BlueHacker | 02-21-2009 02:25 AM | اقوي و احدث رولز لـ mode security السلام عليكم ورحمة الله وبركاتة
الان موعدنا مع رولز قويه و ممتازه من وجهه نظري المتواضعه ...
يمكنك استخدامها اي كانت مواصفات سيرفرك ...
تحميك من الشل و الكثير من الاشياء اكتشفها بنفسك ...
طريقة التركيب :
انصح بتركيب المود سيكيورتي المدمج مع الاباتشي من علي سيرفرك .
افتح الشل و قم بكتابه الامر التالي : كود:
nano /usr/local/apache/conf/modsec2.user.conf اذا كان بداخله اي محتويات قم بحذفها و انسخ التالي : كود:
#fake server banner - NOYB used - no one needs to know what we are using SecServerSignature "Modevps.com Security Apache" # Check *******-Length and reject all non numeric ones SecRule REQUEST_HEADERS:*******-Length "!^\d+$" "deny,log,auditlog,msg:'*******-Length HTTP header is not numeric', severity:'2',id:'960016'" # Do not accept GET or HEAD requests with bodies SecRule REQUEST_METHOD "^(GET|HEAD)$" "chain,deny,log,auditlog,msg:'GET or HEAD requests with bodies', severity:'2',id:'960011'" SecRule REQUEST_HEADERS:*******-Length "!^0?$" # Require *******-Length to be provided with every POST request. SecRule REQUEST_METHOD "^POST$" "chain,deny,log,auditlog,msg:'POST request must have a *******-Length header',id:'960012',severity:'4'" SecRule &REQUEST_HEADERS:*******-Length "@eq 0" # Don't accept transfer encodings we know we don't know how to handle SecRule HTTP_Transfer-Encoding "!^$" "deny,log,auditlog,msg:'ModSecurity does not support transfer encodings',id:'960013',severity:'5'" # Check decodings SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "@validateUrlEncoding"
"chain, deny,log,auditlog,msg:'URL Encoding Abuse Attack Attempt',id:'950107',severity:'4'" SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "\%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" # allow request methods SecRule REQUEST_METHOD "!^((?:(?:POS|GE)T|OPTIONS|HEAD))$"
"phase:1,log,auditlog,msg:'Method is not allowed by policy', severity:'2',id:'960032'" # Restricted HTTP headers SecRule REQUEST_HEADERS_NAMES "\.(?:Lock-Token|Translate|If)$"
"deny,log,auditlog,msg:'HTTP header is restricted by policy',id:'960038',severity:'4'" # Session fixation SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "(?:\.معهد الحمايه العربىمعهد الحمايه العربىمعهد الحمايه العربىمعهد الحمايه العربىمعهد الحمايه العربىe\b.*?;\W*?(?:expires|domain)\W*?=|\b***********\W+set-معهد الحمايه العربىمعهد الحمايه العربىمعهد الحمايه العربىمعهد الحمايه العربىمعهد الحمايه العربىe\b)"
"capture,ctl:auditLogParts=+E,log,auditlog,msg:'Session Fixation. Matched signature <%{TX.0}>',id:'950009',severity:'2'" # Basic rules with arbitrary command detection SecRule REQUEST_URI "\.htgroup" SecRule REQUEST_URI "\.htaccess" SecRule REQUEST_URI "cd\.\." SecRule REQUEST_URI "///cgi-bin" SecRule REQUEST_URI "/cgi-bin///" SecRule REQUEST_URI "/~root" SecRule REQUEST_URI "/~ftp" SecRule REQUEST_URI "/htgrep" chain
SecRule REQUEST_URI "/\.history" SecRule REQUEST_URI "/\.bash_history" SecRule REQUEST_URI "/~nobody" SecRule REQUEST_URI "<script" SecRule REQUEST_URI "psybnc" SecRule REQUEST_URI "cmd=cd\x20/var" SecRule REQUEST_URI "dir=http" SecRule REQUEST_URI "\?STRENGUR" SecRule REQUEST_URI "/etc/motd" SecRule REQUEST_URI "/etc/passwd" SecRule REQUEST_URI "conf/httpd\.conf" SecRule REQUEST_URI "/bin/ps" SecRule REQUEST_URI "bin/tclsh" SecRule REQUEST_URI "tclsh8\x20" SecRule REQUEST_URI "udp\.pl" SecRule REQUEST_URI "linuxdaybot\.txt" SecRule REQUEST_URI "wget\x20" SecRule REQUEST_URI "bin/nasm" SecRule REQUEST_URI "nasm\x20" SecRule REQUEST_URI "/usr/bin/perl" SecRule REQUEST_URI "links -dump " SecRule REQUEST_URI "links -dump-(charset|width) " SecRule REQUEST_URI "links (http|https|ftp)\:/" SecRule REQUEST_URI "links -source " SecRule REQUEST_URI "cd\x20/(tmp|var/tmp|etc/httpd/proxy|dev/shm)" SecRule REQUEST_URI "cd\.