Take that!

Well, I’ve been securing my webserver with mod_security now, due to a referer flood, but I’ve used a set of rules that I find really useful; also, for those referers I’m now redirecting those requests to goatse… take that!

I’ll post the rules I’ve used just in case someone wants to check them:
# Turn the filtering engine On or Off
SecFilterEngine On

# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On

# Unicode encoding check (leave Off unless the site actually receives UTF-8 URLs)
SecFilterCheckUnicodeEncoding Off

# Only allow bytes from this range. 0-255 accepts every byte, so as written the
# check is effectively disabled; a plain-ASCII site can tighten this to 32 126
SecFilterForceByteRange 0 255

# Only log suspicious requests
SecAuditEngine RelevantOnly

# The name of the audit log file
#SecAuditLog logs/audit_log
# Debug level set to a minimum
#SecFilterDebugLog logs/modsec_debug_log
#SecFilterDebugLevel 0

# Should mod_security inspect POST payloads
SecFilterScanPOST On
# Should mod_security inspect response bodies. The OUTPUT rules below only take
# effect when this is On
SecFilterScanOutput On
# By default log and deny suspicious requests
# with HTTP status 500
SecFilterDefaultAction "deny,log,status:500"

# Redirect requests with suspicious referers (referer spam). The dot in the last
# domain is escaped so it matches a literal '.' instead of any character
SecFilterSelective HTTP_REFERER "(holdem|poker|casino|porn|viagra|xanax|go-went-gone|technoofice|trading-dcgdty\.yield-new)" nolog,redirect:http://goatse.ca/hello.jpg

# Block responses that contain wget's progress output, a sign that an injected
# command ran wget on the server
SecFilterSelective OUTPUT "HTTP request sent, awaiting response"

# Block responses that contain the output of the "id" command. The gid needs
# [[:digit:]]+ (a single [[:digit:]] misses gid=33), and user/group names such
# as www-data contain '-'
SecFilterSelective OUTPUT "uid=[[:digit:]]+\([[:alnum:]_-]+\) gid=[[:digit:]]+\([[:alnum:]_-]+\)"

# Block responses that contain the output of "ls -l". Any page that legitimately
# prints "total <number>" (order totals, result counts) would be blocked too, so
# keep this one only where that text is never expected
SecFilterSelective OUTPUT "total [[:digit:]]+"

# Block argument values that start with, or chain after ';', a shell command.
# The command must be followed by whitespace or the end of the value, otherwise
# ordinary words such as "idea", "catalog" or "mailbox" would be blocked as well
SecFilterSelective ARGS_VALUES "^(uname|id|ls|cat|rm|kill|mail|pwd|wget)([[:space:]]|$)"
SecFilterSelective ARGS_VALUES ";[[:space:]]*(uname|id|ls|cat|rm|kill|mail|pwd|wget)([[:space:]]|$)"
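To see why the command-injection patterns need the trailing boundary and the `id` output pattern needs `[[:digit:]]+`, here is a small test harness. It is an added example, not part of the original post or of mod_security itself: the rules are translated from the PCRE/POSIX-class syntax of the config above into Python `re` syntax (`[[:digit:]]` becomes `\d`, `[[:alnum:]]` becomes `\w`, `[[:space:]]` becomes `\s`), each original pattern is paired with a hardened version, and both are run over constructed argument values and response fragments. The hardened "after separator" rule goes a little beyond the post and also covers `|`, `&`, backticks and `$(...)`, which an injected command can use instead of `;`.

```python
import re

# Patterns as they appear in the post, translated to Python re syntax.
ORIGINAL_RULES = {
    "cmd_at_start":   r"^(uname|id|ls|cat|rm|kill|mail)",
    "cmd_after_semi": r";\s*(ls|id|pwd|wget)",
    "id_output":      r"uid=\d+\(\w+\) gid=\d\(\w+\)",
}

# Hardened versions (my suggestions, not from the post).
HARDENED_RULES = {
    # The command token must end at whitespace or at the end of the value,
    # so "idea", "catalog" and "mailbox" no longer match.
    "cmd_at_start":   r"^(uname|id|ls|cat|rm|kill|mail|pwd|wget)(\s|$)",
    # Also catch the other shell separators an injected command would use:
    # ';', '|', '&', backtick and '$(' (hence ')' is an accepted terminator).
    "cmd_after_semi": r"(^|[;|&`$(]\s*)(uname|id|ls|cat|rm|kill|mail|pwd|wget)(\s|$|[;&|)])",
    # Multi-digit gid, and user/group names that contain '-' or '_'.
    "id_output":      r"uid=\d+\([\w-]+\) gid=\d+\([\w-]+\)",
}


def matching_rules(rules, value):
    """Names of the rules whose regex matches anywhere in value.

    SecFilterSelective applies the regex as a search over the variable, so
    re.search (not re.match) is the right equivalent.
    """
    return sorted(name for name, pattern in rules.items() if re.search(pattern, value))


def compare(value):
    """Which rules fire on value under the original and the hardened rule sets."""
    return {
        "original": matching_rules(ORIGINAL_RULES, value),
        "hardened": matching_rules(HARDENED_RULES, value),
    }


# Constructed sample inputs: legitimate argument values, injection attempts,
# and response fragments that would be inspected by the OUTPUT rules.
SAMPLE_VALUES = [
    "idea",                       # legitimate word, false positive on the original rule
    "catalog",                    # legitimate word, false positive on the original rule
    "id",                         # bare command
    "cat /etc/passwd",            # command with argument
    "foo; ls -la",                # classic ';' chaining
    "foo | id",                   # pipe chaining, missed by the original rule
    "$(id)",                      # subshell, missed by the original rule
    "uid=0(root) gid=0(root)",    # id output for root, single-digit gid
    "uid=33(www-data) gid=33(www-data) groups=33(www-data)",  # typical web user
]


if __name__ == "__main__":
    for value in SAMPLE_VALUES:
        result = compare(value)
        print(f"{value!r:60} original={result['original']} hardened={result['hardened']}")
```

Running it shows the two problems side by side: the original `ARGS_VALUES` rule blocks `idea` and `catalog` while letting `foo | id` and `$(id)` through, and the original `id` output rule does not match the output of `id` for `www-data` at all, because of both the two-digit gid and the hyphen in the name.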
