Dealing With Mod_Security With LightSpeed Web Server

My personal opinion is that as long as you use a good iptables ruleset, keep your server and software up to date, and don't use applications with terrible coding standards, you'll be fine.

My site's all XenForo now. How should I check the iptables ruleset, and what'd qualify as a 'good' ruleset?
 
Apache. And yes, there's a mod_security module for nginx as well.

Yep... but it looks like to use it you have to compile nginx yourself. The latest Debian Wheezy .deb install reports:
Code:
root@centauri:/var/log# nginx -t
nginx: [emerg] unknown directive "ModSecurityEnabled" in /etc/nginx/sites-enabled/twowheel:67
nginx: configuration file /etc/nginx/nginx.conf test failed
 

This is what I use (from iptables-save). The rules are in a text file named rules.set. To restore I just do an iptables-restore < rules.set
I also use fail2ban on my server (a dedicated Debian box).
Code:
# Generated by iptables-save v1.4.14 on Wed May 29 09:42:31 2013
*filter
# Default policies: drop anything inbound or forwarded that no rule accepts; allow outbound
:INPUT DROP [41:21590]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [77:11652]
# No target on this rule: it only counts packets addressed to the server
-A INPUT -d 199.48.164.104/32
# ICMP time-exceeded, source-quench and destination-unreachable
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
# Loopback, and replies to connections this host opened itself
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# TCP 10000, SSH and HTTP accepted; FTP dropped explicitly (the INPUT policy would drop it anyway)
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# Never reached: port 80 was already accepted by the rule above
-A INPUT -p tcp -m tcp --dport 80 -j DROP
# Repeat of the loopback rule (harmless)
-A INPUT -i lo -j ACCEPT
# Same ICMP types again plus echo reply/request, restricted to eth0
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Ident: answer with a TCP reset so remote mail/IRC servers don't wait on a timeout
-A INPUT -i eth0 -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
# HTTPS over TCP, and UDP 443
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 443 -j ACCEPT
# RIP: reject with an ICMP error instead of silently dropping
-A INPUT -i eth0 -p udp -m udp --dport 520 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i lo -j ACCEPT
# Nothing is forwarded except loopback and already-established flows
-A FORWARD -o lo -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Counter-only rule again, this time for outbound traffic from the server's address
-A OUTPUT -s 199.48.164.104/32
-A OUTPUT -o lo -j ACCEPT
COMMIT
# Completed on Wed May 29 09:42:31 2013
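The question above was how to check an iptables ruleset. As an added example, not a script from this thread, the POSIX shell below audits an iptables-save dump for three things a reviewer otherwise looks for by hand: rules with no target (they only count packets), exact duplicates, and a later unqualified rule on the same chain, protocol and port that an earlier rule already matches, like the ACCEPT followed by DROP on port 80 in the ruleset above. The sample dump is constructed for the example and uses the documentation address 203.0.113.10; run it against your own file with sh audit.sh rules.set.

```shell
#!/bin/sh
# Static audit of an iptables-save dump: flags rules that do nothing or
# can never match. Added example for this thread, not the poster's script.
# Usage: sh audit.sh rules.set   (or pipe a dump on stdin)

# Constructed sample modelled on the ruleset above; 203.0.113.10 is a
# documentation address, not a real host.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -d 203.0.113.10/32
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j DROP
-A INPUT -i lo -j ACCEPT
COMMIT'

# audit_rules [file]: print one finding per line; reads stdin if no file.
audit_rules() {
    awk '
    # A rule with no -j/-g target only increments counters.
    /^-A / && $0 !~ / -j / && $0 !~ / -g / { print "no-target: " $0 }

    # An exact repeat of an earlier rule can never add anything.
    /^-A / { if (seen[$0]++) print "duplicate: " $0 }

    # A later rule on the same chain/protocol/port is shadowed when an
    # earlier rule already matched that port with no -i/-s/-d qualifier.
    /^-A / && / --dport / && $0 !~ / -i / && $0 !~ / -s / && $0 !~ / -d / {
        chain = $2; proto = ""; port = ""; target = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            if ($i == "--dport") port = $(i + 1)
            if ($i == "-j") target = $(i + 1)
        }
        key = chain "/" proto "/" port
        if (key in first) print "shadowed by " first[key] ": " $0
        else first[key] = target
    }' "$@"
}

# With no file argument, audit the constructed sample.
if [ "$#" -gt 0 ]; then audit_rules "$@"; else printf '%s\n' "$SAMPLE_RULES" | audit_rules; fi
```

This is a static check only: it does not understand every match extension, so treat a "shadowed" finding as something to look at, not a verdict. The complement is iptables -L -v -n on the live box, whose packet counters tell you which rules are actually being hit.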
 

A good ruleset basically drops all incoming traffic, except for the ones you set.

As a simple example, something like:

Code:
*filter

# First drop all incoming connections for whatever your port range is (used tracy's above; iptables-restore ignores the [packets:bytes] counters unless you pass -c)
:INPUT DROP [41:21590]
# Drop all forwarding connections
:FORWARD DROP [0:0]
# Allow outgoing connections (for wget, system updates etc)
:OUTPUT ACCEPT [77:11652]

# Allow loopback, otherwise local services (resolver, memcached, MySQL over 127.0.0.1) can't talk to each other
-A INPUT -i lo -j ACCEPT

# Allow established connections for your server (so when you run yum for example, you can actually get the repo replies)
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Let through what you need
# SSH
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# HTTP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# HTTPS
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# FTP (control channel only; passive data connections also need the nf_conntrack_ftp helper or an explicit port range)
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
# MySQL (as written this is reachable from any address; add -s <client IP> if one known host needs it, or leave it out when the DB is local)
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT

# Make it go
COMMIT
 
Yep... as you noticed I do a "few" more things. I have a Munin plugin that monitors some stats I needed, did some DDoS prevention and I forget what else (too lazy to pull my notes out right now :p). If someone is not familiar with iptables, Shorewall is a fairly simple setup to use. I just like having a little more control over it and I'm used to command-line stuff (in fact, I normally prefer it as I learn more).
 
CSF is also good at helping set up iptables, either via command line or via the WHM plugin.
 
Update:

My web host has said they can disable mod_security for my site provided I'm confident that the software sanitises all POST calls using PHP & MySQL.

What do you all suggest? o_O
 
Why do people use the sledgehammer approach when it comes to mod_security? I'd truly like to know as I personally feel that to rip a security tool off your server because one rule isn't working properly isn't a proper mindset to be in when it comes to protecting your server.

If you have an issue with a rule, fix the rule or disable the rule. But to turn off mod_security because you can't be bothered to fine tune it is plain silly IMO. That includes disabling it in .htaccess because you can't be bothered to find what rule is triggering issues in the forum.

If you are unsure, rather than totally disabling mod_security, put it into detection-only mode (https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecRuleEngine), then run it for a while and look at the logs to review which rule sets you need to modify.

Does anyone have a list of things they modified for XenForo to be compatible with mod_security?
A forum I hang on ... has trouble ... especially with certain words like: tftp
 
I don't modify XenForo to be compatible with mod_security. I find the offending rule via the logs and either fix the rule or disable it.

I've kicked the Atomic Corp rules to the curb as there were issues with their new installer and the VPS I migrated to. I've gone back to the OWASP rules which are working rather well.
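Two replies above describe the same workflow: switch mod_security to detection-only with SecRuleEngine DetectionOnly, then find the offending rule in the logs and fix or disable it instead of turning the module off. The script below is an added example, not code from this thread or from the ModSecurity project, that does the log half of that in POSIX shell. It reads Apache error_log lines in the ModSecurity 2.x message format, counts hits per rule id, and for one id drafts a narrow Apache exclusion: SecRuleUpdateTargetById to stop that rule inspecting just the parameter it fired on (the usual fix when "tftp" is ordinary text in a forum post field), or SecRuleRemoveById when the message names no variable. The log lines, rule ids 999001 and 999042, the hostname and the URIs are all constructed for the example.

```shell
#!/bin/sh
# Summarise ModSecurity 2.x hits from an Apache error_log and draft a
# narrow exclusion for one rule. Added example for this thread, not
# code from the ModSecurity project.
# Usage: modsec_hits < error_log ; modsec_exclusion 999001 < error_log

# Constructed log lines (not real captures); rule ids 999001/999042,
# the hostname and the URIs are made up for the example.
SAMPLE_LOG='[Wed May 29 09:42:31 2013] [error] [client 198.51.100.7] ModSecurity: Warning. Pattern match "\\btftp\\b" at ARGS:message. [file "/etc/modsecurity/crs/40_generic.conf"] [line "12"] [id "999001"] [msg "Command Injection"] [severity "CRITICAL"] [hostname "forum.example.com"] [uri "/index.php?conversations/add"] [unique_id "a1"]
[Wed May 29 09:43:02 2013] [error] [client 198.51.100.7] ModSecurity: Warning. Pattern match "\\btftp\\b" at ARGS:message. [file "/etc/modsecurity/crs/40_generic.conf"] [line "12"] [id "999001"] [msg "Command Injection"] [severity "CRITICAL"] [hostname "forum.example.com"] [uri "/index.php?posts/42/edit"] [unique_id "a2"]
[Wed May 29 09:50:10 2013] [error] [client 203.0.113.9] ModSecurity: Access denied with code 403 (phase 2). Pattern match "union.*select" at ARGS:q. [file "/etc/modsecurity/crs/41_sqli.conf"] [line "80"] [id "999042"] [msg "SQL Injection"] [severity "CRITICAL"] [hostname "forum.example.com"] [uri "/index.php?search/search"] [unique_id "a3"]'

# modsec_hits: "<count> <id> <msg>" per rule, busiest first; log on stdin.
# Keys on [id "..."], so it sees both "Warning." (DetectionOnly) and
# "Access denied" (blocking) lines.
modsec_hits() {
    awk '
    match($0, /\[id "[0-9]+"\]/) {
        id = substr($0, RSTART + 5, RLENGTH - 7)
        msg = ""
        if (match($0, /\[msg "[^"]*"\]/)) msg = substr($0, RSTART + 6, RLENGTH - 8)
        n[id]++; m[id] = msg
    }
    END { for (id in n) print n[id], id, m[id] }' | sort -rn
}

# modsec_exclusion <id>: Apache config lines that silence rule <id> only
# for the variable it matched (or the whole rule if none was named).
modsec_exclusion() {
    awk -v id="$1" '
    index($0, "[id \"" id "\"]") {
        var = ""; uri = ""
        # "... Pattern match "x" at ARGS:message. [file ..." -> ARGS:message
        if (match($0, / at [A-Z_]+(:[^ .]+)?\./)) var = substr($0, RSTART + 4, RLENGTH - 5)
        if (match($0, /\[uri "[^"]*"\]/)) {
            uri = substr($0, RSTART + 6, RLENGTH - 8)
            sub(/\?.*/, "", uri)          # keep the path, drop the query string
        }
        key = var "|" uri
        if (key in seen) next             # one exclusion per variable/path pair
        seen[key] = 1
        print "# rule " id " matched " (var == "" ? "(no variable)" : var) " on " uri
        if (var ~ /:/) print "SecRuleUpdateTargetById " id " \"!" var "\""
        else print "SecRuleRemoveById " id
    }'
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | modsec_hits
printf '%s\n' "$SAMPLE_LOG" | modsec_exclusion 999001
```

SecRuleUpdateTargetById needs ModSecurity 2.6 or later and has to be loaded after the rule it modifies, so put the generated lines in a file that is included after the CRS rules rather than before them. The output is a draft: read the matched value in the log before excluding a parameter, since a field that legitimately carries "tftp" is a different situation from one that is receiving a real injection attempt.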
 