My custom rules for mod_security

This article will be a placeholder for the custom rules I keep adding for my blog based on my access logs. I'll try to keep it as up to date as possible. Since I run a Drupal 7 install, they should be viewed from that perspective.


Setting up the Core Rule Sets for Apache mod_security

After just about a year of hosting, I can tell you this is one module you should not host any website without. But configuring the module itself is not enough: without the OWASP ModSecurity Core Rule Set (CRS), the module is pretty much useless.

Again, I'm using Debian, so both these modules are available from the Debian repositories. You can install them as below:

Intrusion detection Setup with AIDE (Advanced Intrusion Detection Environment)

So after my server was compromised through the Shellshock vulnerability, I had no way of knowing what had been tampered with. What follows is a way to find what has changed on your system/server when you are compromised.

Ban if you haven't already with Fail2Ban

If your server is public facing, then it's going to be attacked in every possible way. While doing something on my server, I noticed I had rotated "auth.log" files over 33MB in size unzipped. OK, that's a little too much. I tailed the current file and what do I see:

Post Shell Shock - Tightening up Apache Security with mod_security and mod_evasive

Without a shadow of a doubt the Shellshock vulnerability compromised my system. They say, correctly, that security should never be an afterthought, although in my case I had put it off for a bit. Maybe a correctly secured Apache configuration might have saved me, but I'm not so sure about that anyway. Anyway, the count of strange user agents below appeared in my log for the month of October. I surrounded the dots with square brackets to stop any of you accidentally clicking the link below. Out of curiosity, I even tried a wget on the URL but got nothing.
