| BlueHacker | 02-21-2009 02:25 AM |
اقوي و احدث رولز لـ mode security
السلام عليكم ورحمة الله وبركاتة
الان موعدنا مع رولز قويه و ممتازه من وجهه نظري المتواضعه ...
يمكنك استخدامها اي كانت مواصفات سيرفرك ...
تحميك من الشل و الكثير من الاشياء اكتشفها بنفسك ...
طريقة التركيب :
انصح بتركيب المود سيكيورتي المدمج مع الاباتشي من علي سيرفرك .
افتح الشل و قم بكتابه الامر التالي :
كود:
nano /usr/local/apache/conf/modsec2.user.conf
اذا كان بداخله اي محتويات قم بحذفها و انسخ التالي :
كود:
#fake server banner - NOYB used - no one needs to know what we are using
SecServerSignature "Modevps.com Security Apache"
# Check *******-Length and reject all non numeric ones
SecRule REQUEST_HEADERS:*******-Length "!^\d+$" "deny,log,auditlog,msg:'*******-Length HTTP header is not numeric', severity:'2',id:'960016'"
# Do not accept GET or HEAD requests with bodies
SecRule REQUEST_METHOD "^(GET|HEAD)$" "chain,deny,log,auditlog,msg:'GET or HEAD requests with bodies', severity:'2',id:'960011'"
SecRule REQUEST_HEADERS:*******-Length "!^0?$"
# Require *******-Length to be provided with every POST request.
SecRule REQUEST_METHOD "^POST$" "chain,deny,log,auditlog,msg:'POST request must have a *******-Length header',id:'960012',severity:'4'"
SecRule &REQUEST_HEADERS:*******-Length "@eq 0"
# Don't accept transfer encodings we know we don't know how to handle
SecRule HTTP_Transfer-Encoding "!^$" "deny,log,auditlog,msg:'ModSecurity does not support transfer encodings',id:'960013',severity:'5'"
# Check decodings
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "@validateUrlEncoding"
"chain, deny,log,auditlog,msg:'URL Encoding Abuse Attack Attempt',id:'950107',severity:'4'"
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "\%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})"
# allow request methods
SecRule REQUEST_METHOD "!^((?:(?:POS|GE)T|OPTIONS|HEAD))$"
"phase:1,log,auditlog,msg:'Method is not allowed by policy', severity:'2',id:'960032'"
# Restricted HTTP headers
SecRule REQUEST_HEADERS_NAMES "\.(?:Lock-Token|Translate|If)$"
"deny,log,auditlog,msg:'HTTP header is restricted by policy',id:'960038',severity:'4'"
# Session fixation
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "(?:\.معهد الحمايه العربىمعهد الحمايه العربىمعهد الحمايه العربىمعهد الحمايه العربىمعهد الحمايه العربىe\b.*?;\W*?(?:expires|domain)\W*?=|\b***********\W+set-معهد الحمايه العربىمعهد الحمايه العربىمعهد الحمايه العربىمعهد الحمايه العربىمعهد الحمايه العربىe\b)"
"capture,ctl:auditLogParts=+E,log,auditlog,msg:'Session Fixation. Matched signature <%{TX.0}>',id:'950009',severity:'2'"
# Basic rules with arbitrary command detection
SecRule REQUEST_URI "\.htgroup"
SecRule REQUEST_URI "\.htaccess"
SecRule REQUEST_URI "cd\.\."
