Security
Advice: cPanel, Plesk, DirectAdmin, Confixx
Did you get one of our VPS or dedicated servers from our SPECIALS section? Please note that we will also install basic security patches and a firewall such as APF or CSF for you on these servers. If we have not yet, just ask us. It is a free service.
We
highly suggest to audit your system for
any installations of phpBB, PHPNuke, osTicket,
My_eGallery, mambo, ModernBill, awstats, phpAd,
and any other popular PHP applications you might
be running and ensure they are at their most
current versions. This is something we can not
do for you.
We
strongly suggest to install either the "CSF"
or the "APF" firewall on your VPS or dedicated server. Do NOT install both firewalls! Please note that there are SPECIAL settings required for installation on VPS servers! Please do consult us BEFORE installing either script on a VPS you have with us (we can also install it for you, free of charge). We also advice to install "Mod_Security"
on your server.
CSF — download and install
info: http://www.configserver.com/cp/csf.html
CSF comes with a nice web interface for cPanel or DirectAdmin.
APF — download and install
info: http://www.rfxn.com/projects/advanced-policy-firewall/
APF does not have a Web interface. But if you run a cPanel server, try this free script which does provide exactly that: http://scriptmantra.info/apf_interface.html
We do suggest to also install BFD (Brute Force Detection) when installing APF. BFD works together with APF. You can download it here: http://www.rfxn.com/projects/brute-force-detection/
Mod_Security — download
and install info: http://eth0.us/mod_security
However, if you have a cPanel VPS or
dedicated server, just compile "mod_security" into PHP using /scripts/easyapache.
(A) If your dedicated server or VPS runs Apache 2.x, use this install method to get the latest rule set:
1. Run /scripts/easyapache and follow the on screen menu to enable the mod_security module within
Apache 2.x. (This installs mod_security 2.5.5 which is required for this ruleset)
2. As root, run "wget -O /root/install_modsec_rules http://403security.org/modsec/install_modsec_rules"
3. As root, run "sh /root/install_modsec_rules" and follow the on screen instructions.
(B) However, if you still run Apache 1.9, use the older rule set below. Go to "Add-ons"
in main menu -> "Mod Security"
-> click on "Edit Config" (near
top), then replace the entire content (the default
settings) with the content below — this
will guarantee the best possible protection
against root intruders using PHP scripts. Restart
Apache after such edit.
#These
rules work with mod_security 1.9.x and above
only
# This is a rule template, with limited
application specific matches
# To prevent functionality loss
# Updated 5/15/2009
# Tested to work with apache1 and apache2
#
# BEGIN RULES
#
# Basic rules with arbitrary command detection
SecFilterSelective THE_REQUEST "\.htgroup"
SecFilterSelective THE_REQUEST "\.htaccess"
SecFilterSelective THE_REQUEST "cd\.\."
SecFilterSelective THE_REQUEST "///cgi-bin"
SecFilterSelective THE_REQUEST "/cgi-bin///"
SecFilterSelective THE_REQUEST "/~root"
SecFilterSelective THE_REQUEST "/~ftp"
SecFilterSelective THE_REQUEST "/htgrep"
chain
SecFilterSelective THE_REQUEST "/htgrep"
log,pass
SecFilterSelective THE_REQUEST "/\.history"
SecFilterSelective THE_REQUEST "/\.bash_history"
SecFilterSelective THE_REQUEST "/~nobody"
SecFilterSelective THE_REQUEST "<script"
SecFilterSelective THE_REQUEST "psybnc"
SecFilterSelective THE_REQUEST "cmd=cd\x20/var"
SecFilterSelective THE_REQUEST "\?STRENGUR"
SecFilterSelective THE_REQUEST "/etc/motd"
SecFilterSelective THE_REQUEST "/etc/passwd"
SecFilterSelective THE_REQUEST "conf/httpd\.conf"
SecFilterSelective THE_REQUEST "/bin/ps"
SecFilterSelective THE_REQUEST "bin/tclsh"
SecFilterSelective THE_REQUEST "tclsh8\x20"
SecFilterSelective THE_REQUEST "chsh"
SecFilterSelective THE_REQUEST "udp\.pl"
SecFilterSelective THE_REQUEST "wget\x20"
SecFilterSelective THE_REQUEST "bin/nasm"
SecFilterSelective THE_REQUEST "nasm\x20"
SecFilterSelective THE_REQUEST "/usr/bin/perl"
SecFilterSelective THE_REQUEST "links
-dump "
SecFilterSelective THE_REQUEST "links
-dump-(charset|width) "
SecFilterSelective THE_REQUEST "links
(http|https|ftp)\:/"
SecFilterSelective THE_REQUEST "links
-source "
SecFilterSelective THE_REQUEST "cd\x20/(tmp|var/tmp|etc/httpd/proxy|dev/shm)"
SecFilterSelective THE_REQUEST "cd\.\."
