cPanel ModSecurity v2.9.3 results in apache service failures

The following update to the ea-apache24-mod_security2 RPM was included as part of the initial May 29 EasyApache 4 Release: EA-8081 – Update Mod_security2 to 2.9.3 Upon the publication of this update, we observed reports of Apache service failures stemming from ModSecurity segmentation faults. kernel: [123456.123456] httpd[12345]: segfault at 9 ip 0000000000000000 sp 0000000000000 error 4 … Read more

Whitelist rule with LocationMatch

Tutorial

Sometimes you need disable ModSecurity rules in specific url or program, because it causes false positives. This tutorial we show how you can whitelist rule or rules with apache LocationMatch directive. LocationMatch examples WordPress admin <locationmatch “/wp-(admin|login)/”> SecRuleRemoveById 150005 SecRuleRemoveById 150006 </locationmatch> phpmyadmin <locationmatch “/phpmyadmin/”> SecRuleRemoveById 150005 SecRuleRemoveById 150006 </locationmatch> Depend your server configuration, like … Read more

Custom ModSecurity Error message in apache

Tutorial

This tutorial we show that you can change the custom error message page to ModSecurity. Typically, you get 403 or 406 Response code when ModSecurity block access to website. Apache configuration In apache configuration files (Depend your OS & Configuration) includes / errordocument.conf ErrorDocument 403 /403.shtml Add extra row to 406 error page: ErrorDocument 406 … Read more

Install ModSecurity with Apache on Ubuntu 16.04 LTS

Tutorial

In this guide we will see how to install ModSecurity Web Application Firewall (WAF) to secure your apache web server. You need an Apache Web Server installed on your Ubuntu 16.04 LTS before you proceed with installation of ModSecurity WAF. Installing Apache To install Apache on your Ubuntu, issue following commands $ sudo apt-get update … Read more

Why choose Malware Expert Commercial ModSecurity Rules ?

ModSecurity

No matter how well a web server is configured, it is useless if it’s not properly secured. It’s a famous saying, ‘a chain is as strong as its weakest link’. As a system admin you have to address all vulnerabilities of your server. Since one single untreated vulnerability will be exploited by an attacker and … Read more

Processing phases of Modsecurity

Tutorial

ModSecurity works on a powerful language of rules and its API allows monitoring of HTTP(S) that is coming in and out of your web server, to keep your web applications up and running all the time. This article is written to show how ModSecurity protects web applications running on Apache Web Server. The below diagram … Read more

How SecRemoteRules working ?

Tutorial

ModSecurity SecRemoteRules directive allows the user to load rules from a remote server. Requirements Internet connection ModSecurity at least 2.9.x How SecRemoteRules Works 1. When HTTP daemon starts, it loads the configuration files. 2. Configuration files have the SecRemoteRules directive, which tries to connect the Remote Server load rules. 3. When the connection is created … Read more

Bot Network Scanners Activated

During analysis of our logs we noticed that an automated attack against PHP is going on, using a vulnerability in PHP. Attacker is trying to make use of CVE-2012-1823, this only applies if your PHP is used in CGI mode (mod_php is not vulnerable to this). POST /%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E Decoding the URL gives: Using -d parameter … Read more

Bash Vulnerability

Bash Vulnerability is a family of security bugs in the widely used Unix Bash shell. Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer … Read more