Linux worm crawls the web, what to do to protect our systems
Shockwave
shockwave at clan-tf20.com
Tue Nov 8 15:34:43 UTC 2005
----- Original Message -----
From: "Michael A. Peters" <mpeters at mac.com>
To: <fedora-list at redhat.com>
Sent: Tuesday, November 08, 2005 1:12 AM
Subject: Re: Linux worm crawls the web, what to do to protect our systems
> On Tue, 2005-11-08 at 11:30 +0800, List wrote:
>
> >
> > Will it help if i firewalled off port 7111 and 7222?
> >
> > regards
> >
>
> Maybe.
> Depends upon how sophisticated it is.
>
I run FC3 and PHPNuke and I have been probed as well. The best solution I
have found is to install something called mod_security for apache. Here's a
link:
http://www.modsecurity.org/
The directions are really simple to follow and it works like a charm once
you install a decent configuration file. I searched the web and pieced
together something that seems to work well. I've included it below:
-----------------
<IfModule mod_security.c>
# Turn the filtering engine On or Off
SecFilterEngine On
# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On
# Unicode encoding check
SecFilterCheckUnicodeEncoding On
# Only allow bytes from this range
SecFilterForceByteRange 0 255
# Only log suspicious requests
SecAuditEngine RelevantOnly
# The name of the audit log file
SecAuditLog logs/audit_log
# Debug level set to a minimum
SecFilterDebugLog logs/modsec_debug_log
SecFilterDebugLevel 0
# Should mod_security inspect POST payloads
SecFilterScanPOST On
# By default log and deny suspicious requests
# with HTTP status 500
SecFilterDefaultAction "deny,log,status:500"
# Specific filters
SecFilter /bin/sh
SecFilter /bin/bash
SecFilter /bin/tcsh
SecFilter /bin/csh
SecFilter /var/spool
SecFilter /dev/shm
SecFilter /var/tmp
SecFilter /bin/ps
SecFilter /usr/local/flash
SecFilter udp\.pl
SecFilter r0nin
SecFilter pbsync
SecFilter bindz
SecFilter inetd
SecFilter psybnc
SecFilter PhiLaR\.pl
SecFilter php-shell\.php
SecFilter phpshell\.php
SecFilter dc\.pl
SecFilter elflbl
SecFilter zregbot
SecFilter irclordz
SecFilter dalnet
# Detect attempts to execute binaries residing in /bin
SecFilterSelective ARGS "/bin/"
SecFilterSelective ARGS "/usr/bin/"
## PHPBB Vulnerability
SecFilter "viewtopic\.php\?" chain
SecFilter "chr\(([0-9]{1,3})\)" "deny,log"
SecFilter "admin_styles\.php\?" chain
SecFilter "\$_GET"
# WEB-PHP Mail Exploit
SecFilterSelective THE_REQUEST "data/album\.php" deny,log
SecFilter "b77ybvFuiTAy" deny,log
# CPANEL Guestbook
#SecFilter "admin\.php\?action.*uid=1([^0-9]|$)"
# Require HTTP_USER_AGENT and HTTP_HOST in all requests
#SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"
# WEB-ATTACKS /usr/bin/gcc command attempt
SecFilterSelective THE_REQUEST "/usr/bin/gcc"
# Very crude filters to prevent SQL injection attacks
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
# Require Content-Length to be provided with
# every POST request
# (the second rule of a chain must stay active: if it is commented out,
#  the "chain" attaches to the next live rule, here the Transfer-Encoding
#  check, which would then only be applied to POST requests)
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"
# Don't accept transfer encodings we know we don't handle
# (and you don't need it anyway)
SecFilterSelective HTTP_Transfer-Encoding "!^$"
# Protecting from XSS attacks through the PHP session cookie
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
# Block various methods of downloading files to a server
# (these are plain substring matches against the request line, so a
#  legitimate URL that happens to contain e.g. "echo" or "cvs" also gets
#  a 500; watch audit_log for such false positives after enabling them)
SecFilterSelective THE_REQUEST "wget"
SecFilterSelective THE_REQUEST "lynx"
SecFilterSelective THE_REQUEST "scp"
SecFilterSelective THE_REQUEST "cvs"
SecFilterSelective THE_REQUEST "rcp "
SecFilterSelective THE_REQUEST "telnet"
SecFilterSelective THE_REQUEST "echo"
SecFilterSelective THE_REQUEST "links -dump"
SecFilterSelective THE_REQUEST "links -dump-charset"
SecFilterSelective THE_REQUEST "links -dump-width"
SecFilterSelective THE_REQUEST "links http://"
SecFilterSelective THE_REQUEST "links ftp://"
SecFilterSelective THE_REQUEST "links -source"
SecFilterSelective THE_REQUEST "mkdir"
SecFilterSelective THE_REQUEST "cd /tmp"
SecFilterSelective THE_REQUEST "cd /var/tmp"
SecFilterSelective THE_REQUEST "cd /var/netenberg"
SecFilterSelective THE_REQUEST "uname -a"
SecFilterSelective THE_REQUEST "\.htgroup"
SecFilterSelective THE_REQUEST "\.htaccess"
# WEB-CLIENT Javascript URL host spoofing attempt
SecFilter "javascript\://"
# WEB-MISC cross site scripting (img src=javascript) attempt
SecFilter "img src=javascript"
# WEB-MISC cd..
SecFilterSelective THE_REQUEST "cd\.\."
# WEB-MISC ///cgi-bin access
SecFilterSelective THE_REQUEST "///cgi-bin"
# WEB-MISC /cgi-bin/// access
SecFilterSelective THE_REQUEST "/cgi-bin///"
# WEB-MISC /~root access
SecFilterSelective THE_REQUEST "/~root"
# WEB-MISC /~ftp access
SecFilterSelective THE_REQUEST "/~ftp"
# WEB-MISC htgrep attempt
SecFilterSelective THE_REQUEST "/htgrep" chain
SecFilter "hdr=/"
# WEB-MISC htgrep access
SecFilterSelective THE_REQUEST "/htgrep" log,pass
# WEB-MISC .history access
SecFilterSelective THE_REQUEST "/\.history"
# WEB-MISC .bash_history access
SecFilterSelective THE_REQUEST "/\.bash_history"
# WEB-PHP PHP-Wiki cross site scripting attempt
SecFilterSelective THE_REQUEST "<script"
# WEB-PHP strings overflow
SecFilterSelective THE_REQUEST "\?STRENGUR"
# WEB-PHP PHPLIB remote command attempt
SecFilter "_PHPLIB\[libdir\]"
</IfModule>
-----------------
Put this in a file called modsecurity.conf in /etc/httpd/conf.d and a stock
FC3 apache installation will load it automatically. To install the package,
all you need to do is download the source and untar/gunzip the files, change
to the apache2 directory and execute this as root:
apxs -cia mod_security.c
This will not only build the DSO but also add the appropriate line to your
existing httpd.conf file without disturbing any other custom settings. Even
so, a httpd.conf.bak is created just in case. Restart httpd and you're
ready to go! The new log file audit_log in /var/log/httpd will show you
what is being blocked.
Another aspect of this attack is that it tries to use the /tmp directory to
launch programs. You can go the extra step to mount that directory without
execute permissions if you want to be even more secure. That will stop
anyone from executing anything even if they get by mod_security.
I hope this helps.
Tom
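Added example, not part of Tom's post: once mod_security is logging, the quickest way to see what it is actually blocking is to summarise audit_log by client address and by the pattern that fired, which also shows which of the broad filters above (e.g. "echo") are catching legitimate traffic. The parser assumes the mod_security 1.x audit format, with one "Request:" line per entry and a "mod_security-message:" header that quotes the matched pattern; the log entries below are constructed for the example and are not real traffic.

```shell
# Added example (not from the original post): summarise a mod_security 1.x
# audit_log per client IP and per matched pattern.
# Assumption: 1.x audit format, i.e. a "Request: <ip> - - [date] ..." line per
# entry and a 'mod_security-message: ... Pattern match "<pattern>" at ...' header.

summarize_audit_log() {
    # $1: path to the audit_log (default: the FC3 location mentioned in the post)
    awk '
        # field 2 of the "Request:" line is the client address
        /^Request: / { ip[$2]++ }
        # the matched pattern is the first double-quoted token on the message line
        /^mod_security-message: / {
            if (match($0, /"[^"]*"/)) {
                pat = substr($0, RSTART + 1, RLENGTH - 2)
                pattern[pat]++
            }
        }
        END {
            for (i in ip)      printf "ip %s %d\n", i, ip[i]
            for (p in pattern) printf "pattern %s %d\n", p, pattern[p]
        }
    ' "${1:-/var/log/httpd/audit_log}" | sort
}

# Constructed sample entries (not real traffic) in the 1.x audit format.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
========================================
Request: 203.0.113.7 - - [08/Nov/2005:15:34:43 +0000] "GET /modules.php?name=Search&query=/bin/sh HTTP/1.0" 500 0
Handler: (null)
----------------------------------------
GET /modules.php?name=Search&query=/bin/sh HTTP/1.0
Host: www.example.org
mod_security-message: Access denied with code 500. Pattern match "/bin/sh" at THE_REQUEST.
mod_security-action: 500

HTTP/1.0 500 Internal Server Error

--------------------------------------
========================================
Request: 203.0.113.7 - - [08/Nov/2005:15:35:02 +0000] "GET /modules.php?name=News&file=wget HTTP/1.0" 500 0
Handler: (null)
----------------------------------------
GET /modules.php?name=News&file=wget HTTP/1.0
Host: www.example.org
mod_security-message: Access denied with code 500. Pattern match "wget" at THE_REQUEST.
mod_security-action: 500

HTTP/1.0 500 Internal Server Error

--------------------------------------
========================================
Request: 198.51.100.12 - - [08/Nov/2005:15:40:11 +0000] "GET /index.php?p=/bin/sh HTTP/1.0" 500 0
Handler: (null)
----------------------------------------
GET /index.php?p=/bin/sh HTTP/1.0
Host: www.example.org
mod_security-message: Access denied with code 500. Pattern match "/bin/sh" at THE_REQUEST.
mod_security-action: 500

HTTP/1.0 500 Internal Server Error

--------------------------------------
EOF

summarize_audit_log "$SAMPLE_LOG"
```

Run it against the real file with summarize_audit_log /var/log/httpd/audit_log; a pattern with a high count from many unrelated clients is usually a too-broad filter rather than an attack, and a single address hitting many different patterns is the probing the post describes.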
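Added example, not part of Tom's post: a small check for the noexec suggestion, verifying from the mount table whether /tmp, /var/tmp and /dev/shm (the scratch directories the filters above name) are actually mounted without execute permission. It reads /proc/mounts format; the mount table and device names below are constructed for the example.

```shell
# Added example (not from the original post): verify that a mount point
# carries a given option, reading /proc/mounts format (or a file passed as $3).
#
# A matching /etc/fstab line for a dedicated partition would look like
# (device name is a placeholder):
#   /dev/hda5  /tmp  ext3  defaults,nosuid,nodev,noexec  1 2

mount_has_option() {
    # $1: mount point, $2: option (e.g. noexec), $3: mounts table (default /proc/mounts)
    awk -v mp="$1" -v opt="$2" '
        # /proc/mounts fields: device mountpoint fstype options dump pass
        $2 == mp {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "${3:-/proc/mounts}"
}

# Constructed mount table (not a real host): /tmp hardened, /var/tmp not,
# /dev/shm not a separate mount at all.
SAMPLE_MOUNTS=$(mktemp)
cat >"$SAMPLE_MOUNTS" <<'EOF'
/dev/hda2 / ext3 rw 0 0
none /proc proc rw 0 0
/dev/hda5 /tmp ext3 rw,nosuid,nodev,noexec 0 0
/dev/hda6 /var/tmp ext3 rw 0 0
EOF

# Report each scratch directory the mod_security filters in the post mention.
check_scratch_dirs() {
    # $1: mounts table (default /proc/mounts)
    for d in /tmp /var/tmp /dev/shm; do
        if mount_has_option "$d" noexec "$1"; then
            echo "$d: noexec"
        else
            echo "$d: NOT noexec (not a separate mount, or mounted without noexec)"
        fi
    done
}

check_scratch_dirs "$SAMPLE_MOUNTS"
```

Two caveats worth knowing before relying on this: noexec only stops files on that filesystem being executed directly, so a script handed to an interpreter as an argument still runs, which is why the filters above stay useful alongside it; and some package installers write and run helpers under /tmp, so test the mount change before applying it to a production box.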