\." SecRule REQUEST_URI "///cgi-bin" SecRule REQUEST_URI "/cgi-bin///" SecRule REQUEST_URI "/~named(/| HTTP\/(0\.9|1\.0|1\.1)$)" SecRule REQUEST_URI "/~guest(/| HTTP\/(0\.9|1\.0|1\.1)$)" SecRule REQUEST_URI "/~logs(/| HTTP\/(0\.9|1\.0|1\.1)$)" SecRule REQUEST_URI "/~sshd(/| HTTP\/(0\.9|1\.0|1\.1)$)" SecRule REQUEST_URI "/~ftp(/| HTTP\/(0\.9|1\.0|1\.1)$)" SecRule REQUEST_URI "/~bin(/| HTTP\/(0\.9|1\.0|1\.1)$)" SecRule REQUEST_URI "/~nobody(/| HTTP\/(0\.9|1\.0|1\.1)$)" SecRule REQUEST_URI "/\.history HTTP\/(0\.9|1\.0|1\.1)$" SecRule REQUEST_URI "/\.bash_history HTTP\/(0\.9|1\.0|1\.1)$" SecRule REQUEST_URI "lynx " SecRule REQUEST_URI "Fhome" SecRule REQUEST_URI "cvs" SecRule REQUEST_URI "\.php\?phpinfo" SecRule REQUEST_URI "\.php\?phpini" SecRule REQUEST_URI "\.php\?mem" SecRule REQUEST_URI "\.php\?cpu" SecRule REQUEST_URI "\.php\?users" SecRule REQUEST_URI "\.php\?tmp" SecRule REQUEST_URI "\.php\?delete" SecRule REQUEST_URI "curl " SecRule REQUEST_URI "echo " SecRule REQUEST_URI "links -dump-width " SecRule REQUEST_URI "links http:// " SecRule REQUEST_URI "links ftp:// " SecRule REQUEST_URI "links -source " SecRule REQUEST_URI "cd /tmp " SecRule REQUEST_URI "cd /var/tmp " SecRule REQUEST_URI "cd /etc/httpd/proxy " SecRule REQUEST_URI "&highlight=%2527%252E " SecRule REQUEST_URI "changedir=%2Ftmp%2F.php " SecRule REQUEST_URI "arta\.zip " SecRule REQUEST_URI "cmd=cd\x20/var " SecRule REQUEST_URI "HCL_path=http " SecRule REQUEST_URI "clamav-partial " SecRule REQUEST_URI "vi\.recover " SecRule REQUEST_URI "netenberg " SecRule REQUEST_URI "psybnc " SecRule REQUEST_URI "fantastico_de_luxe " SecRule REQUEST_URI "2Fpublic_html&" SecRule REQUEST_URI ".htaccess" SecRule REQUEST_URI "c99sh_datapipe.pl" SecRule REQUEST_URI "listDBs" SecRule REQUEST_URI "%2home%2" SecRule REQUEST_URI "%2home%" SecRule REQUEST_URI "%home%" SecRule REQUEST_URI "%home" SecRule REQUEST_URI "home%" SecRule REQUEST_URI "%2Fhome%2" SecRule REQUEST_URI "%2Fhome%" SecRule REQUEST_URI "%Fhome%" SecRule REQUEST_URI "%Fhome" SecRule REQUEST_URI "Fhome%" SecRule REQUEST_URI "2Fpublic_html&" SecRule REQUEST_URI "/etc/" SecRule REQUEST_URI "sqlman" SecRule REQUEST_URI "act=security" SecRule REQUEST_URI "act=cmd" SecRule REQUEST_URI "act=chmod" SecRule REQUEST_URI "act=ls&d=" SecRule REQUEST_URI "act=f&f=" SecRule REQUEST_URI "act=sql" SecRule REQUEST_URI "Bcc:" SecRule REQUEST_URI "Bcc:\x20" SecRule REQUEST_URI "cc:" SecRule REQUEST_URI "cc:\x20" SecRule REQUEST_URI "bcc:" SecRule REQUEST_URI "bcc:\x20" SecRule REQUEST_URI "bcc: " SecRule REQUEST_URI "cd " #SecRule REQUEST_URI "id "
# Miscellaneous malicious requests
# These rules can be very effective, however "general" rules such as the following
# have issues with false positives in some environments. Comment out as needed.
#XSS attempts for STYLE, VBSCRIPT, JAVASCRIPT, EXPRESSION, and XML SecRule REQUEST_URI "\<IMG.*/\bonerror\b[\s]*=/Ri" SecRule REQUEST_URI "TYPE\s*=\s*[\'\"]text\/javascript/i" SecRule REQUEST_URI "TYPE\s*=\s*[\'\"]application\/x-javascript/i" SecRule REQUEST_URI "TYPE\s*=\s*[\'\"]text\/jscript/i" SecRule REQUEST_URI "TYPE\s*=\s*[\'\"]text\/vbscript/i" SecRule REQUEST_URI "TYPE\s*=\s*[\'\"]application\/x-vbscript/i" SecRule REQUEST_URI "TYPE\s*=\s*[\'\"]text\/ecmascript/i" SecRule REQUEST_URI "STYLE[\s]*=[\s]*[^>]expression[\s]*\(/i" SecRule REQUEST_URI "[\s]*expression[\s]*\([^}]}[\s]*<\/STYLE>/i" SecRule REQUEST_URI "<!\[CDATA\[<\]\]>SCRIPT" # For deny Shells opening SecRule REQUEST_FILENAME "/(r57shell|TrYaG|TrYg|m0rtix|r0nin|c99shell|phpshell|sa3ekashell|crackit|c777|void\.ru|phpremoteview|directmail|bash_history|\.ru/|brute|c991)\.php" SecRule REQUEST_FILENAME "\.pl" SecRule REQUEST_FILENAME "perl .*\.pl(\s|\t)*\;" SecRule REQUEST_FILENAME "\;(\s|\t)*perl .*\.pl" SecRule RESPONSE_BODY "TrYaG" SecRule RESPONSE_BODY "shell" SecRule RESPONSE_BODY "Sniper" SecRule RESPONSE_BODY "SnIpEr_SA" SecRule RESPONSE_BODY "c99" بعد الانتهاء اضغط ctrl +x ثم y ثم enter
بعدها قم بتنفيذ الامر التالي : |