SecFilterSelective THE_REQUEST "///cgi-bin"
SecFilterSelective THE_REQUEST "/cgi-bin///"
SecFilterSelective THE_REQUEST "/~named(/|
HTTP\/(0\.9|1\.0|1\.1)$)"
SecFilterSelective THE_REQUEST "/~guest(/|
HTTP\/(0\.9|1\.0|1\.1)$)"
SecFilterSelective THE_REQUEST "/~logs(/|
HTTP\/(0\.9|1\.0|1\.1)$)"
SecFilterSelective THE_REQUEST "/~sshd(/|
HTTP\/(0\.9|1\.0|1\.1)$)"
SecFilterSelective THE_REQUEST "/~ftp(/|
HTTP\/(0\.9|1\.0|1\.1)$)"
SecFilterSelective THE_REQUEST "/~bin(/|
HTTP\/(0\.9|1\.0|1\.1)$)"
SecFilterSelective THE_REQUEST "/~nobody(/|
HTTP\/(0\.9|1\.0|1\.1)$)"
SecFilterSelective THE_REQUEST "/\.history
HTTP\/(0\.9|1\.0|1\.1)$"
SecFilterSelective THE_REQUEST "/\.bash_history
HTTP\/(0\.9|1\.0|1\.1)$"
SecFilter "(cmd|command)=(cd|\;|perl|python|lynx|links|mkdir|elinks|cmd|wget|uname|(s|r)(cp|sh)|net(stat|cat)|rexec|smbclient|curl)"
SecFilterSelective REQUEST_URI "/nessus_is_probing_you_"
SecFilterSelective REQUEST_URI "/NessusTest"
SecFilter "javascript\://"
SecFilter "img src=javascript"
SecFilter "_PHPLIB\[libdir\]"
SecFilter "hdr=/"
#Require Content-Length to be provided with
every POST request
SecFilterSelective REQUEST_METHOD "^POST$"
chain
SecFilterSelective HTTP_Content-Length "^$"
SecFilterSelective HTTP_Transfer-Encoding
"!^$"
#Specific XML-RPC attacks on xmlrpc.php
SecFilterSelective THE_REQUEST "(/xmlrpc|.*xmlrpc_services)\.php"
chain
SecFilter "(\<xml|\<.*xml)"
chain
SecFilter "(echo( |\(|\').*\;|chr|fwrite|fopen|system)\(.*\)\;"
#XML-RPC SQL injection generic signature
SecFilterSelective THE_REQUEST "(/xmlrpc|.*xmlrpc_services)\.php"
chain
SecFilter "<methodName>.*</methodName>.*<value><string>.*(delete|insert|drop|replace|update|create)[[:space:]]+[A-Z|a-z|0-9|\*|
|,]+[[:space:]](from|into|table).*methodName\>"
#Exploit phpBB Highlighting Code Execution/SQL
Injection - Santy.A Worm
SecFilter "&highlight=\'\.fwrite\(fopen\("
SecFilter "&highlight=\x2527\x252Esystem\("
SecFilter "&highlight=\'\.mysql_query\("
SecFilterSelective THE_REQUEST "/quick-reply\.php"
chain
SecFilterSelective THE_REQUEST "(\;|\&)highlight=\'\.system\("
SecFilterSelective THE_REQUEST "&highlight=\'\.mysql_query\("
SecFilterSelective THE_REQUEST "&highlight=\'\.fwrite\(fopen\("
SecFilterSelective THE_REQUEST "&highlight=%2527%252E"
SecFilterSelective THE_REQUEST "&highlight=\x2527\x252Esystem\("
SecFilterSelective THE_REQUEST "/viewtopic\.php\?.*(highlight.*(\'\.|\x2527|\x27)|include\(.*GET\[.*\]\)|=(http|https|ftp)\:/|(printf|system)\()"
#phpBB remote command execution exploit
SecFilterSelective REQUEST_URI "profile\.php\?GLOBALS\[signature_bbcode_uid\]=\(\.\x2B\)/e\x00"
