|tool[12][0-9]?\.(?:ph(?:p(?:3|4|5)?|tml)|js)\?|therules25?\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?|\.dump/(bash|httpd)\.(?:txt|php?(?:3|4|5)?|gif|jpe?g|dat|bmp|png|\;| )|suntzu\.php?(?:3|4|5)?\?cmd|********************sx\.(?:gif|jpe?g|bmp|txt|asp|png)\?|****************l.txt|scan1\.0/scan/|(?:/bind|/juax|linuxdaybot)\.(gif|jpe?g|txt|bmp|png)|docLib/cmd\.asp)" \
"capture,id:390800,rev:3,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Possible Rootkit attack: Generic Attempt to run rootkit',logdata:'%{TX.0}'"


# id 390148: same mangled tokens as 390800.
SecRule REQUEST_URI "/(?:(?:linuxdaybot|suntzu|****************l_vup|****************l|(?:eek:|0|p)wn(?:e|3)d|xpl|ssh2?|too20|backdoor|terminatorx-?exp)\.(?:dat|gif|jpe?g|png|sh|txt|bmp|dat|txt|js|s?html?|tmp|php(?:3|4|5)?|asp)|(?:r57|fx29|c(?:99|100))\.(?:txt|php))" \
"capture,id:390148,rev:12,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Possible Rootkit attack: Generic Attempt to run rootkit',logdata:'%{TX.0}'"

#Request Body patterns
#trick them with a 404
# Phase-4 rules such as this one (id 390149; also the spamtool and rapidleech
# rules further down) only see the body when SecResponseBodyAccess is On and
# the response's content type is listed in SecResponseBodyMimeType; neither
# directive appears in this listing -- confirm them in the main mod_security
# configuration.  Also: "{,10}?" and "{,20}?" in the Windows-banner alternative
# are not quantifiers under PCRE (before PCRE2 10.43 a "{,n}" with no lower
# bound is taken literally), so that alternative cannot match real output; and
# "Â." is an encoding artefact of whatever character the upstream feed used.
SecRule RESPONSE_BODY "(?:(?:<title>[^<]*?(?:\b(?:(?:c(?:ehennemden|gi-telnet)|gamma web ****************l)\b|imhabirligi phpftp)|(?:r(?:emote explorer|57 ?****************l)|aventis klasvayv|zehir)\b|\.::(?:news remote php ****************l injection::\.| rhtools\b)|ph(?:p(?:(?: commander|-terminal)\b|remoteview)|vayv)|my****************l)|\b(?:(?:(?:microsoft windows\b.{,10}?\bversion\b.{,20}?\(c\) copyright 1985-.{,10}?\bmicrosoft corp|ntdaddy v[0-9]\.[0-9] - obzerve \| fux0r inc)\.|(?:www\.sanalteror\.org - indexer and read|haxplor)er|php(?:konsole| ?****************l)|(c99|c100|r57) ?****************l)\b|aventgrup\.<br>|drwxr| - n3t))|This is (an|a)? exploit from < ?a|php ?(4|5).+ safe_mode ?(\&|/|and)? ?open_basedir ?bypass|feelcomzfeelcomz|id: feelcomz|shirohigeshirohige|lusif3r_666|was here \.\..*uname.*uid.*gid.*free.*used|b\.o\.v sience 20[0-1][0-9]|emp3ror undetectable|(o|0)wned by hacker|feelcomz rfi scanner|by pshyco, Â. 2008 error|safemodeexecdir|sh-(inf|err): )" \
"phase:4,t:none,ctl:auditLogParts=+E,auditlog,status:404,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Backdoor access',id:'390149',rev:11,severity:'2'"

#ASP sigs
# id 390150 is reused by the "spamtool" RESPONSE_BODY rule further down (same
# duplicate-id caveat as 390146).
SecRule REQUEST_URI "\.asp\?(?:.*theact=inject&thepath=|pagename=appfileexplorer|.*showupload&thepath=)" \
"capture,id:390150,rev:5,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Rootkit attack: ASP rootkit attempt',logdata:'%{TX.0}'"

