FreeBSD India

The ports are mounted with mount_nullfs.

M=”/sbin/mount_nullfs -o rdonly /jailsata/PORTS/ports ”
$M /afs1/JAIL/Somejail1/usr/ports

In all jails there is a /etc/make.conf with in it
# jail
WRKDIRPREFIX = /var/tmp
PORTS_INDEX = /var/tmp/INDEX
DISTDIR = /var/tmp/distfiles
This make the ports work inside the jail with the ports collection mounted readonly.

Edit /usr/local/etc/pkgtools.conf
Use this setting;

module PkgConfig
ENV[’PORTSDIR’] ||= ‘/usr/ports’
ENV[’PORTS_INDEX’] ||= ENV[’PORTS_DBDIR’] + ‘/INDEX’
ENV[’PORTS_DBDIR’] ||= ‘/var/ports/db’
ENV[’PKG_DBDIR’] ||= ‘/var/db/pkg’
# a lot lower in the file!
#ENV[’PACKAGES’] ||= ENV[’PORTSDIR’] + ‘/packages’
#ENV[’PKG_PATH’] ||= ENV[’PACKAGES’] + ‘/All’
ENV[’PKG_BACKUP_DIR’] ||= ENV[’PKG_PATH’]

And make the dir with mkdir -p /var/ports/db

There is a patch available, not official though, so use it at your own risk:

http://people.freebsd.org/~pjd/patches/jail_2006012001.patch

for more details please visit:

http://blog.cg.nu/?cat=5

If you have freebsd 4.x or lower, you need to first install portsnap from ports.

If you have freebsd 5.x or above, portsnap comes with the base, so you don’t need to install it.

If you are using portsnap for the first type

type

portsnap fetch extract update

then after whenever you want to run portsnapt just issue the following command:

portsnap update.

If you are searching for a sample sysctl.conf for your high traffic server, you may try the below mentioned parameters, some of the tweaks for freebsd to improve it’s performance under high load:
security.bsd.see_other_uids=0
net.inet.tcp.recvspace=65535
net.inet.tcp.sendspace=65535
#kern.ps_showallprocs=0
kern.ipc.shmmax=67108864
kern.ipc.shmall=32768
net.inet.tcp.inflight.enable=1
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
net.inet.ip.rtexpire=2
net.inet.ip.rtminexpire=2
kern.ipc.somaxconn=1024
net.inet.ip.check_interface=1
kern.maxfiles=32768
kern.maxfilesperproc=2000
kern.ipc.maxsockets=163840
kern.ipc.maxsockbuf=2097152
net.inet.ip.fw.dyn_syn_lifetime=1
net.inet.ip.fw.dyn_max=65535
net.inet.ip.fw.dyn_buckets=256
net.inet.ip.fw.dyn_udp_lifetime=5
net.inet.tcp.msl=7500

If your server/box gets stuck at fsck after a reboot or a crash, then just add the following lines to /etc/rc.conf:
fsck_y_enable=”YES”
It will run fsck automatically and will avoid your box getting stuck after reboot waiting for somebody to manually run fsck.

IF you don’t want to recompile kernel, just because you want to enable ipfw, you can use the following command to do so:

kldload ipfw && ipfw add 65534 allow all from any to any

Never issue the above command without ipfw add 65534 allow all from any to any else you might end up with a locked box.

Your kernel needs the following in its kernel configuration file:

options QUOTA

For instructions on how to create a new kernel, refer to the Configuring the FreeBSD Kernel section in the FreeBSD handbook. Pay special attention to the section on Building and Installing a Custom Kernel.

Specify the partitions:

Decide what partitions you want to enable quota checking on and modify /etc/fstab accordingly. For each partition for which you want quotas enabled, modify that line in the file. userquota is for individual user quotas whereas. groupquota is for entire group quotas (i.e. the restrictions apply to groups as a whole).

For example:

/dev/ad0s1f /home ufs rw,userquota,groupquota 2 2

quotacheck:

Start out by typing:

quotacheck -a

This will create all the needed database files for the next command to work

quotaon/quotaoff :

The following command will enable quotas for all quota-flagged partitions listed in /etc/fstab:

quotaon -a

You can also issue this command to enable quotas only for the partition /mount_point (replace /mount_point with the partition applicable to your needs):

quotaon /mount_point

quotaoff has the same syntax as quotaon, but as the name implies, it’s used to turn off quota.

user quotas :

To edit user quotas, issue the following command:

edquota -u username

This excerpt from the edquota man page should help with editing quotas:

Users are permitted to exceed their soft limits for a grace period that may be specified per filesystem. Once the grace period has expired, the soft limit is enforced as a hard limit. The default grace period for a filesystem is specified in /usr/include/ufs/ufs/quota.h. The -t flag can be used to change the grace period.

