Security :: Mod_security With CRS Adjustments To Capture Php POST Sql Injection Attempts?
Jul 22, 2010
Currently I'm fiddling around with mod_security for apache2 configurations on CentOS boxes, right now in a test environment first (i.e. separate non production box). CentOS includes the mod_security "Core Rule Set" by Breach Security Inc, the devs behind that module. So far all's running mostly, logs/auditlogs etc. For simple testing, I made a small php form as following:
Code:
<?php
$link = mysql_connect("localhost",$user,$pass); //un/pw obfuscated for forum post
[code]...
Jul 19, 2010
Currently I'm looking into implementing mod_security on all our apache servers. The installation on CentOS 5.5 comes directly with the "Core Rule Set" by the mod_security devs (curiously Debian and Ubuntu do not carry these). They also offer the Enhanced Rule Set for mod_security in a commercial package [URL]. The main point there in their info link is the first point
Quote:
Tracking Credit Card Usage as required by the Payment Card Industry Data Security Standard
However, acc. to this wiki article ( http://en.wikipedia.org/wiki/Payment...urity_Standard ) that specific requirement isn't stated anywhere, and my colleague who's working on the PCI-DSS compliance for our code/servers/etc. mentioned that he hasn't heard of this specific requirement either. So my question would be if anyone has any experience with their ERS package and if it's needed for the PCI-DSS compliance compared to the requirements given in bullet points @ wiki article.
Sep 29, 2010
I have just installed the latest version of mod_security from source on Ubuntu Server 10.04. And it seems like it went okay while I followed the official installation manual for UNIX.
Question 1: How do I know that mod_security is really on? Can I view any status anywhere?
Question 2: What's the difference between the base_rules and the optional_rules? When I load the optional_rules, I always get an error message and Apache2 won't run. The base_rules works fine.
May 13, 2009
Once the mod_security module gets loaded to apache, autoindexing stops working. In a folder without index.html the server says: 403 Forbidden You don't have permission to access /TheFolder/ on this server. I was trying to find something to comment out in the /etc/httpd/modsecurity.d and in the modsecurity.conf files, but couldn't find anything relevant. How can I have mod_security on while having autoindexing on as well?
May 20, 2010
I am facing a problem on my Linux servers running php sites: most of the time a hacker uploads a file to my website, takes control, hacks the sites, shoots out thousands of mails, etc.
Apr 12, 2010
I'm trying to implement this method to block php injection attack using fail2ban: here it is, however I'm not sure it applies to Ubuntu. You see, there's this filter that must be added to the fail2ban jail file:
HTML Code:
[php-url-fopen]
enabled = true
port = http,https
filter = php-url-fopen
[Code]....
Mar 19, 2010
Our client-accounts were recently injected with the following script, and since there are too many files that were injected (only index.php and index.html), how can this script be traced with a search command and removed in all files found?
[Code].....
Mar 2, 2011
I want to do some pen-testing using aircrack-ng on my local network and currently the only wireless adapter I have is the WNA 1100 netgear adapter. I am using the ath9k_htc driver.
Apr 28, 2009
I know this is probably easy and if I only took a while to figure it out maybe I could, but I have some stuff that needs to happen soon and I can't figure this out. I was wondering how I could have a log monitor that would email me whenever someone tries to login over ssh to my system. I'm open to everything: daemons/scripts or cron, it all works, as I am not running a production server (but I might be starting that soon). Oh, and just an aside: how do I get sent an email when I get port scanned?
Nov 15, 2009
I have a server box behind my ISP router at home, and I need to allow ssh access to my server. My ISP router doesn't let me allow selectively ssh from some IP. It allows ssh to everyone.
I have fedora10 and openssh-server-5.1p1-3. How can I configure openssh to allow just from 1 IP?
Does it use xinetd at all and the hosts.allow and .deny mechanism?
Jun 29, 2010
How can I set up snort to only log and detect/capture logins using root or any of the "homeusers" login accounts or names?
