Security notice:
cPanel, Plesk, DirectAdmin, Confixx
We recommend that you monitor all installations of phpBB, PHPNuke, osTicket, My_eGallery, Mambo, ModernBill, Awstats, phpAd and other popular PHP programs on your server and keep them updated regularly, because these scripts are very frequently abused by hackers and spammers.
We recommend installing the "CSF" or the "APF" firewall on every VPS and dedicated server, and also installing the "Mod_Security" module. However, do NOT install both firewalls! Installation on a VPS server involves some special considerations. If you have a VPS with us, please consult us BEFORE attempting an install. We will also gladly install the firewall for you, free of charge.
CSF (install and info): http://www.configserver.com/cp/csf.html
APF (install and info): http://www.rfxn.com/projects/advanced-policy-firewall/
If you install APF, we also recommend installing BFD (Brute Force Detection). BFD works together with APF. Install and info here: http://www.rfxn.com/projects/brute-force-detection/
Mod_Security: http://eth0.us/mod_security
If, however, you have a cPanel VPS or dedicated server, it is easier. Simply compile "Mod_Security" in along with PHP, using the script /scripts/easyapache.
(A) If you have a dedicated server or a VPS with Apache 2.x, use the following installation method to install the latest protection rules:
1. Compile PHP with /scripts/easyapache and also select the mod_security module within Apache 2.x. (This installs mod_security 2.5.5, which is required for this.)
2. As root: "wget -O /root/install_modsec_rules http://403security.org/modsec/install_modsec_rules"
3. As root: "sh /root/install_modsec_rules" and follow the on-screen instructions
(B) If, however, your cPanel server still has Apache 1.9 installed, please use the rules below. After installing Mod_Security, click in the main menu under "Add-ons" on -> "Mod Security" -> "Edit Config", then replace the entire text with the rule set below. Then stop and start Apache.
# These rules work with mod_security 1.9.x and above only
# This is a rule template, with limited application specific matches
# To prevent functionality loss
# Updated 5/15/2009
# Tested to work with apache1 and apache2
#
# BEGIN RULES
#
# Basic rules with arbitrary command detection
SecFilterSelective THE_REQUEST "\.htgroup"
SecFilterSelective THE_REQUEST "\.htaccess"
SecFilterSelective THE_REQUEST "cd\.\."
SecFilterSelective THE_REQUEST "///cgi-bin"
SecFilterSelective THE_REQUEST "/cgi-bin///"
SecFilterSelective THE_REQUEST "/~root"
SecFilterSelective THE_REQUEST "/~ftp"
SecFilterSelective THE_REQUEST "/htgrep" chain
SecFilterSelective THE_REQUEST "/htgrep" log,pass
SecFilterSelective THE_REQUEST "/\.history"
SecFilterSelective THE_REQUEST "/\.bash_history"
SecFilterSelective THE_REQUEST "/~nobody"
SecFilterSelective THE_REQUEST "<script"
SecFilterSelective THE_REQUEST "psybnc"
SecFilterSelective THE_REQUEST "cmd=cd\x20/var"
SecFilterSelective THE_REQUEST "\?STRENGUR"
SecFilterSelective THE_REQUEST "/etc/motd"
SecFilterSelective THE_REQUEST "/etc/passwd"
SecFilterSelective THE_REQUEST "conf/httpd\.conf"
SecFilterSelective THE_REQUEST "/bin/ps"
SecFilterSelective THE_REQUEST "bin/tclsh"
SecFilterSelective THE_REQUEST "tclsh8\x20"
SecFilterSelective THE_REQUEST "chsh"
SecFilterSelective THE_REQUEST "udp\.pl"
SecFilterSelective THE_REQUEST "wget\x20"
SecFilterSelective THE_REQUEST "bin/nasm"
SecFilterSelective THE_REQUEST "nasm\x20"
SecFilterSelective THE_REQUEST "/usr/bin/perl"
SecFilterSelective THE_REQUEST "links -dump "
SecFilterSelective THE_REQUEST "links -dump-(charset|width) "
SecFilterSelective THE_REQUEST "links (http|https|ftp)\:/"
SecFilterSelective THE_REQUEST "links -source "
SecFilterSelective THE_REQUEST "cd\x20/(tmp|var/tmp|etc/httpd/proxy|dev/shm)"
SecFilterSelective THE_REQUEST "cd\.\."
SecFilterSelective THE_REQUEST "///cgi-bin"
SecFilterSelective THE_REQUEST "/cgi-bin///"
SecFilterSelective THE_REQUEST "/~named(/| HTTP\/(0\.9|1\.0|1\.1)$)"
SecFilterSelective THE_REQUEST "/~guest(/| HTTP\/(0\.9|1\.0|1\.1)$)"
SecFilterSelective THE_REQUEST "/~logs(/| HTTP\/(0\.9|1\.0|1\.1)$)"
SecFilterSelective THE_REQUEST "/~sshd(/| HTTP\/(0\.9|1\.0|1\.1)$)"
SecFilterSelective THE_REQUEST "/~ftp(/| HTTP\/(0\.9|1\.0|1\.1)$)"
SecFilterSelective THE_REQUEST "/~bin(/| HTTP\/(0\.9|1\.0|1\.1)$)"
SecFilterSelective THE_REQUEST "/~nobody(/| HTTP\/(0\.9|1\.0|1\.1)$)"
SecFilterSelective THE_REQUEST "/\.history HTTP\/(0\.9|1\.0|1\.1)$"
SecFilterSelective THE_REQUEST "/\.bash_history HTTP\/(0\.9|1\.0|1\.1)$"
SecFilter "(cmd|command)=(cd|\;|perl|python|lynx|links|mkdir|elinks|cmd|wget|uname|(s|r)(cp|sh)|net(stat|cat)|rexec|smbclient|curl)"
SecFilterSelective REQUEST_URI "/nessus_is_probing_you_"
SecFilterSelective REQUEST_URI "/NessusTest"
SecFilter "javascript\://"
SecFilter "img src=javascript"
SecFilter "_PHPLIB\[libdir\]"
SecFilter "hdr=/"
# Require Content-Length to be provided with every POST request
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$" chain
SecFilterSelective HTTP_Transfer-Encoding "!^$"
# Specific XML-RPC attacks on xmlrpc.php
SecFilterSelective THE_REQUEST "(/xmlrpc|.*xmlrpc_services)\.php" chain
SecFilter "(\<xml|\<.*xml)" chain
SecFilter "(echo( |\(|\').*\;|chr|fwrite|fopen|system)\(.*\)\;"
# XML-RPC SQL injection generic signature
SecFilterSelective THE_REQUEST "(/xmlrpc|.*xmlrpc_services)\.php" chain
SecFilter "<methodName>.*</methodName>.*<value><string>.*(delete|insert|drop|replace|update|create)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table).*methodName\>"
# Exploit phpBB Highlighting Code Execution/SQL Injection - Santy.A Worm
SecFilter "&highlight=\'\.fwrite\(fopen\("
SecFilter "&highlight=\x2527\x252Esystem\("
SecFilter "&highlight=\'\.mysql_query\("
SecFilterSelective THE_REQUEST "/quick-reply\.php" chain
SecFilterSelective THE_REQUEST "(\;|\&)highlight=\'\.system\("
SecFilterSelective THE_REQUEST "&highlight=\'\.mysql_query\("
SecFilterSelective THE_REQUEST "&highlight=\'\.fwrite\(fopen\("
SecFilterSelective THE_REQUEST "&highlight=%2527%252E"
SecFilterSelective THE_REQUEST "&highlight=\x2527\x252Esystem\("
SecFilterSelective THE_REQUEST "/viewtopic\.php\?.*(highlight.*(\'\.|\x2527|\x27)|include\(.*GET\[.*\]\)|=(http|https|ftp)\:/|(printf|system)\()"
# phpBB remote command execution exploit
SecFilterSelective REQUEST_URI "profile\.php\?GLOBALS\[signature_bbcode_uid\]=\(\.\x2B\)/e\x00"
SecFilterSelective REQUEST_URI|POST_PAYLOAD "r57phpBB2017xpl"
SecFilterSelective POST_PAYLOAD "_bill_gates@microsoft\.com"
SecFilterSelective THE_REQUEST "/admin/admin_forums\.php\?sid=.*" chain
SecFilter "(forumname|forumdesc)=*\<[[:space:]]*(script|about|applet|activex|chrome)"
SecFilterSelective REQUEST_URI "/posting\.php\?mode=reply\&t=.*userid.*phpbb2mysql_t=(<[[:space:]]*script|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/posting\.php\\?.*(<[[:space:]]*script|(http|https|ftp)\:/)"
SecFilterSelective THE_REQUEST "changedir=%2Ftmp%2F.php"
SecFilter "^/viewtopic\.php\?" chain
SecFilter "chr\(([0-9]{1,3})\)"
SecFilterSelective THE_REQUEST "viewtopic\.php" chain
SecFilterSelective THE_REQUEST|ARG_VALUES "(passthru|cmd|fopen|exit|fwrite)"
SecFilter "phpbb_root_path="
SecFilterSelective THE_REQUEST "/calendar_scheduler\.php\?start=(<[[:space:]]*script|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/groupcp\.php\?g=.*sid=\'"
SecFilterSelective REQUEST_URI "/index\.php\?(c|mark)=*\'"
SecFilterSelective REQUEST_URI "/portal\.php\?article=*\'"
SecFilterSelective REQUEST_URI "/viewforum\.php\?f=.*sid=\'"
SecFilterSelective REQUEST_URI "/viewtopic\.php\?p=.*sid=\'"
SecFilterSelective REQUEST_URI "/album_search\.php\?mode=\'"
SecFilterSelective REQUEST_URI "/album_cat\.php\?cat_id=.*sid=\'"
SecFilterSelective REQUEST_URI "/album_comment\.php\?pic_id=.*sid=\'"
SecFilterSelective REQUEST_URI "calendar_scheduler\.php\?d=.*&mode=&start=\'\">"
SecFilterSelective REQUEST_URI "/profile\.php\?mode=viewprofile&u=.*((script|script|about|applet|activex|chrome)\>|html|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/viewtopic\.php\?p=.*&highlight=.*((script|script|about|applet|activex|chrome)\>|html|(http|https|ftp)\:/)"
# awstats XSS vulnerabilities
SecFilterSelective THE_REQUEST "awstats" chain
SecFilterSelective ARGS "(pluginmode|loadplugin|debug|configdir|perl|cgi|chmod|exec|print)"
SecFilterSelective REQUEST_URI "/awstats\.pl\?(configdir|update|pluginmode|cgi)=(\||echo|\:system\()"
SecFilterSelective REQUEST_URI "/awstats\.pl\?(debug=1|pluginmode=rawlog\&loadplugin=rawlog|update=1\&logfile=\|)"
SecFilterSelective REQUEST_URI "/awstats\.pl\?[^\r\n]*logfile=\|"
SecFilterSelective REQUEST_URI "/awstats\.pl\?configdir="
SecFilterSelective REQUEST_URI "awstats\.pl\?" chain
SecFilterSelective ARGS "(debug|configdir|perl|chmod|exec|print|cgi)"
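Before a rule set like the one above goes into httpd.conf, it pays to check offline that the chains fire on the requests they are meant to catch and stay quiet on normal traffic. The following tester is an added example, not part of this notice and not ModSecurity's own code: it parses the 1.9.x SecFilter/SecFilterSelective syntax (including `chain`, `log,pass` and `!`-negated regexes) and evaluates constructed requests against a small subset of the page's rules. The request model (THE_REQUEST, REQUEST_URI, ARGS, HTTP_* headers and so on) is a simplified reconstruction of the engine's variables and is assumed here; case handling and argument normalisation of the real module are not reproduced.

```python
"""Offline tester for mod_security 1.x rules (added example, not the module)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

# Subset of the page's rule set; wrapped lines joined, otherwise verbatim.
RULES_TEXT = r'''
SecFilterSelective THE_REQUEST "/etc/passwd"
SecFilterSelective THE_REQUEST "/htgrep" chain
SecFilterSelective THE_REQUEST "/htgrep" log,pass
SecFilter "(cmd|command)=(cd|\;|perl|python|lynx|links|mkdir|elinks|cmd|wget|uname|(s|r)(cp|sh)|net(stat|cat)|rexec|smbclient|curl)"
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$" chain
SecFilterSelective HTTP_Transfer-Encoding "!^$"
SecFilterSelective THE_REQUEST "awstats" chain
SecFilterSelective ARGS "(pluginmode|loadplugin|debug|configdir|perl|cgi|chmod|exec|print)"
'''

# SecFilterSelective VARS "regex" [actions]   |   SecFilter "regex" [actions]
RULE_RE = re.compile(
    r'^(SecFilterSelective)\s+"?([^"\s]+)"?\s+"((?:[^"\\]|\\.)*)"(?:\s+(\S+))?\s*$'
    r'|^(SecFilter)\s+"((?:[^"\\]|\\.)*)"(?:\s+(\S+))?\s*$')


@dataclass
class Rule:
    text: str
    variables: Optional[List[str]]  # None means SecFilter (whole request)
    pattern: re.Pattern
    negate: bool                    # regex began with '!'
    actions: List[str]


def parse_rules(text: str) -> List[Rule]:
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f'unrecognised rule: {line}')
        if m.group(1):
            variables, regex, actions = m.group(2).split('|'), m.group(3), m.group(4)
        else:
            variables, regex, actions = None, m.group(6), m.group(7)
        negate = regex.startswith('!')
        regex = regex[1:] if negate else regex
        # The 1.x engine takes POSIX classes; Python's re needs \s instead.
        regex = regex.replace('[[:space:]]', r'\s')
        rules.append(Rule(line, variables, re.compile(regex), negate,
                          [a for a in (actions or '').split(',') if a]))
    return rules


def request_variables(method: str, uri: str, headers: dict, body: str = '') -> dict:
    """Assumed variable view of one request; a missing header reads as ''."""
    query = urlsplit(uri).query
    args = parse_qsl(query, keep_blank_values=True) + parse_qsl(body, keep_blank_values=True)
    variables = {
        'THE_REQUEST': f'{method} {uri} HTTP/1.1',
        'REQUEST_URI': uri,
        'REQUEST_METHOD': method,
        'ARGS': '&'.join(f'{k}={v}' for k, v in args),   # decoded query + body
        'ARG_VALUES': [v for _, v in args],               # each value on its own
        'POST_PAYLOAD': body,
    }
    for name, value in headers.items():
        variables['HTTP_' + name] = value
    return variables


def _matches(rule: Rule, variables: dict) -> bool:
    if rule.variables is None:   # SecFilter: request URI (with query) and body
        subjects = [variables['REQUEST_URI'], variables['POST_PAYLOAD']]
    else:
        subjects = []
        for name in rule.variables:
            value = variables.get(name, '')
            subjects += value if isinstance(value, list) else [value]
    hit = any(rule.pattern.search(s) for s in subjects)
    return not hit if rule.negate else hit


def evaluate(rules: List[Rule], variables: dict) -> Tuple[str, Optional[str], List[str]]:
    """The first chain whose every link matches decides: 'deny' (the default
    action) unless its last rule carries `pass`, which only logs and goes on."""
    logged, i = [], 0
    while i < len(rules):
        j = i
        while j < len(rules) - 1 and 'chain' in rules[j].actions:
            j += 1                    # extend to the last link of the chain
        chain = rules[i:j + 1]
        if all(_matches(r, variables) for r in chain):
            if 'pass' not in chain[-1].actions:
                return 'deny', chain[-1].text, logged
            logged.append(chain[-1].text)
        i = j + 1
    return 'allow', None, logged


if __name__ == '__main__':
    rules = parse_rules(RULES_TEXT)
    print(evaluate(rules, request_variables('GET', '/forum/viewtopic.php?t=12', {})))
    print(evaluate(rules, request_variables('POST', '/index.php', {'Transfer-Encoding': 'chunked'})))
```

Run it with the full rule set pasted into RULES_TEXT and a handful of requests taken from your own access log to see which chain a given request trips; a rule that never fires on the sample it was written for (for instance a regex with an unescaped `.php?`) shows up immediately as 'allow'.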
Here is one more link to some useful and easy-to-install security and admin scripts (for cPanel servers only): http://cplicensing.net/scripts.php