After you’re done editing the quota file, save your changes and exit the editor.

Repeat this step for each user that you want to have a quota. If you have a bunch of users that will use the same quota settings, type something like the following:

edquota -u -p user1 user2 user3 user4

This will copy the quota settings from user1 to user2, user3, and user4. Specify as many users as you need to copy the quotas.

group quotas :

You can edit the quotas for a group by typing: edquota -g groupname

Starting quotas at boot time:

To ensure quotas are enforced after a reboot, add the following line to /etc/rc.conf:

quota_enable="YES"
check_quotas="YES"

Checking the usage

There will come a time that you will want to check your quota usage. Simply type the following command to check your quota:

quota

Or, if you’re root, you can check quotas of other users by typing:

quota username

There are many articles on how to setup modsecurity in google, so i’m not including it here, but from my experience, many admins have problem with adding rules for modsecurity. After lot of research in google, and my own research, i’ve made the list of some modseucrity rules, some of them are as under, sorry if i forgot to include credit for any site, these rules really help, though they might cause problem with some site/scripts, but most of them just works fine:

#really broad furl_fopen attack sig
#tune this for your system
#MTS
SecFilterSelective REQUEST_URI “!(/tiki-objectpermissions|aardvarkts/install/index|/gallery/do_command|banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go|/goto|gallery2?/main|ad-?server/adjs)” “chain,id:300018,rev:1,severity:2,msg:’Generic PHP code injection protection’”
SecFilterSelective REQUEST_URI “\.php(3|4|5)?(\?|&).*=(ht|f)tps?:/.*(\?|&)”

#Genenric PHP body attack
SecFilterSelective THE_REQUEST “(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)” chain
SecFilterSelective POST_PAYLOAD “^PHP\:*((cd|mkdir)[[:space:]]+(/|[A-Z|a-z|0-9]|\.)*|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat)|rexec |smbclient |t?ftp |ncftp |chmod |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])”

#Generic PHP remote file injection
SecFilterSelective REQUEST_URI “!((galler(y|i)/do_command))” chain
SecFilterSelective REQUEST_URI “\.php\?.*=(http|http|ftp)\:/.*(cmd|command)=”

#remote file inclusion generic attack signature
SecFilterSelective REQUEST_URI “\.php\?.*=(http|https|ftp)\:/.*\?&cmd=”

#PHP remote path attach generic signature
SecFilterSelective REQUEST_URI “\.ph(p(3|4)?).*path=(http|https|ftp)\:/”
SecFilterSelective REQUEST_URI “\.php.*path=(http|https|ftp)\:/”

#PHP Injection Attack generic signature
SecFilterSelective REQUEST_URI “\.php” chain
SecFilter “(\?((LOCAL|INCLUDE|PEAR|SQUIZLIB)_PATH|action|content|dir|name|menu|pm_path|path|pathtoroot|cat|pagina|path|include_location|root|page|gorumDir|site|topside|pun_root|open|seite)=(http|https|ftp)\:/|(cmd|command)=(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |id|cmd|pwd|wget |lwp-(download|request|mirror|rget) |uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./|whoami|killall |rm \-[a-z|A-Z]))”

#PHP Injection Attack generic signature
SecFilterSelective REQUEST_URI “\.php\?(((LOCAL|INCLUDE|PEAR|SQUIZLIB)_PATH|action|content|dir|name|menu|pm_path|pagina|path|pathtoroot|cat|include_location|gorumDir|root|page|site|topside|pun_root|open|seite)=(http|https|ftp)\:/|.*(cmd|command)=(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat)|rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z]))”

#Generic PHP remote file inclusion attack signature
SecFilterSelective REQUEST_URI “\.php\?” chain
SecFilter “(http|https|ftp)\:/” chain
SecFilter “(cmd|command)=(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])”

#Generic PHP remote file inclusion attack signature
SecFilterSelective REQUEST_URI “\.php\?” chain
SecFilter “(http|https|ftp)\:/” chain
SecFilter “(cmd|command)=.*(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])”

#PHP defenses
SecFilterSelective ARG_PHPSESSID “!^[0-9a-z]*$”

#PHP defenses
SecFilterSelective ARGS_NAMES “^(globals($|\[)|php:/)”

#PHP defenses
SecFilterSelective COOKIE_PHPSESSID “!^[0-9a-z]*$”

#generic sig for more bad PHP functions
SecFilterSelective THE_REQUEST “chr\(([0-9]{1,3})\)”
SecFilterSelective ARGS_NAMES “^php:/”

SecFilterSelective THE_REQUEST “cd \.\.”
SecFilterSelective THE_REQUEST “/\.(history|bash_history) HTTP\/(0\.9|1\.0|1\.1)$”

#generic block for fwrite fopen uploads
SecFilterSelective THE_REQUEST “fwrite” chain
SecFilterSelective THE_REQUEST “fopen”

