[Owasp-modsecurity-core-rule-set] proxy

Aniyan Rajan aniyan.rajan6 at gmail.com
Fri Jul 11 06:37:55 UTC 2014


On 07/11/2014 11:38 AM, Mr XYZ 123 wrote:
> If you have small website / static website of few web pages, then you 
> can secure that without mod_security also.
> In small websites attacker aims at admin panel.. or database.
>
> So you can restrict its admin panel login with htaccess to your office 
> IP only..
> , redirect 403 to 404 error, etc
>
> because mod_security is using thousands of rules..

Yes, I have a small website in a VPS. I am not using an admin panel like 
cPanel. I use ssh with sshkeys from my office.

> but if still you want to use mod_security
>
> you can try sample of rules which I've used for small purpose drupal 
> based website
>
> [root@xyz.abc ]# cat /etc/httpd/modsecurity.d/security.conf
>
> ##Custom Rules
> <IfModule mod_security2.c>
> SecRuleEngine On
> SecTmpDir /tmp
> SecDataDir /tmp
> SecAuditLog /var/log/httpd/modsec_audit_log
>
> #Showing Custom Server Name
> SecServerSignature "Microsoft-IIS/5.0"
>
> #Allowing following objects
> SecRule REQUEST_BASENAME "\.(jpg|gif|png|js|otf|woff|ttf|ico|css)$" id:1,phase:1,nolog,allow,ctl:ruleEngine=off
>
> #Blocking Basic XSS attempt in url
> SecRule REQUEST_URI|ARGS|REQUEST_BODY "script%3E" "id:3,phase:1,log,deny,msg:'Script Tag XSS',status:404"
> SecRule REQUEST_URI|ARGS|REQUEST_BODY "%73%63%72%69%70%74%3e" "id:5,phase:1,log,deny,msg:'Script Tag XSS',status:404"
>
> #Blocking Basic SQL Injection Attempt
> SecRule REQUEST_URI "'" "id:6,phase:1,log,deny,msg:'Sql injection attempt',status:404"
> SecRule REQUEST_URI "%27" "id:7,phase:1,log,deny,msg:'Sql injection attempt',status:404"
> SecRule REQUEST_URI "sleep" "id:8,phase:1,log,deny,msg:'Sql injection attempt',status:404"
>
> </IfModule>
>
>
> And also mod_security will restrict user with 403/404.. as same in 
> your logs.. script kiddie is already facing error with 404.. so I 
> think mod_security implementation is not necessary for this little issue.

I had a domain which was spammed long ago. I was using fail2ban and 
modsecurity together to catch the attacker. Like if the modsecurity 
gives a 403 three times, then I will ban that IP using fail2ban.

Now, this is my new domain and a new VPS. So as per your opinion, do you 
want me to ignore these http requests as using modsecurity will also 
give a 403/404 ?

Thanks.
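
The fail2ban approach described in the message above (ban an IP once ModSecurity has answered it with a 403 three times), sketched as an added example that is not part of the original thread. It assumes Apache combined-format access logs in chronological order; the function name, the 10-minute window and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common/combined log prefix: client IP, [timestamp], "request", status.
# The request pattern tolerates the \" escapes Apache writes inside quotes.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?:[^"\\]|\\.)*" (?P<status>\d{3}) '
)

def ips_to_ban(lines, max_retry=3, find_time=timedelta(minutes=10)):
    """Return {ip: timestamp of the 403 that reached max_retry within find_time}."""
    recent = defaultdict(deque)  # ip -> timestamps of 403s still inside the window
    banned = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("status") != "403" or m.group("ip") in banned:
            continue  # unparsable line, not a denial, or already banned
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[m.group("ip")]
        hits.append(ts)
        while ts - hits[0] > find_time:  # drop denials older than the window
            hits.popleft()
        if len(hits) >= max_retry:
            banned[m.group("ip")] = ts
    return banned

# Constructed sample log (documentation address ranges), in time order.
SAMPLE_LOG = [
    '192.0.2.55 - - [11/Jul/2014:06:00:00 +0000] "GET /admin HTTP/1.1" 403 212',
    '203.0.113.7 - - [11/Jul/2014:06:00:01 +0000] "GET /?q=script%3E HTTP/1.1" 403 212',
    '203.0.113.7 - - [11/Jul/2014:06:00:05 +0000] "GET /?id=1%27 HTTP/1.1" 403 212',
    '198.51.100.20 - - [11/Jul/2014:06:00:06 +0000] "GET /admin HTTP/1.1" 403 212',
    '203.0.113.7 - - [11/Jul/2014:06:00:09 +0000] "GET /?id=sleep HTTP/1.1" 403 212',
    '198.51.100.20 - - [11/Jul/2014:06:01:00 +0000] "GET /admin HTTP/1.1" 403 212',
    '198.51.100.20 - - [11/Jul/2014:06:01:30 +0000] "GET / HTTP/1.1" 200 5120',
    '192.0.2.55 - - [11/Jul/2014:06:05:00 +0000] "GET /admin HTTP/1.1" 403 212',
    '192.0.2.55 - - [11/Jul/2014:06:20:00 +0000] "GET /admin HTTP/1.1" 403 212',
]

if __name__ == "__main__":
    for ip, when in ips_to_ban(SAMPLE_LOG).items():
        print(f"ban {ip} (third 403 at {when.isoformat()})")
```

Only 203.0.113.7 is banned: 198.51.100.20 stops at two denials, and the three denials from 192.0.2.55 never fall inside one 10-minute window.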