On 07/11/2014 11:38 AM, Mr XYZ 123 wrote:
If you have a small website / static website of a few web pages, then you can secure that without mod_security also.
In small websites the attacker aims at the admin panel or the database.

So you can restrict its admin panel login with htaccess to your office IP only, redirect 403 to 404 error, etc.,

because mod_security is using thousands of rules.

Yes, I have a small website in a VPS. I am not using an admin panel like cPanel. I use ssh with sshkeys from my office.

But if you still want to use mod_security,

you can try a sample of the rules which I've used for a small-purpose Drupal-based website:

[r...@xyz.abc ]# cat /etc/httpd/modsecurity.d/security.conf

##Custom Rules
<IfModule mod_security2.c>
SecRuleEngine On
SecTmpDir /tmp
SecDataDir /tmp
SecAuditLog /var/log/httpd/modsec_audit_log

#Showing Custom Server Name
SecServerSignature "Microsoft-IIS/5.0"

#Allowing following objects
SecRule REQUEST_BASENAME "\.(jpg|gif|png|js|otf|woff|ttf|ico|css)$" id:1,phase:1,nolog,allow,ctl:ruleEngine=off

#Blocking Basic XSS attempt in url
SecRule REQUEST_URI|ARGS|REQUEST_BODY "script%3E" "id:3,phase:1,log,deny,msg:'Script Tag XSS',status:404"
SecRule REQUEST_URI|ARGS|REQUEST_BODY "%73%63%72%69%70%74%3e" "id:5,phase:1,log,deny,msg:'Script Tag XSS',status:404"

#Blocking Basic SQL Injection Attempt
SecRule REQUEST_URI "'" "id:6,phase:1,log,deny,msg:'Sql injection attempt',status:404"
SecRule REQUEST_URI "%27" "id:7,phase:1,log,deny,msg:'Sql injection attempt',status:404"
SecRule REQUEST_URI "sleep" "id:8,phase:1,log,deny,msg:'Sql injection attempt',status:404"

</IfModule>


And also mod_security will restrict the user with 403/404, the same as in your logs. The script kiddie is already facing an error with 404, so I think a mod_security implementation is not necessary for this little issue.

I had a domain which was spammed long ago. I was using fail2ban and modsecurity together to catch the attacker. Like if the modsecurity gives a 403 three times, then I will ban that IP using fail2ban.

Now, this is my new domain and a new VPS. So as per your opinion, do you want me to ignore these http requests, as using modsecurity will also give a 403/404?

Thanks.
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
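
The three-strikes idea mentioned in the reply above (ban an IP once it has received a 403 three times), sketched as an added example that is not part of the original thread and is not fail2ban's own code. The Apache combined log format, the 600-second window, the function name and the sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common/combined log line: client IP, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges), in chronological order.
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Jul/2014:11:40:01 +0000] "GET /?id=1%27 HTTP/1.1" 403 211 "-" "-"',
    '198.51.100.4 - - [11/Jul/2014:11:40:05 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "-"',
    '203.0.113.7 - - [11/Jul/2014:11:40:09 +0000] "GET /?q=script%3E HTTP/1.1" 403 211 "-" "-"',
    '203.0.113.7 - - [11/Jul/2014:11:40:30 +0000] "GET /?id=2%27 HTTP/1.1" 403 211 "-" "-"',
    '198.51.100.4 - - [11/Jul/2014:11:41:00 +0000] "GET /admin HTTP/1.1" 403 211 "-" "-"',
    '198.51.100.4 - - [11/Jul/2014:12:30:00 +0000] "GET /admin HTTP/1.1" 403 211 "-" "-"',
    '198.51.100.4 - - [11/Jul/2014:12:31:00 +0000] "GET /admin HTTP/1.1" 403 211 "-" "-"',
]

def find_offenders(lines, statuses=frozenset({403}), max_retry=3, find_time=600):
    """Return {ip: timestamp of the response that crossed the threshold}.

    An IP is flagged once max_retry responses whose status is in `statuses`
    fall inside a sliding window of find_time seconds.
    """
    window = timedelta(seconds=find_time)
    hits = defaultdict(deque)   # ip -> timestamps of recent blocked requests
    offenders = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or int(m.group("status")) not in statuses:
            continue            # unparsable line or a status we do not count
        ip = m.group("ip")
        if ip in offenders:
            continue            # already flagged, nothing more to learn
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        recent = hits[ip]
        recent.append(ts)
        while ts - recent[0] > window:
            recent.popleft()    # forget strikes older than the window
        if len(recent) >= max_retry:
            offenders[ip] = ts
    return offenders

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"ban {ip} (third 403 at {when.isoformat()})")
```

The rules quoted earlier in the thread deny with `status:404`, so counting their hits would mean passing `statuses={403, 404}`, which also counts ordinary missing pages.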