# WEB-MISC Tomcat view source attempt
SecFilterSelective THE_REQUEST “\x252ejsp”

# TIKIWIKI
SecFilterSelective REQUEST_URI “/tiki-map.phtml\?mapfile=\.\./\.\./”

#SMTP redirects
SecFilterSelective THE_REQUEST ^(http|https)\:/.+:25

#These are VERY experiemental, please report false positives/negatives, etc.
#very experimental generic remote download sig
#foo IP or FQDN, or foo http/https/ftp://whatever
SecFilterSelective THE_REQUEST “(perl|t?ftp|links|elinks|lynx|ncftp|(s|r)(cp|sh)|wget|lwp-(download|request|mirror|rget)|curl|cvs|svn).*\x20((http|https|ftp)\:/|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|.*[A-Za-z|0-9]\.[a-zA-Z]{2,4}/|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)”

#Command inline detection
SecFilterSelective THE_REQUEST “( |\;|/|\’|,|\&|\=|\.)((s|r)(sh|cp)) *(.*\@.*|(http|https|ftp)\:/|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|.*[A-Za-z|0-9]\.[a-zA-Z]{2,4}/|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)”

#very experimental connect command sig
SecFilterSelective THE_REQUEST “( |\;|/|\’|,|\&|\=|\.)(perl|nc|telnet|(rs)sh|rexec) .*([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|[A-Za-z|0-9]\.[a-zA-Z]{2,4}|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)”

# Web-attacks chdir
SecFilterSelective REQUEST_URI “&(cmd|command)=chdir\x20″

#Don’t accept chunked encodings
#modsecurity can not look at these, so this is a hole
#that can bypass your rules, the rule before this one
#should cover this, but hey paranoia is cheap
SecFilterSelective HTTP_Transfer-Encoding “chunked” “id:300003,rev:1,severity:2,msg:’Chunked Transfer Encoding denied’”

#Code injection via content length
SecFilterSelective HTTP_Content-Length “\;(system|passthru|exec)\(” “id:330003,rev:1,severity:2,msg:’Code Injection in Content-Length header’”

#broad cross site scripting rule
#False alarms are a problem with this, use with caution
#SecFilterSelective THE_REQUEST “<(.|\n)+>”

#generic recursion signatures
SecFilterSelective REQUEST_URI “!(alt_mod_frameset\.php)” “chain,id:300004,rev:1,severity:2,msg:’Generic Path Recursion denied’”
SecFilterSelective THE_REQUEST “\.\./\.\./”
#generic path recurision sig

#generic recursion signatures
SecFilterSelective THE_REQUEST “\.\|\./\.\|\./\.\|” “id:300005,rev:1,severity:2,msg:’Generic Path Recursion denied’”

#generic bogus path sigs
SecFilterSelective THE_REQUEST “\.\.\./” “id:300006,rev:1,severity:2,msg:’Bogus Path denied’”
SecFilterSelective POST_PAYLOAD “[[:space:]]+\.\.\.+\;” “id:300007,rev:1,severity:2,msg:’Bogus Path denied’”

#Generic PHP exploit signatures
SecFilterSelective THE_REQUEST “(chr|fwrite|fopen|system|e?chr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;” “id:330001,rev:1,severity:2,msg:’Generic PHP exploit pattern denied’”

#Generic PHP exploit signatures
SecFilterSelective POST_PAYLOAD|REQUEST_URI “<\?php (chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;” “id:330002,rev:1,severity:2,msg:’Generic PHP exploit pattern denied’”

#slightly tighter rules with narrower focus
SecFilterSelective REQUEST_URI|POST_PAYLOAD “(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;” “id:300008,rev:1,severity:2,msg:’Generic PHP exploit pattern denied’”

#generic XSS PHP attack types
SecFilterSelective REQUEST_URI “\.php\?” “chain,id:300010,rev:1,severity:2,msg:’Generic PHP XSS exploit pattern denied’”
SecFilter “(javascript\:/(.*new\x20ActiveXObject.*Sh\.regwrite|.*window\.opener\.document\.body.\innerHTML=window\.opener\.document\.body\.innerHTML\.replace)|onmouseover=\’javascript)”

#Prevent SQL injection in cookies
SecFilterSelective COOKIE_VALUES “((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\’.*\’.*,[0-9].*INTO.*FROM)” “id:300011,rev:1,severity:2,msg:’Generic SQL injection in cookie’”

#Prevent command injection through cookies
SecFilterSelective COOKIE_VALUES “\; cmd=”

#Prevent SQL injection in UA
SecFilterSelective HTTP_USER_AGENT “((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\’.*\’.*,[0-9].*INTO.*FROM)” “id:300012,rev:1,severity:2,msg:’Generic SQL injection in User Agent header’”