#generic payload
#if (isset($_GET['cmd'])) passthru(stripslashes($_GET['cmd']));
# Three copies of the same signature, differing only in the transformation
# chain (default, t:hexDecode, t:base64Decode), all share id 390801.  The
# SecRuleRemoveById 390801 in the /admin/dogen_display.php LocationMatch at the
# end therefore disables all three (probably intended), but the duplicate id
# will not load on ModSecurity 2.7+.  The PHP function name censored to
# "****************l_exec" in the (system|passthru|...|exec) list is one of the
# mangled tokens noted above.
SecRule REQUEST_URI|ARGS|REQUEST_BODY "(?:<\? ?php (echo ?\"hi ?master |.*(system|passthru|****************l_exec|exec) ?\()|error_reporting\(.*\) ?\; ?if ?\(isset ?\(.*\) ?\) (system|passthru|****************l_exec|exec) ?\(|(stripslashes|passthru) ?\( ?\$_request\[\"|if \( ?get_magic_quotes_gpc\()" \
"capture,id:390801,rev:1,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Possible Rootkit attack: Generic Attempt to insert rootkit code',logdata:'%{TX.0}'"
SecRule REQUEST_URI|ARGS|REQUEST_BODY "(?:<\? ?php (echo ?\"hi ?master|.*(system|passthru|****************l_exec|exec) ?\()|error_reporting\(.*\) ?\; ?if ?\(isset ?\(.*\) ?\) (system|passthru|****************l_exec|exec) ?\(|(stripslashes|passthru) ?\( ?\$_request\[\"|if \( ?get_magic_quotes_gpc\()" \
"capture,t:hexDecode,id:390801,rev:1,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Possible Rootkit attack: Generic Attempt to insert rootkit code',logdata:'%{TX.0}'"
SecRule REQUEST_URI|ARGS|REQUEST_BODY "(?:<\? ?php (echo ?\"hi ?master|.*(system|passthru|****************l_exec|exec) ?\()|error_reporting\(.*\) ?\; ?if ?\(isset ?\(.*\) ?\) (system|passthru|****************l_exec|exec) ?\(|(stripslashes|passthru) ?\( ?\$_request\[\"|if \( ?get_magic_quotes_gpc\()" \
"capture,t:base64Decode,id:390801,rev:1,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Possible Rootkit attack: Generic Attempt to insert rootkit code',logdata:'%{TX.0}'"


#Generic remote perl execution with .pl extension
# id 390802: the trailing "r57****************l" alternative is a censored
# token (see note above); the other alternatives are intact.
SecRule REQUEST_URI "(?:perl .*\.pl(\s|\t)*\;|\;(\s|\t)*perl .*\.pl|perl (?:xpl\.pl|kut|viewde|httpd\.txt)|\./xkernel\;|/kaiten\.c|/mampus\?&(?:cmd|command)|trojan\.htm|/(?:r57|c99|c100)\.(?:php|txt)|r57****************l\.(?:php|txt))" \
"capture,id:390802,rev:3,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Possible Rootkit attack: Known Rootkit',logdata:'%{TX.0}'"

#some broken attack program
# id 390803: the "[email protected]@[email protected]@" alternative is a
# page-rendering artefact, not the original signature.
SecRule REQUEST_URI|ARGS|REQUEST_BODY "(?:[email protected]@[email protected]@|netenberg |psybnc |fantastico_de_luxe |arta\.zip )" \
"capture,id:390803,rev:1,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Known Wormsign',logdata:'%{TX.0}'"

#wormsign sigs

#New SEL attack seen
# id 390804: generic SQL-injection signature; the default action's t:lowercase
# is what lets the lower-case "select"/"from" match mixed-case input.
SecRule REQUEST_URI|ARGS|REQUEST_BODY "(?:select.*from.*information_schema\.tables|and.+char\(.*\).+user.+char\(.*\))" \
"capture,id:390804,rev:1,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Known rootkit SQL payload',logdata:'%{TX.0}'"

# Phase-4 response-body rule; shares id 390150 with the ASP rule above.
SecRule RESPONSE_BODY "(?:add (?:new emailbases to database|high prioritet emails))" \
"phase:4,t:none,t:lowercase,ctl:auditLogParts=+E,auditlog,status:404,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Possible spamtool installed on system',id:'390150',severity:'2'"

#Rapid Leech blocks
# ids 390900 (phase 4, response body) and 390903 (phase 3, WWW-Authenticate
# response header) -- both depend on response inspection being enabled, see the
# SecResponseBodyAccess note above.
SecRule RESPONSE_BODY "(?:<b>rapidleech checker script|rapidleech plugmod - auto download|<title>rapidleech|You are not allowed to leech from|alt=\"rapidleech plugmod|<center>.*<a href=http://www\.rapidleech\.com>rapidleech</a>|src=\"http://www\.rapidleech\.com/logo\.gif)" \
"phase:4,t:lowercase,ctl:auditLogParts=+E,auditlog,status:404,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Unauthorized Download Client - Rapidleech',id:'390900',rev:8,severity:'2'"
SecRule RESPONSE_HEADERS:WWW-Authenticate "basic realm.*rapidleech" \
"capture,phase:3,ctl:auditLogParts=+E,auditlog,status:404,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Unauthorized Download Client - Rapidleech',id:'390903',rev:1,severity:'2',logdata:'%{TX.0}'"

