  1. #1

    Setting the right rules for Mod Security

    We were recently hacked on our dedicated server and the hacker managed to insert PHP files that generated thousands of doorway pages in one of the images folders on our site. We have done an extensive cleanup of our site, removing all malicious files, and are locking down the server. We have already updated to the latest versions of PHP and WordPress, not to mention changed all database passwords and the admin password. My question is about mod_security for Apache.

    We were told Mod_security can prevent this from happening again but it must be configured correctly.

    We have already set rules for mod_security. The rules set up are in the files in the directory, /etc/httpd/modsecurity.d/modsec. We were told that the file 10_asl_rules.conf specifically has filters to prevent SQL injection attacks.

    These are our current rules:
    ----------------------------------------------------------------------
    /etc/httpd/modsecurity.d/modsec
    # ls
    05_asl_exclude.conf 30_asl_antispam.conf domain-blacklist-local.txt malware-blacklist.txt
    05_asl_scanner.conf 30_asl_antispam_referrer.conf domain-blacklist.txt sql.txt
    10_asl_antimalware.conf 40_asl_apache2-rules.conf domain-spam-whitelist.conf trusted-domains.conf
    10_asl_rules.conf 50_asl_rootkits.conf domain-spam-whitelist.txt trusted-domains.txt
    11_asl_data_loss.conf 60_asl_recons.conf malware-blacklist-high.txt whitelist.txt
    20_asl_useragents.conf 99_asl_exclude.conf malware-blacklist-local.txt
    30_asl_antimalware.conf 99_asl_jitp.conf malware-blacklist-low.txt
    -----------------------------------------------------------------

    Can anyone help me understand this a little more, and what else can I do to prevent this or tune Apache mod_security so it doesn't let this happen again? We are so paranoid that we are now checking our access log files for POST commands every day.

    Thanks so much for your help......
    TT
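The daily access-log check described above can be scripted. This is an added example, not code from the thread; it assumes the site keeps its images under `/images/` and uses Apache's "combined" log format, and the log lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: automate the daily access-log check the
# poster describes. Two conditions, both taken from the incident above:
#   1. POST requests to a .php path under the images directory
#   2. any request at all for a .php path under the images directory (hits on
#      the doorway pages)
# IMAGES_DIR is an assumption about the site layout; adjust to your site.
IMAGES_DIR='/images/'

# Constructed sample lines in Apache "combined" log format (addresses and
# paths are made up for the example).
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.5 - - [10/Nov/2009:01:12:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Nov/2009:01:12:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Nov/2009:01:13:44 +0000] "POST /images/x.php?a=1 HTTP/1.1" 200 12 "-" "Mozilla/4.0"
198.51.100.9 - - [10/Nov/2009:01:13:50 +0000] "GET /images/cheap-1234.php HTTP/1.1" 200 8801 "-" "Googlebot/2.1"
192.0.2.77 - - [10/Nov/2009:01:14:02 +0000] "GET /images/logo.png HTTP/1.1" 200 3011 "-" "Mozilla/5.0"
EOF
)

# php_in_images METHOD   (log lines on stdin)
# Prints "client method path" for each request whose path is a .php file
# under IMAGES_DIR. METHOD filters on the HTTP method; ANY matches all.
php_in_images() {
    awk -v dir="$IMAGES_DIR" -v want="$1" '
        {
            method = substr($6, 2)          # $6 is "\"METHOD": drop the quote
            path = $7
            sub(/\?.*/, "", path)           # ignore the query string
            if (index(path, dir) == 1 && path ~ /\.php$/ &&
                (want == "ANY" || method == want))
                print $1, method, path
        }'
}

# count_php_posts  (log lines on stdin) -> number of POSTs to .php under IMAGES_DIR
count_php_posts() {
    php_in_images POST | wc -l | tr -d ' '
}

echo "POSTs to PHP under $IMAGES_DIR:"
printf '%s\n' "$SAMPLE_LOG" | php_in_images POST
echo "All requests for PHP under $IMAGES_DIR:"
printf '%s\n' "$SAMPLE_LOG" | php_in_images ANY
```

On the server itself, feed the real log in place of the sample, e.g. `php_in_images POST < /path/to/access_log`; any output at all for a directory that should hold only static files is worth a look.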

  2. #2
    mod_security will help, but IMO it is unnecessary; with sensible permissions, a properly configured php.ini, and up-to-date software you'll be better off and you won't take a performance hit.

  3. #3
    Thanks for the response. Could you make a suggestion on a properly configured php.ini that can prevent these types of attacks?

  4. #4
    Are you doing shared hosting? How many sites on the server?

  5. #5
    VPS hosting....... with only one site on it....
    Have access to ssh and all root files..

  6. #6
    Here's a quick list: if possible turn PHP safe mode on, use open_basedir, make sure the permissions on your files/folders are the minimum required, make use of the disable_functions feature in php.ini, maybe install Suhosin. Make sure all your software is up to date, change the SSH port and possibly disable root login (make sure you have a secondary account added and you know the password before you do this!). Make sure all your passwords are strong. There are other things, but these are the main bits to do (anyone reading feel free to add anything I forgot to mention).
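The php.ini items in the list above can be checked mechanically. This is an added example, not from the thread; `safe_mode`, `open_basedir` and `disable_functions` are real php.ini directives, the function names are mine, and the sample php.ini is constructed. Note that `safe_mode` was removed in PHP 5.4, so on a current PHP that check is moot.

```shell
# Added example, not from the thread: check a php.ini against the items in the
# post above (safe_mode on, open_basedir set, disable_functions non-empty).
# Directive names are real php.ini settings; the sample file is constructed.
# safe_mode was removed in PHP 5.4, so on a current PHP drop that check.

# ini_value FILE DIRECTIVE -> active value of DIRECTIVE, "" if unset or
# commented out; trims blanks, strips quotes, keeps the last occurrence
# (the one PHP honours).
ini_value() {
    awk -v key="$2" -F= '
        /^[ \t]*;/ { next }                        # comment line
        {
            k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k != key) next
            v = $0; sub(/^[^=]*=/, "", v)
            gsub(/^[ \t]+|[ \t]+$/, "", v); gsub(/^"|"$/, "", v)
            val = v
        }
        END { print val }' "$1"
}

# audit_php_ini FILE -> one OK/WEAK line per check; exit status is the
# number of WEAK findings (0 means nothing to fix).
audit_php_ini() {
    weak=0
    sm=$(ini_value "$1" safe_mode)
    ob=$(ini_value "$1" open_basedir)
    df=$(ini_value "$1" disable_functions)
    case "$sm" in
        [Oo]n|1) echo "OK   safe_mode = $sm" ;;
        *) echo "WEAK safe_mode is off"; weak=$((weak + 1)) ;;
    esac
    if [ -n "$ob" ]; then echo "OK   open_basedir = $ob"
    else echo "WEAK open_basedir not set"; weak=$((weak + 1)); fi
    if [ -n "$df" ]; then echo "OK   disable_functions = $df"
    else echo "WEAK disable_functions empty"; weak=$((weak + 1)); fi
    return $weak
}
# Constructed php.ini: open_basedir set, disable_functions only present as a
# commented-out line, safe_mode off -> expect two WEAK findings.
SAMPLE_INI=$(mktemp)
cat > "$SAMPLE_INI" <<'EOF'
safe_mode = Off
open_basedir = "/var/www/html:/tmp"
;disable_functions = exec,system,passthru,shell_exec
EOF
audit_php_ini "$SAMPLE_INI" && rc=0 || rc=$?
echo "findings: $rc"
rm -f "$SAMPLE_INI"
```

Point `audit_php_ini` at the php.ini that `locate php.ini` turns up on your own server; a commented-out directive counts as unset, which is the usual way these settings end up silently disabled.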

  7. #7
    Hi

    See the site for all the rules http://www.gotroot.com/

  8. #8
    Yeah, gotroot.com seems to have very good rules.

  9. #9
    Mod_security is one method of preventing attacks like this, but relying solely on it is not enough. You need to check permissions, mainly if you are using PHP-based applications; one insecure permission on a config.php will lead to a whole-server hack, and if you are giving shell access to clients then it should be stopped immediately. In your case I strongly believe that the particular image directory might have had insecure permissions.

  10. #10
    Quote Originally Posted by sam250 View Post
    Here's a quick list: if possible turn PHP safe mode on, use open_basedir, make sure the permissions on your files/folders are the minimum required, make use of the disable_functions feature in php.ini, maybe install Suhosin. Make sure all your software is up to date, change the SSH port and possibly disable root login (make sure you have a secondary account added and you know the password before you do this!). Make sure all your passwords are strong. There are other things, but these are the main bits to do (anyone reading feel free to add anything I forgot to mention).
    Sam,

    Thanks so much for your suggestion, I will be working on them today. I am a newbie to all this but do have access to SSH and know my way around a little. Would it be too much to ask for a crash course on how to access the php.ini through SSH so I can make these changes you suggest? And will turning on safe mode and using open_basedir affect Joomla or WordPress CMS?

  11. #11
    Quote Originally Posted by ttmaxer View Post
    Sam,

    Thanks so much for your suggestion, I will be working on them today. I am a newbie to all this but do have access to SSH and know my way around a little. Would it be too much to ask for a crash course on how to access the php.ini through SSH so I can make these changes you suggest? And will turning on safe mode and using open_basedir affect Joomla or WordPress CMS?
    It is typically located in /usr/local/lib/php.ini and you can find it with the command "locate php.ini"

  12. #12
    Quote Originally Posted by ttmaxer View Post
    Sam,

    Thanks so much for your suggestion, I will be working on them today. I am a newbie to all this but do have access to SSH and know my way around a little. Would it be too much to ask for a crash course on how to access the php.ini through SSH so I can make these changes you suggest? And will turning on safe mode and using open_basedir affect Joomla or WordPress CMS?
    Safe Mode may cause conflicts with some scripts (most of the scripts that aren't compatible are poorly coded); 'WP Super Cache' requires safe mode to be turned off and a few other plugins might, but the default installs of both Joomla and WordPress will be fine.

    Quote Originally Posted by Matt - HostPenguin View Post
    It is typically located in /usr/local/lib/php.ini and you can find it with the command "locate php.ini"
    /etc/php.ini is also common. Before running "locate php.ini" you might need to "updatedb".

  13. #13
    Quote Originally Posted by sam250 View Post
    mod_security will help, but IMO it is unnecessary; with sensible permissions, a properly configured php.ini, and up-to-date software you'll be better off and you won't take a performance hit.
    I disagree with sam250. mod_security is a web application firewall. This really is essential in a shared environment or when other application-based security has not been taken into account while designing the software that runs on your server.

    Over 70% of all attacks are carried out at the web application level. This makes application firewalls a real necessity. For example, if there was a bug in an outdated WordPress installation, you could cover up the security issues with mod_security. Mod_security could prevent PHP/SQL injections by blocking code/requests containing the malicious string.

    You may download pre-written mod_security rules for specific applications or write your own rules.

    Regards,
    Shain Padmajan
    Freelance System Administrator

  14. #14
    Quote Originally Posted by Shain P View Post
    I disagree with sam250. mod_security is a web application firewall. This really is essential in a shared environment or when other application-based security has not been taken into account while designing the software that runs on your server.

    Over 70% of all attacks are carried out at the web application level. This makes application firewalls a real necessity. For example, if there was a bug in an outdated WordPress installation, you could cover up the security issues with mod_security. Mod_security could prevent PHP/SQL injections by blocking code/requests containing the malicious string.

    You may download pre-written mod_security rules for specific applications or write your own rules.

    Regards,
    It's not so much a firewall, more of an anti-virus, protecting against known vulnerabilities. If the vulnerability is known then you're probably running out-of-date scripts/software. mod_security isn't an excuse to use out-of-date or poor coding.

    It may well help, but it doesn't offer 100% protection; it also increases resource usage because every request has to be scrutinized by mod_security. It can also suffer from false positives, which can be a pain, especially in a shared hosting environment.
    Last edited by sam0; 11-08-2009 at 01:33 AM.
