02-10-2009, 05:19 AM
Member
Join Date: Jan 2009
Posts: 28
mod_security Request Filters
Hey everyone - I'm working to secure my webserver with mod_security but have found very little info in the wiki, or the forums. Anyone interested in sharing their rules with everyone else?
I've been looking at the www.gotroot.com website (they have a great library of mod_security rules) but when I attempt to enable things, things tend to break.
For example the following rule to block some spam words:
Code:
Action: log,deny,auditlog,phase:2,status:403,t:lowercase,t:replaceNulls,t:compressWhitespace,msg:'No Spam Please'
Rules Definition: SecFilterSelective "POST_PAYLOAD" "(viagra|porn|poker|texasholdem|cialis|bllogspot|casino|gambling-|health-insurancedeals|homeequityloans|hotel-dealse-site|insurance-quotesdeals-4u|mortgage-4-u|mortgagequotes|online-gambling|shemale)"
The rule works for blocking the rules, but people who have subscribed to receive feedburner emails on new posts get an email with all the spaces removed. The action is set to trim whitespace, but I would think that's just for the inspection of the payload.
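
Added example (not from the thread, gotroot or LiteSpeed): a small Python model of the rule in the post above, for trying it against sample POST bodies before enabling deny. It assumes ModSecurity 2.x transformation semantics, where the t: actions run on a copy used only for matching; the function names and sample payloads are constructed.

```python
import re

# Keyword alternation copied verbatim from the rule in the post above.
SPAM_WORDS = re.compile(
    rb"(viagra|porn|poker|texasholdem|cialis|bllogspot|casino|gambling-|"
    rb"health-insurancedeals|homeequityloans|hotel-dealse-site|"
    rb"insurance-quotesdeals-4u|mortgage-4-u|mortgagequotes|online-gambling|shemale)"
)

def transform(payload: bytes) -> bytes:
    """Model the rule's t: actions. Returns a new value; the input is untouched."""
    data = payload.lower()                               # t:lowercase
    data = data.replace(b"\x00", b" ")                   # t:replaceNulls
    return re.sub(rb"[ \t\n\r\f\v\xa0]+", b" ", data)    # t:compressWhitespace

def evaluate(payload: bytes) -> dict:
    """Match the transformed copy; report the verdict and what gets forwarded."""
    hit = SPAM_WORDS.search(transform(payload))
    return {
        "action": "deny" if hit else "allow",            # deny maps to status:403
        "keyword": hit.group(1).decode() if hit else None,
        # Assumption (ModSecurity 2.x semantics): an allowed request body is
        # passed on byte-for-byte, not in its transformed form.
        "forwarded": None if hit else payload,
    }

# Constructed sample POST bodies, not taken from the thread.
SAMPLES = [
    b"Buy  VIAGRA\x00 now",                        # obfuscated spam
    b"Thanks, the heart specialist was great",     # benign: "spe-cialis-t"
    b"Great post,\n\n  see you next week",         # benign, whitespace matters
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(body, "->", evaluate(body))
```

The second sample is denied because "specialist" contains "cialis": an unanchored keyword list matches inside ordinary words, so run it in log-only mode against real traffic before switching the action to deny.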

02-10-2009, 04:47 PM
Member
Join Date: Jan 2009
Posts: 28
I got to looking at the default entries and modified my spam example to the following - the syntax for lsws is a bit different. I'm still unable to get it to actually deny the post though.
Code:
Action: log,deny,auditlog,status:403,msg:'No Spam Please'
Rules Definition: SecFilterSelective POST_PAYLOAD "viagra|porn|poker|texasholdem|cialis|bllogspot|casino|gambling-|health-insurancedeals|homeequityloans|hotel-dealse-site|insurance-quotesdeals-4u|mortgage-4-u|mortgagequotes|online-gambling|shemale"

02-11-2009, 01:59 PM
Member
Join Date: May 2008
Posts: 16
Agree, I have the same problem. I was looking at gotroot by Prometheus too and was unable to get it working on Litespeed, and I found the manual insufficient too (you can find the manual on PHP CHROOT insufficient as well). It seems that there is a lot to do with this module or with the manuals for LS tech. Possibly Litespeed tech will enhance this module and we'll be able to use this excellent resource to enhance security. I'd even thought about including these features (the gotroot mod_security rule list) in Litespeed (somewhere in the 'Security' section). Well, LSWS has an open-source back-end and we can hardcode this ourselves if Litespeed includes this feature in their future releases (our company develops e-Commerce products based on PHP and luckily Litespeed has a PHP back-end, so it's not a problem for us).
Unfortunately I have no time for testing at the moment, so if you get it working and tell me how to convert the rules, I'll be glad to hardcode and share a bash/perl script to convert new rules downloaded from gotroot, and possibly an automatic checker for rule list updates.
Last edited by [QT]bender; 02-11-2009 at 02:00 PM..
Reason: some typos %^)

02-11-2009, 05:14 PM
Member
Join Date: Jan 2009
Posts: 28
Thanks for posting bender - glad I'm not the only one having difficulties.
I've played around with some more settings but still no luck getting *any* rules to work. Even something as simple as:
log,deny,status:403,msg:'wget request denied'
Code:
SecFilterSelective THE_REQUEST "wget"

02-11-2009, 05:22 PM
Member
Join Date: Jan 2009
Posts: 28
OK - I'M A MORON!
... seriously. I just never looked at the top of the page. I started testing the default rules and even they didn't work, so - I start looking for an option to turn ON the request filtering for the server... it was at the top of the page I've been working on for DAYS! hah
shoot me.

02-24-2009, 01:39 PM
Member
Join Date: May 2008
Posts: 16
Quote:
Originally Posted by Michael.Terence
OK - I'M A MORON!
... seriously. I just never looked at the top of the page. I started testing the default rules and even they didn't work, so - I start looking for an option to turn ON the request filtering for the server... it was at the top of the page I've been working on for DAYS! hah
shoot me.
Oh crap. Don't mind, I never thought that it's on a separate "Filter" tab, I thought it should be under "Security"... =)
All times are GMT -7.