Security :: Mod_security And PCI-DSS Compliance With Breach Security's Enhanced Rule Set
Jul 19, 2010
Currently I'm looking into implementing mod_security on all our apache servers. The installation on CentOS 5.5 comes directly with the "Core Rule Set" by the mod_security devs (curiously Debian and Ubuntu do not carry these) They also offer the Enhanced Rule Set for mod_security in a commercial package [URL] The main point there in their info link is the first point
Quote:
Tracking Credit Card Usage as required by the Payment Card Industry Data Security Standard However acc. to this wiki article ( http://en.wikipedia.org/wiki/Payment...urity_Standard ) that specific requirement isn't stated anywhere, as well as my colleague who's working on the PCI-DSS compliance for our code/servers/etc. mentioned that he hasn't heard of this specific requirement either. So my question would be if anyone has any experience with their ERS package and if it's needed for the PCI-DSS compliance compared to the requirements given in bullet points @ wiki article.
View 2 Replies
ADVERTISEMENT
Sep 29, 2010
I have just installed the latest version of mod_security from source on Ubuntu Server 10.04. And it seems like it went okay while I followed the official installation manual for UNIX.
Question 1: How do I know that mod_security is really on? Can I view any status anywhere?
Question 2: What's the difference between the base_rules and the optional_rules? When I load the optional_rules, I always get an error message and Apache2 won't run. The base_rules works fine.
View 6 Replies
View Related
Jul 16, 2010
Question (and Google results aren't making this clear): Ubuntu has both iptables & ip6tables installed. 1. If I set a rule in iptables, does that rule also apply to ipv6, or just ipv4?
2. If "no" to above, then it would be prudent to *also* set ip6tables rules as well if I want to maintain an active firewall, correct?
3. Does ip6tables rules have the same syntax and behavior (more or less) to iptables rules - i.e. can I just copy my iptables rules & change "iptables" to "ip6tables"?
4. Any gotchas or issues that I should be aware of?
View 9 Replies
View Related
Jan 21, 2011
My debian server has been attacked due to a security breach in exim4 4.69-9 (probably applies to loads of other versions too). The security breach allows the attacker to get root access by creating a buffer overflow in a header which then can be used to inject code.
[URL]
The securtiy breach is fixed with 4.69-9+lenny1 I want to share my actions with you on what I did to (hopefully) get rid of it. However at the time of writing this, the above website is down due to too much load (DDOS Attack?). How you can check if you've been attacked:
The attack creates a buffer overflow in exim4, which results in paniclog entries.
$ cat /var/log/exim4/paniclog
2010-12-17 07:34:11 string too large in xxxyyy()
2010-12-19 10:42:10 string too large in xxxyyy()
this would be an example of two attacks. One on 2010-12-17 and the other two days later 2010-12-19.with this information you can start find potentially infected files. There may be a better way, but I searched for them with this command:
$ find / -mtime 31 2>/dev/null # files,directories,links created 31 days ago (i.e. 2010-12-17)
My infected files:
/usr/bin/uptime
/usr/bin/pwdx
/usr/bin/slabtop
[code]....
View 4 Replies
View Related
Jan 21, 2010
If you use Tor, you're cautioned to update now due to a security breach. In a message:URL.. on the Tor mailing list dated Jan 20, 2010, Tor developer Roger Dingledine outlines the issue and why you should upgrade to Tor 0.2.1.22 or 0.2.2.7-alpha now: "In early January we discovered that two of the seven directory authorities were compromised (moria1 and gabelmoo), along with metrics.torproject.org, a new server we'd recently set up to serve metrics data and graphs. The three servers have since been reinstalled with service migrated to other servers." Tor users should visit the download page and update ASAP!URL...
View 1 Replies
View Related
Jun 30, 2010
I've had a password on my 10.04 installation since I installed it (when it was released) and since last week it has disappeared. My computer seems to log in automatically. When I check the login screen settings, it is set to "show the screen for choosing who will log in".
View 5 Replies
View Related
Sep 24, 2010
Basically, out of the box, is SUSE hardened to meet DISA STIG compliance? along with the question came a 500 page UNIX Security checklist I am not looking forward to reading through nor typing 5000 commands.
View 1 Replies
View Related
May 13, 2009
Once the mod_security module gets loaded to apache, autoindexing stops to work. In a folder without index.html the server says: 403 Forbidden You don't have permission to access /TheFolder/ on this server. I was trying to find something to comment out in the /etc/httpd/modsecurity.d and in the modsecurity.conf files .. but couldnt find anything relevant. how to have mod_security on with haveing autoindexing on aswell?