SecFilterSelective REQUEST_URI|POST_PAYLOAD
"r57phpBB2017xpl"
SecFilterSelective POST_PAYLOAD "_bill_gates@microsoft\.com"
SecFilterSelective THE_REQUEST "/admin/admin_forums\.php\?sid=.*"
chain
SecFilter "(forumname|forumdesc)=*\<[[:space:]]*(script|about|applet|activex|chrome)"
SecFilterSelective REQUEST_URI "/posting\.php\?mode=reply\&t=.*userid.*phpbb2mysql_t=(<[[:space:]]*script|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/posting\.php\\?.*(<[[:space:]]*script|(http|https|ftp)\:/)"
SecFilterSelective THE_REQUEST "changedir=%2Ftmp%2F.php"
SecFilter "^/viewtopic\.php\?"
chain
SecFilter "chr\(([0-9]{1,3})\)"
SecFilterSelective THE_REQUEST "viewtopic\.php"
chain
SecFilterSelective "THE_REQUEST|ARG_VALUES"
"(passthru|cmd|fopen|exit|fwrite)"
SecFilter "phpbb_root_path="
SecFilterSelective THE_REQUEST "/calendar_scheduler\.php\?start=(<[[:space:]]*script|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/groupcp\.php\?g=.*sid=\'"
SecFilterSelective REQUEST_URI "/index\.php\?(c|mark)=*\'"
SecFilterSelective REQUEST_URI "/portal\.php\?article=*\'"
SecFilterSelective REQUEST_URI "/viewforum.php?f=.*sid=\'"
SecFilterSelective REQUEST_URI "/viewtopic.php?p=.*sid=\'"
SecFilterSelective REQUEST_URI "/album_search\.php\?mode=\'"
SecFilterSelective REQUEST_URI "/album_cat\.php\?cat_id=.*sid=\'"
SecFilterSelective REQUEST_URI "/album_comment\.php\?pic_id=.*sid=\'"
SecFilterSelective REQUEST_URI "calendar_scheduler\.php\?d=.*&mode=&start=\'\">"
SecFilterSelective REQUEST_URI "/profile\.php\?mode=viewprofile&u=.*((script|script|about|applet|activex|chrome)\>|html|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/viewtopic\.php\?p=.*&highlight=.*((script|script|about|applet|activex|chrome)\>|html|(http|https|ftp)\:/)"
#awstats XSS vulnerabilities
SecFilterSelective THE_REQUEST "awstats"
chain
SecFilterSelective ARGS "(pluginmode|loadplugin|debug|configdir|perl|cgi|chmod|exec|print)"
SecFilterSelective REQUEST_URI "/awstats\.pl\?(configdir|update|pluginmode|cgi)=(\||echo|\:system\()"
SecFilterSelective REQUEST_URI "/awstats\.pl\?(debug=1|pluginmode=rawlog\&loadplugin=rawlog|update=1\&logfile=\|)"
SecFilterSelective REQUEST_URI "/awstats\.pl\?[^\r\n]*logfile=\|"
SecFilterSelective REQUEST_URI "/awstats\.pl\?configdir="
SecFilterSelective REQUEST_URI "awstats\.pl\?"
chain
SecFilterSelective ARGS "(debug|configdir|perl|chmod|exec|print|cgi)"
|
Another useful set of small and easy to install
security and admin scripts—for cPanel
servers only, can be found at: http://cplicensing.net/scripts.php
|