SecRule REQUEST_URI "///cgi-bin"
SecRule REQUEST_URI "/cgi-bin///"
SecRule REQUEST_URI "/~root"
SecRule REQUEST_URI "/~ftp"
SecRule REQUEST_URI "/htgrep" chain
SecRule REQUEST_URI "/\.history"
SecRule REQUEST_URI "/\.bash_history"
SecRule REQUEST_URI "/~nobody"
SecRule REQUEST_URI "<script"
SecRule REQUEST_URI "psybnc"
SecRule REQUEST_URI "cmd=cd\x20/var"
SecRule REQUEST_URI "dir=http"
SecRule REQUEST_URI "\?STRENGUR"
SecRule REQUEST_URI "/etc/motd"
SecRule REQUEST_URI "/etc/passwd"
SecRule REQUEST_URI "conf/httpd\.conf"
SecRule REQUEST_URI "/bin/ps"
SecRule REQUEST_URI "bin/tclsh"
SecRule REQUEST_URI "tclsh8\x20"
SecRule REQUEST_URI "udp\.pl"
SecRule REQUEST_URI "linuxdaybot\.txt"
SecRule REQUEST_URI "wget\x20"
SecRule REQUEST_URI "bin/nasm"
SecRule REQUEST_URI "nasm\x20"
SecRule REQUEST_URI "/usr/bin/perl"
SecRule REQUEST_URI "links -dump "
SecRule REQUEST_URI "links -dump-(charset|width) "
SecRule REQUEST_URI "links (http|https|ftp)\:/"
SecRule REQUEST_URI "links -source "
SecRule REQUEST_URI "cd\x20/(tmp|var/tmp|etc/httpd/proxy|dev/shm)"
SecRule REQUEST_URI "cd\.\."
SecRule REQUEST_URI "///cgi-bin"
SecRule REQUEST_URI "/cgi-bin///"
SecRule REQUEST_URI "/~named(/| HTTP\/(0\.9|1\.0|1\.1)$)"
SecRule REQUEST_URI "/~guest(/| HTTP\/(0\.9|1\.0|1\.1)$)"
SecRule REQUEST_URI "/~logs(/| HTTP\/(0\.9|1\.0|1\.1)$)"
SecRule REQUEST_URI "/~sshd(/| HTTP\/(0\.9|1\.0|1\.1)$)"
SecRule REQUEST_URI "/~ftp(/| HTTP\/(0\.9|1\.0|1\.1)$)"
SecRule REQUEST_URI "/~bin(/| HTTP\/(0\.9|1\.0|1\.1)$)"
SecRule REQUEST_URI "/~nobody(/| HTTP\/(0\.9|1\.0|1\.1)$)"
SecRule REQUEST_URI "/\.history HTTP\/(0\.9|1\.0|1\.1)$"
SecRule REQUEST_URI "/\.bash_history HTTP\/(0\.9|1\.0|1\.1)$"
SecRule REQUEST_URI "lynx "
SecRule REQUEST_URI "Fhome"
SecRule REQUEST_URI "cvs"
SecRule REQUEST_URI "\.php\?phpinfo"
SecRule REQUEST_URI "\.php\?phpini"
SecRule REQUEST_URI "\.php\?mem"
SecRule REQUEST_URI "\.php\?cpu"
SecRule REQUEST_URI "\.php\?users"
SecRule REQUEST_URI "\.php\?tmp"
SecRule REQUEST_URI "\.php\?delete"
SecRule REQUEST_URI "curl "
SecRule REQUEST_URI "echo "
SecRule REQUEST_URI "links -dump-width "
SecRule REQUEST_URI "links http:// "
SecRule REQUEST_URI "links ftp:// "
SecRule REQUEST_URI "links -source "
SecRule REQUEST_URI "cd /tmp "
SecRule REQUEST_URI "cd /var/tmp "
SecRule REQUEST_URI "cd /etc/httpd/proxy "
SecRule REQUEST_URI "&highlight=%2527%252E "
SecRule REQUEST_URI "changedir=%2Ftmp%2F.php "
SecRule REQUEST_URI "arta\.zip "
SecRule REQUEST_URI "cmd=cd\x20/var "
SecRule REQUEST_URI "HCL_path=http "
SecRule REQUEST_URI "clamav-partial "