# Generic filter to prevent SQL injection attacks
# Understand that all SQL filters are very limited and are very difficult
# to prevent false postives and negatives.
# Pplease report false positives/negatives to mike@gotroot.com
SecFilterSelective REQUEST_URI “!((/wp-admin/post|privmsg|/ticket/admin|/misc|tiki-editpage|/post|/horde3?/imp/compose|/posting)\.php|/modules\.php\?op=modload&name=(Downloads|Submit_News)|/admin\.php\?module=NS\-AddStory\&op=|/index\.php\?name=PNphpBB2&file=posting&mode=reply.*|/phpMyAdmin/|/PNphpBB2-posting\.html|/otrs/index\.pl|tiki-index\.php\?page=|/index\.php\?title=.*&action=edit|/_mmServerScripts/|/node/[0-9]+/edit|/_vti_bin/.*\.exe/)” “chain,id:300013,rev:1,severity:2,msg:’Generic SQL injection protection’”
SecFilter “((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\’.*\’.*,[0-9].*INTO.*FROM)”
#Generic SQL sigs
SecFilterSelective ARGS “(or.+1[[:space:]]*=[[:space:]]1|(or 1=1|’.+)–’)” “id:300014,rev:1,severity:2,msg:’Generic SQL injection protection’”

#Generic SQL sigs
SecFilterSelective ARGS “((alter|create|drop)[[:space:]]+(column|database|procedure|table)|delete[[:space:]]+from|update.+set.+=)” “id:300015,rev:1,severity:2,msg:’Generic SQL injection protection’”

#Generic SQL sigs
SecFilterSelective REQUEST_URI “!(/node/[0-9]+/edit|/forum/posting\.php|/admins/wnedit\.php|/alt_doc\.php\?returnUrl=.*edit|/admin/categories\.php\?cPath=.*|modules\.php\?name=Forums&file=posting&mode=.*)” “chain,id:300016,rev:1,severity:2,msg:’Generic SQL injection protection’”
SecFilterSelective ARGS “(insert[[:space:]]+into.+values|select.+from|bulk[[:space:]]+insert|union.+select)”

#Generic command line attack filter
SecFilterSelective REQUEST_URI “!(/Count\.cgi)” “chain,id:300017,rev:1,severity:2,msg:’Generic command line attack filter’”
SecFilterSelective THE_REQUEST “\|+.*[\x20].*[\x20].*\|”

#Generic PHP bad functions protection
#PHP copy() function: http://securitytracker.com/alerts/2006/Apr/1015882.html
SecFilterSelective ARGS_VALUES compress\.zlib:

#Generic XSS filter
#please report false positives
SecFilterSelective REQUEST_URI “!/mt\.cgi” chain
SecFilter “<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>”

#XSS in referrer and UA headers
SecFilterSelective HTTP_REFERER|HTTP_USER_AGENT “<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>”

#script, perl, etc. code in HTTP_Referer string
SecFilterSelective HTTP_Referer “\#\!.*/”

#generic command line attack
SecFilterSelective REQUEST_URI|ARGS “\|*id\;echo*\|”

#remote file inclusion generic attack signature
SecFilterSelective THE_REQUEST “\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?” chain
SecFilter “((name|pm_path|pagina|path|include_location|root|page|open)=(http|https|ftp)|(cmd|command|inc)=)”

#remote file inclusion generic attack signature
SecFilterSelective THE_REQUEST “\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?\&(cmd|command|inc|name)=”

#remote file inclusion generic attack signature
SecFilterSelective ARGS “\.(dat|gif|jpg|png|bmp|txt|vir|dot)” chain
SecFilter “\?\&(cmd|inc|name)=”

#remote file inclusion generic attack signature
SecFilterSelective ARGS “\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?\&(cmd|inc|name)=”

#Bogus file extensions generic signature
SecFilterSelective THE_REQUEST “[A-Za-z0-9]\.(gif|jpg|png|bmp)\.txt”

#generic attack sig
SecFilterSelective THE_REQUEST “cd\x20*\;(cd|\;|echo|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./)”

# WEB-ATTACKS uname -a command attempt
SecFilterSelective THE_REQUEST “uname” chain
SecFilter “\x20-a”

#Enforce proper HTTP requests
SecFilterSelective SERVER_PROTOCOL “!^HTTP/(0\.9|1\.0|1\.1)$” “id:340000,rev:1,severity:1,msg:’Bad HTTP Protocol’”

# Don’t accept transfer encodings we know we don’t handle
# (and you don’t need it anyway)
SecFilterSelective HTTP_Transfer-Encoding “!^$” “id:340004,rev:1,severity:2,msg:’Dis-allowed Transfer Encoding’”

#HTTP response spilting generic sigs
SecFilter “Content-Length\:.*Content-Type\:.*Content-Type\:” “id:340005,rev:1,severity:2,msg:’HTTP response splitting’”

