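# Install Apache 2 as root. su treats its first operand as a user name, so
# "su - apt-get ..." would look for a user called "apt-get"; the command to run
# has to be handed over with -c. "-" gives root's login environment.
$ su - root -c 'apt-get install apache2'
# Re-run the package configuration dialog; -plow also shows low-priority questions.
$ su - root -c 'dpkg-reconfigure -plow apache2'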
Quellen:
Quellen:
Quellen:
# -----------------------------------------------------------------------------
# Generic rules
#
# NOTE(review): SecFilter / SecFilterSelective are ModSecurity 1.x directives;
# ModSecurity 2.x and later use SecRule and do not load this syntax.
# Pattern filters like these are a backstop in front of the application, not a
# replacement for fixing injection flaws in the application itself.
# -----------------------------------------------------------------------------

# The request line must end in a known HTTP version ("!" inverts the match).
SecFilterSelective THE_REQUEST "!HTTP\/(0\.9|1\.0|1\.1)$"

# Reject a User-Agent header that contains a single quote.
SecFilterSelective HTTP_USER_AGENT ".*\'"

# A POST without a Content-Length header is rejected (both chained patterns must match).
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"

# Any non-empty Transfer-Encoding header is rejected ...
SecFilterSelective HTTP_Transfer-Encoding "!^$"

# ... which already covers chunked encoding; the explicit rule is kept as written.
SecFilterSelective HTTP_Transfer-Encoding "chunked"

# User-Agent and Host must both be present and non-empty.
SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

# PHP process/file function calls in request arguments. Disabling these
# functions in php.ini (disable_functions) is the stronger control.
SecFilterSelective ARGS "(system|exec|passthru|popen|shell_exec|proc_open|fopen|fwrite)\s*\("

# Path traversal: any "../" sequence.
SecFilter "\.\./"

# Repeated traversal ("../../") in the request line.
SecFilterSelective THE_REQUEST "\.\./\.\./"

# Shell command chaining: "cd ;" followed by a common command name.
SecFilterSelective THE_REQUEST "cd\x20*\;(cd|\;|echo|perl|python|rpm|yum|apt-get|emerge|lynx|links|mkdir|elinks|cmd|pwd|wget|id|uname|cvs|svn|(s|r)(cp|sh)|rexec|smbclient|t?ftp|ncftp|curl|telnet|gcc|cc|g\+\+|\./)"

# Generic SQL statement shape (verb ... from/into/table/...).
# NOTE(review): inside [...] the "|" is a literal character, not alternation,
# so these classes also accept a pipe. The pattern is kept as written.
SecFilter "[[:space:]]+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"

# PHP remote file inclusion: a .php request that carries a URL and a cmd=
# parameter. All three chained patterns must match for the rule to fire.
SecFilter "\.php\?" chain
SecFilter "(http|https|ftp)\:/" chain
SecFilter "cmd=(cd|\;|perl|python|rpm|yum|apt-get|emerge|lynx|links|mkdir|elinks|cmd|pwd|wget|id|uname|cvs|svn|(s|r)(cp|sh)|rexec|smbclient|t?ftp|ncftp|curl|telnet|gcc|cc|g\+\+|\./)"

# chr() calls with a decimal or hex argument in the request line.
SecFilterSelective THE_REQUEST "chr\(([0-9]{1,3})\)"
SecFilterSelective THE_REQUEST "chr\([0-9a-fA-Fx]+\)"

# Short SQL injection signatures.
# NOTE(review): "select.+from" is very broad and likely to match ordinary
# text; expect false positives and review the audit log after enabling.
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"

# SQL injection in cookies. Only the cookie named "sessionid" is inspected;
# cookies with other names are not covered by this rule.
SecFilterSelective COOKIE_sessionid ".*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*||\,]+[[:space:]]+(from|into|table|database|index|view)"

# -----------------------------------------------------------------------------
# Experimental rules
# -----------------------------------------------------------------------------

# Remote download signature: a download/transfer tool name followed by a URL,
# an IPv4 address or something that looks like an FQDN.
SecFilterSelective THE_REQUEST "(perl|t?ftp|links|elinks|lynx|ncftp|(s|r)(cp|sh)|wget|curl|cvs|svn).*\x20((http|https|ftp)\:/|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|.*[A-Za-z|0-9]\.[a-zA-Z]{2,4}/)"
SecFilterSelective THE_REQUEST "( |\;|/|\'|,|\&|\=|\.)((s|r)(sh|cp)) *(.*\@.*|(http|https|ftp)\:/|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|.*[A-Za-z|0-9]\.[a-zA-Z]{2,4}/)"

# XSS attacks (HTML/JavaScript injection)
# SecFilter "<(.|\n)+>"
# Deactivated because it causes problems with Serendipity when creating new
# entries. This is the error message:
#   mod_security-message: Access denied with code 406. Pattern match "<(.|\n)+>" at POST_PAYLOAD.
# ff@nodomain.cc, 02.08.2005
# NOTE(review): with this rule off there is no XSS filtering in this file;
# output encoding in the application is the control that has to hold.
# Main mod_security (1.x directive syntax) settings.

# Optional: restrict inspection to dynamic requests.
# (YOU MUST TEST TO MAKE SURE IT WORKS AS EXPECTED)
# SecFilterEngine DynamicOnly

# Filtering engine switch (On or Off).
SecFilterEngine On

# Default action for a matching rule: deny, log, answer with status 404.
SecFilterDefaultAction "deny,log,status:404"

# Baseline settings.
SecServerResponseToken Off
# NOTE(review): with POST scanning off, request bodies are not inspected, so
# the filter rules do not see form data sent via POST. Turn this on and test
# the application if POST parameters are meant to be covered.
SecFilterScanPOST Off
SecFilterCheckURLEncoding On
SecFilterCheckCookieFormat On
SecFilterCheckUnicodeEncoding Off

# Output scanning is disabled; uncomment both lines to enable it.
# SecFilterScanOutput On
# SecFilterOutputMimeTypes "(null) text/html text/plain"

# Allowed byte range 1-255: only the NUL byte is refused.
SecFilterForceByteRange 1 255

# Audit logging for relevant requests only.
# NOTE(review): the audit log can contain request data such as cookies and
# parameters; check that the log directory exists and is not world-readable.
SecAuditEngine RelevantOnly
SecAuditLog /var/log/apache/audit_log

# Debug logging is off at level 0.
SecFilterDebugLevel 0
SecFilterDebugLog /var/log/apache/modsec_debug_log

# Rule file with the SecFilter rules.
# NOTE(review): the paths here use /var/log/apache and /etc/apache while the
# install step uses the apache2 package; confirm these directories on the host.
Include /etc/apache/modsecurity/filter.conf
# TLS handshake check against the local HTTPS listener: -state prints each
# handshake state, -debug adds a hex dump of the traffic.
# s_client reports certificate verification errors but still completes the
# connection, so read the "Verify return code" line in the output instead of
# treating a successful connect as proof that the certificate is valid.
openssl s_client -debug -state -connect localhost:443