Install mod_security through WHM
Background:
Mod_Security is an open source intrusion detection and prevention engine for web applications. Operating as an Apache web server module, its purpose is to increase web application security by protecting web applications from known and unknown attacks. Official web site: http://www.modsecurity.org
More information:
1. Log in to your Web Host Manager with your web browser.
2. In the left frame, scroll down until you reach the cPanel section, then click Addon Modules.
3. A new window appears in the right frame. Scroll down until you see modsecurity, check the Install and Keep Updated field, and click Save.
cPanel will now download Mod_Security and add a basic security scheme. Mod_Security is added to the Apache configuration file located in /usr/local/apache/conf/, which in turn includes its main security configuration file, /usr/local/apache/conf/modsec.conf.
That’s it. mod_security is now installed on your server. Now, all that is left for you to do is to edit and add security filters.
You can edit the Mod_Security configuration file either through Web Host Manager or from a shell (SSH).
Web Host Manager
Once the installation has completed, a new section named Add-ons is added to WHM. Scroll down the left frame until you see it and click the Mod Security link. Note: if you are still logged in to WHM and don't see the Add-ons section, try refreshing your browser.
Shell
cPanel includes three configuration files: modsec.conf, modsec.user.conf, and modsec.user.conf.default. The ones in effect are modsec.conf and modsec.user.conf. modsec.user.conf is blank by default, while modsec.user.conf.default contains common security filters that can be copied into modsec.user.conf.
I recommend reviewing modsec.user.conf.default before copying and applying any security filters. Misconfiguration can do more harm than good.
Hope you all like this post


February 2nd, 2009 at 3:15 am
Great post brother.
Just wanted to add that here is a good general config that you can use for your apache server, it's the one I use and I find it to be quite efficient. Be warned that I installed mod_security manually, before cPanel supported it, but the rules should be identical, with only file placement being different.
(inside httpd.conf) I KNOW it’s a long file, copy and paste should work fine, just ignore the “AddModule mod_security.c” line.
DOUBLE CHECK the paths, make sure they match your cPanel build. Make sure to add this to your /usr/local/apache/conf/modsec.conf if you installed this using cPanel’s built-in “Add-on” modules link. If you are using a standard mod_security build, then this should be pasted into your httpd.conf file directly.
— Begin mod_security security parameters —
AddModule mod_security.c
# Turn the filtering engine On or Off (Off disables every filter below)
SecFilterEngine On
# Change Server: string
SecServerSignature " "
# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On
# This setting should be set to On only if the Web site is
# using the Unicode encoding. Otherwise it may interfere with
# the normal Web site operation.
SecFilterCheckUnicodeEncoding On
# Only allow bytes from this range
SecFilterForceByteRange 1 255
# The audit engine works independently and
# can be turned On or Off on the per-server or
# on the per-directory basis. "On" will log everything,
# "DynamicOrRelevant" will log dynamic requests or violations,
# and "RelevantOnly" will only log policy violations
SecAuditEngine RelevantOnly
# The name of the audit log file
SecAuditLog /var/log/httpd/audit_log
# Should mod_security inspect POST payloads
SecFilterScanPOST On
# Action to take by default
SecFilterDefaultAction "deny,log,status:500"
# Require HTTP_USER_AGENT and HTTP_HOST in all requests
#SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"
# This causes problems with some php scripts so commented out
# Weaker XSS protection but allows common HTML tags
SecFilter "<[[:space:]]*script"
# Very crude filters to prevent SQL injection attacks
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
# Protecting from XSS attacks through the PHP session cookie
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
# WEB-ATTACKS /bin/ps command attempt
SecFilterSelective THE_REQUEST "/bin/ps"
# WEB-ATTACKS ps command attempt
SecFilterSelective THE_REQUEST "ps\x20"
# WEB-ATTACKS wget command attempt
SecFilter "wget\x20"
# WEB-ATTACKS uname -a command attempt
SecFilter "uname\x20-a"
# WEB-ATTACKS /usr/bin/id command attempt
SecFilterSelective THE_REQUEST "/usr/bin/id"
# WEB-ATTACKS id command attempt
SecFilter "\;id"
# WEB-ATTACKS kill command attempt
SecFilterSelective THE_REQUEST "/bin/kill"
# WEB-ATTACKS chsh command attempt
SecFilterSelective THE_REQUEST "/usr/bin/chsh"
# WEB-ATTACKS tftp command attempt
SecFilter "tftp\x20"
# WEB-ATTACKS /usr/bin/gcc command attempt
SecFilterSelective THE_REQUEST "/usr/bin/gcc"
# WEB-ATTACKS gcc command attempt
SecFilter "gcc\x20-o"
# WEB-ATTACKS /usr/bin/cc command attempt
SecFilterSelective THE_REQUEST "/usr/bin/cc"
# WEB-ATTACKS cc command attempt
SecFilter "cc\x20"
# WEB-ATTACKS /usr/bin/cpp command attempt
SecFilterSelective THE_REQUEST "/usr/bin/cpp"
# WEB-ATTACKS cpp command attempt
SecFilter "cpp\x20"
# WEB-ATTACKS /usr/bin/g++ command attempt
SecFilterSelective THE_REQUEST "/usr/bin/g\+\+"
# WEB-ATTACKS g++ command attempt
SecFilter "g\+\+\x20"
# WEB-ATTACKS bin/python access attempt
SecFilterSelective THE_REQUEST "bin/python"
# WEB-ATTACKS python access attempt
SecFilter "python\x20"
# WEB-ATTACKS bin/tclsh execution attempt
SecFilter "bin/tclsh"
# WEB-ATTACKS tclsh execution attempt
SecFilter "tclsh8\x20"
# WEB-ATTACKS bin/nasm command attempt
SecFilterSelective THE_REQUEST "bin/nasm"
# WEB-ATTACKS nasm command attempt
SecFilter "nasm\x20"
# WEB-ATTACKS perl execution attempt
SecFilter "perl\x20"
# WEB-ATTACKS traceroute command attempt
SecFilter "traceroute\x20"
# WEB-ATTACKS ping command attempt
SecFilterSelective THE_REQUEST "/bin/ping"
# WEB-ATTACKS netcat command attempt
SecFilter "nc\x20"
# WEB-ATTACKS nmap command attempt
SecFilter "nmap\x20"
# WEB-ATTACKS xterm command attempt
SecFilterSelective THE_REQUEST "/usr/X11R6/bin/xterm"
# WEB-ATTACKS X application to remote host attempt
SecFilter "\x20-display\x20"
# WEB-ATTACKS lsof command attempt
SecFilter "lsof\x20"
# WEB-ATTACKS rm command attempt
SecFilter "rm\x20"
# WEB-ATTACKS mail command attempt
SecFilterSelective THE_REQUEST "/bin/mail"
# WEB-ATTACKS /bin/ls command attempt
SecFilterSelective THE_REQUEST "/bin/ls"
# WEB-ATTACKS /etc/shadow access
SecFilter "/etc/shadow"
# WEB-ATTACKS .htgroup access
SecFilterSelective THE_REQUEST "\.htgroup"
# WEB-CGI websitepro path access
SecFilter " /HTTP/1\."
# WEB-CGI formmail arbitrary command execution attempt
SecFilterSelective THE_REQUEST "/formmail" chain
SecFilter "\x0a"
# WEB-CGI formmail access
SecFilterSelective THE_REQUEST "/formmail" log,pass
# WEB-CGI phf arbitrary command execution attempt
SecFilterSelective THE_REQUEST "/phf" chain
SecFilter "\x0a/"
# WEB-CGI phf access
SecFilterSelective THE_REQUEST "/phf" log,pass
# WEB-CGI rksh access
SecFilterSelective THE_REQUEST "/rksh"
# WEB-CGI bash access
SecFilterSelective THE_REQUEST "/bash" log,pass
# WEB-CGI zsh access
SecFilterSelective THE_REQUEST "/zsh"
# WEB-CGI csh access
SecFilterSelective THE_REQUEST "/csh"
# WEB-CGI tcsh access
SecFilterSelective THE_REQUEST "/tcsh"
# WEB-CGI rsh access
SecFilterSelective THE_REQUEST "/rsh"
# WEB-CGI ksh access
SecFilterSelective THE_REQUEST "/ksh"
# WEB-CLIENT Javascript URL host spoofing attempt
SecFilter "javascript\://"
# WEB-FRONTPAGE fpsrvadm.exe access
SecFilterSelective THE_REQUEST "/fpsrvadm\.exe" log,pass
# WEB-FRONTPAGE fpremadm.exe access
SecFilterSelective THE_REQUEST "/fpremadm\.exe" log,pass
# WEB-FRONTPAGE fpadmin.htm access
SecFilterSelective THE_REQUEST "/admisapi/fpadmin\.htm" log,pass
# WEB-FRONTPAGE fpadmcgi.exe access
SecFilterSelective THE_REQUEST "/scripts/Fpadmcgi\.exe" log,pass
# WEB-FRONTPAGE orders.txt access
SecFilterSelective THE_REQUEST "/_private/orders\.txt" log,pass
# WEB-FRONTPAGE form_results access
SecFilterSelective THE_REQUEST "/_private/form_results\.txt" log,pass
# WEB-FRONTPAGE registrations.htm access
SecFilterSelective THE_REQUEST "/_private/registrations\.htm" log,pass
# WEB-FRONTPAGE cfgwiz.exe access
SecFilterSelective THE_REQUEST "/cfgwiz\.exe" log,pass
# WEB-FRONTPAGE authors.pwd access
SecFilterSelective THE_REQUEST "/authors\.pwd" log,pass
# WEB-FRONTPAGE author.exe access
SecFilterSelective THE_REQUEST "/_vti_bin/_vti_aut/author\.exe" log,pass
# WEB-FRONTPAGE administrators.pwd access
SecFilterSelective THE_REQUEST "/administrators\.pwd" log,pass
# WEB-FRONTPAGE form_results.htm access
SecFilterSelective THE_REQUEST "/_private/form_results\.htm" log,pass
# WEB-FRONTPAGE access.cnf access
SecFilterSelective THE_REQUEST "/_vti_pvt/access\.cnf" log,pass
# WEB-FRONTPAGE register.txt access
SecFilterSelective THE_REQUEST "/_private/register\.txt" log,pass
# WEB-FRONTPAGE registrations.txt access
SecFilterSelective THE_REQUEST "/_private/registrations\.txt" log,pass
# WEB-FRONTPAGE service.cnf access
SecFilterSelective THE_REQUEST "/_vti_pvt/service\.cnf" log,pass
# WEB-FRONTPAGE service.pwd
SecFilterSelective THE_REQUEST "/service\.pwd" log,pass
# WEB-FRONTPAGE service.stp access
SecFilterSelective THE_REQUEST "/_vti_pvt/service\.stp" log,pass
# WEB-FRONTPAGE services.cnf access
SecFilterSelective THE_REQUEST "/_vti_pvt/services\.cnf" log,pass
# WEB-FRONTPAGE shtml.exe access
SecFilterSelective THE_REQUEST "/_vti_bin/shtml\.exe" log,pass
# WEB-FRONTPAGE svcacl.cnf access
SecFilterSelective THE_REQUEST "/_vti_pvt/svcacl\.cnf" log,pass
# WEB-FRONTPAGE users.pwd access
SecFilterSelective THE_REQUEST "/users\.pwd" log,pass
# WEB-FRONTPAGE writeto.cnf access
SecFilterSelective THE_REQUEST "/_vti_pvt/writeto\.cnf" log,pass
# WEB-FRONTPAGE dvwssr.dll access
SecFilterSelective THE_REQUEST "/dvwssr\.dll" log,pass
# WEB-FRONTPAGE register.htm access
SecFilterSelective THE_REQUEST "/_private/register\.htm" log,pass
# WEB-FRONTPAGE /_vti_bin/ access
SecFilterSelective THE_REQUEST "/_vti_bin/" log,pass
# WEB-MISC cross site scripting \(img src=javascript\) attempt
SecFilter "img src=javascript"
# WEB-MISC .htpasswd access
SecFilter "\.htpasswd"
# WEB-MISC .htaccess access
SecFilter "\.htaccess"
# WEB-MISC cd..
SecFilter "cd\.\."
# WEB-MISC ///cgi-bin access
SecFilterSelective THE_REQUEST "///cgi-bin"
# WEB-MISC /cgi-bin/// access
SecFilterSelective THE_REQUEST "/cgi-bin///"
# WEB-MISC /~root access
SecFilterSelective THE_REQUEST "/~root"
# WEB-MISC /~ftp access
SecFilterSelective THE_REQUEST "/~ftp"
# WEB-MISC cat%20 access
SecFilter "cat\x20"
# WEB-MISC rpm_query access
SecFilterSelective THE_REQUEST "/rpm_query"
# WEB-MISC htgrep attempt
SecFilterSelective THE_REQUEST "/htgrep" chain
SecFilter "hdr=/"
# WEB-MISC htgrep access
SecFilterSelective THE_REQUEST "/htgrep" log,pass
# WEB-MISC .history access
SecFilterSelective THE_REQUEST "/\.history"
# WEB-MISC .bash_history access
SecFilterSelective THE_REQUEST "/\.bash_history"
# WEB-MISC /~nobody access
SecFilterSelective THE_REQUEST "/~nobody"
# WEB-MISC *%0a.pl access
SecFilterSelective THE_REQUEST "/*\x0a\.pl"
# WEB-MISC Apache Chunked-Encoding worm attempt
SecFilter "CCCCCCC\: AAAAAAAAAAAAAAAAAAA"
# WEB-MISC Transfer-Encoding\: chunked
SecFilter "chunked"
# WEB-PHP squirrel mail theme arbitrary command attempt
SecFilterSelective THE_REQUEST "/left_main\.php" chain
SecFilter "cmdd="
# WEB-PHP DNSTools administrator authentication bypass attempt
SecFilterSelective THE_REQUEST "/dnstools\.php" chain
SecFilter "user_dnstools_administrator=true"
# WEB-PHP DNSTools authentication bypass attempt
SecFilterSelective THE_REQUEST "/dnstools\.php" chain
SecFilter "user_logged_in=true"
# WEB-PHP DNSTools access
SecFilterSelective THE_REQUEST "/dnstools\.php" log,pass
# WEB-PHP Blahz-DNS dostuff.php modify user attempt
SecFilterSelective THE_REQUEST "/dostuff\.php\?action=modify_user"
# WEB-PHP Blahz-DNS dostuff.php access
SecFilterSelective THE_REQUEST "/dostuff\.php" log,pass
# WEB-PHP PHP-Wiki cross site scripting attempt
SecFilterSelective THE_REQUEST "<script"
# WEB-PHP strings overflow
SecFilterSelective THE_REQUEST "\?STRENGUR"
# WEB-PHP PHPLIB remote command attempt
SecFilter "_PHPLIB\[libdir\]"
— End —
Just make sure to restart your apache service for the changes to take effect.
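The post's warning that "misconfiguration can do more harm than good" and the commenter's own description of the filters above as "very crude" both point to the same practice: dry-run a ruleset against representative legitimate URLs before enabling it. The following script is an added example, not the commenter's code and not mod_security's own matching engine. It parses SecFilter / SecFilterSelective THE_REQUEST lines (the mod_security 1.x syntax used above; 2.x replaced these with SecRule), honours the default action, `log,pass` and `chain`, and reports which rules fire on constructed request lines. Its assumptions are labelled in the code: URL-decoding is the only normalisation it applies, matching is treated as case-insensitive, and selectors other than THE_REQUEST are skipped. The sample requests are constructed; one of them (`/orders/confirm%20order`) is a harmless URL that the `rm\x20` filter blocks, which is exactly the kind of false positive a dry run is meant to surface.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import unquote

# Constructed excerpt of the commenter's mod_security 1.x ruleset (straight quotes).
# Only SecFilter and SecFilterSelective THE_REQUEST rules are modelled here.
RULESET = r'''
SecFilterDefaultAction "deny,log,status:500"
SecFilter "<[[:space:]]*script"
SecFilter "delete[[:space:]]+from"
SecFilterSelective THE_REQUEST "/bin/ps"
SecFilter "nc\x20"
SecFilter "rm\x20"
SecFilterSelective THE_REQUEST "/formmail" chain
SecFilter "\x0a"
SecFilterSelective THE_REQUEST "/formmail" log,pass
'''

# POSIX bracket classes accepted by mod_security, translated for Python's re module.
POSIX_CLASSES = {"[:space:]": r"\s", "[:digit:]": "0-9",
                 "[:alpha:]": "a-zA-Z", "[:alnum:]": "a-zA-Z0-9"}

RULE_RE = re.compile(
    r'^(?P<directive>SecFilterSelective|SecFilter)\s+'
    r'(?:(?P<var>[A-Z_|]+)\s+)?'        # variable list (SecFilterSelective only)
    r'"(?P<pat>(?:[^"\\]|\\.)*)"'       # quoted regex, backslash escapes allowed
    r'(?:\s+(?P<actions>\S+))?\s*$')    # optional actions: log,pass / chain / ...


@dataclass
class Rule:
    regex: re.Pattern
    negate: bool      # a leading "!" inverts the match
    actions: str      # "" means "use SecFilterDefaultAction"
    chain: bool       # the next rule must also match, and its actions apply


def to_python_regex(pattern: str) -> str:
    for posix, py in POSIX_CLASSES.items():
        pattern = pattern.replace(posix, py)
    return pattern


def parse_rules(text: str, ignore_case: bool = True) -> Tuple[List[Rule], str]:
    """Parse SecFilter/SecFilterSelective lines into Rule objects plus the default action.
    ignore_case=True is my assumption about 1.x matching; verify it against your build."""
    default_action = "deny,log,status:500"
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("SecFilterDefaultAction"):
            default_action = line.split('"')[1]
            continue
        m = RULE_RE.match(line)
        if not m or m.group("var") not in (None, "THE_REQUEST"):
            continue    # comments, other directives and ARG_/COOKIE_ selectors are skipped
        pat, actions = m.group("pat"), m.group("actions") or ""
        negate = pat.startswith("!")
        regex = re.compile(to_python_regex(pat.lstrip("!")), re.IGNORECASE if ignore_case else 0)
        rules.append(Rule(regex, negate, "" if actions == "chain" else actions, actions == "chain"))
    return rules, default_action


def evaluate(request_line: str, rules: List[Rule], default_action: str):
    """Walk the rules in order against the URL-decoded request line (a stand-in for
    mod_security's own normalisation). Returns (verdict, hits): verdict is 'deny' at the
    first denying rule, 'pass' if only log,pass rules fired, otherwise 'allow'."""
    decoded = unquote(request_line)
    hits: List[Tuple[str, str]] = []
    i = 0
    while i < len(rules):
        rule, i = rules[i], i + 1
        hit = bool(rule.regex.search(decoded)) != rule.negate
        label, action = rule.regex.pattern, rule.actions
        if rule.chain and i < len(rules):
            follower, i = rules[i], i + 1          # the chained rule is consumed either way
            if hit:
                hit = bool(follower.regex.search(decoded)) != follower.negate
                label, action = f"{label} + {follower.regex.pattern}", follower.actions
        if hit:
            hits.append((label, action or default_action))
            if "deny" in (action or default_action):
                return "deny", hits
    return ("pass" if hits else "allow"), hits


def simulate(request_line: str, ruleset: str = RULESET):
    rules, default_action = parse_rules(ruleset)
    return evaluate(request_line, rules, default_action)


if __name__ == "__main__":
    # Constructed request lines: two attack patterns, a legitimate URL that trips the
    # crude "rm\x20" filter (false positive), a logged-only request and a clean one.
    for req in ["GET /cgi-bin/test.cgi?cmd=/bin/ps HTTP/1.0",
                "GET /index.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1",
                "GET /orders/confirm%20order?id=7 HTTP/1.1",
                "GET /cgi-bin/formmail.pl?recipient=me@example.com HTTP/1.1",
                "GET /about.html HTTP/1.1"]:
        print(simulate(req), req)
```

To dry-run your own ruleset, pass the contents of modsec.user.conf as `ruleset` and feed `simulate` request lines taken from your access log; any legitimate URL that comes back as `deny` is a filter to narrow or drop before turning the engine on. The real module also inspects headers and POST bodies and applies more normalisation than a URL decode, so a clean result here is a necessary check, not a sufficient one.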
August 16th, 2010 at 5:00 pm
i’m new… expectancy to brief around more time after time!
August 20th, 2010 at 4:53 am
i’m new… promise to despatch around more oftentimes!
January 4th, 2012 at 10:26 am
Web attacks are on the increase and some of the most used websites have not been spared by these attacks. It is important to always make sure that your computer is secure against web attacks which may occur at any time.