#HTTP response spilting generic sigs
SecFilter “Content-Length\:” “chain,id:340006,rev:1,severity:2,msg:’HTTP response splitting’”
SecFilter “Content-Type\:” chain
SecFilter “Content-Type\:”

#deny TRACE method
SecFilterSelective REQUEST_METHOD “TRACE” “id:340007,rev:1,severity:2,msg:’TRACE method denied’”

#XSS insertion into Content-Type
SecFilterSelective THE_REQUEST “Content-Type\:.*(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=|javascript\:)” “id:300002,rev:1,severity:2,msg:’XSS attack in Content-type header’”

#Generic argument protection rule against bad meta characters
#SecFilterSelective “ARGS” “!^[A-Za-z0-9.&/?@_%=:;, -]*$”

#generic php attack sigs
SecFilterSelective REQUEST_URI “(&(cmd|command)=(id|uname)\x20|cmd\?(cmd|command)=|(spy|cmd|cmd_out|sh)\.(gif|jpg|png|bmp|txt)\?&(cmd|command)=|\.php\?&(cmd|command)=)”

# WEB-ATTACKS xterm command attempt
SecFilterSelective THE_REQUEST “/usr/X11R6/bin/xterm”

# WEB-ATTACKS /etc/shadow access
SecFilterSelective THE_REQUEST “/etc/shadow”

# WEB-ATTACKS /bin/ps command attempt
SecFilterSelective THE_REQUEST “/bin/ps”

# WEB-ATTACKS /usr/bin/id command attempt
SecFilterSelective THE_REQUEST “/usr/bin/id” chain
SecFilter “\x20″

# WEB-ATTACKS echo command attempt
SecFilterSelective THE_REQUEST “/bin/echo” chain
SecFilter “\x20″

# WEB-ATTACKS kill command attempt
SecFilterSelective THE_REQUEST “/bin/kill” chain
SecFilter “\x20″

# WEB-ATTACKS chmod command attempt
SecFilterSelective THE_REQUEST “/bin/chmod” chain
SecFilter “\x20″

# WEB-ATTACKS chsh command attempt
SecFilterSelective THE_REQUEST “/usr/bin/chsh”

# WEB-ATTACKS gcc command attempt
SecFilterSelective THE_REQUEST “gcc” chain
SecFilter “x20-o”

# WEB-ATTACKS /usr/bin/cc command attempt
SecFilterSelective THE_REQUEST “/usr/bin/cc” chain
SecFilter “\x20″

# WEB-ATTACKS /usr/bin/cpp command attempt
SecFilterSelective THE_REQUEST “/usr/bin/cpp” chain
SecFilter “\x20″

# WEB-ATTACKS /usr/bin/g++ command attempt
SecFilterSelective THE_REQUEST “/usr/bin/g\+\+” chain
SecFilter “\x20″

# WEB-ATTACKS g++ command attempt
SecFilterSelective THE_REQUEST “g\+\+\x20″ chain
SecFilter “\x20″

# WEB-ATTACKS bin/python access attempt
SecFilterSelective THE_REQUEST “bin/python” chain
SecFilter “\x20″

# WEB-ATTACKS python access attempt
#SecFilter “python\x20″

# WEB-ATTACKS bin/tclsh execution attempt
SecFilterSelective THE_REQUEST “bin/tclsh”

# WEB-ATTACKS tclsh execution attempt
SecFilterSelective THE_REQUEST “tclsh8\x20″

# WEB-ATTACKS bin/nasm command attempt
SecFilterSelective THE_REQUEST “bin/nasm”

# WEB-ATTACKS nasm command attempt
SecFilterSelective THE_REQUEST “nasm\x20″

# WEB-ATTACKS /usr/bin/perl execution attempt
SecFilterSelective THE_REQUEST “/usr/bin/perl”

# WEB-ATTACKS traceroute command attempt
SecFilterSelective THE_REQUEST “traceroute” chain
SecFilter “\x20([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)”

# WEB-ATTACKS ping command attempt
SecFilterSelective THE_REQUEST “/bin/ping” chain
SecFilter “\x20″

# WEB-ATTACKS X application to remote host attempt
SecFilterSelective THE_REQUEST “\x20-display\x20″

# WEB-ATTACKS mail command attempt
SecFilterSelective THE_REQUEST “/bin/mail” chain
SecFilter “\x20″

# WEB-ATTACKS /bin/ls command attempt
SecFilterSelective THE_REQUEST “/bin/ls” chain
SecFilter “\x20″

# WEB-ATTACKS /etc/inetd.conf access
SecFilterSelective THE_REQUEST “/etc/inetd\.conf”

# WEB-ATTACKS /etc/motd access
SecFilterSelective THE_REQUEST “/etc/motd”
# WEB-ATTACKS conf/httpd.conf attempt
SecFilterSelective THE_REQUEST “conf/httpd\.conf”

# WEB-MISC .htpasswd access
SecFilterSelective THE_REQUEST “\.htpasswd”

# WEB-MISC /etc/passwd access
SecFilterSelective REQUEST_URI “/etc/passwd”

# WEB-MISC nessus 1.X 404 probe
SecFilterSelective REQUEST_URI “/nessus_is_probing_you_”

# WEB-MISC nessus 2.x 404 probe
SecFilterSelective REQUEST_URI “/NessusTest”

# WEB-MISC ls%20-l
SecFilterSelective THE_REQUEST “ls” chain
SecFilter “\x20-l”

# WEB-MISC apache directory disclosure attempt
SecFilterSelective THE_REQUEST “////////”

#musicat empower attempt
SecFilterSelective REQUEST_URI “/empower\?DB=”

# WEB-MISC Apache Chunked-Encoding worm attempt
SecFilter “CCCCCCC\: AAAAAAAAAAAAAAAAAAA”

# WEB-MISC *%0a.pl access
SecFilterSelective REQUEST_URI “/*\x0a\.pl”

#PHPBB worm sigs
SecFilterSelective REQUEST_URI “!(tiki-searchindex\.php)” chain
SecFilterSelective ARG_highlight “(\x27|%27|\x2527|%2527)”

# WEB-FRONTPAGE …. request
SecFilterSelective THE_REQUEST “\.\.\.\./”

#experimental CSS rule
#SecFilterSelective REQUEST_URI “/(\x3C|<)(\x2F|\/)*[a-z0-9\%]+(\x3E|>)”

#Generic attack rules pcre format
#cross site scripting attempt IMG onerror or onload
SecFilterSelective THE_REQUEST “\

#cross site scripting attempt STYLE + JAVASCRIPT
SecFilterSelective THE_REQUEST “TYPE\s*=\s*[\’\”]application\/x-javascript”

#cross site scripting attempt STYLE + JSCRIPT
SecFilterSelective THE_REQUEST “TYPE\s*=\s*[\’\”]text\/jscript”

# cross site scripting attempt STYLE + VBSCRIPT
SecFilterSelective THE_REQUEST “TYPE\s*=\s*[\’\”]text\/vbscript”

#cross site scripting attempt STYLE + VBSCRIPT
SecFilterSelective THE_REQUEST “TYPE\s*=\s*[\’\”]application\/x-vbscript”

#cross site scripting attempt STYLE + ECMACRIPT
SecFilterSelective THE_REQUEST “TYPE\s*=\s*[\’\”]text\/ecmascript”

# cross site scripting attempt STYLE + EXPRESSION
SecFilterSelective THE_REQUEST “STYLE[\s]*=[\s]*[^>]expression[\s]*\(”

#cross site scripting attempt STYLE + EXPRESSION
SecFilterSelective THE_REQUEST “[\s]*expression[\s]*\([^}]}[\s]*<\/STYLE>”

# cross site scripting attempt using XML
SecFilterSelective THE_REQUEST “SCRIPT”

#cross site scripting attempt executing hidden Javascript
SecFilterSelective THE_REQUEST “eval[\s]*\([\s]*[^\.]\.innerHTML[\s]*\)”

#cross site scripting attempt executing hidden Javascript
SecFilterSelective THE_REQUEST “window\.execScript[\s]*\(”

#cross site scripting attempt to execute Javascript code
SecFilterSelective THE_REQUEST “/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*[\’\”]*javascript[\:]”

#cross site scripting stealth attempt to execute Javascript code
#may false alarm for some language sets
SecFilterSelective REQUEST_URI “!(/index\.php\?module=Blocks&type=admin&func=update|/index\.php\?go=.*&edit=)” chain
SecFilter “(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*[\’\”]*[\x09\x0a\x0b\x0c\x0d]*j[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:]”

#cross site scripting HTML Image tag set to javascript attempt
SecFilterSelective THE_REQUEST “img xsrc=javascript”

#Apache /server-info accessible
SecFilterSelective REQUEST_URI “/server-info” chain
SecFilterSelective REMOTE_ADDR “!^127\.0\.0\.1$”

#Apache /server-status accessible
#Modified so apache-protect can run
SecFilterSelective REQUEST_URI “^/server-status/$” chain
SecFilterSelective REMOTE_ADDR “!^127\.0\.0\.1$”

#generic Common HTTP vulnerability
SecFilterSelective THE_REQUEST “/\?cwd=/”

#General [url] php forum protections (phpbb and others, to protect against script injection attacks in url links)
SecFilterSelective THE_REQUEST “\.php\?” chain
SecFilter “\[url=(script|javascript|applet|about|chrome|activex)\:/.*\].*\[/url\]”