View 3 Replies
View Related
Jul 22, 2010
currently I'm fiddling around with mod_security for apache2 configurations on CentOS boxes, right now in a test environment first (i.e. separate non production box).CentOS includes the mod_security "Core Rule Set" by Breach Security Inc, the devs behind that module.So far all's running mostly, logs/auditlogs etc.For simple testing, I made a small php form as following:
Code:
<?php
$link = mysql_connect("localhost",$user,$pass); //un/pw obfuscated for forum post
[code]...
View 1 Replies
View Related
Dec 20, 2010
I guess this is the right place to put questions about iptables, so forgive me if it is not.I have a MySQL database which I need to allow connections to: 1 - the internal network; 2 - the web server (Apache) connections;3 - A user who is out of this network in a range of dynamic IP.Let's suppose the range IP for this user is 179.4.247.0-179.4.247.254 and the server; where is MySQl and Apache is 60.22.30.232. This user will use the windows client MySQL tool to make connections into this database.
So I think these rule below allow connections to the internal network and apache:
iptables -A INPUT -i eth0 -m state state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth1 -m state state ESTABLISHED,RELATED -j ACCEPT
[code]....
View 8 Replies
View Related
Jul 23, 2011
For example, can I write something to the effect: block all outbound UDP connections over port 53 except those going to IP 123.456.789. Or stated another way: Block outbound to port 53/udp NOT going to ip address 123.454.678Is it possible to do this? How would I write the argument?
View 3 Replies
View Related
Sep 1, 2011
I need help creating an iptable rule. The iptables are installed on my router. My router also connects to a "hide my a**" vpn account
at 79.142.65.5:443 The goal is to somehow force the traffic to go through the vpn, because what sometimes happens is, the vpn connection drops (for what ever reason) and my real ip becomes exposed. Basically, I want to block "myself" from accessing the Internet when not connected to the vpn because of privacy concerns.
Below is my iptables. It has the 3 default chains and it also has many custom user chains. I need to know what kind of a rule to add, What interface to apply it to (lo,tun0,br-lan,eth1) and the correct chain to insert into.For example, you could tell me something like:
Quote:
FORWARD chain, change rule 1 to
iptables -R FORWARD 1 -j zone_wan_MSSFIX -p tcp --destination-port 443 -i eth1
Obviously, That was just a guess, I need someone that knows iptables to help me.
Code:
Chain INPUT (Policy: ACCEPT)
Rule # Traffic Target Prot In Out Source Destination Options
Rule 1 72.95 KB DROP all * * 0.0.0.0/0 0.0.0.0/0 state INVALID
Rule 2 1.11 GB ACCEPT all * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
[code].....
View 3 Replies
View Related
Apr 5, 2011
My firewall , wich is an Ubuntu server 10.10 , have 3 interfaces:
eth0(192.168.0.254):linked to the DMZ
eth1(192.168.1.254):linked to the LAN
eth3(212.217.0.1):linked to the Internet
-The DMZ have one web server with a static address (192.168.0.1).
-My LAN address range is (192.168.1.2-192.168.1.100) managed by a DHCP server in the same firwall machine.
There are some of the rules that I need to set up :
-Allow HTTP between the LAN and the internet
-Allow HTTP between the web server in the DMZ, and the internet.
Is there a way to tell the firewall , to redirect all incoming HTTP requests only to the web server in the DMZ ?
View 4 Replies
View Related
Nov 17, 2010
I'am using the explicit match 'quota' with iptables. I wonder how can I save quota between restart for every rule. All the quota resets at reboot.
View 1 Replies
View Related
Mar 4, 2011
I am using squid on my fedora box as a proxy server.By default the iptables (Firewall) service is on.To allow web pages to my client machines i stop the iptable service.
#service iptables stop
By doing it client computers start browsing.kindly how can I add a rule so that without stoping firewall client compter work fine.my perver IP address is 10.1.80.10
View 3 Replies
View Related
Feb 23, 2010
I'm not an iptables expert. Anybody know how to create a rule/chain that will log info similar to what tcpdump -s0 would do?
View 3 Replies
View Related
May 16, 2011
How do I redirect all the UDP traffic on port 27016 of my current dedicated server to a new IP port 27015 using IP tables?
View 1 Replies
View Related
Apr 21, 2010
Just wanted input for this script i have cobbeled together. Its not done yet. I am trying to think of ways to close up my outgoing while maintaining full functionality of my laptop ( irc, web stuff, a torrent or two, etc.) . Anyways, I have done some myself; as well as, pulling bits and pieces from other stuff out on the web. I am starting to wonder why i have to write a specific rule to check for spoofed packets if my default input is set top drop. wouldnt it be caught?
Code:
#!/bin/bash
### Laptop + Desktop: No Forwarding firewall ip4 / ip6
### Distro > Debian / Ubuntu.
### oliverteasley@gmail.com
[Code]....
View 12 Replies
View Related
Jan 3, 2011
how can i drop igmp port 0 packets with iptables rule? my log file is full of this router advertisement.
