Ivan Ristic | 1 Nov 17:42

Re: questions about chrooting

posorio7 wrote:
> Thanks for your help, I managed to get apache running in jail. Now my
> problem is with my account files for the websites. It's looking for
> them in /chroot/apache/home/[username]/public_html. I tried doing a
> symlink from /chroot/apache/home to the real /home and when I loaded
> up my sites it gave me a 403 forbidden error. It finds the files but
> does not have access to them. What can I do to correct this?

  I don't think it finds the files because it is not possible
  to create symbolic links that would go outside the jail. Perhaps
  the message is because of incorrect permissions of /home, or
  something like that.

  You'll have to put the account files into the jail in order for
  Apache to be able to reach them.

-- 
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]


Re: Generate Nessus rules for mod_security

> 
>   Thanks Javier, I will test the script and the generated rules
>   next week. I will be happy to include your script into the
>   distribution if you are happy with the GPL licence. Please let
>   me know.
> 

Sorry, I forgot to add the appropriate license to the file. Of
course, it's GPLd. Feel free to add it to the distribution.

Regards

Javier

Ivan Ristic | 5 Nov 13:55

[ANNOUNCE] mod_security 1.8.6 released


Mod_security 1.8.6 has been released. It is available for immediate
download from:

   http://www.modsecurity.org/download/

This maintenance release relaxes several minor problems discovered
in 1.8.5. A minor improvement was made to make detection-only
deployment of mod_security easier. Please see the changes below
for more details.

About mod_security
------------------
Mod_security is an Apache module whose purpose is to protect
vulnerable applications and reject human or automated attacks.
It is an open source intrusion detection and prevention system
for Apache. In addition to request filtering, it also creates Web
application audit logs. Requests are filtered using regular
expressions. Some of the things possible are:

 * Apply filters against any part of the request (URI,
   headers, either GET or POST)
 * Apply filters against individual parameters
 * Reject SQL injection attacks
 * Reject Cross site scripting attacks

With few general rules mod_security can protect from both
known and unknown vulnerabilities.

Changes (v1.8.6)


HTTPD Dos

Hello there,

One of our servers is being DDoSed (httpd based); hundreds of clients are
trying to download one certain file. My question: is it possible
to filter on the download and put the IP in an iptables rule?

Regards,
Gerwin

Ivan Ristic | 12 Nov 13:53

Re: HTTPD Dos

Gerwin Krist -|- Digitalus Webhosting wrote:
> Hello there,
> 
> One of our servers is being DDoSed (httpd based); hundreds of clients are
> trying to download one certain file. My question: is it possible
> to filter on the download and put the IP in an iptables rule?

  Are the IP addresses constantly changing? I wrote some scripts for the
  book, available here http://www.apachesecurity.net/, that might be
  able to protect you automatically from that sort of attack.

  The blacklist script is a dynamic iptables firewall. You can tell it
  which IP address to block and for how long.

  The apache-protect script will watch mod_status output and count the
  number of identical requests coming from one IP address and invoke
  the blacklist script to ban the addresses that reach the threshold.

  Finally, blacklist-webclient can be invoked from mod_security via the
  exec action, if you so wish.

  Just be careful not to block legitimate users :)

-- 
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]


modsecurity | 12 Nov 16:14

help with rule

I'm trying to block clients from using web based scripts to send mail from *@paypal.com or with the realname of paypal. This is what the post looks like:

-----------------------------7d43991d691196
Content-Disposition: form-data; name="from"

billing@paypal.com
-----------------------------7d43991d691196
Content-Disposition: form-data; name="realname"

paypal

Since the name="from" and the billing@paypal.com are not on the same line I'm having a little trouble with this. Can anyone give me a clue as to how this can be done?

Ivan Ristic | 12 Nov 16:24
Gravatar

Re: help with rule

modsecurity wrote:

> I'm trying to block clients from using web based scripts to send mail from *@paypal.com or with the
> realname of paypal. This is what the post looks like:
> 
> -----------------------------7d43991d691196
> Content-Disposition: form-data; name="from"
> 
> billing@paypal.com
> -----------------------------7d43991d691196
> Content-Disposition: form-data; name="realname"
> 
> paypal
> 
> Since the name="from" and the billing@paypal.com are not on the same line I'm having a little trouble with
> this. Can anyone give me a clue as to how this can be done?

  You don't need to concern yourself with how the data is laid out in a
  request, mod_security takes care of that for you (I am assuming you
  are running 1.8.x). Just tell it which parameters to look for:

  SecFilterSelective ARG_from @paypal\.com$
  SecFilterSelective ARG_realname paypal

-- 
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
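A Python sketch, added here and not part of the original thread or of mod_security itself, of what the reply describes: the multipart body from the question is first split into named parameters, and the two patterns are then applied per parameter, so the line layout of the body never matters. The boundary and field names come from the post; the rule table, the sample bodies and the function names are my own.

```python
import re

# Boundary and field names follow the post above; the mail obfuscation
# "<at>" is restored to "@". Everything here is a constructed sample.
BOUNDARY = "-" * 27 + "7d43991d691196"

# Hypothetical stand-ins for the two rules in the reply:
#   SecFilterSelective ARG_from @paypal\.com$
#   SecFilterSelective ARG_realname paypal
RULES = {
    "from": re.compile(r"@paypal\.com$"),
    "realname": re.compile(r"paypal"),
}


def build_body(fields, boundary=BOUNDARY):
    """Assemble a multipart/form-data body the way a browser would."""
    parts = []
    for name, value in fields.items():
        parts += ["--" + boundary,
                  'Content-Disposition: form-data; name="%s"' % name,
                  "", value]
    parts += ["--" + boundary + "--", ""]
    return "\r\n".join(parts)


def parse_multipart(body, boundary=BOUNDARY):
    """Return {field_name: value}. Each part is headers, a blank line,
    then the value, so a name and its value never share a line; that
    is why the engine matches per parameter rather than per body line."""
    args = {}
    for part in body.split("--" + boundary)[1:]:
        if part.startswith("--"):          # closing delimiter reached
            break
        headers, _, value = part.strip("\r\n").partition("\r\n\r\n")
        m = re.search(r'name="([^"]*)"', headers)
        if m:
            args[m.group(1)] = value
    return args


def matching_rules(body, boundary=BOUNDARY):
    """Names of the parameters whose value triggers a rule."""
    args = parse_multipart(body, boundary)
    return [n for n, rx in RULES.items() if n in args and rx.search(args[n])]
```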

David Fletcher | 13 Nov 11:08

Re: HTTPD Dos


On Fri, 12 Nov 2004 20:23:12 -0800
mod-security-users-request <at> lists.sourceforge.net wrote:

> Subject: [mod-security-users] HTTPD Dos
> 
> Hello there,
> 
> One of our servers is being DDoSed (httpd based); hundreds of clients are
> trying to download one certain file. My question: is it possible
> to filter on the download and put the IP in an iptables rule?
> 
> Regards,
> Gerwin

Hi,

I have been getting attacks with over 1000 requests per second like this:

default.domain 141.150.49.213 - - [04/Nov/2004:09:30:52 +0000] "OPTIONS / HTTP/1.1" 403 266 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600" (-)

They seem to have stopped before I did anything about them, but I was
looking at mod_dosevasive available here:

http://www.nuclearelephant.com/projects/dosevasive/

It doesn't look like it's been developed in over a year (perhaps it doesn't
need it?) but it might be useful. I wonder if there is any case for
integrating it with mod_security?

Another approach in this case will be just to block OPTIONS requests, but
other DOS attacks might not use this request method.

David.

-- 
-------------------------------------------------
Email: David <at> megapico.co.uk
-------------------------------------------------
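An added Python example, not one of the scripts from the book or anything posted in this thread, implementing the counting step Ivan describes for apache-protect over access log lines in the format David quotes: identical request lines from one address are counted in a sliding window, and addresses that reach a threshold are reported together with the iptables rule a blacklist helper would apply. Thresholds, addresses and log lines are constructed for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Hypothetical policy: THRESHOLD identical request lines within WINDOW -> report.
THRESHOLD = 10
WINDOW = timedelta(seconds=10)
# vhost, client, ident, user, [timestamp], "request line", status ...
LOG_RE = re.compile(r'^(\S+) (\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, request_line), or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group(2), datetime.strptime(m.group(3), TS_FMT), m.group(4)

def find_offenders(lines, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window count of identical requests per client address;
    returns {ip: peak count} for addresses that reached the threshold."""
    recent = defaultdict(deque)   # (ip, request line) -> timestamps in window
    offenders = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, req = parsed
        q = recent[(ip, req)]
        q.append(ts)
        while ts - q[0] > window:  # expire entries older than the window
            q.popleft()
        if len(q) >= threshold and len(q) > offenders.get(ip, 0):
            offenders[ip] = len(q)
    return offenders

def ban_rules(offenders):
    """iptables commands a blacklist helper would install (and later remove)."""
    return ["iptables -I INPUT -s %s -j DROP" % ip for ip in sorted(offenders)]

def sample_log():
    """Constructed lines in the quoted format: 198.51.100.7 sends OPTIONS /
    twelve times in three seconds while 192.0.2.25 browses normally."""
    base = datetime(2004, 11, 4, 9, 30, 52, tzinfo=timezone.utc)
    fmt = 'default.domain %s - - [%s] "%s" %d 266 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600" (-)'
    lines = [fmt % ("198.51.100.7", (base + timedelta(seconds=i // 4)).strftime(TS_FMT),
                    "OPTIONS / HTTP/1.1", 403) for i in range(12)]
    lines += [fmt % ("192.0.2.25", (base + timedelta(seconds=i)).strftime(TS_FMT),
                     "GET /page%d.html HTTP/1.1" % i, 200) for i in range(5)]
    return lines
```

Ivan's closing caveat applies unchanged: a shared proxy or NAT gateway can put many legitimate users behind one address, so the threshold and ban length need tuning against real traffic before the rules are installed automatically.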

Zach Roberts | 13 Nov 11:27

Re: Re: HTTPD Dos

David Fletcher wrote:
> 
> On Fri, 12 Nov 2004 20:23:12 -0800
> mod-security-users-request <at> lists.sourceforge.net wrote:
> 
> 
>>Subject: [mod-security-users] HTTPD Dos
>>
>>Hello there,
>>
>>One of our servers is being DDoSed (httpd based); hundreds of clients are
>>trying to download one certain file. My question: is it possible
>>to filter on the download and put the IP in an iptables rule?
>>
>>Regards,
>>Gerwin
> 
> 
> Hi,
> 
> I have been getting attacks with over 1000 requests per second like this:
> 
> default.domain 141.150.49.213 - - [04/Nov/2004:09:30:52 +0000] "OPTIONS /
> HTTP/1.1" 403 266 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600" (-)
> 
> They seem to have stopped before I did anything about them, but I was
> looking at mod_dosevasive available here:
> 
> http://www.nuclearelephant.com/projects/dosevasive/
> 
> It doesn't look like it's been developed in over a year (perhaps it doesn't
> need it?) but it might be useful. I wonder if there is any case for
> integrating it with mod_security?
> 
> Another approach in this case will be just to block OPTIONS requests, but
> other DOS attacks might not use this request method.
> 
> David.
> 

That could prove to be a very useful addition to the mod_security
codebase. I currently use it but, due to the incompatibility with
FrontPage, I can't use it on all servers.

If possible, I would definitely like to see it added.

Zach
