ConvolutedTheory Nerdy. Deal with it. Or go away.

27 Feb 2010

Drupal and mod_security : Part 2

Hi all,

I've gotten quite a few emails regarding my last post about Drupal and mod_security, and what those rules I'm removing actually do. Well, I'll explain.

First Rule: 960010
SecRule REQUEST_METHOD "!^(?:get|head|propfind|options)$" \
"chain, t:lowercase, deny,log,auditlog,status:401,msg:'Request content type
is not allowed by policy',,id:'960010',severity:'4'"
SecRule REQUEST_HEADERS:Content-Type "!(?:^(?:application\/x-www-form-urlencoded
(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$|multipart/form-data;)|text/xml)"

This rule only allows certain Content-Type headers on requests whose method is *not* one of those listed in the first SecRule (GET, HEAD, PROPFIND, OPTIONS): a POST, for instance, must declare application/x-www-form-urlencoded (optionally with a charset), multipart/form-data or text/xml. Apparently, Drupal doesn't respect this rule in posts.

Next, 960015
SecRule &REQUEST_HEADERS:Accept "@eq 0" \
"chain,skip:1,log,auditlog,msg:'Request Missing an Accept Header', severity:'2',,id:'960015',"
SecRule REQUEST_METHOD "!^OPTIONS$" "t:none"
SecRule REQUEST_HEADERS:Accept "^$" \
"chain,log,auditlog,msg:'Request Missing an Accept Header', severity:'2',,id:'960015',"
SecRule REQUEST_METHOD "!^OPTIONS$" "t:none"

This basically says, any request other than an OPTIONS request, *must* have an Accept header sent with it.

Next, 960032:
SecRule REQUEST_METHOD "!^((?:(?:POS|GE)T|OPTIONS|HEAD))$" \
"phase:2,log,auditlog,status:401,msg:'Method is not allowed by policy', severity:'2',,id:'960032',"

This says any methods other than POST, GET, OPTIONS or HEAD aren't allowed. While generally this is true, and I don't know why Drupal will occasionally hit this rule, I just remove it out of completeness.

And Lastly,

Rule 950107:
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@validateUrlEncoding" \
"chain, deny,log,auditlog,status:400,msg:'URL Encoding Abuse Attack Attempt',,id:'950107',severity:'4'"
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "\%(?!$|\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})"

This rule merely checks the URL encoding of the request: a % in the request filename, the arguments and their names, or any header except Referer must be followed by two hex digits (or by u and four hex digits), unless it ends the string or is followed by a non-word character. I say merely, but this rule is also matched almost _all of the time_.

I haven't actually run through the Drupal code and figured out why these are completely necessary, however I do know that they've fixed quite a few peoples problems.
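To see concretely which requests each of the four rules would flag, here is a small Python re-implementation of their checks, written for this post as an added example (it is not code from the blog or from the ModSecurity project). It transcribes the regexes from the rules quoted above, folds the chained @validateUrlEncoding operator of 950107 into that rule's regex, and runs the checks over constructed sample requests.

```python
import re
# Regexes transcribed from the CRS rules quoted above (960010, 960032, 950107).
CONTENT_TYPE_RE = re.compile(
    r"(?:^(?:application/x-www-form-urlencoded"
    r"(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$|multipart/form-data;)|text/xml)")
BAD_ESCAPE_RE = re.compile(r"%(?!$|\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})")
METHOD_960032_RE = re.compile(r"^((?:(?:POS|GE)T|OPTIONS|HEAD))$")

def rule_960010(req):
    # Body-carrying methods must declare a whitelisted Content-Type.  An absent
    # header gives ModSecurity no variable to test, so it cannot match.
    if req["method"].lower() in ("get", "head", "propfind", "options"):
        return False
    ctype = req["headers"].get("Content-Type")
    return ctype is not None and CONTENT_TYPE_RE.search(ctype) is None

def rule_960015(req):
    # Every request except OPTIONS must carry a non-empty Accept header.
    return req["method"] != "OPTIONS" and req["headers"].get("Accept", "") == ""

def rule_960032(req):
    # Only POST, GET, OPTIONS and HEAD pass (case-sensitive, as the rule is written).
    return METHOD_960032_RE.match(req["method"]) is None

def rule_950107(req):
    # A '%' that does not start a complete %XX or %uXXXX escape fires, unless it ends
    # the string or precedes a non-word char.  @validateUrlEncoding is approximated.
    targets = [req["path"], *req["args"], *req["args"].values()]
    targets += [v for k, v in req["headers"].items() if k != "Referer"]
    return any(BAD_ESCAPE_RE.search(t) for t in targets)

RULES = {"960010": rule_960010, "960015": rule_960015,
         "960032": rule_960032, "950107": rule_950107}

def fired_rules(req):
    return sorted(rid for rid, check in RULES.items() if check(req))

# Constructed sample Drupal form post (not captured traffic).
BASE = {"method": "POST", "path": "/node/add/page", "args": {"title": "Q1 report"},
        "headers": {"Accept": "text/html",
                    "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8"}}

def sample(**changes):
    # Copy of BASE with scalar fields replaced and dict fields merged.
    req = {k: dict(v) if isinstance(v, dict) else v for k, v in BASE.items()}
    for k, v in changes.items():
        req[k] = {**req[k], **v} if isinstance(v, dict) else v
    return req
```

Calling fired_rules(sample(args={"body": "done 100%Y"})) returns ['950107'], showing how a literal percent sign in an ordinary form field is enough to trip the rule, while fired_rules(sample()) returns an empty list for the plain form post.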

Anyway, hope that clarifies some things for people.

13 Apr 2009

Lynis security scanner = Neat.

Just checked out lynis from rootkit.nl. Lynis is:

Lynis is an auditing tool for Unix (specialists). It scans the system and available software, to detect security issues. Beside security related information it will also scan for general system information, installed packages and configuration mistakes.

This software aims in assisting automated auditing, software patch management, vulnerability and malware scanning of Unix based systems. It can be run without prior installation, so inclusion on read only storage is no problem (USB stick, cd/dvd).

Lynis assists auditors in performing Basel II, GLBA, HIPAA, PCI DSS and SOX (Sarbanes-Oxley) compliance audits.

It's pretty cool, actually. I won't include all of the scanning output here, but I will show the results of a scan from a (somewhat) default CentOS 5 install. Take a look if all of this magic security stuff interests you.


================================================================================

-[ Lynis 1.2.6 Results ]-

Tests performed: 134
Warnings:
----------------------------
- [20:46:34] Warning: No password set on GRUB bootloader [test:BOOT-5121] [impact:M]
- [20:46:50] Warning: Couldn't find 2 responsive nameservers [test:NETW-2705] [impact:L]
- [20:46:55] Warning: No MySQL root password set [test:DBS-1816] [impact:H]
- [20:46:55] Warning: PHP option expose_php is possibly turned on, which can reveal useful information for attackers. [test:PHP-2372] [impact:M]
- [20:47:00] Warning: No running NTP daemon or available client found [test:TIME-3104] [impact:M]

Suggestions:
----------------------------
- [20:46:34] Suggestion: Run grub-md5-crypt and create a hashed password. After that, add a line below the line saying timeout=: password --md5 [test:BOOT-5121]
- [20:46:49] Suggestion: Install package 'yum-utils' for better consistency checking of the package database [test:PKGS-7384]
- [20:46:50] Suggestion: Check your resolv.conf file and connectivity to your nameservers [test:NETW-2705]
- [20:46:55] Suggestion: Use mysqladmin to set a MySQL root password (mysqladmin -u root -p password MYPASSWORD) [test:DBS-1816]
- [20:46:55] Suggestion: Change the expose_php line to: expose_php = Off [test:PHP-2372]
- [20:46:55] Suggestion: Change the enable_dl line to: enable_dl = Off, to disable downloads via PHP [test:PHP-2374]
- [20:46:55] Suggestion: Change the allow_url_fopen line to: allow_url_fopen = no, to disable downloads via PHP [test:PHP-2376]
- [20:46:57] Suggestion: Enable logging to an external logging host for archiving purposes and additional protection [test:LOGG-2154]
- [20:47:00] Suggestion: Check if any NTP daemon is running or a NTP client gets executed daily, to prevent big time differences and avoid problems with services like kerberos, authentication or logging differences. [test:TIME-3104]
- [20:47:02] Suggestion: Confirm that freshclam is properly configured and keeps updating the ClamAV database [test:MALW-3286]
- [20:47:02] Suggestion: Harden the system by installing one or malware scanners to perform periodic file system scans [test:HRDN-7230]
================================================================================
Files:
- Test and debug information : /var/log/lynis.log
- Report data : /var/log/lynis-report.dat
================================================================================
Hardening index : [49] [######### ]
================================================================================
Lynis 1.2.6
Copyright 2007-2009 - Michael Boelen, http://www.rootkit.nl/
================================================================================

11 Jan 2009

Linux tip of the day: Super fast SCP file copies.

SCP is a great way to copy files from somewhere to somewhere else, but as we all know it can be slower than (insert slow metaphor here). Here's a way you can get way speedier (really a word?) transfers using scp: pick the fast RC4 stream cipher with -c arcfour and turn on compression with -C. (RC4 has since been shown to be cryptographically weak, and current OpenSSH releases no longer offer the arcfour ciphers, so this only works against older servers.)

scp -c arcfour -C sourcefile desthost:

Yay! I posted.

3 Jan 2009

Charging your Blackberry Pearl in Linux

Recently, I was looking for a way to charge my Pearl under Linux, and stumbled across this project: Barry. Well, that's nice and all (as a matter of fact I may install it when I get home to sync my BB), but right now, I just want to charge it! Barry has a small app included called bcharge that sets your USB port to 500mA (the power level that the BB expects when you plug it in).

I've repackaged the bcharge app and the headers, and you can get it here: bcharge.tgz

To compile, make sure you've got at least g++ and libusb installed, and then do:

tar xvzf bcharge.tgz
g++ -o bcharge bcharge.cc -lusb

And then just run bcharge à la ./bcharge, and your Blackberry should be off and charging!

4 Oct 2008

Wow, never would’ve guessed this.

Never would have guessed that on-disk temporary tables are that bad for performance. Peter over at the MySQL Performance Blog shows otherwise.

2 Oct 2008

mod_security and Drupal 6.2 issues.

If you're going to be using Drupal with mod_security, making the following changes will probably save you some frustration later :) .

<LocationMatch "/">
SecRuleRemoveById 960010
SecRuleRemoveById 960015
SecRuleRemoveById 960032
SecRuleRemoveById 950107
</LocationMatch>

Also, set SecResponseBodyLimit and SecRequestBodyInMemoryLimit to something like 51200000 and 12288000 respectively. They may seem a bit high, but I've run into problems with lower values when managing a lot of Drupal users and permissions.

Happy Drupal-ing.

7 Sep 2008

Firefox 3: The Next Generation

Don't get me wrong, I love the Firefox web browser. It's the greatest thing since tacos. But Firefox 2 has some of the worst performance problems I have ever seen! On Linux, if I leave one tab open with a flash movie playing, the Firefox process will eventually grow to enormous proportions. Yes, I know this seems like a Flash plugin problem, and it very well may be. But I do know that if I open the same page with Firefox 3b5, the memory usage stays constant the entire time.