Sep 30, 2010
I'm running the firestarter firewall and it's been showing the odd ssh attempt quite often, e.g. I've had 4 attempts today, 3 in the last 40 mins. I realize that this may be nothing too serious but it's got me curious: aside from having a secure password (which I have), is there anything else that I can do to ensure that my system is as secure as possible from ssh? I do use ssh within my home network so I don't want to disable it completely.
Oct 23, 2010
I have an SSH server on my laptop, and I'm using the default configuration file, but I added "AllowUsers <myUserName>". I get lots of login attempts like the ones below in my /var/log/auth.log. From Google, I find that pam_winbind allows some kind of Windows authentication. This leaves me with 2 questions. What does winbind do when I have not configured any Windows/Samba accounts? How can I turn it off?
Code:
Oct 23 20:01:49 muon sshd[24329]: User root from 201.116.17.163 not allowed because not listed in AllowUsers
[code]...
Nov 18, 2010
I run SSH on a publicly open server and see the following attempts in /var/log/auth.log, which I was told by someone could be port scanning attempts. (Not sure though)
Code:
Nov 18 23:50:19 server sshd[21716]: Did not receive identification string from 186.0.80.197
Nov 19 00:05:57 server sshd[24056]: Did not receive identification string from 85.108.110.66
How can I block above such attempts?
May 20, 2010
How does one unlock an account when it is locked by too many failed attempts for login?
Mar 22, 2011
I am running a ubuntu server 10.10 with SSH, and OpenVPN. I use it mainly for the VPN, but I have seen log in attempts such as:
Mar 22 14:52:53 UbuntuSvr sshd[2397]: Invalid user support from 85.217.190.69
Mar 22 14:52:55 UbuntuSvr sshd[2399]: Invalid user student from 85.217.190.69
Mar 22 14:52:57 UbuntuSvr sshd[2401]: Invalid user transfer from 85.217.190.69
Mar 22 14:52:59 UbuntuSvr sshd[2403]: Invalid user user from 85.217.190.69
[Code]...
Is it possible to make it so when some one has tried logging in 5 times with an invalid user/pass that the ip is banned for 10 minutes? I have password auth set to no and am using keys.
May 25, 2010
I'm trying to lock an account after a number of failed login attempts in a RHEL5.
This is the relevant configuration in /etc/pam.d/system-auth
In the logs I can see how the count of failed logins increases and exceeds my deny option, but the account isn't locked.
Do I need any other option in the PAM file? Is there any other way to lock an account?
Aug 9, 2010
My server (CentOS 5.4) is being bombarded 24x7 with IP addresses from China trying to exploit phpMyAdmin. For every one I block on the firewall, half a dozen come to the funeral! It's a pity these morons don't have something better to occupy their time. I'm getting page after page of this (see below) every day and it's been going on for weeks. I don't even have phpMyAdmin on the server. I don't use it and I deleted it.
I've read that you can use .htaccess and / or mod_rewrite to redirect / block them based on any query for phpMyAdmin (they try all letters in upper and lower case, leading to page after page). Unfortunately, I have no idea of how to do this. I already have an .htaccess file. Maybe someone can suggest what to add to stop these pests from wasting my bandwidth and suggest somewhere I could redirect them to to cause them maximum problems. I don't want to block the entire country, seems a bit like overkill, not all Chinese are morons. We aren't even in the USA, so why they are doing this is beyond me.
A TINY sample!
[Sun Aug 08 13:29:08 2010] [error] [client 61.191.41.53] File does not exist: /var/www/corp/phpMyAdmin-2.7.2
[code]...
Apr 1, 2011
I want to count the failed root login attempts so that I can do an action when the user fails to login as root three consecutive times (like log a line in syslog).
Jan 15, 2011
I'd like to limit login attempts for a specific user. I've found information in manpages: [URL] but I'm not sure if this '@' is purposely there, so would that be correct?