View 2 Replies
View Related
Nov 26, 2010
The iptables has every rule set correctly, the users in the subnet works great, but I have the following issue.every user connect to a mysql running on the internet through the port 3306, the forward and masquerade do the job. Now I have a user in the outside, and he wants to connect to a mysql in a certain machine (Not the gateway), prerouting rules solve my problems, but all the packages from the inside users goes now to that certain machine. I would like something like if the package passed trough masquerade don't pass trough the prerouting rule, and if it come from the outside (Not a package that come from a petition from the inside) pass trough the prerouting rule.
View 6 Replies
View Related
May 21, 2011
I am setting up a virtual server. Ubuntu 11.04, "minimal provider image".UFW was disabled by default. I set it to default deny. Allowed HTTP, SSH and other standard stuff, and enabled it. All seems to be OK. Adding one rule to block some annoying security scanners causes ping not to work. I'm not an Iptables expert, but it looks OK to me. I got it from some website, rather than invented it myself, but modified to to fit the ufw config file syntax. What in that rule prevents pings?!? It seems completely unrelated.
View 1 Replies
View Related
May 22, 2011
love security/pentest tools. This script adds ALL the tools from the Security Spin, plus Metasploit. Feel free to modify it if need be.
View 12 Replies
View Related
Jan 19, 2010
ubuntu 9.10 login panel is worse with respect to ubuntu 8 since now all the users with names are shown without a way to hide them!Why don't keep the old way at least as an option?
View 5 Replies
View Related
Oct 15, 2010
To avoid having to input a password for the keyring each time I connect to the net via wireless, I enabled the 'Available to all users' option in Network Manager. Now, my question is this. Are the 'users' it refers to just those created on this machine? Would a drive-by be able to use my network without entering the password?
View 3 Replies
View Related
Jan 17, 2011
1. I understand you can protect your files or directories in your website by setting file/directory permissions. The meaning of r w x is clear to me, but I'm not sure how to proceed... Starting with the index.html file, if I wanted to make it so that anyone in the world can read it but can't modify it, do I set its permissions to rwxr-xr-x? If I set it to rwxr--r--, would that mean the file couldn't be served? I mean, what does the x setting do on a .html file, how can a .html file be executable?
2. If file permissions work on the lines of owner-group-others, in the context of a website, who is 'group'? As far as I can tell, there's only the owner, which is me, and others, which is the world accessing the site. Am I correct in thinking that by default, say when creating a website on a shared hosting server, there is no group unless I specifically set one up?
3. My ISP allows the DynDNS.org service, meaning that I could serve a website from my home. It's too early to go that route just yet, but for future reference, I would like to ask about the server software called Hiawatha. It is said to be secure, but having read some evaluations of it, it doesn't seem to offer anything that couldn't be accomplished with Apache or Cherokee, it's just that its security settings are simpler and easier to configure. Am I right about this? Or does Hiawatha truly offer something that the other major server packages don't?
View 9 Replies
View Related
Apr 13, 2011
this is the allert i got:Code:Summary:Your system may be seriously compromised! /usr/sbin/NetworkManager tried to loada kernel module.Detailed Description:SELinux has prevented NetworkManager from loading a kernel module. All confinedprograms that need to load kernel modules should have already had policy writtenfor them. If a compromised application tries to modify the kernel this AVC willbe generated. This is a serious issue.Your system may very well be compromised.Allowing Access:Contact your security administrator and report this issue.Additional Information:
Source Context system_u:system_r:NetworkManager_t:s0
Target Context system_u:system_r:NetworkManager_t:s0
Target Objects None [ capability ]
[code]....
View 5 Replies
View Related
Mar 3, 2011
i updated both browsers i have and lost my secure log-in pages (no padlocks showing ) concerning different Web mail accounts.Just before i did these updates i checked an unrelated thing on-line regarding my sound card of which i kept a copy of and got this message below :
!!ALSA/HDA dmesg
!!------------------
[ 12.762633] cfg80211: Calling CRDA for country: AM
[code]....
View 2 Replies
View Related
Apr 7, 2009
I'm just curious as to what security measure's I should be taking to make my box a little less vulnerable? I'm still experimenting/playing with Linux, use the net, IM, download this and that and was wondering how secure fedora 10 was out of the box?
View 12 Replies
View Related
Apr 8, 2009
During a recent install I made the leap to encryption,but /boot must remain unencrypted.Is there really any legitimate security risk to having an unencrypted /boot partition? I mean basically someone can just see what kernel you're running which they could see during boot anyways right? Oh I and keep all my financial documents in /boot/finances/ (haha ok not really, but I am serious about the first part).
View 5 Replies
View Related
May 30, 2010
Is it possible to install security lab menu on a normal Fedora 13 installation? I don't want to use security spin.
View 14 Replies
View Related
