[WEB SECURITY] Securing apache installation with PHP

Ryan Barnett rcbarnett at gmail.com
Thu May 19 10:46:25 EDT 2005


Speaking of Mod_Security, you could also leverage the converted PHP
attack rules from Snort -

[root at metacortex conf]# egrep -A1 '\.php\" chain' snortmod* |less
SecFilterSelective THE_REQUEST "/squirrelspell/modules/check_me\.mod\.php" chain
SecFilter "SQSPELL_APP\["
--
SecFilterSelective THE_REQUEST "/left_main\.php" chain
SecFilter "cmdd="
--
SecFilterSelective THE_REQUEST "/dnstools\.php" chain
SecFilter "user_dnstools_administrator=true"
--
SecFilterSelective THE_REQUEST "/dnstools\.php" chain
SecFilter "user_logged_in=true"
--
SecFilterSelective THE_REQUEST "/quick-reply\.php" chain
SecFilter "phpbb_root_path="

--CUT--

Just use the snort2modsec.pl script that comes with the distribution.
This will give you some coverage against known attacks.  Of course, you
should review these PHP vulnerabilities identified in the Snort
signatures and make any appropriate corrections.  This will provide
some detection if an attacker starts probing for these common
vulnerabilities.

Hope this helps.

-- 
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GCUX, GSEC


On 5/19/05, Martin Straka <straka at fido.cz> wrote:
> Hi,
> 
> On Thu, 19 May 2005, Cedric Foll wrote:
> 
> > I have to set up a new web server where many users would be able to put
> > PHP web pages.
> >
> > I would like to harden my setup.
> >
> > I've read these great articles http://www.securityfocus.com/infocus/1706
> 
> I think these simple mod_security settings from this article:
> 
>  SecFilterDefaultAction "deny,log,status:500"
>  SecFilter "<(.|\n)+>"
> 
> for XSS and:
> 
>  SecFilter "'"
>  SecFilter "\""
> 
> for SQL injection will not protect you (your user websites) against XSS
> and SQL injection attacks, but only create headache for you, because it
> will break many valid applications.
> 
> Regards,
> Martin Straka
> 
> 
> 
> ---------------------------------------------------------------------
> The Web Security Mailing List
> http://www.webappsec.org/lists/websecurity/
> 
> The Web Security Mailing List Archives
> http://www.webappsec.org/lists/websecurity/archive/
> 
>
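
Both points in this exchange, the chained Snort-derived rules firing only on a request that actually probes the named script, and the blanket quote filter from the article flagging ordinary user input, can be seen with a small rule evaluator. The following is an added example, not code from either poster and not ModSecurity's own implementation. It models a simplified subset of the ModSecurity 1.x syntax used above (SecFilter tried against the whole raw request, SecFilterSelective THE_REQUEST tried against the request line only, and a trailing "chain" joining consecutive rules), does no URL-decoding or other request normalisation, and ignores SecFilterDefaultAction; the rule snippets and HTTP requests below are constructed for the demonstration.

```python
"""Toy evaluator for the ModSecurity 1.x SecFilter rules quoted in this thread.

Added example (hypothetical): not the mailing-list authors' code and not
ModSecurity's own implementation. Only this subset of the 1.x syntax is
modelled:

  SecFilter "regex"                         regex tried against the whole
                                            raw request text
  SecFilterSelective THE_REQUEST "regex"    regex tried against the request
                                            line only
  trailing "chain"                          the next rule must also match
                                            before the filter fires

Assumptions: no URL-decoding or other normalisation of the request, and
SecFilterDefaultAction is ignored (every hit is simply reported).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# One line of config: directive, optional location, quoted regex, optional "chain".
RULE_RE = re.compile(
    r'^(?:SecFilterSelective\s+(?P<loc>\S+)|SecFilter)\s+"(?P<pat>.*)"(?P<chain>\s+chain)?\s*$'
)


@dataclass
class Rule:
    location: Optional[str]   # None = whole request (SecFilter)
    pattern: re.Pattern
    chain: bool               # True if the next rule must also match
    source: str               # the original config line, for reporting


def parse_rules(config_text: str) -> List[Rule]:
    """Parse SecFilter / SecFilterSelective lines; anything else is skipped."""
    rules = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = RULE_RE.match(line)
        if not m:
            continue   # blank lines, '--' separators, SecFilterDefaultAction, ...
        rules.append(Rule(m.group("loc"), re.compile(m.group("pat")),
                          m.group("chain") is not None, line))
    return rules


def _target(rule: Rule, raw_request: str) -> str:
    """Pick the part of the request the rule inspects (simplified model)."""
    if rule.location is None:
        return raw_request
    if rule.location == "THE_REQUEST":
        return raw_request.split("\n", 1)[0]
    raise ValueError("location %s is not modelled" % rule.location)


def matching_filters(rules: List[Rule], raw_request: str) -> List[str]:
    """Return one entry per filter (or chain of filters) that fires."""
    hits = []
    i = 0
    while i < len(rules):
        # A rule marked 'chain' is evaluated together with the rule(s) after it.
        group = [rules[i]]
        while group[-1].chain and i + len(group) < len(rules):
            group.append(rules[i + len(group)])
        if all(r.pattern.search(_target(r, raw_request)) for r in group):
            hits.append(" / ".join(r.source for r in group))
        i += len(group)
    return hits


# Constructed samples in the style of the thread (not real Snort output).
SNORT_DERIVED = r'''
SecFilterSelective THE_REQUEST "/left_main\.php" chain
SecFilter "cmdd="
--
SecFilterSelective THE_REQUEST "/dnstools\.php" chain
SecFilter "user_logged_in=true"
'''

ARTICLE_RULES = r'''
SecFilterDefaultAction "deny,log,status:500"
SecFilter "<(.|\n)+>"
SecFilter "'"
SecFilter "\""
'''

# Constructed requests: a probe for the vulnerable script, the same script
# used legitimately, and an ordinary form post containing an apostrophe.
PROBE = "GET /left_main.php?cmdd=ls HTTP/1.0\nHost: example.test\n\n"
BENIGN_SAME_SCRIPT = "GET /left_main.php?page=1 HTTP/1.0\nHost: example.test\n\n"
BENIGN_FORM = ("POST /guestbook.php HTTP/1.0\nHost: example.test\n\n"
               "name=O'Brien&msg=Nice+site")


if __name__ == "__main__":
    snort = parse_rules(SNORT_DERIVED)
    article = parse_rules(ARTICLE_RULES)
    for name, req in (("probe", PROBE), ("benign same script", BENIGN_SAME_SCRIPT),
                      ("benign form", BENIGN_FORM)):
        print(name, "| snort-derived:", matching_filters(snort, req),
              "| article:", matching_filters(article, req))
```

Run stand-alone, the probe trips the left_main chain and nothing else, the legitimate use of the same script trips nothing, and the guestbook post with "O'Brien" is rejected by the bare `'` filter while the probe itself passes those blanket rules untouched.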
