Mod_Security

mod_security: what exactly does it block?

mod_security is one of the important security tweaks we perform when securing a server. It integrates with Apache to stop attackers from issuing commands to the server through vulnerable scripts and software packages installed on it. By default, mod_security blocks the following from being called from within a URL:

  • wget
  • lynx
  • curl
  • tar
  • uname
  • g
  • gcc
  • nmap
  • .bash_history
  • /etc/passwd
  • /bin/ps
  • /usr/bin/id
  • /bin/kill
  • /usr/bin/gcc
  • /bin/mail
  • /bin/ping
  • /bin/ls
  • lsof
  • perl
  • 0a.pl
  • “img xsrc=javascript”
  • /~nobody
  • /~root
  • /~ftp
  • formmail.cgi
  • formmail.pl
  • formmail.php
  • /modules/My_eGallery
  • telnet.pl
  • telnet.cgi
  • shell.pl
  • shell.cgi
  • shell.php

Again, this list does not mean you cannot use features like “tar” in your programs. You just can’t include “tar” in the URL bar.

To modify your mod_security configuration file, you would want to:

1. Log in to your server as root.

2. Open the file /usr/local/apache/conf/mod_security.conf:

pico -w /usr/local/apache/conf/mod_security.conf

3. Search for any directive you might want to remove (such as “tar”) and put a “#” at the start of its line. This “comments out” the directive so that the server ignores it. If you wish to add a directive, just scroll to the bottom of the file and add a line of the form:

SecFilter "phrasetoblock"

4. Save your changes and restart Apache.

service httpd restart
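As an added illustration (not code from this post or from mod_security itself), here is a small Python model of the SecFilter lines the steps above edit: it reads a constructed mod_security.conf excerpt, drops any directive that has been commented out with “#”, and checks a request URI against the remaining phrases. It assumes only the URI is checked, as the post describes, and treats each phrase as a regular expression matched anywhere in the URI, which is how the 1.x SecFilter directive behaves; that is why an active “tar” also hits a harmless path such as /start.html.

```python
import re

# Constructed excerpt of a mod_security.conf in the 1.x SecFilter style.
# The "tar" line is already commented out, as step 3 of the post describes.
SAMPLE_CONF = r"""SecFilterEngine On
SecFilterDefaultAction "deny,log,status:406"
SecFilter "wget"
SecFilter "curl"
#SecFilter "tar"
SecFilter "/etc/passwd"
SecFilter "\.bash_history"
"""

SECFILTER_RE = re.compile(r'^\s*SecFilter\s+"([^"]+)"')


def load_filters(conf_text):
    """Return the active SecFilter phrases; lines starting with '#' are ignored."""
    phrases = []
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # commented out, so the server ignores it
        match = SECFILTER_RE.match(line)
        if match:
            phrases.append(match.group(1))
    return phrases


def blocked_by(uri, phrases):
    """Return the first phrase matching the request URI, or None if it passes.

    SecFilter phrases are regular expressions matched anywhere in the input,
    so an active "tar" also hits a harmless path such as /start.html.
    Only the URI is checked here, as the post describes (simplifying assumption).
    """
    for phrase in phrases:
        if re.search(phrase, uri):
            return phrase
    return None


def comment_out(conf_text, phrase):
    """Disable one SecFilter line by prefixing it with '#' (step 3 of the post)."""
    target = f'SecFilter "{phrase}"'
    lines = [("#" + ln) if ln.strip() == target else ln for ln in conf_text.splitlines()]
    return "\n".join(lines) + "\n"
```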
