----- Original Message -----
From: "Michael A. Peters" <mpeters@xxxxxxx>
To: <fedora-list@xxxxxxxxxx>
Sent: Tuesday, November 08, 2005 1:12 AM
Subject: Re: Linux worm crawls the web, what to do to protect our systems

> On Tue, 2005-11-08 at 11:30 +0800, List wrote:
> >
> > Will it help if I firewalled off port 7111 and 7222?
> >
> > regards
> >
> Maybe.
> Depends upon how sophisticated it is.
>

I run FC3 and PHPNuke and I have been probed as well. The best solution I have found is to install something called mod_security for apache. Here's a link:

http://www.modsecurity.org/

The directions are really simple to follow and it works like a charm once you install a decent configuration file. I searched the web and pieced together something that seems to work well. I've included it below:

-----------------
<IfModule mod_security.c>
# Turn the filtering engine On or Off
SecFilterEngine On

# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On

# Unicode encoding check
SecFilterCheckUnicodeEncoding On

# Only allow bytes from this range
SecFilterForceByteRange 0 255

# Only log suspicious requests
SecAuditEngine RelevantOnly

# The name of the audit log file
SecAuditLog logs/audit_log

# Debug level set to a minimum
SecFilterDebugLog logs/modsec_debug_log
SecFilterDebugLevel 0

# Should mod_security inspect POST payloads
SecFilterScanPOST On

# By default log and deny suspicious requests
# with HTTP status 500
SecFilterDefaultAction "deny,log,status:500"

# Specific filters: shells, world-writable directories and file names
# commonly seen in probe payloads
SecFilter /bin/sh
SecFilter /bin/bash
SecFilter /bin/tcsh
SecFilter /bin/csh
SecFilter /var/spool
SecFilter /dev/shm
SecFilter /var/tmp
SecFilter /bin/ps
SecFilter /usr/local/flash
SecFilter udp.pl
SecFilter r0nin
SecFilter pbsync
SecFilter bindz
SecFilter inetd
SecFilter psybnc
SecFilter PhiLaR.pl
SecFilter php-shell.php
SecFilter phpshell.php
SecFilter dc.pl
SecFilter elflbl
SecFilter zregbot
SecFilter irclordz
SecFilter dalnet

# Detect attempts to execute binaries residing in /bin
SecFilterSelective ARGS "/bin/"
SecFilterSelective ARGS "/usr/bin/"

## PHPBB Vulnerability
SecFilter "viewtopic\.php\?" chain
SecFilter "chr\(([0-9]{1,3})\)" "deny,log"
SecFilter "admin_styles.php\?" chain
SecFilter "\$_GET"

# WEB-PHP Mail Exploit
SecFilterSelective THE_REQUEST "data/album\.php" deny,log
SecFilter "b77ybvFuiTAy" deny,log

# CPANEL Guestbook
#SecFilter "admin\.php\?action.*uid=1([^0-9]|$)"

# Require HTTP_USER_AGENT and HTTP_HOST in all requests
#SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

# WEB-ATTACKS /usr/bin/gcc command attempt
SecFilterSelective THE_REQUEST "/usr/bin/gcc"

# Very crude filters to prevent SQL injection attacks
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"

# Require Content-Length to be provided with
# every POST request
# (both lines are disabled together: a rule ending in "chain" needs the
# rule that follows it to complete the check)
#SecFilterSelective REQUEST_METHOD "^POST$" chain
#SecFilterSelective HTTP_Content-Length "^$"

# Don't accept transfer encodings we know we don't handle
# (and you don't need it anyway)
SecFilterSelective HTTP_Transfer-Encoding "!^$"

# Protecting from XSS attacks through the PHP session cookie
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"

# Block various methods of downloading files to a server
SecFilterSelective THE_REQUEST "wget"
SecFilterSelective THE_REQUEST "lynx"
SecFilterSelective THE_REQUEST "scp"
SecFilterSelective THE_REQUEST "cvs"
SecFilterSelective THE_REQUEST "rcp "
SecFilterSelective THE_REQUEST "telnet"
SecFilterSelective THE_REQUEST "echo"
SecFilterSelective THE_REQUEST "links -dump"
SecFilterSelective THE_REQUEST "links -dump-charset"
SecFilterSelective THE_REQUEST "links -dump-width"
SecFilterSelective THE_REQUEST "links http://"
SecFilterSelective THE_REQUEST "links ftp://"
SecFilterSelective THE_REQUEST "links -source"
SecFilterSelective THE_REQUEST "mkdir"
SecFilterSelective THE_REQUEST "cd /tmp"
SecFilterSelective THE_REQUEST "cd /var/tmp"
SecFilterSelective THE_REQUEST "cd /var/netenberg"
SecFilterSelective THE_REQUEST "uname -a"
SecFilterSelective THE_REQUEST "\.htgroup"
SecFilterSelective THE_REQUEST "\.htaccess"

# WEB-CLIENT Javascript URL host spoofing attempt
SecFilter "javascript\://"

# WEB-MISC cross site scripting \(img src=javascript\) attempt
SecFilter "img src=javascript"

# WEB-MISC cd..
SecFilterSelective THE_REQUEST "cd\.\."

# WEB-MISC ///cgi-bin access
SecFilterSelective THE_REQUEST "///cgi-bin"

# WEB-MISC /cgi-bin/// access
SecFilterSelective THE_REQUEST "/cgi-bin///"

# WEB-MISC /~root access
SecFilterSelective THE_REQUEST "/~root"

# WEB-MISC /~ftp access
SecFilterSelective THE_REQUEST "/~ftp"

# WEB-MISC htgrep attempt
SecFilterSelective THE_REQUEST "/htgrep" chain
SecFilter "hdr=/"

# WEB-MISC htgrep access (log only, do not block)
SecFilterSelective THE_REQUEST "/htgrep" log,pass

# WEB-MISC .history access
SecFilterSelective THE_REQUEST "/\.history"

# WEB-MISC .bash_history access
SecFilterSelective THE_REQUEST "/\.bash_history"

# WEB-PHP PHP-Wiki cross site scripting attempt
SecFilterSelective THE_REQUEST "<script"

# WEB-PHP strings overflow
SecFilterSelective THE_REQUEST "\?STRENGUR"

# WEB-PHP PHPLIB remote command attempt
SecFilter "_PHPLIB\[libdir\]"
</IfModule>
-----------------

Put this in a file called modsecurity.conf in /etc/httpd/conf.d and a stock FC3 apache installation will load it automatically.

To install the package, all you need to do is download the source and untar/gunzip the files, change to the apache2 directory and execute this as root:

apxs -cia mod_security.c

This will not only build the DSO but also add the appropriate line to your existing httpd.conf file without disturbing any other custom settings. Even so, an httpd.conf.bak is created just in case. Restart httpd and you're ready to go! The new log file audit_log in /var/log/httpd will show you what is being blocked.

Another aspect of this attack is that it tries to use the /tmp directory to launch programs. You can go the extra step to mount that directory without execute permissions if you want to be even more secure. That will stop anyone from executing anything even if they get by mod_security.

I hope this helps.

Tom
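As an added illustration (not from the original thread or from mod_security itself), here is a small Python model of how the crude keyword rules in the config above match request lines, assuming each pattern is a regex searched anywhere in the raw request line (the real engine also decodes and normalises the request first, which this model skips). It runs a constructed subset of the rules over a few constructed request lines and shows that benign URLs such as /docs/wget-manual.html trip the same rules as real probes, which is why reading audit_log after installing is worth the effort.

```python
import re

# Constructed subset of the SecFilter / SecFilterSelective THE_REQUEST
# patterns from the posted config (the original has many more).
RULES = [
    ("bin-path",   r"/bin/"),
    ("wget",       r"wget"),
    ("echo",       r"echo"),
    ("cd-tmp",     r"cd /tmp"),
    ("uname",      r"uname -a"),
    ("script-tag", r"<script"),
    ("sql-delete", r"delete[[:space:]]+from"),
    ("dotdot",     r"cd\.\."),
    ("htaccess",   r"\.htaccess"),
]


def compile_rules(rules=RULES):
    """Compile the patterns with Python's re.

    The config uses POSIX classes such as [[:space:]], which PCRE accepts
    but Python's re does not, so they are translated to \\s first.
    """
    return [(name, re.compile(pat.replace("[[:space:]]", r"\s")))
            for name, pat in rules]


def matching_rules(request_line, compiled=None):
    """Return the names of every rule whose pattern occurs in the line.

    Assumption: patterns are searched in the raw request line, with no
    URL decoding or other normalisation (a simplification of mod_security).
    """
    compiled = compiled or compile_rules()
    return [name for name, rx in compiled if rx.search(request_line)]


def audit(request_lines):
    """Map each request line to ('deny' or 'pass', matched rule names),
    mirroring SecFilterDefaultAction "deny,log,status:500"."""
    compiled = compile_rules()
    result = {}
    for line in request_lines:
        hits = matching_rules(line, compiled)
        result[line] = ("deny" if hits else "pass", hits)
    return result


# Constructed request lines: two the filters are meant to catch, two
# benign pages that trip the same keyword rules, and one clean request.
SAMPLE_REQUESTS = [
    "GET /modules.php?name=/bin/sh HTTP/1.1",
    "GET /cgi-bin/foo?q=uname -a HTTP/1.1",
    "GET /blog/echo-chamber-review.html HTTP/1.1",
    "GET /docs/wget-manual.html HTTP/1.1",
    "GET /forum/viewtopic.php?t=42 HTTP/1.1",
]

if __name__ == "__main__":
    for line, (verdict, hits) in audit(SAMPLE_REQUESTS).items():
        print(f"{verdict:4} {line}  {hits}")
```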