Jun 9
Installing a Proxy Server on FreeBSD - Privoxy
Filed Under General, Security, Networking
Setting up a proxy on a FreeBSD server is very easy. It helps to create a more secure environment for your network, and it also lets your whole network access the internet through a single internet connection.
Privoxy is a good proxy server. It's very easy to use and has worked well for me.
Installation
# cd /usr/ports/www/privoxy
# make install clean
# rehash
The configuration file is /usr/local/etc/privoxy/config; there is one line which must be changed:
listen-address 192.168.0.1:8119
Change the IP to your server's internal LAN IP address, so the proxy is not reachable from outside. It is also better to use a non-default port number for security reasons.
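A small check of the point just made, added here and not part of the original post or of Privoxy itself: it parses the listen-address directive(s) out of a config file and flags a wildcard or public bind, or a bind still on Privoxy's stock port 8118. The two configs below are constructed samples, not the real /usr/local/etc/privoxy/config.

```python
import ipaddress
import re

# Privoxy ships listening on 8118; the post above recommends moving off it.
PRIVOXY_DEFAULT_PORT = 8118

# Constructed sample configs, not the real /usr/local/etc/privoxy/config.
GOOD_CONFIG = """\
# privoxy config (constructed sample)
confdir /usr/local/etc/privoxy
listen-address 192.168.0.1:8119
"""
BAD_CONFIG = """\
listen-address 0.0.0.0:8118
"""


def listen_addresses(config_text):
    """Return (host, port) pairs for every listen-address directive, ignoring comments."""
    pairs = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"listen-address\s+(\S+)$", line)
        if not m:
            continue
        host, _, port = m.group(1).rpartition(":")
        pairs.append((host.strip("[]"), int(port)))   # strip IPv6 brackets if present
    return pairs


def audit_listen_address(config_text):
    """Return a list of findings; an empty list means the bind looks sane."""
    findings = []
    addrs = listen_addresses(config_text)
    if not addrs:
        return ["no listen-address directive found"]
    for host, port in addrs:
        if host == "":
            findings.append(f":{port}: no host given, binds every interface (wildcard)")
            continue
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            findings.append(f"{host}:{port}: host is not an IP literal")
            continue
        if ip.is_unspecified:
            findings.append(f"{host}:{port}: binds every interface (wildcard)")
        elif not (ip.is_private or ip.is_loopback):
            findings.append(f"{host}:{port}: binds a public address")
        if port == PRIVOXY_DEFAULT_PORT:
            findings.append(f"{host}:{port}: uses Privoxy's default port")
    return findings


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, audit_listen_address(cfg) or "ok")
```

Run it against a real config by reading the file into `audit_listen_address`; the check is deliberately conservative and only treats RFC 1918 and loopback addresses as acceptable binds.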
May 30
Modsecurity Rules
Filed Under Security, Apache
There are many articles on Google about how to set up mod_security, so I'm not including that here. From my experience, though, many admins have trouble adding rules for mod_security. After a lot of research on Google, and some of my own, I've put together a list of mod_security rules; some of them are below. Sorry if I forgot to include credit for any site. These rules really help, though they might cause problems with some sites or scripts; most of them just work fine:
#really broad furl_fopen attack sig
#tune this for your system
#MTS
SecFilterSelective REQUEST_URI "!(/tiki-objectpermissions|aardvarkts/install/index|/gallery/do_command|banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go|/goto|gallery2?/main|ad-?server/adjs)" "chain,id:300018,rev:1,severity:2,msg:'Generic PHP code injection protection'"
SecFilterSelective REQUEST_URI "\.php(3|4|5)?(\?|&).*=(ht|f)tps?:/.*(\?|&)"
#Generic PHP body attack
SecFilterSelective THE_REQUEST "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)" chain
SecFilterSelective POST_PAYLOAD "^PHP\:*((cd|mkdir)[[:space:]]+(/|[A-Z|a-z|0-9]|\.)*|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat)|rexec |smbclient |t?ftp |ncftp |chmod |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"
#Generic PHP remote file injection
SecFilterSelective REQUEST_URI "!((galler(y|i)/do_command))" chain
SecFilterSelective REQUEST_URI "\.php\?.*=(http|https|ftp)\:/.*(cmd|command)="
#remote file inclusion generic attack signature
SecFilterSelective REQUEST_URI "\.php\?.*=(http|https|ftp)\:/.*\?&cmd="
#PHP remote path attack generic signature
SecFilterSelective REQUEST_URI "\.ph(p(3|4)?).*path=(http|https|ftp)\:/"
SecFilterSelective REQUEST_URI "\.php.*path=(http|https|ftp)\:/"
#PHP Injection Attack generic signature
SecFilterSelective REQUEST_URI "\.php" chain
SecFilter "(\?((LOCAL|INCLUDE|PEAR|SQUIZLIB)_PATH|action|content|dir|name|menu|pm_path|path|pathtoroot|cat|pagina|path|include_location|root|page|gorumDir|site|topside|pun_root|open|seite)=(http|https|ftp)\:/|(cmd|command)=(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |id|cmd|pwd|wget |lwp-(download|request|mirror|rget) |uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./|whoami|killall |rm \-[a-z|A-Z]))"
#PHP Injection Attack generic signature
SecFilterSelective REQUEST_URI "\.php\?(((LOCAL|INCLUDE|PEAR|SQUIZLIB)_PATH|action|content|dir|name|menu|pm_path|pagina|path|pathtoroot|cat|include_location|gorumDir|root|page|site|topside|pun_root|open|seite)=(http|https|ftp)\:/|.*(cmd|command)=(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat)|rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z]))"
#Generic PHP remote file inclusion attack signature
SecFilterSelective REQUEST_URI "\.php\?" chain
SecFilter "(http|https|ftp)\:/" chain
SecFilter "(cmd|command)=(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"
#Generic PHP remote file inclusion attack signature
SecFilterSelective REQUEST_URI "\.php\?" chain
SecFilter "(http|https|ftp)\:/" chain
SecFilter "(cmd|command)=.*(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"
#PHP defenses
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
#PHP defenses
SecFilterSelective ARGS_NAMES "^(globals($|\[)|php:/)"
#PHP defenses
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
#generic sig for more bad PHP functions
SecFilterSelective THE_REQUEST "chr\(([0-9]{1,3})\)"
SecFilterSelective ARGS_NAMES "^php:/"
SecFilterSelective THE_REQUEST "cd \.\."
SecFilterSelective THE_REQUEST "/\.(history|bash_history) HTTP\/(0\.9|1\.0|1\.1)$"
#generic block for fwrite fopen uploads
SecFilterSelective THE_REQUEST "fwrite" chain
SecFilterSelective THE_REQUEST "fopen"
# WEB-MISC Tomcat view source attempt
SecFilterSelective THE_REQUEST "\x252ejsp"
# TIKIWIKI
SecFilterSelective REQUEST_URI "/tiki-map.phtml\?mapfile=\.\./\.\./"
#SMTP redirects
SecFilterSelective THE_REQUEST "^(http|https)\:/.+:25"
#These are VERY experimental, please report false positives/negatives, etc.
#very experimental generic remote download sig
#foo IP or FQDN, or foo http/https/ftp://whatever
SecFilterSelective THE_REQUEST "(perl|t?ftp|links|elinks|lynx|ncftp|(s|r)(cp|sh)|wget|lwp-(download|request|mirror|rget)|curl|cvs|svn).*\x20((http|https|ftp)\:/|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|.*[A-Za-z|0-9]\.[a-zA-Z]{2,4}/|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"
#Command inline detection
SecFilterSelective THE_REQUEST "( |\;|/|\'|,|\&|\=|\.)((s|r)(sh|cp)) *(.*\@.*|(http|https|ftp)\:/|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|.*[A-Za-z|0-9]\.[a-zA-Z]{2,4}/|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"
#very experimental connect command sig
SecFilterSelective THE_REQUEST "( |\;|/|\'|,|\&|\=|\.)(perl|nc|telnet|(rs)sh|rexec) .*([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|[A-Za-z|0-9]\.[a-zA-Z]{2,4}|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"
# Web-attacks chdir
SecFilterSelective REQUEST_URI "&(cmd|command)=chdir\x20"
#Don't accept chunked encodings
#modsecurity can not look at these, so this is a hole
#that can bypass your rules, the rule before this one
#should cover this, but hey paranoia is cheap
SecFilterSelective HTTP_Transfer-Encoding "chunked" "id:300003,rev:1,severity:2,msg:'Chunked Transfer Encoding denied'"
#Code injection via content length
SecFilterSelective HTTP_Content-Length "\;(system|passthru|exec)\(" "id:330003,rev:1,severity:2,msg:'Code Injection in Content-Length header'"
#broad cross site scripting rule
#False alarms are a problem with this, use with caution
#SecFilterSelective THE_REQUEST "<(.|\n)+>"
#generic recursion signatures
SecFilterSelective REQUEST_URI "!(alt_mod_frameset\.php)" "chain,id:300004,rev:1,severity:2,msg:'Generic Path Recursion denied'"
SecFilterSelective THE_REQUEST "\.\./\.\./"
#generic path recursion sig
#generic recursion signatures
SecFilterSelective THE_REQUEST "\.\|\./\.\|\./\.\|" "id:300005,rev:1,severity:2,msg:'Generic Path Recursion denied'"
#generic bogus path sigs
SecFilterSelective THE_REQUEST "\.\.\./" "id:300006,rev:1,severity:2,msg:'Bogus Path denied'"
SecFilterSelective POST_PAYLOAD "[[:space:]]+\.\.\.+\;" "id:300007,rev:1,severity:2,msg:'Bogus Path denied'"
#Generic PHP exploit signatures
SecFilterSelective THE_REQUEST "(chr|fwrite|fopen|system|e?chr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:330001,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"
#Generic PHP exploit signatures
SecFilterSelective POST_PAYLOAD|REQUEST_URI "<\?php (chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:330002,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"
#slightly tighter rules with narrower focus
SecFilterSelective REQUEST_URI|POST_PAYLOAD "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:300008,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"
#generic XSS PHP attack types
SecFilterSelective REQUEST_URI "\.php\?" "chain,id:300010,rev:1,severity:2,msg:'Generic PHP XSS exploit pattern denied'"
SecFilter "(javascript\:/(.*new\x20ActiveXObject.*Sh\.regwrite|.*window\.opener\.document\.body.\innerHTML=window\.opener\.document\.body\.innerHTML\.replace)|onmouseover=\'javascript)"
#Prevent SQL injection in cookies
SecFilterSelective COOKIE_VALUES "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)" "id:300011,rev:1,severity:2,msg:'Generic SQL injection in cookie'"
#Prevent command injection through cookies
SecFilterSelective COOKIE_VALUES "\; cmd="
#Prevent SQL injection in UA
SecFilterSelective HTTP_USER_AGENT "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)" "id:300012,rev:1,severity:2,msg:'Generic SQL injection in User Agent header'"
# Generic filter to prevent SQL injection attacks
# Understand that all SQL filters are very limited and it is very difficult
# to prevent false positives and negatives.
# Please report false positives/negatives to mike@gotroot.com
SecFilterSelective REQUEST_URI "!((/wp-admin/post|privmsg|/ticket/admin|/misc|tiki-editpage|/post|/horde3?/imp/compose|/posting)\.php|/modules\.php\?op=modload&name=(Downloads|Submit_News)|/admin\.php\?module=NS\-AddStory\&op=|/index\.php\?name=PNphpBB2&file=posting&mode=reply.*|/phpMyAdmin/|/PNphpBB2-posting\.html|/otrs/index\.pl|tiki-index\.php\?page=|/index\.php\?title=.*&action=edit|/_mmServerScripts/|/node/[0-9]+/edit|/_vti_bin/.*\.exe/)" "chain,id:300013,rev:1,severity:2,msg:'Generic SQL injection protection'"
SecFilter "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)"
#Generic SQL sigs
SecFilterSelective ARGS "(or.+1[[:space:]]*=[[:space:]]1|(or 1=1|'.+)--')" "id:300014,rev:1,severity:2,msg:'Generic SQL injection protection'"
#Generic SQL sigs
SecFilterSelective ARGS "((alter|create|drop)[[:space:]]+(column|database|procedure|table)|delete[[:space:]]+from|update.+set.+=)" "id:300015,rev:1,severity:2,msg:'Generic SQL injection protection'"
#Generic SQL sigs
SecFilterSelective REQUEST_URI "!(/node/[0-9]+/edit|/forum/posting\.php|/admins/wnedit\.php|/alt_doc\.php\?returnUrl=.*edit|/admin/categories\.php\?cPath=.*|modules\.php\?name=Forums&file=posting&mode=.*)" "chain,id:300016,rev:1,severity:2,msg:'Generic SQL injection protection'"
SecFilterSelective ARGS "(insert[[:space:]]+into.+values|select.+from|bulk[[:space:]]+insert|union.+select)"
#Generic command line attack filter
SecFilterSelective REQUEST_URI "!(/Count\.cgi)" "chain,id:300017,rev:1,severity:2,msg:'Generic command line attack filter'"
SecFilterSelective THE_REQUEST "\|+.*[\x20].*[\x20].*\|"
#Generic PHP bad functions protection
#PHP copy() function: http://securitytracker.com/alerts/2006/Apr/1015882.html
SecFilterSelective ARGS_VALUES "compress\.zlib:"
#Generic XSS filter
#please report false positives
SecFilterSelective REQUEST_URI "!/mt\.cgi" chain
SecFilter "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
#XSS in referrer and UA headers
SecFilterSelective HTTP_REFERER|HTTP_USER_AGENT "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
#script, perl, etc. code in HTTP_Referer string
SecFilterSelective HTTP_Referer "\#\!.*/"
#generic command line attack
SecFilterSelective REQUEST_URI|ARGS "\|*id\;echo*\|"
#remote file inclusion generic attack signature
SecFilterSelective THE_REQUEST "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?" chain
SecFilter "((name|pm_path|pagina|path|include_location|root|page|open)=(http|https|ftp)|(cmd|command|inc)=)"
#remote file inclusion generic attack signature
SecFilterSelective THE_REQUEST "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?\&(cmd|command|inc|name)="
#remote file inclusion generic attack signature
SecFilterSelective ARGS "\.(dat|gif|jpg|png|bmp|txt|vir|dot)" chain
SecFilter "\?\&(cmd|inc|name)="
#remote file inclusion generic attack signature
SecFilterSelective ARGS "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?\&(cmd|inc|name)="
#Bogus file extensions generic signature
SecFilterSelective THE_REQUEST "[A-Za-z0-9]\.(gif|jpg|png|bmp)\.txt"
#generic attack sig
SecFilterSelective THE_REQUEST "cd\x20*\;(cd|\;|echo|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./)"
# WEB-ATTACKS uname -a command attempt
SecFilterSelective THE_REQUEST "uname" chain
SecFilter "\x20-a"
#Enforce proper HTTP requests
SecFilterSelective SERVER_PROTOCOL "!^HTTP/(0\.9|1\.0|1\.1)$" "id:340000,rev:1,severity:1,msg:'Bad HTTP Protocol'"
# Don't accept transfer encodings we know we don't handle
# (and you don't need it anyway)
SecFilterSelective HTTP_Transfer-Encoding "!^$" "id:340004,rev:1,severity:2,msg:'Dis-allowed Transfer Encoding'"
#HTTP response splitting generic sigs
SecFilter "Content-Length\:.*Content-Type\:.*Content-Type\:" "id:340005,rev:1,severity:2,msg:'HTTP response splitting'"
#HTTP response splitting generic sigs
SecFilter "Content-Length\:" "chain,id:340006,rev:1,severity:2,msg:'HTTP response splitting'"
SecFilter "Content-Type\:" chain
SecFilter "Content-Type\:"
#deny TRACE method
SecFilterSelective REQUEST_METHOD "TRACE" "id:340007,rev:1,severity:2,msg:'TRACE method denied'"
#XSS insertion into Content-Type
SecFilterSelective THE_REQUEST "Content-Type\:.*(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=|javascript\:)" "id:300002,rev:1,severity:2,msg:'XSS attack in Content-type header'"
#Generic argument protection rule against bad meta characters
#SecFilterSelective "ARGS" "!^[A-Za-z0-9.&/?@_%=:;, -]*$"
#generic php attack sigs
SecFilterSelective REQUEST_URI "(&(cmd|command)=(id|uname)\x20|cmd\?(cmd|command)=|(spy|cmd|cmd_out|sh)\.(gif|jpg|png|bmp|txt)\?&(cmd|command)=|\.php\?&(cmd|command)=)"
# WEB-ATTACKS xterm command attempt
SecFilterSelective THE_REQUEST "/usr/X11R6/bin/xterm"
# WEB-ATTACKS /etc/shadow access
SecFilterSelective THE_REQUEST "/etc/shadow"
# WEB-ATTACKS /bin/ps command attempt
SecFilterSelective THE_REQUEST "/bin/ps"
# WEB-ATTACKS /usr/bin/id command attempt
SecFilterSelective THE_REQUEST "/usr/bin/id" chain
SecFilter "\x20"
# WEB-ATTACKS echo command attempt
SecFilterSelective THE_REQUEST "/bin/echo" chain
SecFilter "\x20"
# WEB-ATTACKS kill command attempt
SecFilterSelective THE_REQUEST "/bin/kill" chain
SecFilter "\x20"
# WEB-ATTACKS chmod command attempt
SecFilterSelective THE_REQUEST "/bin/chmod" chain
SecFilter "\x20"
# WEB-ATTACKS chsh command attempt
SecFilterSelective THE_REQUEST "/usr/bin/chsh"
# WEB-ATTACKS gcc command attempt
SecFilterSelective THE_REQUEST "gcc" chain
SecFilter "\x20-o"
# WEB-ATTACKS /usr/bin/cc command attempt
SecFilterSelective THE_REQUEST "/usr/bin/cc" chain
SecFilter "\x20"
# WEB-ATTACKS /usr/bin/cpp command attempt
SecFilterSelective THE_REQUEST "/usr/bin/cpp" chain
SecFilter "\x20"
# WEB-ATTACKS /usr/bin/g++ command attempt
SecFilterSelective THE_REQUEST "/usr/bin/g\+\+" chain
SecFilter "\x20"
# WEB-ATTACKS g++ command attempt
SecFilterSelective THE_REQUEST "g\+\+\x20" chain
SecFilter "\x20"
# WEB-ATTACKS bin/python access attempt
SecFilterSelective THE_REQUEST "bin/python" chain
SecFilter "\x20"
# WEB-ATTACKS python access attempt
#SecFilter "python\x20"
# WEB-ATTACKS bin/tclsh execution attempt
SecFilterSelective THE_REQUEST "bin/tclsh"
# WEB-ATTACKS tclsh execution attempt
SecFilterSelective THE_REQUEST "tclsh8\x20"
# WEB-ATTACKS bin/nasm command attempt
SecFilterSelective THE_REQUEST "bin/nasm"
# WEB-ATTACKS nasm command attempt
SecFilterSelective THE_REQUEST "nasm\x20"
# WEB-ATTACKS /usr/bin/perl execution attempt
SecFilterSelective THE_REQUEST "/usr/bin/perl"
# WEB-ATTACKS traceroute command attempt
SecFilterSelective THE_REQUEST "traceroute" chain
SecFilter "\x20([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"
# WEB-ATTACKS ping command attempt
SecFilterSelective THE_REQUEST "/bin/ping" chain
SecFilter "\x20"
# WEB-ATTACKS X application to remote host attempt
SecFilterSelective THE_REQUEST "\x20-display\x20"
# WEB-ATTACKS mail command attempt
SecFilterSelective THE_REQUEST "/bin/mail" chain
SecFilter "\x20"
# WEB-ATTACKS /bin/ls command attempt
SecFilterSelective THE_REQUEST "/bin/ls" chain
SecFilter "\x20"
# WEB-ATTACKS /etc/inetd.conf access
SecFilterSelective THE_REQUEST "/etc/inetd\.conf"
# WEB-ATTACKS /etc/motd access
SecFilterSelective THE_REQUEST "/etc/motd"
# WEB-ATTACKS conf/httpd.conf attempt
SecFilterSelective THE_REQUEST "conf/httpd\.conf"
# WEB-MISC .htpasswd access
SecFilterSelective THE_REQUEST "\.htpasswd"
# WEB-MISC /etc/passwd access
SecFilterSelective REQUEST_URI "/etc/passwd"
# WEB-MISC nessus 1.X 404 probe
SecFilterSelective REQUEST_URI "/nessus_is_probing_you_"
# WEB-MISC nessus 2.x 404 probe
SecFilterSelective REQUEST_URI "/NessusTest"
# WEB-MISC ls%20-l
SecFilterSelective THE_REQUEST "ls" chain
SecFilter "\x20-l"
# WEB-MISC apache directory disclosure attempt
SecFilterSelective THE_REQUEST "////////"
#musicat empower attempt
SecFilterSelective REQUEST_URI "/empower\?DB="
# WEB-MISC Apache Chunked-Encoding worm attempt
SecFilter "CCCCCCC\: AAAAAAAAAAAAAAAAAAA"
# WEB-MISC *%0a.pl access
SecFilterSelective REQUEST_URI "/*\x0a\.pl"
#PHPBB worm sigs
SecFilterSelective REQUEST_URI "!(tiki-searchindex\.php)" chain
SecFilterSelective ARG_highlight "(\x27|%27|\x2527|%2527)"
# WEB-FRONTPAGE .... request
SecFilterSelective THE_REQUEST "\.\.\.\./"
#experimental CSS rule
#SecFilterSelective REQUEST_URI "/(\x3C|<)(\x2F|\/)*[a-z0-9\%]+(\x3E|>)"
#Generic attack rules pcre format
#cross site scripting attempt IMG onerror or onload
SecFilterSelective THE_REQUEST "\
#cross site scripting attempt STYLE + JAVASCRIPT
SecFilterSelective THE_REQUEST "TYPE\s*=\s*[\'\"]application\/x-javascript"
#cross site scripting attempt STYLE + JSCRIPT
SecFilterSelective THE_REQUEST "TYPE\s*=\s*[\'\"]text\/jscript"
# cross site scripting attempt STYLE + VBSCRIPT
SecFilterSelective THE_REQUEST "TYPE\s*=\s*[\'\"]text\/vbscript"
#cross site scripting attempt STYLE + VBSCRIPT
SecFilterSelective THE_REQUEST "TYPE\s*=\s*[\'\"]application\/x-vbscript"
#cross site scripting attempt STYLE + ECMASCRIPT
SecFilterSelective THE_REQUEST "TYPE\s*=\s*[\'\"]text\/ecmascript"
# cross site scripting attempt STYLE + EXPRESSION
SecFilterSelective THE_REQUEST "STYLE[\s]*=[\s]*[^>]expression[\s]*\("
#cross site scripting attempt STYLE + EXPRESSION
SecFilterSelective THE_REQUEST "[\s]*expression[\s]*\([^}]}[\s]*<\/STYLE>"
# cross site scripting attempt using XML
SecFilterSelective THE_REQUEST "SCRIPT"
#cross site scripting attempt executing hidden Javascript
SecFilterSelective THE_REQUEST "eval[\s]*\([\s]*[^\.]\.innerHTML[\s]*\)"
#cross site scripting attempt executing hidden Javascript
SecFilterSelective THE_REQUEST "window\.execScript[\s]*\("
#cross site scripting attempt to execute Javascript code
SecFilterSelective THE_REQUEST "/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*[\'\"]*javascript[\:]"
#cross site scripting stealth attempt to execute Javascript code
#may false alarm for some language sets
SecFilterSelective REQUEST_URI "!(/index\.php\?module=Blocks&type=admin&func=update|/index\.php\?go=.*&edit=)" chain
SecFilter "(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*[\'\"]*[\x09\x0a\x0b\x0c\x0d]*j[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:]"
#cross site scripting HTML Image tag set to javascript attempt
SecFilterSelective THE_REQUEST "img xsrc=javascript"
#Apache /server-info accessible
SecFilterSelective REQUEST_URI "/server-info" chain
SecFilterSelective REMOTE_ADDR "!^127\.0\.0\.1$"
#Apache /server-status accessible
#Modified so apache-protect can run
SecFilterSelective REQUEST_URI "^/server-status/$" chain
SecFilterSelective REMOTE_ADDR "!^127\.0\.0\.1$"
#generic Common HTTP vulnerability
SecFilterSelective THE_REQUEST "/\?cwd=/"
#General [url] php forum protections (phpbb and others, to protect against script injection attacks in url links)
SecFilterSelective THE_REQUEST "\.php\?" chain
SecFilter "\[url=(script|javascript|applet|about|chrome|activex)\:/.*\].*\[/url\]"
#Experimental XML-RPC generic attack sigs
SecFilter "\'\,\'\'\)\)\;"
SecFilter "\
\.*\'\)\;"
#XML-RPC generic attack sigs
SecFilterSelective POST_PAYLOAD "^Content-Type\: application/xml" chain
SecFilter "(\<.*xml)" chain
SecFilter "(echo( |\(|\').*\;|chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" chain
SecFilter "methodCall\>"
#Specific XML-RPC attacks on xmlrpc.php
SecFilterSelective THE_REQUEST "(/xmlrpc|.*xmlrpc_services)\.php" chain
SecFilter "(\<.*xml)" chain
SecFilter "(echo( |\(|\').*\;|chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;"
#Too generic, unless you know you won't see this in any of the fields of an XMLRPC message on your system
#SecFilterSelective THE_REQUEST "/xmlrpc\.php" chain
#SecFilter "(cd|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |id|uname |cvs |svn |(s|r)(cp|sh) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./)"
#XML-RPC SQL injection generic signature
SecFilterSelective THE_REQUEST "(/xmlrpc|.*xmlrpc_services)\.php" chain
SecFilter ".*.*.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view).*methodName\>"
#generic remote file inclusion vulns
SecFilterSelective THE_REQUEST "/index\.php\?do=.*&page=(http|https|ftp)\:/"
SecFilterSelective THE_REQUEST "/index\.php\?kietu\[.*\]=(http|https|ftp)\:/"
SecFilterSelective THE_REQUEST "/index\.php\?libDir=http://xxxxxxxx"
SecFilterSelective THE_REQUEST "/init\.php\?HTTP_POST_VARS\[GALLERY_BASEDIR\]=(http|https|ftp)\:/"
#Virus HTTP Challenge/Response Auth
SecFilterSelective THE_REQUEST "^Authorization\: Negotiate" chain
SecFilter "YIIQegYGKwYBBQUCoIIQbjCCEGqhghBmI4IQYgOCBAEAQUFBQUFBQUFBQUFBQUFB"
#catch smuggling attacks
SecFilter "^(GET|POST).*Host:.*^(GET|POST)"
#Drupal remote command execution vulnerability exploit signature
#This is already covered in another generic signature, but just in case you leave it out, here it is
#again with a slightly tighter regexp
SecFilter "\<.*php .*\(.*\)\;system\(.*\).*php*\>"
#Slightly stronger version of the above
SecFilter "\<.*php .*\(.*\)\;(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\).*php*\>"
#Generic PHP attack sig
SecFilterSelective THE_REQUEST "system\(getenv\(HTTP_PHP\)\)"
#Generic Nessus request filter
SecFilterSelective THE_REQUEST "NessusTest*\.html"
#Generic PHP payload command injection and upload vulnerabilities
SecFilterSelective POST_PAYLOAD "<\?php" chain
SecFilter "((fputs|fread)\(.*\,.*\)\;|fsockopen\(gethostbyname|chr\(.*\)\.chr\(.*\)\.chr\(|(fclose|fgets)\(.*\)\;|(system|exec)\(.*\)\;)" chain
SecFilter "\<\?php"
#Generic XML RPC attack sig
SecFilterSelective POST_PAYLOAD "\'(______BEGIN______|_____FIM_____)\'\;"
#HTTP header PHP code injection attacks
SecFilterSelective HTTP_CLIENT_IP|HTTP_USER_AGENT|HTTP_Referer "(<\?php|<[[:space:]]?\?[[:space:]]?php|<\? php)"
#wormsign
SecFilter "XXXXXXXXXXXXXXX\: \+\+\+\+\+\+\+\+\+\+\+\+\+"
SecFilterSelective THE_REQUEST "THMC\.\$dbhost\.THMC\.\$dbname\.THMC\.\$dbuser\.THMC\.\$dbpasswd\.THMC"
#phpbb wormsign
SecFilterSelective THE_REQUEST "echo _GHC/RST_"
#Generic PHP avatar upload exploits
SecFilterSelective REQUEST_URI "\.php" chain
SecFilterSelective POST_PAYLOAD "Content-Disposition\: form-data\; name=\"avatar\"\;" chain
SecFilter "\<\?php" chain
SecFilter "\?>"
#Fake image file shell attack
SecFilterSelective HTTP_Content-Type "image/.*"
SecFilterSelective POST_PAYLOAD "chr\("
#bogus graphics file
SecFilterSelective HTTP_Content-Disposition "\.php" chain
SecFilterSelective HTTP_Content-Type "(image/gif|image/jpg|image/png|image/bmp)"
#wormsign
SecFilterSelective REQUEST_URI "Hacked.*by.*member.*of.*SCC"
#Special account protection
SecFilterSelective THE_REQUEST "/~(root|ftp|bin|nobody|named|guest|logs|sshd)(/\S*)? HTTP/(0\.9|1\.[01])$"
SecFilterSelective REQUEST_URI "/~(root|ftp|bin|nobody|named|guest|logs|sshd)/"
#Generic PHP fopen sig
SecFilterSelective THE_REQUEST "fp=fopen\("
# above filters added by kapil from http://www.gotroot.com/downloads/ftp/mod_security/rules.conf
# WEB-ATTACKS passwd command attempt - added by kapil
SecFilterSelective THE_REQUEST "/etc/passwd"
# WEB-ATTACKS passwd command attempt - added by kapil
SecFilterSelective THE_REQUEST "passwd"
# WEB-ATTACKS wget command attempt
SecFilterSelective THE_REQUEST "wget"
# WEB-ATTACKS wget command attempt
SecFilterSelective THE_REQUEST "wget "
# WEB-ATTACKS uname -a command attempt
SecFilterSelective THE_REQUEST "uname -a"
# WEB-ATTACKS .htgroup access
SecFilterSelective THE_REQUEST "\.htgroup"
# WEB-ATTACKS .htaccess access
SecFilterSelective THE_REQUEST "\.htaccess"
# WEB-CLIENT Javascript URL host spoofing attempt
SecFilter "javascript\://"
# WEB-MISC cross site scripting \(img xsrc=javascript\) attempt
SecFilter "img xsrc=javascript"
# WEB-MISC cd..
SecFilterSelective THE_REQUEST "cd\.\."
# WEB-MISC ///cgi-bin access
SecFilterSelective THE_REQUEST "///cgi-bin"
# WEB-MISC /cgi-bin/// access
SecFilterSelective THE_REQUEST "/cgi-bin///"
# WEB-MISC /~root access
SecFilterSelective THE_REQUEST "/~root"
# WEB-MISC /~ftp access
SecFilterSelective THE_REQUEST "/~ftp"
# WEB-MISC htgrep attempt
SecFilterSelective THE_REQUEST "/htgrep" chain
SecFilter "hdr=/"
# WEB-MISC htgrep access
SecFilterSelective THE_REQUEST "/htgrep" log,pass
# WEB-MISC .history access
SecFilterSelective THE_REQUEST "/\.history"
# WEB-MISC .bash_history access
SecFilterSelective THE_REQUEST "/\.bash_history"
# WEB-MISC /~nobody access
SecFilterSelective THE_REQUEST "/~nobody"
# WEB-PHP PHP-Wiki cross site scripting attempt
SecFilterSelective THE_REQUEST "
# WEB-PHP strings overflow
SecFilterSelective THE_REQUEST "\?STRENGUR"
# WEB-PHP PHPLIB remote command attempt
SecFilter "_PHPLIB\[libdir\]"
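The author's caveat that some of these rules "might cause problems with some sites/scripts" is worth testing before a rule goes live. The evaluator below, added here and not part of the original post or of the gotroot rule set, applies a handful of the patterns from the list above to constructed requests and shows, for example, that the bare "wget" rule near the end blocks any URL containing that word while the chained "uname" + "\x20-a" pair does not fire on a page merely named after the command. It assumes the engine has already URL-decoded the request (the reason the rules write a space as \x20) and matches case-insensitively; the request builder, the sample requests and the host example.invalid are all constructed for the demo.

```python
import re
from urllib.parse import unquote

# Patterns copied from the rule list above. [[:space:]] is a POSIX class that
# Python's re does not know, so it is translated to \s before compiling.
def posix_to_python(pattern):
    return pattern.replace("[[:space:]]", r"\s")

SQL_SIG = (r"((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)"
           r"[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)"
           r"[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)")

# Each rule is a chain of (variable, pattern) links: every link must match for
# the rule to fire, and a leading "!" negates a link, as in the rules above.
RULES = {
    "rfi-cmd":   [("REQUEST_URI", r"\.php\?.*=(http|https|ftp)\:/.*\?&cmd=")],
    "uname-a":   [("THE_REQUEST", r"uname"), ("THE_REQUEST", r"\x20-a")],
    "passwd":    [("THE_REQUEST", r"/etc/passwd")],
    "wget":      [("THE_REQUEST", r"wget")],
    "sql-in-ua": [("HTTP_USER_AGENT", SQL_SIG)],
    "chunked":   [("HTTP_Transfer-Encoding", r"chunked")],
    "recursion": [("REQUEST_URI", r"!(alt_mod_frameset\.php)"), ("THE_REQUEST", r"\.\./\.\./")],
}


def make_request(method, uri, headers=None):
    """Constructed request, reduced to the variables the rules read.

    The engine URL-decodes before matching (assumption, and the reason the
    rules spell a space as \\x20); unquote() reproduces that here.
    """
    headers = headers or {}
    uri = unquote(uri)
    return {
        "THE_REQUEST": f"{method} {uri} HTTP/1.1",
        "REQUEST_URI": uri,
        "HTTP_USER_AGENT": headers.get("User-Agent", ""),
        "HTTP_Transfer-Encoding": headers.get("Transfer-Encoding", ""),
    }


def chain_matches(request, chain):
    """True when every link of the chain matches (a '!' link must NOT match)."""
    for variable, pattern in chain:
        negate = pattern.startswith("!")
        regex = re.compile(posix_to_python(pattern.lstrip("!")), re.IGNORECASE)
        hit = regex.search(request.get(variable, "")) is not None
        if hit == negate:
            return False
    return True


def evaluate(request):
    """Names of the rules that would block this request, sorted."""
    return sorted(name for name, chain in RULES.items() if chain_matches(request, chain))


if __name__ == "__main__":
    samples = [
        ("remote include with command", make_request("GET", "/index.php?page=http://example.invalid/s.txt?&cmd=uname%20-a")),
        ("benign page about wget", make_request("GET", "/blog/wget-tutorial.html")),
        ("benign page about uname", make_request("GET", "/docs/linux/uname.html")),
        ("SQL in User-Agent", make_request("GET", "/", {"User-Agent": "Mozilla/5.0 (select password from users)"})),
        ("chunked upload", make_request("POST", "/upload", {"Transfer-Encoding": "chunked"})),
        ("traversal", make_request("GET", "/images/../../etc/passwd")),
    ]
    for label, req in samples:
        print(f"{label:30} -> {evaluate(req) or 'allowed'}")
```

The second sample is the false positive the author warns about: a single-word pattern such as "wget" with no anchoring context will block ordinary documentation URLs, so rules of that shape belong in log-only mode first, or chained with a second condition as the gotroot "uname" rule does.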
May 30
How to restrict a user only to portforwarding in SSH Tunnel
Filed Under General, Security
This sounds strange, what? OK, let me tell you why you would need that. I have a user who works with my MySQL database through Windows ODBC. The usual communication between client and server runs unencrypted, so I decided to tunnel the communication through an SSH tunnel.
- Problem 1: The user has shell access, so he has the opportunity to log into my system and do things I don't like.
Solution 1: Don't give him shell access, but a program which runs forever and prints some output to his terminal so the session does not time out.
- Problem 2: The user could port-forward not only the MySQL protocol but also SMTP, POP3, whatever. I don't want that.
Solution 2: Restrict him to forwarding only specific ports.
Create a file ~user/.ssh/authorized_keys like this:
# -> command="..."
# this command simply prints something to prevent a timeout while
# the ssh-session is running. quoting-characters like double quotes
# in this command must be quoted with backslash
# -> permitopen="127.0.0.1:3306"
# restrict the person using this key to only portforwarding
# 3306 to localhost
# -> from=...
# only allow connections from this host (not needed but sometimes useful)
# the rest is the public key
command="/usr/bin/perl -e '$|=1;while (1) { print scalar localtime() . \"\n\";sleep 30}'",permitopen="127.0.0.1:3306",from="box1.freebsd.org.in" ssh-dss AAAAB3NzaC1kc3MAAACBAJ4vXg== some@comment_for_key
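Because the options field of an authorized_keys line is easy to get wrong (a space after a comma ends the option list, and a double quote inside command= must be written as \"), it is useful to be able to parse the file back and check that a tunnel-only key really carries the restrictions the post describes. The parser and audit below are added here and are not part of the original post or of OpenSSH; they implement the quoting convention the comments above describe. The three sample lines are constructed, with placeholder key blobs, and the expected forwarding target 127.0.0.1:3306 is taken from the comments in the post.

```python
# Constructed sample authorized_keys content; the key blobs are placeholders.
SAMPLE_AUTHORIZED_KEYS = """\
# tunnel-only key, as in the post above
command="/usr/bin/perl -e '$|=1;while (1) { print scalar localtime() . \\"\\n\\";sleep 30}'",permitopen="127.0.0.1:3306",from="box1.freebsd.org.in" ssh-dss AAAAB3NzaC1kc3MAAACBAJ4vXg== some@comment_for_key
# unrestricted key: full shell and any forwarding
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0PLACEHOLDER== admin@example
# forwarding allowed to a remote mail port instead of the local MySQL port
command="/bin/sleep 3600",permitopen="10.0.0.5:25" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1PLACEHOLDER== mailer@example
"""

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def split_options(text):
    """Split the leading option list of an authorized_keys line into (options, rest).

    Options are comma separated and end at the first unquoted whitespace; a
    quoted value may contain commas and spaces, and \\" inside quotes stands
    for a literal double quote (any other backslash is kept as-is).
    """
    options, cur, i, quoted = [], [], 0, False
    while i < len(text):
        ch = text[i]
        if quoted:
            if ch == "\\" and i + 1 < len(text) and text[i + 1] == '"':
                cur.append('"')
                i += 2
                continue
            if ch == '"':
                quoted = False
            else:
                cur.append(ch)
        elif ch == '"':
            quoted = True
        elif ch == ",":
            options.append("".join(cur))
            cur = []
        elif ch in " \t":
            break
        else:
            cur.append(ch)
        i += 1
    if cur:
        options.append("".join(cur))
    return options, text[i:].strip()


def parse_line(line):
    """Return {'options', 'type', 'key', 'comment'} for a key line, None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.split(None, 1)[0] in KEY_TYPES:
        opts, rest = [], line
    else:
        opts, rest = split_options(line)
    fields = rest.split(None, 2)
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        raise ValueError(f"unrecognised authorized_keys line: {line[:40]}...")
    options = {}
    for opt in opts:
        name, _, value = opt.partition("=")
        options.setdefault(name, []).append(value)   # permitopen= may be repeated
    return {"options": options, "type": fields[0], "key": fields[1],
            "comment": fields[2] if len(fields) > 2 else ""}


def audit_tunnel_key(entry, allowed_target="127.0.0.1:3306"):
    """Findings for a key that should do nothing but forward to the local MySQL port."""
    opts = entry["options"]
    findings = []
    if "command" not in opts:
        findings.append("no command= (key grants a shell)")
    targets = opts.get("permitopen", [])
    if not targets:
        findings.append("no permitopen= (any port may be forwarded)")
    for target in targets:
        if target != allowed_target:
            findings.append(f"permitopen={target} is not {allowed_target}")
    return findings


def audit_file(text, allowed_target="127.0.0.1:3306"):
    """Map each key's comment to its findings; an empty list means the key passes."""
    report = {}
    for line in text.splitlines():
        entry = parse_line(line)
        if entry:
            report[entry["comment"]] = audit_tunnel_key(entry, allowed_target)
    return report


if __name__ == "__main__":
    for comment, findings in audit_file(SAMPLE_AUTHORIZED_KEYS).items():
        print(f"{comment:22} {findings or 'ok'}")
```

OpenSSH also accepts no-pty, no-X11-forwarding and no-agent-forwarding (and, in newer releases, restrict) in the same option list; adding them to a forwarding-only key closes the remaining interactive paths the command= trick alone does not.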
May 30
Increase local FreeBSD security by Locking Admin screen or console
Filed Under Security
This is especially useful for systems which have multiple users with access to the console. One user may lock his or her session while still allowing other users to use the system on other virtual consoles. If desired, the entire console may be locked and virtual console switching disabled. It is really a good idea to lock the workstation you use to control other servers in your network environment. Generally, KDE and GNOME include a locking feature. The idea is very simple: secure your terminal from unwanted people.
Shell variables to auto-logout
Almost all modern shells support some sort of auto-logout option. Under bash you use the TMOUT variable, set in seconds: bash terminates after waiting that number of seconds if no input arrives. For example, to set TMOUT to 60 seconds:
$ export TMOUT=60
So, if no input (no command typed) arrives in that time, the shell terminates with the following message:
timed out waiting for input: auto-logout
You can add TMOUT to your shell configuration file ~/.bash_profile file.
However, I prefer the tcsh shell's (the default shell under FreeBSD) autologout variable. The general syntax is as follows:
$ set autologout = (VAL1 VAL2)
Where,
VAL1: the number of minutes of inactivity before automatic logout
VAL2: the number of minutes of inactivity before automatic locking takes place (optional)
For example, you can set autologout as follows.
$ set autologout = (5 10)
You can add autologout to your shell configuration file ~/.cshrc OR ~/.tcshrc.
Using lock command under FreeBSD
The lock command requests a password from the user, reads it again for verification and then will not relinquish the terminal until the password is repeated (or the timeout expires):
$ lock
Key:
Again:
lock: /dev/ttyp0 on fbsd6.freebsd.org.in. timeout in 15 minutes.
time now is Tue May 30 20:46:14 IST 2007
Key: