Jump to content

ConfigServer ModSecurity Control - How do I set up the rules ?


Dicko_md

Recommended Posts

Hi

 

Ive asked this a couple of places but nobody has answered.

 

I got the hack others did yesterday. I am now on 5.2.8 and have installed ConfigServer ModSecurity Control but I have copied the rules in from a previous thread but when I tested it it still didnt work.

 

What have I dont wrong ?

 

I added the rules to modsec2.user.conf

 

These are the rules I copied in

 

SecRule REQUEST_HEADERS:User-Agent "(?:\b(??:indy librar|snoop)y|microsoft url control|lynx)\b|d(?:ownload demon|isco)|w(?:3mirror|get)|l(?:ibwww|wp)|p(?:avuk|erl)|cu(?:sto|rl)|big brother|autohttp|netants|eCatch)" \
       "chain,log,auditlog,msg:'Request Indicates an automated program explored the site',id:'990011',severity:'5'"

# SQL injection
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@pm insert xp_enumdsn infile openrowset nvarchar autonomous_transaction print data_type or outfile inner shutdown tbcreator @@version xp_filelist sp_prepare sql_longvarchar xp_regenumkeys xp_loginconfig xp_dirtree ifnull sp_addextendedproc xp_regaddmultistring delete sp_sqlexec and sp_oacreate sp_execute cast xp_ntsec xp_regdeletekey drop varchar xp_execresultset having utl_file xp_regenumvalues xp_terminate xp_availablemedia xp_regdeletevalue dumpfile isnull sql_variant select 'sa' xp_regremovemultistring xp_makecab 'msdasql' xp_cmdshell openquery sp_executesql 'sqloledb' dbms_java 'dbo' utl_http sp_makewebtask benchmark xp_regread xp_regwrite"         "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,pass,nolog,skip:1,id:1500007"
SecAction phase:2,pass,nolog,id:999501,skipAfter:959001
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "(?:\b(??(?:elect\b(?:.{1,100}?\b(??:length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(?(?:ump\b.*\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(??:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebtask)|ql_(?:longvarchar|variant))|xp_(?:reg(?:re(?:movemultistring|ad)|delete(?:value|key)|enum(?:value|key)s|addmultistring|write)|e(?:xecresultset|numdsn)|(?:terminat|dirtre)e|availablemedia|loginconfig|cmdshell|filelist|makecab|ntsec)|u(?:nion\b.{1,100}?\bselect|tl_(?:file|http))|group\b.*\bby\b.{1,100}?\bhaving|d(?:elete\b\W*?\bfrom|bms_java)|load\b\W*?\bdata\b.*\binfile|(?:n?varcha|tbcreato)r)\b|i(?:n(?:to\b\W*?\b(?:dump|out)file|sert\b\W*?\binto|ner\b\W*?\bjoin)\(?:f(?:\b\W*?\(\W*?\bbenchmark|null\b)|snull\b)\W*?\()|a(?:nd\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|utonomous_transaction\b)|o(?:r\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|pen(?:rowset|query)\b)|having\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|print\b\W*?\@\@|cast\b\W*?\()|(?:;\W*?\b(?:shutdown|drop)|\@\@version)\'(?(?:qloledb|a)|msdasql|dbo)')" \
       "phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack',id:'950001',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?:\b(??(?:elect\b(?:.{1,100}?\b(??:length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(?(?:ump\b.*\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(??:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebtask)|ql_(?:longvarchar|variant))|xp_(?:reg(?:re(?:movemultistring|ad)|delete(?:value|key)|enum(?:value|key)s|addmultistring|write)|e(?:xecresultset|numdsn)|(?:terminat|dirtre)e|availablemedia|loginconfig|cmdshell|filelist|makecab|ntsec)|u(?:nion\b.{1,100}?\bselect|tl_(?:file|http))|group\b.*\bby\b.{1,100}?\bhaving|d(?:elete\b\W*?\bfrom|bms_java)|load\b\W*?\bdata\b.*\binfile|(?:n?varcha|tbcreato)r)\b|i(?:n(?:to\b\W*?\b(?:dump|out)file|sert\b\W*?\binto|ner\b\W*?\bjoin)\(?:f(?:\b\W*?\(\W*?\bbenchmark|null\b)|snull\b)\W*?\()|a(?:nd\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|utonomous_transaction\b)|o(?:r\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|pen(?:rowset|query)\b)|having\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|print\b\W*?\@\@|cast\b\W*?\()|(?:;\W*?\b(?:shutdown|drop)|\@\@version)\'(?(?:qloledb|a)|msdasql|dbo)')" \
       "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack',id:'959001',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "\b(\d+) ?= ?\1\[\'\"](\w+)[\'\"] ?= ?[\'\"]\2\b" \
       "phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack',id:'950901',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
#
SecRule REQUEST_FILENAME|ARGS|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@pm user_objects object_type substr all_objects mb_users column_name rownum atttypid substring object_id user_group user_tables pg_attribute user_users column_id user_password attrelid object_name table_name pg_class"         "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,pass,nolog,skip:1,id:1500008"

SecRule ARGS|ARGS_NAMES "@validateByteRange 1-255" \
"deny,log,auditlog,msg:'Invalid character in request',id:'960901',severity:'4',t:urlDecodeUni,phase:2"

SecRule REQUEST_URI|ARGS|REQUEST_BODY "AES_ENCRYPT" "id:31337,phase:4,log,deny,msg:'WHMCS Fail'"

 

 

I tested the rules by

 

http://www.yourdomain.co.uk/?p="AES_ENCRYPT=0"

 

but it didnt work and just took me through to the webpage.

Link to comment
Share on other sites

1. You asked in another thread. I'm not a mod here, but it's generally considered bad form in ANY forum to make duplicate requests/posts on the same subject.

 

2. If you're having trouble setting up the CSF rules, I'd suggest you ask in the ConfigServer's scripts forum (Google for the link). The page to download the free script I gave you is VERY well commented and documented. More so than most. Follow the directions.

 

3. If you've upgrade to v5.2.8 then you should be good. If you've never used ModSecurity (you realize you need to have it installed before CSF's ModSec Control will work, right?), then I'd suggest not adding it until you do some reading and understand more what you're doing. Unless you understand how it works you could do more harm than good.

Edited by Blueberry3.14
Link to comment
Share on other sites

Blueberry Sorry you think Im doing something wrong. All I asked was how to do it and no body answered. Sometimes things go missing in threads and this is quite an issue to some people like myself due to the exploit I thought I would start a thread off to make it easier for people to see.

 

I set up the modsec control or so I thought and done it right but was still getting through so asked for some clarification .

 

Thank you for your help. Ive been googling since I got this error and yours was the most helpfull so far. I just needed that extra bit of info.

 

Thank you alinford..... I will try removing all.

 

Did I do right just pasting in ?

 

Thanks

 

Martyn

 

- - - Updated - - -

 

tried removing all of the rules as alinford suggested but that didnt work.

 

Ill google more.

 

Thanks again.

 

Martyn

Link to comment
Share on other sites

Blueberry Sorry you think Im doing something wrong. All I asked was how to do it and no body answered.

 

This is technically a user-to-user forum, though some WHMCS employees do monitor on and off. Like any forum, there's very rarely instant replies. If you have an urgent request it's always best to submit a support ticket, that way you can get one-on-one, specific help for WHMCS issues. For CSF issues it's best to ask there in their foum.

 

Creating more than one post/thread for the same issue just adds to the confusion and "noise-to-signal ratio" in the forum, and works against you (and others looking for answers), because there's that many more posts to wade through.

Link to comment
Share on other sites

Hi thanks for that I will try that.

 

No I havent done that before. Will the Mod Security be an option that I just tick ?

 

Regards

 

Martyn

 

Surely to be taken the wrong way, my apologies in advance, but, this comment by you is just painful to read.

 

Adding mod_security to your server is server admin 101. You shouldn't be hosting any users, or running any scripts like WHMCS, up to date or not, until you've got a secured server. if you're not sure how to secure your server, you should look into a managed server setup, or at the very least, hire someone to secure your server for you, properly.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use & Guidelines and understand your posts will initially be pre-moderated