#Experimental XML-RPC generic attack sigs
SecFilter “\’\,\’\’\)\)\;”
SecFilter “\

\.*\’\)\;”#XML-RPC generic attack sigs
SecFilterSelective POST_PAYLOAD “^Content-Type\: application/xml” chain
SecFilter “(\<.*xml)” chain
SecFilter “(echo( |\(|\’).*\;|chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;” chain
SecFilter “methodCall\>”

#Specific XML-RPC attacks on xmlrpc.php
SecFilterSelective THE_REQUEST “(/xmlrpc|.*xmlrpc_services)\.php” chain
SecFilter “(\<.*xml)” chain
SecFilter “(echo( |\(|\’).*\;|chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;”

#Too generic, unless you know you won’t see this in any of the fields of an XMLRPC message on your system
#SecFilterSelective THE_REQUEST “/xmlrpc\.php” chain
#SecFilter “(cd|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |id|uname |cvs |svn |(s|r)(cp|sh) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./)”

#XML-RPC SQL injection generic signature
SecFilterSelective THE_REQUEST “(/xmlrpc|.*xmlrpc_services)\.php” chain
SecFilter “.*.*.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view).*methodName\>”

#generic remote file inclusion vulns
SecFilterSelective THE_REQUEST “/index\.php\?do=.*&page=(http|https|ftp)\:/”
SecFilterSelective THE_REQUEST “/index\.php\?kietu\[.*\]=(http|https|ftp)\:/”
SecFilterSelective THE_REQUEST “/index\.php\?libDir=http://xxxxxxxx”
SecFilterSelective THE_REQUEST “/init\.php\?HTTP_POST_VARS\[GALLERY_BASEDIR\]=(http|https|ftp)\:/”

#Virus HTTP Challenge/Reponse Auth
SecFilterSelective THE_REQUEST “^Authorization\: Negotiate” chain
SecFilter “YIIQegYGKwYBBQUCoIIQbjCCEGqhghBmI4IQYgOCBAEAQUFBQUFBQUFBQUFBQUFB”

#catch smuggling attacks
SecFilter “^(GET|POST).*Host:.*^(GET|POST)”

#Drupal remote command execution vulnerability exploit signature
#This is already covered in another generic signature, but just in case you leave it out, here it is
#again with a slightly tigher regexp
SecFilter “\<.*php .*\(.*\)\;system\(.*\).*php*\>”
#Slightly stronger version of the above
SecFilter “\<.*php .*\(.*\)\;(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\).*php*\>”

#Generic PHP attack sig
SecFilterSelective THE_REQUEST “system\(getenv\(HTTP_PHP\)\)”

#Generic Nessus request filter
SecFilterSelective THE_REQUEST “NessusTest*\.html”

#Generic PHP payload command injection and upload vulnerabilities
SecFilterSelective POST_PAYLOAD “<\?php” chain
SecFilter “((fputs|fread)\(.*\,.*\)\;|fsockopen\(gethostbyname|chr\(.*\)\.chr\(.*\)\.chr\(|(fclose|fgets)\(.*\)\;|(system|exec)\(.*\)\;)” chain
SecFilter “\<\?php”

#Generic XML RPC attack sig
SecFilterSelective POST_PAYLOAD “\’(______BEGIN______|_____FIM_____)\’\;”

#HTTP header PHP code injection attacks
SecFilterSelective HTTP_CLIENT_IP|HTTP_USER_AGENT|HTTP_Referer “(<\?php|<[[:space:]]?\?[[:space:]]?php|<\? php)”
#wormsign
SecFilter “XXXXXXXXXXXXXXX\: \+\+\+\+\+\+\+\+\+\+\+\+\+”
SecFilterSelective THE_REQUEST “THMC\.\$dbhost\.THMC\.\$dbname\.THMC\.\$dbuser\.THMC\.\$dbpasswd\.THMC”

#phpbb wormsign
SecFilterSelective THE_REQUEST “echo _GHC/RST_”

#Generic PHP avatar upload exploits
SecFilterSelective REQUEST_URI “\.php” chain
SecFilterSelective POST_PAYLOAD “Content-Disposition\: form-data\; name=\”avatar\”\;” chain
SecFilter “\<\?php” chain
SecFilter “\?>”

#Fake image file shell attacvk
SecFilterSelective HTTP_Content-Type “image/.*”
SecFilterSelective POST_PAYLOAD “chr\(”

#bogus graphics file
SecFilterSelective HTTP_Content-Disposition “\.php” chain
SecFilterSelective HTTP_Content-Type “(image/gif|image/jpg|image/png|image/bmp)”

#wormsign
SecFilterSelective REQUEST_URI “Hacked.*by.*member.*of.*SCC”