Code:
aparaho - maxlogins 4
or
Code:
@aparaho - maxlogins 4
Maybe '@' is a group syntax? I'm confused.
What happens after 4 failed logins? Is it enough to restart the system to get more login attempts?
Are there any other values that it is reasonable to limit for safety reasons?
Feb 16, 2011
I am trying to get OpenLDAP to authenticate user logins, but running around in circles. Are there any logs produced by either client and/or server that would indicate possible reasons why it was unable to login as a user? Below is an explanation, any ideas would be appreciated, as I think everything is setup as per the various articles on using LDAP.
I have a CentOS 5.5 OpenLDAP server, and several others, some host services, some are file shares (samba). So far I have been able to successfully configure OpenLDAP to carry out all the ldap* commands from both the local server and from any of the remote servers, either via non-ssl or ssl connections. However, as soon as I try connecting any services up to it, it doesn't play ball. Back to basics, having cleared off all previous attempts at this from all machines, I have gone through the following:
Installed OpenLDAP server/client on host (plus nss_ldap).
Configured /etc/openldap/slapd.conf (see below)
Configured /etc/openldap/ldap.conf (see below)
[code]...
Oct 22, 2010
On my server I sometimes login from my home where I have an internet connection which does not have a static IP; each time I switch on my modem a dynamic IP is generated. I see in auth.log logs of following lines
Quote:
reverse mapping checking getaddrinfo for kkts-kk-dynamic-01.1.168.192.some_broadband.in [192.168.1.2] failed - POSSIBLE BREAK-IN ATTEMPT
Accepted publickey for root from 192.168.1.2 port 22852 ssh2
whenever I login to my server from home. In this case I do know that it was me who logged in, but still why do I see such a log? What is this complaining about?
Apr 28, 2011
Is there an ssh or sshd parameter that can be set to block out a user after a set number of attempts to login?
Oct 28, 2010
I am using denyhosts on a server, so in the config file /etc/denyhosts.conf the following value is set
Quote:
DENY_THRESHOLD_INVALID = 3
which as per their configuration file says
Quote:
DENY_THRESHOLD_INVALID: block each host after the number of failed login
# attempts has exceeded this value. This value applies to invalid
# user login attempts (eg. non-existent user accounts)
[code]...
Apr 23, 2011
I've done some searching on googlubuntu for an answer to this but haven't found anything.
As a Linux newbie I was wondering if there are certain types of output from the terminal I should beware of posting for everyone to see? Also are there any codes; that, if I were to be asked to run and report the output on, should raise a red flag?
Jun 19, 2010
When connecting to an unknown unsecured wireless network, is it possible for someone to capture a header and resend it even if it's over https? For example I login on an ipod or on a computer and connect to a server through https and password auth. Although anyone monitoring the transmission could not get hold of my password since it's encrypted, could they just capture the header and resend it 5mins later to logon again without even knowing the password?
Feb 22, 2010
When I restart my computer the following messages come up:
__________________________________________________ _
init: usplash post-start process (2221) terminated with status 1
* Stopping ClamAV virus database updater freshclan
[code]....
Apr 4, 2011
Second off, I'm trying to capture a user password on login (through gdm) such that I can re-use it for a service like Kerberos or AFS. The idea is that the user has to log in only once, and then I renew the tickets and tokens until they log out again. If there's a better way to do this
Jul 1, 2010
I was wondering how to activate encryption on my home folder, like suggested when creating the first user, in 10.04? Also, is it any good to use? It's a work computer with sometimes private documents (cv, docs, etc) and I would like to be sure no one can access it, even as root.
Jun 5, 2010
I am looking for an screen capture application which auto runs when ubuntu starts up and work without any instructions or clicking capture or anything,
= "Some1" ** Turns on the System --> UBUNTU Loads --> the Screen capture Runs--> it takes screen shots with out "Some1"s knowledge// turns off system....
I get home -->> turn on system -->> screen shots r saved.. n um checking em...!!!