SecRule REQUEST_URI "vi\.recover "
SecRule REQUEST_URI "netenberg "
SecRule REQUEST_URI "psybnc "
SecRule REQUEST_URI "fantastico_de_luxe "
SecRule REQUEST_URI "2Fpublic_html&"
SecRule REQUEST_URI ".htaccess"
SecRule REQUEST_URI "c99sh_datapipe.pl"
SecRule REQUEST_URI "listDBs"
SecRule REQUEST_URI "%2home%2"
SecRule REQUEST_URI "%2home%"
SecRule REQUEST_URI "%home%"
SecRule REQUEST_URI "%home"
SecRule REQUEST_URI "home%"
SecRule REQUEST_URI "%2Fhome%2"
SecRule REQUEST_URI "%2Fhome%"
SecRule REQUEST_URI "%Fhome%"
SecRule REQUEST_URI "%Fhome"
SecRule REQUEST_URI "Fhome%"
SecRule REQUEST_URI "2Fpublic_html&"
SecRule REQUEST_URI "/etc/"
SecRule REQUEST_URI "sqlman"
SecRule REQUEST_URI "act=security"
SecRule REQUEST_URI "act=cmd"
SecRule REQUEST_URI "act=chmod"
SecRule REQUEST_URI "act=ls&d="
SecRule REQUEST_URI "act=f&f="
SecRule REQUEST_URI "act=sql"
SecRule REQUEST_URI "Bcc:"
SecRule REQUEST_URI "Bcc:\x20"
SecRule REQUEST_URI "cc:"
SecRule REQUEST_URI "cc:\x20"
SecRule REQUEST_URI "bcc:"
SecRule REQUEST_URI "bcc:\x20"
SecRule REQUEST_URI "bcc: "
SecRule REQUEST_URI "cd "
#SecRule REQUEST_URI "id "
# Miscellaneous malicious requests
# These rules can be very effective, however "general" rules such as the following
# have issues with false positives in some environments. Comment out as needed.
#XSS attempts for STYLE, VBSCRIPT, JAVASCRIPT, EXPRESSION, and XML
SecRule REQUEST_URI "\<IMG.*/\bonerror\b[\s]*=/Ri"
SecRule REQUEST_URI "TYPE\s*=\s*[\'\"]text\/javascript/i"
SecRule REQUEST_URI "TYPE\s*=\s*[\'\"]application\/x-javascript/i"
SecRule REQUEST_URI "TYPE\s*=\s*[\'\"]text\/jscript/i"
SecRule REQUEST_URI "TYPE\s*=\s*[\'\"]text\/vbscript/i"
SecRule REQUEST_URI "TYPE\s*=\s*[\'\"]application\/x-vbscript/i"
SecRule REQUEST_URI "TYPE\s*=\s*[\'\"]text\/ecmascript/i"
SecRule REQUEST_URI "STYLE[\s]*=[\s]*[^>]expression[\s]*\(/i"
SecRule REQUEST_URI "[\s]*expression[\s]*\([^}]}[\s]*<\/STYLE>/i"
SecRule REQUEST_URI "<!\[CDATA\[<\]\]>SCRIPT"
# For deny Shells opening
SecRule REQUEST_FILENAME "/(r57shell|TrYaG|TrYg|m0rtix|r0nin|c99shell|phpshell|sa3ekashell|crackit|c777|void\.ru|phpremoteview|directmail|bash_history|\.ru/|brute|c991)\.php"
SecRule REQUEST_FILENAME "\.pl"
SecRule REQUEST_FILENAME "perl .*\.pl(\s|\t)*\;"
SecRule REQUEST_FILENAME "\;(\s|\t)*perl .*\.pl"
SecRule RESPONSE_BODY "TrYaG"
SecRule RESPONSE_BODY "shell"
SecRule RESPONSE_BODY "Sniper"
SecRule RESPONSE_BODY "SnIpEr_SA"
SecRule RESPONSE_BODY "c99"
بعد الانتهاء اضغط ctrl +x ثم y ثم enter
بعدها قم بتنفيذ الامر التالي :
|