#Special account protection
SecFilterSelective THE_REQUEST “/~(root|ftp|bin|nobody|named|guest|logs|sshd)(/\S*)? HTTP/(0\.9|1\.[01])$”
SecFilterSelective REQUEST_URI “/~(root|ftp|bin|nobody|named|guest|logs|sshd)/”

#Generic PHP fopen sig
SecFilterSelective THE_REQUEST “fp=fopen\(”

# above filters added by kapil from http://www.gotroot.com/downloads/ftp/mod_security/rules.conf

# WEB-ATTACKS passwd command attempt - added by kapil
SecFilterSelective THE_REQUEST “/etc/passwd”

# WEB-ATTACKS passwd command attempt - added by kapil
SecFilterSelective THE_REQUEST “passwd”

# WEB-ATTACKS wget command attempt
SecFilterSelective THE_REQUEST “wget”

# WEB-ATTACKS wget command attempt
SecFilterSelective THE_REQUEST “wget ”

# WEB-ATTACKS uname -a command attempt
SecFilterSelective THE_REQUEST “uname -a”

# WEB-ATTACKS .htgroup access
SecFilterSelective THE_REQUEST “\.htgroup”

# WEB-ATTACKS .htaccess access
SecFilterSelective THE_REQUEST “\.htaccess”

# WEB-CLIENT Javascript URL host spoofing attempt
SecFilter “javascript\://”

# WEB-MISC cross site scripting \(img xsrc=javascript\) attempt
SecFilter “img xsrc=javascript”

# WEB-MISC cd..
SecFilterSelective THE_REQUEST “cd\.\.”

# WEB-MISC ///cgi-bin access
SecFilterSelective THE_REQUEST “///cgi-bin”

# WEB-MISC /cgi-bin/// access
SecFilterSelective THE_REQUEST “/cgi-bin///”

# WEB-MISC /~root access
SecFilterSelective THE_REQUEST “/~root”

# WEB-MISC /~ftp access
SecFilterSelective THE_REQUEST “/~ftp”

# WEB-MISC htgrep attempt
SecFilterSelective THE_REQUEST “/htgrep” chain
SecFilter “hdr=/”

# WEB-MISC htgrep access
SecFilterSelective THE_REQUEST “/htgrep” log,pass

# WEB-MISC .history access
SecFilterSelective THE_REQUEST “/\.history”

# WEB-MISC .bash_history access
SecFilterSelective THE_REQUEST “/\.bash_history”

# WEB-MISC /~nobody access
SecFilterSelective THE_REQUEST “/~nobody”

# WEB-PHP PHP-Wiki cross site scripting attempt
SecFilterSelective THE_REQUEST ”

# WEB-PHP strings overflow
SecFilterSelective THE_REQUEST “\?STRENGUR”

# WEB-PHP PHPLIB remote command attempt
SecFilter “_PHPLIB\[libdir\]”

This sounds strange, what? Ok, let me tell you for what you would need that…I have a user which works with my MySQL-database by Windows-ODBC. The usual communication between client and server runs unencrypted. So I decided to tunnel the communication through an ssh-tunnel.

• Problem 1: User has shell-access and the user has the opportunity to log into my system and do things I don’t like.
  Solution 1: Don’t give him shell-access, but a program which runs forever and the user gets some output on his terminal to get no timeout.
• Problem 2: User could port-forward not only mysql-protocol but also SMTP, POP3… whatever. But I don’t want that.
  Restrict him to forward only special ports.

Create a file ~user/.ssh/authorized_keys like this

#  -> command=”…”
#     this command simply prints something to prevent a timeout while
#     the ssh-session is running. quoting-character like double quotes
#     in this command must be quoted with backslash
#  -> permitopen=”127.0.0.1:3306″
#     restrict the person using this key to only portforwarding
#     3306 to localhost
#  -> from=…
#     only allow connections from this host (not needed but sometimes useful)
# the rest is the public key
command=”/usr/bin/perl -e ‘$|=1;while (1) { print scalar localtime() . ”n”;sleep 30}’”,
permitopen=”127.0.0.1:3308″,
from=”box1.freebsd.org.in”
ssh-dss AAAAB3NzaC1kc3MAAACBAJ4vXg== some@comment_for_key

You can use the wall command to send a message to every user on a system. General syntax of wall command is as follows:
wall
Message
Message
…
….
..
When the message is complete, press Control-D.1) To display message “Disk failure system will be down for 30 minute” to all users use wall as follows:
# wall
Disk failure system will be down for 30 minute
--UNIX Admin
--MyCorp.com


When the message is complete, press Control-D (CTRL+D) to send message to all user.

2) To display message “Web server under DOS attack, come to IDC # 3″ to all WHEEL group member use wall command with –g option as follows:
# wall –g wheel
Web server under DOS attack, come to IDC # 3 to investigate matter further.
-- IT HEAD

When the message is complete, press Control-D (CTRL+D) to send message to all user.