# id 390902: blocks POST arguments that are URLs of file-hosting sites; the
# /ubbthreads.php LocationMatch at the end exempts that script from it.
SecRule ARGS_POST "^(ht|f)tps?://([a-z0-9_\.?]+\.)?((rapidshare|mega(?:upload|shares?)|filefactory|mediafire|depositfiles|sendspace|badongo|uploading|savefile|cocshare|axifile|turboupload|gigasize|ziddu|uploadpalace|filefront|momupload|speedyshare|rnbload|adrive|easy-share|megarotic|egoshare)\.com|ifolder\.ru|files\.to|cocoshare\.cc|(?:usaupload|bitroad)\.net|netload\.in|rapidshare\.de)/.+" \
"capture,id:390902,rev:1,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Possible Unauthorized Download Client',logdata:'%{TX.0}'"
#SecRule ARGS_POST "^http://(rapidshare|megaupload)\.com.+" \
#"capture,id:390901,rev:1,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Unauthorized Download Client - Rapidleech',logdata:'%{TX.0}'"


#WWW-Authenticate: Basic realm=\"RAPIDLEECH PLUGMOD
# ids 390904 / 390905 inspect only an argument literally named "cmd" / "ev";
# the same payload in any other parameter name is not covered by them.
SecRule ARGS:cmd "(?:ls -|find /|mysqldump |ifconfig |php |echo |perl |killall |kill |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |wget |lwp-(?:download|request|mirror|rget) |uname |cvs |svn |(?:s|r)(?:cp|sh) |net(?:stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |g?cc |cpp |g\+\+ |/s?bin/(?:xterm|id|bash|sh|echo|kill|chmod|ch?sh|python|perl|nasm|ping|mail|ssh|netstat|php|route))" \
"capture,id:390904,rev:4,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Possible PHP ****************l Command Attempt',logdata:'%{TX.0}'"
SecRule ARGS:ev "^print [0-9];" \
"capture,id:390905,rev:1,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Possible PHP ****************l Command Attempt',logdata:'%{TX.0}'"

# Per-location exemptions.  LocationMatch takes a regex that is unanchored and
# case-sensitive: "homeCounter.php" also matches e.g. /x/homeCounterXphp
# anywhere in the path, and "/chatfiles/*" means "chatfiles" followed by zero
# or more slashes, not a glob.  Anchor and escape the paths (for example
# "^/wp-cron\.php$") if the exemptions are meant to be exact.  The
# /e107_plugins/autogallery/autogallery.php block appears twice; the second copy
# is redundant.  SecRuleRemoveById disables every rule carrying that id for the
# location, so removing a duplicated id (390146, 390150, 390801) disables all
# rules sharing it.
<LocationMatch homeCounter.php>
SecRuleRemoveById 390144
SecRuleRemoveById 390145
</LocationMatch>
<LocationMatch moderation.php>
SecRuleRemoveById 390148
</LocationMatch>
<LocationMatch /paadmin/file_manager.php>
SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /__utm.gif>
SecRuleRemoveById 390144
</LocationMatch>
<LocationMatch /administrator/index.php>
SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /ota/admin/file_manager.php>
SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /admin/shop_file_manager.php>
SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /admin/file_manager.php>
SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /modules/mod_oneononechat/chatfiles/*>
SecRuleRemoveById 390147
</LocationMatch>
<LocationMatch /fud/adm/admbrowse.php>
SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /wp-cron.php>
SecRuleRemoveById 390147
</LocationMatch>
<LocationMatch /admin/mods/easymod/easymod_install.php>
SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /e107_plugins/autogallery/autogallery.php>
SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /alfresco/scripts/onload.js>
SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /e107_plugins/autogallery/autogallery.php>
SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /assets/Files/who/>
SecRuleRemoveById 390147
</LocationMatch>
<LocationMatch /forum/viewtopic.php>
SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /setup/>
SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /administrator/index2.php>
SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /sales/soap.php>
SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /twg177/admin/>
SecRuleRemoveById 390149
</LocationMatch>
<LocationMatch /images/smilies/>
SecRuleRemoveById 390148
</LocationMatch>
<LocationMatch /admin/dogen_display.php>
SecRuleRemoveById 390801
</LocationMatch>
<LocationMatch /horde/themes/graphics/>
SecRuleRemoveById 390148
</LocationMatch>
<LocationMatch /whois/quick.php>
SecRuleRemoveById 390145
</LocationMatch>
<LocationMatch /ubbthreads.php>
SecRuleRemoveById 390902
</LocationMatch>[/PHPCODE]





انتهاء.

اخوكم في الله

ابو خالد
 