AppNote: Securing a Novell Nterprise Linux Services Server: Step-by-Step (SUSE 8, NNLS 1.0)
Novell Cool Solutions: AppNote
By Al Maslowski-Yerges
Posted: 1 Oct 2004
Al Maslowski-Yerges
Network/Security Engineer with Novacoast, Intl.
ayerges(remove this) at novacoast.com
Overview
This paper was originally written to satisfy the requirements of the SANS GIAC Unix Security Certification. (www.giac.org) The goal of the paper was to create a step-by-step plan for implementing a secure installation of specific components of Novell's Nterprise Linux Services 1.0 (NNLS).
The paper documents in detail how a server can be installed and configured to meet stringent security requirements that might exist in many environments. It also outlines and documents some of the ongoing maintenance procedures that need to be employed in order to keep the server secure and functioning well in its role. Testing procedures are included that will help to verify that the server is reasonably secure from the risks outlined as well as point out additional measures that might need to be taken to further secure the environment.
Al Maslowski-Yerges is a senior security and network engineer with Novacoast Intl., an IT services organization with offices throughout the western U.S. (www.novacoast.com). Mr. Maslowski-Yerges is an accomplished IT professional with over 9 years of experience in Novell, Linux, network infrastructure, and IT security. He is also a formally trained and experienced High School educator with excellent management and communications skills. His certifications include: MCNE 6, Project+, CCSE (Checkpoint Certified Security Engineer), GIAC GSEC, GIAC GCIA, and GIAC GCUX.
Contents:
- Abstract
- Server Specification
- 1. The Need
- 2. The Problem
- 3. The Chosen Solution
- 4. The Software Required/Chosen
- 5. Other Supporting software
- 6. Hardware requirements
- 7. Network Access -- Who and from where?
- Risk Mitigation Plan
- 1. Most likely sources of attack
- 2. Plan to protect
- 3. Summary -- Risk Mitigation
- Installing and Hardening the Server
- Operating system installation
- 1. Partitioning
- 2. Package selection
- 3. Boot Loader
- 4. Root password
- 5. Additional Users
- 6. Video
- 7. Network setup
- 8. No modem, ISDN, or Printer configuration
- 9. Reboot and verify that all accounts can successfully log in at the console
- 10. Patching
- 11. Disable services
- 12. Additional patching
- Installation of NNLS (Novell Nterprise Linux Services)
- 1. Pre-flight configurations/installations
- 2. Installation and Component Selection
- 3. Finish Install/Post install configuration
- 4. Confirm server function
- Securing the base operating system environment
- 1. GRUB Boot Loader
- 2. Tuning Network Kernel Parameters
- 3. Warning Banners
- 4. Additional SSH configuration
- 5. Further Securing Remote Login
- 6. Tighten settings in inittab
- 7. User Account Security
- 8. Xwindows -- GUI protections
- 9. Restrict cron and at
- 10. Securing the File System
- 11. Host Based IPTables firewall
- 12. Logging Environment
- Application Hardening
- 1. Apache Security
- 2. Tomcat Servlet Engine
- 3. Protecting the entire web services environment
- 4. Postfix
- 5. LDAP
- 6. NetWare Core Protocol (NCP)/eDirectory
- 7. DirXML (Identity Manager)
- 8. iPrint printing
- 9. iFolder security
- 10. Non-secure default access
- Ongoing Maintenance Procedures/Policies
- 1. Backups
- 2. Logging
- 3. Tripwire and system Integrity
- 4. Patching
- 5. eDirectory Maintenance
- 6. Auditing the network/server
- Testing and Verifying
- 1. Section A -- Network Access Checks
- 2. File System checks
- 3. Review Running processes
- 4. Run a Vulnerability Scan
- References
- Appendix A -- Novell Supplied packages and versions
- Appendix B -- /etc/sysconfig/sysctl.conf
- Appendix C - /etc/init.d/boot.ipconfig
- Appendix D -- fwup.sh script to start iptables firewall
- Appendix E -- mod_security configuration
Abstract
The purpose of this paper is to create a step-by-step plan for implementing a secure installation of specific components of Novell's Nterprise Linux Services 1.0 (NNLS). This server is needed primarily to extend network services to remote users in a secure and easily used manner, without the complexity of VPNs of any kind. First I will address the specifications for the server in terms of hardware and software needs. Secondly, I will outline the risks that are likely to be present for this server in this role, along with a plan to mitigate those risks as much as possible. Next I will document in detail how the server can be installed and configured to meet that mitigation plan. I will also outline and document some of the ongoing maintenance procedures that need to be employed in order to keep the server secure and functioning well in its role. Lastly, I will document testing procedures that will help to verify that the server is reasonably secure from the risks outlined, as well as point out additional measures that might need to be taken to further secure the environment.
Server Specification
- The Need -- This server is being put into service in order to satisfy several needs of remote workers. Remote workers need access to networked data and services from any location, with the flexibility to connect using any workstation available. The solution must be simple to use, with very little to download or configure for the end user. They also need a collaboration platform that will allow them to work effectively with others on their teams regardless of location or installed software. The solution should look the same whether on the road or in the office. They want to be able to share files and a calendar, and to have a place for shared discussions/postings. Several key employees have recently lost laptops or had computer crashes, resulting in a great deal of lost time and productivity for the company. Some of the data lost may not be anywhere else. Workers need a way to access their data from anywhere (e.g. during a flight) while ensuring that the data is also backed up and safe. Above all, the solution needs to be secure. The company has a great deal of intellectual property that must be protected.
- The Problem -- The company has had a VPN solution in place for some time, but that solution has failed to live up to the expectations of all users and has proven difficult to use and hard to support. It has become clear that the solution does not really meet the needs. It is hard to set up and requires a specific client that must be configured by the IT department. Therefore it can't be installed on many of the computers that might be available to remote users. Collaboration is really non-existent and employees are frustrated with trying to FTP files back and forth or send them through the e-mail system with its limits on attachment sizes. There is no consistent solution for backing up remote user data. Many users have been using ZIP disks or CD-RW media to backup important data but versioning and control has become a real problem. Other users have resorted to sending copies of important documents to themselves in e-mail to external e-mail accounts. Security is very lacking and important data is seeping out of the company daily through the practices remote workers and others have adopted in order to try to meet their data access needs.
- The Chosen Solution -- Novell's Nterprise Linux Services 1.0 has been chosen to solve these problems. Here is how it matches up to the needs discussed.
3.1. Easy to use/portable -- For many functions all that is needed is a web browser with java support. If additional functionality is needed a small agent can be automatically downloaded and installed.
3.2. Collaboration/File sharing -- The Virtual Office component which is also web based allows secure easy sharing of files, calendars, and discussions. Since it is a web interface it looks the same no matter where it is accessed from. eGuide offers a web based "Yellow Pages" to find co-workers and speed collaboration.
3.3. Data availability and backup -- Two parts of the suite offer solutions in this area. iFolder allows data to be synchronized in a secure manner between multiple workstations and the server keeping the data safe and available. NetStorage is a web based application that makes iFolder as well as other networked data sources available to users from anywhere with a web browser.
3.4. Security -- All of the solutions use SSL encryption, so the data and user information are safe. It also improves security by reducing the need to "go around" the network by e-mailing important data to external mail accounts or carrying the data on ZIP disks, CDs, or even laptops that can be lost, stolen, or destroyed. Since the authentication is tied into the corporate directory solution, no additional IDs or passwords are needed either. Additional authentication mechanisms (such as "smart cards") can also be employed if desired.
- The Software Required/Chosen -- In order to support this solution, SUSE Enterprise Linux Server version 8 was chosen as the base operating system. It will be patched to the current service pack available, SP3, with additional patches as available from SUSE. Novell Nterprise Linux Services (NNLS) 1.0 will be installed as well. NNLS is composed of both open source packages and Novell controlled packages. The packages we are installing are listed below along with their version numbers as of this writing. Additional packages are available as part of NNLS 1.0 but will not be installed.
4.1. Apache 2.0.45
4.2. Java JVM 1.4.1_02
4.3. Tomcat 4.1.24
4.4. eDirectory 8.7.3
4.5. DirXML 1.1a
4.6. eGuide 2.12
4.7. Samba client 2.2.8a
4.8. iFolder 2.1.2
4.9. NetStorage 3.0
4.10. iManager 2.0.2
4.11. iPrint 5.0
4.12. Virtual Office 1.0.1
4.13. Red Carpet Client 1.4
- Other Supporting software -- In order to install and run the services listed above a couple of other pieces of software must be installed and running.
5.1. Open SLP 1.0.11-1
5.2. A full list of all Novell supplied software and versions is found in the appendices. This list reflects the version numbers after all available patches have been applied.
- Hardware requirements -- In order to run all of these services effectively for the roughly 100 people who will use it regularly, we need a fairly robust server. Based on this, here are my recommendations for the hardware.
- Pentium 4, 2-3 GHz
- 1-2 GB of RAM
- Disk space 72GB+ minimums: /var -- 350 MB, /opt -- 100 MB, /usr -- 310 MB
- Network Access -- Who and from where?
7.1. Gateway server -- This server will not need to allow local login to the OS and will not hold user home directories or any directly accessible user data. It will be a gateway into the rest of the network and serve up resources found on the internal network. To accomplish this, the server will be accessible from both the Internet and the internal network. It will be available to all network users.
7.2. Admin only -- Direct login to the server will only be allowed for a few select admin users over SSH to allow for maintenance and monitoring. This SSH access will also be allowed from the Internet for remote administration.
Risk Mitigation Plan
Based on the role of the server, I will now identify the most likely avenues of attack, as well as a general plan for protecting against these attacks/vulnerabilities.
- Most likely sources of attack -- In order to most effectively plan for the protection of the server, we need to identify the most likely sources of attack so that we can concentrate our efforts on protecting from these attacks.
1.1. Web Server based attacks -- Since all of the main services provided by this server are web based, HTTP/S will need to be open in the firewall. This provides multiple methods of attack from cross site scripting to webdav attacks to Apache or Tomcat buffer overflow vulnerabilities. Apache and Tomcat will have to be carefully protected.
1.2. Password Guessing/Brute Force -- The services available to users will be password protected so there will be multiple interfaces available for entering user id's and passwords. This presents an opportunity for an attacker to try to guess user id's and passwords of valid users to try to get access. We must protect this as well as possible without losing functionality.
1.3. Internal Attacks -- Internally many more ports will be open to allow for eDirectory replication, connection to other data sources for DirXML, and other purposes. This potentially makes the number of internal avenues of attack much greater. The server will have to be protected from the internal network as well.
1.4. Denial of Service -- Denial of service is also a likely style of attack that we should account for. An attacker may just want to overwhelm the system to take it offline and make it unavailable for our users.
- Plan to protect -- Based on these avenues of attack, here are some general methods by which I plan to protect against those attacks.
2.1. Physical Security -- There is almost no way to ensure that a server is secure without physical security being maintained. This server should be behind an access controlled door that only administrative personnel can access. The BIOS should be protected and the server console should be locked and logins restricted from additional interfaces (i.e. serial interfaces)
2.2. Network/Host/Application based firewalls -- Multiple firewalls will be protecting this server from outside access. Only HTTP, HTTPS, and iPrint will be allowed through the firewall to this server. Outbound access from this server will also be limited to only the ports needed for Red Carpet patch management out to Novell's site. All outbound access is very limited by the external firewall in the organization, further protecting the site. This server will be located on a "DMZ" network such that access to the internal network will be filtered by another logical firewall layer. An Apache module called "mod_security" with some application specific IDS/firewall functionality will be configured and implemented.
2.3. Unneeded services shut down -- All daemons not necessary to the function of the server will be shut down and disabled to reduce the avenues of attack.
2.4. Patch Management -- Patching the software installed is one of the most important tasks. Patching will be centrally managed and conducted on a scheduled, periodic basis to protect against newfound vulnerabilities. Both application and OS related patches will be monitored very closely.
2.5. Logging/Log analysis -- This server will maintain extensive logging and will forward its logs to a central syslog server for monitoring and alerting.
2.6. Network/Host IDS -- The network already employs network based IDS which will be adjusted to incorporate any changes necessary to effectively watch this machine. Tripwire will be installed on the host to give a method of detecting changes to key files on the system. A method of updating and monitoring Tripwire will be employed. We may want to explore a more full featured host based IDS solution in the future as well.
2.7. Backup routine -- Both a "Gold" level backup of the original configuration and daily backups of user data will be maintained to protect the user's data as well as assist in identifying any malicious changes made to the system.
2.8. Vulnerability scans -- A periodic vulnerability scan will be conducted on the system to identify any ongoing or newly identified vulnerabilities. This data will be analyzed and a plan of action drawn up and implemented to mitigate the risk from any newfound or ongoing vulnerabilities identified.
2.9. Account Lockouts/Passwords -- Because of the multiple login screens available it is important that all user accounts are set to enforce a lockout time period after 3 -- 5 unsuccessful login attempts. There is a danger of allowing a denial of service attack if an external attacker can prevent a user from logging in by purposely locking the account but that is better than allowing brute force password guessing. Also all users will be reminded about corporate password policy and good password habits that they have already been instructed in. Once again, we may want to explore the use of client certificates or "smart cards" to offer an additional layer of defense here.
2.10. Kernel Tuning -- In order to protect against a number of denial of service attacks, some kernel tuning will be done to change how the server responds to certain types of potentially malicious network connections.
2.11. Stay supportable -- An overarching requirement that must be carefully guarded even as we secure the system is that the system must remain "supportable" by Novell. No changes can be made that will void Novell support. If changes are made, they must be easily reversed so that Novell can properly support this installation with us.
2.12. Consider moving DirXML -- The "meta-directory" functionality of DirXML makes this a very sensitive server because this server will be "trusted" by other entities to make changes to multiple types of directory data including user id's and passwords. The original design calls for this functionality to be on this server along with the other NNLS components. I suggest moving this functionality to another server to make the configuration less critical in the environment and to reduce the amount of damage that a compromise could do to the rest of the systems. However, for this design I am keeping this requirement intact and will work to offer protection for it.
- Summary -- Risk Mitigation
Security is always a balance between risk and function. The services that will be supplied by this server are desperately needed by the business and will be used extensively by some of the users in the highest positions in the enterprise.
Given the role of this server the multiple layers of security we have planned are both appropriate and necessary. As a gateway into the network and an important resource for remote staff it should be carefully protected and managed.
Installing and Hardening the Server
Based on the plan outlined above I will now go through the specific steps necessary to install and harden the server and the applications that exist on it. First, I address the installations of the operating system itself and the NNLS software. Next, I address the OS and the application hardening steps we must go through.
Operating system installation
The install should be from the manufacturer's CD media (SUSE Enterprise Server 8) with the normal install routine and default prompts, except as noted below. The network cable MUST remain unplugged until after patching has taken place and several services have been disabled!
- Partitioning as follows (choose "expert" option, adjust sizes for production):
| Partition | Size | Format |
| / | 2GB | EXT3 |
| /usr | 2GB | EXT3 |
| swap (in extended partition) | 900 MB | swap |
| /var (in extended partition) | 106GB | EXT3 |
1.1. This partition strategy was chosen for the following reasons:
- 1.1.1. Fairly large root partition to hold root's home directory for downloads, etc., and also so additional software can be added as necessary. Depending on your site's needs you may want to reduce or enlarge this partition.
- 1.1.2. The "usr" partition is kept separate so it can be mounted read only (RO) under normal conditions to protect binaries from easy attack.
- 1.1.3. The "swap" partition should help performance if memory utilization becomes high. This is not as likely in today's server environments but it is still good practice to create a fairly large swap partition.
- 1.1.4. The "var" mount point is kept on its own partition for several reasons. First, this is where all of the data for iFolder, NetStorage, eDirectory, and Virtual Office is stored. This configuration makes it much easier to cleanly back up and restore this data. Secondly, log files may also be stored on this partition (depending on what logs are sent to a syslog server, and I suggest all log files are), so the old trick of filling up the file system to take down the server will not work.
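The read-only /usr mount from 1.1.2 only protects binaries if it is actually configured and stays that way after maintenance. The script below is an added example (not from the AppNote) that checks an fstab for the "ro" option on /usr and documents the remount sequence used around patching. The fstab text is a constructed sample following the partition layout above; the /dev/hda device names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the AppNote): verify /usr is mounted read-only in an
# fstab and show the remount commands used around a maintenance window.
# SAMPLE_FSTAB is a constructed sample; device names are assumptions.

SAMPLE_FSTAB='/dev/hda1  /     ext3  defaults       1 1
/dev/hda2  /usr  ext3  ro             1 2
/dev/hda5  swap  swap  pri=42         0 0
/dev/hda6  /var  ext3  defaults       1 2
proc       /proc proc  defaults       0 0'

# mount_opts FSTAB_TEXT MOUNTPOINT -> prints the option field for MOUNTPOINT
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print $4 }'
}

# has_opt OPTS NAME -> true when NAME is a whole entry in the comma-separated list
# (so "ro" is not confused with "errors=remount-ro")
has_opt() {
    printf ',%s,' "$1" | grep -q ",$2,"
}

# usr_is_readonly FSTAB_TEXT -> true when /usr carries the "ro" option
usr_is_readonly() {
    has_opt "$(mount_opts "$1" /usr)" ro
}

# report FSTAB_TEXT -> prints an OK/WARN line for the /usr mount
report() {
    if usr_is_readonly "$1"; then
        echo "OK   /usr is mounted read-only"
    else
        echo "WARN /usr is not read-only; add 'ro' to its options in /etc/fstab"
    fi
}

report "$SAMPLE_FSTAB"

# On the live server: report "$(cat /etc/fstab)"
# Maintenance sequence around patching (as root):
#   mount -o remount,rw /usr   # before installing packages
#   ... apply patches ...
#   mount -o remount,ro /usr   # restore read-only afterwards
```

The remount commands are the standard way to temporarily make a mounted file system writable; the check is worth running again after every patch cycle, because the remount back to read-only is the step most easily forgotten.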
- Package selection -- The goal is to install as small a system as possible to reduce the possibility of adding new and different attack vectors and to keep the system as stable and fast as possible. As a base to work from, select "minimal graphical system -- without KDE". Then add the following packages/groups:
- 2.1. KDE -- this will be a server but may be easier to manage at the console with a graphical interface. Run level will be set to 3 to prevent Xwindows from running on the server at all times. Other "X" security parameters will be added later.
- 2.2. C/C++ Compiler & Tools -- This would not go on a normal production system! A later step below removes most of the most dangerous parts of these packages but it would be best not to include them at all. In my environment it was necessary to have them so I could compile several drivers and programs and install them. Once compiled, the drivers can be moved from system to system or installed again on similar hardware so the compiler and libraries would not be necessary.
- 2.3. gettext -- necessary for the NNLS installation script to run.
- 2.4. xntp -- needed for time synchronization which is very important to eDirectory health and function.
- 2.5. YaST2 configuration tools with modules for security check and SUSEfirewall2 management as well as regular management.
- 2.6. SLES Administration Tools -- for server management but only the necessary tools.
- 2.7. Man pages -- always useful in day to day administration and not a great danger.
- 2.8. sudo -- good tool for logging and managing access to the server for administrators.
- 2.9. Tripwire -- to use for system integrity checking in our maintenance section below
- 2.10. Logsurfer -- to assist in managing and monitoring log files if kept on this server (again, I strongly suggest putting the log files on a central syslog server instead, but if you must log to this server you probably also need the tools to monitor them).
- 2.11. Do NOT install -- Do NOT install the web server, tomcat or any other modules that will be supplied by the NNLS install. We want only the specific modules and configuration supplied by Novell so that no unknown/unneeded software is installed.
- Boot Loader: Keep the standard configuration here. Later we will password protect Grub from changes and encrypt that password in the configuration files for protection.
- Root password -- Choose the "expert" button here and change the encryption to Blowfish or MD5 instead of the default, easy to crack DES encryption. Also be sure to pick a complex password of 8 characters to make it hard to crack.
- Additional Users-- Here it is a good idea to add one additional user that will serve as your administrative account on the machine. Later root login will be restricted to the console only and will not be allowed from the network in any manner. You need an account to connect with so that you can "SU" to root or preferably use "SUDO" to manage the server once connected. When adding the user also choose Blowfish or MD5 encryption and edit the password settings to require an 8 character password, set the password to expire in 180 days, and set the minimum age of the password to be 2 days. These will also be the defaults we will set for any new accounts added to the machine. You probably want to have root's e-mail forwarded to this account as well for ease in monitoring.
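The hash type and aging values chosen in steps 4 and 5 end up in /etc/shadow, so they can be audited after the install rather than trusted from memory. The script below is an added example (not from the AppNote) that reads shadow-format entries and flags accounts still using DES, or with a minimum age under 2 days or a maximum age over 180 days. The entries are constructed samples with placeholder hashes; the `chage` and login.defs settings in the comments are the standard shadow-suite tools for applying the same policy.

```shell
#!/bin/sh
# Added example (not from the AppNote): audit /etc/shadow-style entries for
# the password settings chosen during installation: Blowfish ($2a$) or MD5
# ($1$) hashes rather than DES, minimum age >= 2 days, maximum age <= 180 days.
# SAMPLE_SHADOW is constructed; the hashes are placeholders, not real ones.

SAMPLE_SHADOW='root:$2a$05$PLACEHOLDERBLOWFISHHASHxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:12600:2:180:7:::
admin:$1$PLACEHOL$md5placeholderhash0000:12600:2:180:7:::
legacy:AbCdEfGhIjKlM:12600:0:99999:7:::'

# hash_type HASH -> prints blowfish, md5, des or none (empty/locked field)
hash_type() {
    case "$1" in
        '$2a$'*|'$2$'*|'$2y$'*) echo blowfish ;;
        '$1$'*)                 echo md5 ;;
        ''|'!'*|'*')            echo none ;;
        *)                      echo des ;;
    esac
}

# shadow_report SHADOW_TEXT -> one line per account: "user hashtype OK|WARN: ..."
shadow_report() {
    printf '%s\n' "$1" | while IFS=: read -r user hash last min max warn rest; do
        [ -n "$user" ] || continue
        t=$(hash_type "$hash")
        v=""
        [ "$t" = blowfish ] || [ "$t" = md5 ] || v="$v hash=$t"
        [ "${min:-0}" -ge 2 ]       || v="$v minage=${min:-0}"
        [ "${max:-99999}" -le 180 ] || v="$v maxage=${max:-99999}"
        if [ -n "$v" ]; then echo "$user $t WARN:$v"; else echo "$user $t OK"; fi
    done
}

shadow_report "$SAMPLE_SHADOW"

# On the live server (as root): shadow_report "$(cat /etc/shadow)"
# To bring an account into line with the policy above:
#   chage -m 2 -M 180 admin
# Defaults for accounts created later live in /etc/login.defs:
#   PASS_MIN_DAYS 2
#   PASS_MAX_DAYS 180
```

Running this after the NNLS install is also a cheap way to notice service accounts the installer may have created with settings different from the ones you chose for root and your admin user.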
- Video -- Set the video card and monitor to something appropriate for your hardware. Be careful with this or Xwindows may not start at all upon finishing the configuration.
- Network setup -- Edit the configuration to have a static IP address, a valid host name and domain name, gateway, and DNS servers. Also, edit the routing tables to add a multicast route! This will be needed later for NNLS to work properly with SLP (Service Location Protocol -- a protocol used for discovering and connecting to network based services over TCP/IP). The information should be added as follows:
- 7.1.1. Destination: 224.0.0.0
- 7.1.2. Next Hop: 0.0.0.0
- 7.1.3. Mask: 240.0.0.0
- 7.1.4. Interface: eth0
- No modem, ISDN, or Printer configuration. Follow the rest of the install as required in your environment.
- Reboot and verify that all accounts can successfully log in at the console.
- Patching -- Install SP3 for United Linux from CDROM media (NO NETWORK YET).
10.1. Mount the CDROM. Then run install.sh from the root of the media.
10.1. Mount the CDROM. Then run install.sh from the root of the media. Choose the default install option to update all packages and the kernel.
- Disable services -- Use the chkconfig command to list and then disable running services that are not needed. Here is an example from my server.
2gdirxml:/ # chkconfig |grep on |more
alsasound on
atd on
boot.clock on
boot.crypto on
boot.cycle on
boot.idedma on
boot.ipconfig on
boot.isapnp on
boot.klog on
boot.ldconfig on
boot.localfs on
boot.localnet on
boot.lvm on
boot.md on
All services not needed should be turned off. For SUSE, the boot.* services are needed, but some that should be turned off are: portmap, hotplug, hwscan, xdm, and xinetd. These can be turned off with a command such as
"chkconfig portmap off"
For SUSE, the different run levels are automatically taken into account by the chkconfig command. This is convenient, but you would have to edit the init.d/rc3.d/ and other run level symbolic links directly if you wanted something to start in run level 5 but not in run level 3, for instance.
- Additional patching -- At this point most critical vulnerabilities have been taken care of, so the network cable should be plugged in and then additional patches applied as available from SUSE. A software support contract is required to get these patches. I suggest using YaST Online Update (YOU) to get these patches and keep the system up to date on all OS related patches. Here is an NCURSES screen showing part of the process after typing the command "you":
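Reviewing the chkconfig listing by eye, as in step 11 above, works once; it is easier to repeat after every patch cycle if the "allowed" set is written down and the server's current listing is compared against it. The script below is an added example (not from the AppNote) that does that comparison and prints the `chkconfig ... off` commands for review. The listing is a constructed sample in the same form as the `chkconfig` output above, and the ALLOWED list is an assumption for illustration (keep it matched to your own server's role).

```shell
#!/bin/sh
# Added example (not from the AppNote): compare a SUSE chkconfig listing with
# the services this server is allowed to run and print the commands that
# turn the rest off. SAMPLE_LISTING is constructed; ALLOWED is an assumption.

SAMPLE_LISTING='alsasound     on
atd           on
boot.clock    on
boot.ipconfig on
hotplug       on
hwscan        on
portmap       on
sshd          on
xdm           on
xinetd        on
xntpd         on'

# Services that stay enabled (assumption for this example). boot.* entries are
# always kept, since the text notes SUSE needs them.
ALLOWED="atd sshd xntpd"

# is_allowed NAME -> true when NAME is a boot.* service or is listed in ALLOWED
is_allowed() {
    case " $ALLOWED " in *" $1 "*) return 0 ;; esac
    case "$1" in boot.*) return 0 ;; esac
    return 1
}

# to_disable LISTING -> prints, one per line, the services that are "on" but not allowed
to_disable() {
    printf '%s\n' "$1" | awk '$2 == "on" { print $1 }' | while read -r svc; do
        is_allowed "$svc" || echo "$svc"
    done
}

# disable_commands LISTING -> the chkconfig commands, printed for review
disable_commands() {
    to_disable "$1" | sed 's/^/chkconfig /; s/$/ off/'
}

disable_commands "$SAMPLE_LISTING"

# On the live server, review first and then apply:
#   disable_commands "$(chkconfig)"        # look at the list
#   disable_commands "$(chkconfig)" | sh   # turn them off
```

Keeping the ALLOWED list under version control alongside the rest of the build documentation gives you a record to diff against when a later patch or NNLS update re-enables something.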

Installation of NNLS (Novell Nterprise Linux Services)
This installation will not be covered in detail. Refer to the documentation on Novell's Web site for more detailed instructions. Information specific to a successful installation and information related to security settings will be the main focus of this section.
- Pre-flight configurations/installations-- Several tasks must first be performed to prepare for the installation.
1.1. Hosts and DNS -- Edit the hosts file to make sure that the proper format is present, as in the following example. Make sure specifically that the localhost.localdomain localhost line is as shown, without any real hostname in it, and that the correct domain name and host name entries are listed following the IP address. The install routine relies on this information being correct.
2gdirxml:/ # vi /etc/hosts
127.0.0.1 localhost.localdomain localhost
192.168.1.55 twodirxml.2gnetworks.com twodirxml
DNS (both forward and reverse) entries should also be confirmed and tested from the console of this host.
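Two of the pre-flight items the NNLS installer is sensitive to are mechanical enough to script: the /etc/hosts layout in 1.1 above and the 224.0.0.0/240.0.0.0 multicast route from step 7 of the OS install. The script below is an added example (not from the AppNote) that checks both against text passed in, so it can be run on constructed samples first and then on the live files. The host name and IP are the ones used in the AppNote's example; the routing-table sample is constructed in `netstat -rn` layout.

```shell
#!/bin/sh
# Added example (not from the AppNote): pre-flight checks for the /etc/hosts
# layout the NNLS installer expects and for the SLP multicast route.
# Samples below are constructed; host name/IP are the AppNote's example values.

HOSTNAME_FQDN=twodirxml.2gnetworks.com
HOSTNAME_SHORT=twodirxml
HOST_IP=192.168.1.55
IFACE=eth0

SAMPLE_HOSTS='127.0.0.1   localhost.localdomain localhost
192.168.1.55 twodirxml.2gnetworks.com twodirxml'

SAMPLE_ROUTES='Destination Gateway     Genmask       Flags MSS Window irtt Iface
192.168.1.0 0.0.0.0     255.255.255.0 U     0   0      0    eth0
224.0.0.0   0.0.0.0     240.0.0.0     U     0   0      0    eth0
0.0.0.0     192.168.1.1 0.0.0.0       UG    0   0      0    eth0'

# loopback_ok HOSTS_TEXT -> true when the 127.0.0.1 line names exactly
# localhost.localdomain and localhost, with no real host name on it
loopback_ok() {
    printf '%s\n' "$1" | awk '
        $1 == "127.0.0.1" { found = 1; if (NF != 3 || $2 != "localhost.localdomain" || $3 != "localhost") bad = 1 }
        END { exit (found && !bad) ? 0 : 1 }'
}

# host_entry_ok HOSTS_TEXT -> true when the server IP line lists the FQDN
# first and the short name second
host_entry_ok() {
    printf '%s\n' "$1" | awk -v ip="$HOST_IP" -v fqdn="$HOSTNAME_FQDN" -v shortname="$HOSTNAME_SHORT" '
        $1 == ip && $2 == fqdn && $3 == shortname { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# multicast_route_ok ROUTES_TEXT -> true when 224.0.0.0/240.0.0.0 is routed via IFACE
multicast_route_ok() {
    printf '%s\n' "$1" | awk -v dev="$IFACE" '
        $1 == "224.0.0.0" && $3 == "240.0.0.0" && $NF == dev { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# preflight HOSTS_TEXT ROUTES_TEXT -> prints one line per check, returns 1 on any failure
preflight() {
    rc=0
    loopback_ok "$1"        && echo "OK   loopback line in hosts"   || { echo "FAIL loopback line in hosts";   rc=1; }
    host_entry_ok "$1"      && echo "OK   server entry in hosts"    || { echo "FAIL server entry in hosts";    rc=1; }
    multicast_route_ok "$2" && echo "OK   SLP multicast route"      || { echo "FAIL SLP multicast route";      rc=1; }
    return $rc
}

preflight "$SAMPLE_HOSTS" "$SAMPLE_ROUTES"

# On the live server:  preflight "$(cat /etc/hosts)" "$(netstat -rn)"
# If the route is missing:  route add -net 224.0.0.0 netmask 240.0.0.0 dev eth0
# Forward and reverse DNS still need a separate check from the console, e.g.
#   host twodirxml.2gnetworks.com ; host 192.168.1.55
```

The DNS part is deliberately left to the `host` queries in the comment, because a check that depends on the site's resolvers cannot be tried offline the way the file-format checks can.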
1.2. Download and install OpenSLP -- This is not absolutely necessary but it gives you more options with regard to SLP. If SLP is not already installed, the NNLS installation routine will install a Novell version called "slpuasa" with somewhat limited functionality in that it can't act as a "Directory Agent."
- Installation and Component Selection -- Install by running the "install.sh" script at the root of the CDROM. Choose a "custom" installation. The following components will be installed on this server as discussed above, disabling Linux User Management (LUM), Samba, and NetMail:
- 2.1.1. Apache
- 2.1.2. JVM
- 2.1.3. Tomcat
- 2.1.4. eDirectory
- 2.1.5. DirXML
- 2.1.6. eGuide
- 2.1.7. iFolder
- 2.1.8. iManager
- 2.1.9. iPrint
- 2.1.10. Virtual Office
- 2.1.11. Red Carpet Client
2.2. Ports -- The installation and function of all of the NNLS services depend on specific access to ports on the server. This is very important for successfully installing a functioning server that is still secure. Below is a list of the modules/functions and the ports that they operate on. These services will have to be allowed through the firewall as described in the table. "<–" denotes access inbound to the server. "<– –>" denotes inbound and outbound access to/from the server. "–>" denotes outbound access only from the server. We will use this later for firewall configuration.
| Service | Description | Port | Protocol | FW Access | Direction |
| NCP | NetWare Core Protocol | 524 | TCP/UDP | Internal nets only | <– –> |
| LDAP | Lightweight Directory Access | 389 | TCP/UDP | Internal nets only | <– –> |
| LDAPS | LDAP over SSL/TLS | 636 | TCP/UDP | Internal nets only | <– –> |
| iMonitor | Monitoring and management of eDirectory | 8008 | TCP | Internal nets only | <– |
| iMonitor SSL | Same as above over SSL/TLS | 8010 | TCP | Internal nets only | <– |
| WebAdmin | For management of Red Carpet | 8018 | TCP | Internal nets only | <– |
| WebAdmin SSL | WebAdmin over SSL/TLS | 8020 | TCP | Internal nets only | <– |
| Srvloc | SLP Service Location Protocol | 427 | TCP/UDP | Internal nets only | <– –> |
| http | Web access for Virtual Office and iFolder. All except iFolder redirect to the https port. iFolder needs http, but data and passwords are encrypted by the application. | 80 | TCP | Internal and external nets | <– –> |
| https | Web access for Virtual Office, eGuide, NetStorage, iManager, iPrint. Secure access to office resources through a web browser. | 443 | TCP | Internal and external nets | <– –> |
| IPP | Internet Printing Protocol | 631 | TCP | Internal nets | <– |
| DirXML | XML file transfers for Meta Directory management (others may need to be added for additional systems) | 8080, 8090, 8009 | TCP | Internal nets only | <– –> |
| Samba/CIFS/MS networking | Allows connection to internal server shares | 135, 137, 138, 139, 445 | TCP/UDP | Internal nets | –> |
| NTP | Network Time Protocol | 123 | TCP/UDP | External nets | –> |
| Syslog/syslogconn | Transfer of system log files to secure logging server | 514, 601 | 514 UDP, 601 TCP/UDP | Internal nets | –> |
| ICMP | Internet Control Message Protocol | types 0, 3, 11 inbound; types 8, 3, 11 outbound | ICMP | Limited to specific types | <– –> |
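The table above is the input to the host firewall, and the least error-prone way to turn it into rules is to keep it as data and generate the commands from it. The script below is an added example (not from the AppNote and separate from its Appendix D fwup.sh script) that does this: each table row becomes one line of a small rule set, and the script prints iptables commands for review rather than applying them. INTERNAL_NET and the interface name are assumptions for your site, and the SSH-from-the-Internet admin access in section 7.2 is not in the table and so is not generated here; add it as a separate, source-restricted rule.

```shell
#!/bin/sh
# Added example (not from the AppNote; its own firewall script is Appendix D):
# generate iptables commands from the NNLS port table. Output is printed for
# review; nothing is applied until it is deliberately piped to a shell.
# INTERNAL_NET and IFACE are assumptions for the site.

INTERNAL_NET=192.168.0.0/16   # assumption: address space of the internal nets
IFACE=eth0
IPT=iptables

# One row per table entry: service  protocols  ports  scope  direction
#   scope:     int = internal nets only, any = internal and external
#   direction: inbound, outbound or both (the table's <-, -> and <- -> arrows)
RULES='ncp      tcp/udp 524                  int both
ldap     tcp/udp 389                  int both
ldaps    tcp/udp 636                  int both
imonitor tcp     8008,8010            int inbound
webadmin tcp     8018,8020            int inbound
slp      tcp/udp 427                  int both
http     tcp     80                   any both
https    tcp     443                  any both
ipp      tcp     631                  int inbound
dirxml   tcp     8080,8090,8009       int both
cifs     tcp/udp 135,137,138,139,445  int outbound
ntp      tcp/udp 123                  any outbound
syslog   udp     514                  int outbound
syslog   tcp     601                  int outbound'

# emit_header -> default-deny policies, loopback, replies to established
# connections, and the ICMP types from the table (0,3,11 in; 8,3,11 out)
emit_header() {
    echo "$IPT -P INPUT DROP"
    echo "$IPT -P FORWARD DROP"
    echo "$IPT -P OUTPUT DROP"
    echo "$IPT -A INPUT -i lo -j ACCEPT"
    echo "$IPT -A OUTPUT -o lo -j ACCEPT"
    echo "$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for t in echo-reply destination-unreachable time-exceeded; do
        echo "$IPT -A INPUT -i $IFACE -p icmp --icmp-type $t -j ACCEPT"
    done
    for t in echo-request destination-unreachable time-exceeded; do
        echo "$IPT -A OUTPUT -o $IFACE -p icmp --icmp-type $t -j ACCEPT"
    done
}

# emit_rules RULES_TEXT -> one ACCEPT command per service, protocol and direction
emit_rules() {
    printf '%s\n' "$1" | while read -r svc protos ports scope dir; do
        [ -n "$svc" ] || continue
        if [ "$scope" = int ]; then src="-s $INTERNAL_NET"; dst="-d $INTERNAL_NET"; else src=""; dst=""; fi
        for proto in $(printf '%s' "$protos" | tr '/' ' '); do
            if [ "$dir" = inbound ] || [ "$dir" = both ]; then
                echo "$IPT -A INPUT -i $IFACE -p $proto -m multiport --dports $ports $src -m state --state NEW -j ACCEPT # $svc"
            fi
            if [ "$dir" = outbound ] || [ "$dir" = both ]; then
                echo "$IPT -A OUTPUT -o $IFACE -p $proto -m multiport --dports $ports $dst -m state --state NEW -j ACCEPT # $svc"
            fi
        done
    done
}

# Review, then apply on the server with:  (emit_header; emit_rules "$RULES") | sh
emit_header
emit_rules "$RULES"
```

Because the policies default to DROP and only NEW connections matching a row are admitted, a service missing from the table shows up as a connection failure during the function checks in the next section rather than as a silently open port, which is the failure mode you want while the server is still on the isolated test network.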
- Finish Install/Post install configuration -- Follow the Novell documentation cited above to finish the installation as appropriate for your environment, and configure test accounts and connections as they will be when the server is in full production. (Preferably this will all be done in an isolated test network that very closely mimics your full production environment.) Note: the LDAP port specified for all LDAP communications should be 636. This is the default, but pay attention to this as you run the installation. LDAP is key to most of the server operations and is used heavily. We want to be sure that it is always accessed over a secure SSL/TLS channel.
DirXML drivers should be set up, e-mail links in Virtual Office, NetStorage storage locations, and any other server configurations necessary should be made.
We want to be sure the server functions as desired before additional hardening steps are taken so that we know if our actions have caused the problem or if the software is just misconfigured/non-functional.
- Confirm server function -- Full documentation is beyond the scope of this document, but all server functions should be tested to confirm that they work before further work is done to secure the server. Then after each section, this functionality should be tested again. I suggest using a checklist something like the following, edited to fit your environment. You will typically want to replace the IP address in the URLs with the full DNS name of your server as it was installed. Access should be checked from internal IP addresses only until the server has been fully secured and tested. Access from the Internet can only be tested after all security steps have been taken.
| Item | URL/Process | Result |
|---|---|---|
| Confirm eDirectory health/synchronization | https://192.168.1.55:8010/nds/summary | Yes No |
| Can access server home page | https://192.168.1.55 | Yes No |
| Can access NetStorage | https://192.168.1.55/NetStorage | Yes No |
| iFolder works via client and web access | https://192.168.1.55/iFolder/applet/java.htm | Yes No |
| iPrint works both as a client and as a print server | https://192.168.1.55/ipp | Yes No |
| Can access eGuide and look up data | https://192.168.1.55/eGuide/servlet/eGuide | Yes No |
| iManager administration functions properly | https://192.168.1.55/nps/iManager.html | Yes No |
| Red Carpet | Will connect and check for updates (managed through iManager) | Yes No |
| DirXML synchronization still works | Change user details, add, remove, and change a password for a user from both data stores and confirm that it functions and follows your established rules. | Yes No |
Securing the base operating system environment
- GRUB Boot Loader -- Password protect the boot loader to prevent editing of
the boot environment or passing kernel level commands to the system at boot time. Use the md5crypt command within GRUB to encrypt a password. Then use this hash to edit the menu.lst file and insert the password line as shown below. Be sure NOT to use the same password as root or any other user password on the system. Always test the functionality to be sure the password was typed correctly. You don't want to test it when you are at the console and need to change a boot parameter in a panic!
# grub
GRUB version 0.93 (640K lower / 3072K upper memory)
[ Minimal BASH-like line editing is supported. For the first word, TAB
  lists possible command completions. Anywhere else TAB lists the possible
  completions of a device/filename. ]
grub> md5crypt
Password: *******
Encrypted: $1$vUYoM$OAxm9NVNUBsCeP1dl50
grub> quit

# vi /boot/grub/menu.lst
color white/blue black/light-gray
default 0
timeout 8
password --md5 $1$vUYoM$OAxm9NVNUBsCeP1dl50
title linux
kernel (hd0,0)/boot/vmlinuz root=/dev/hda1 vga=773
1.1. BIOS -- If your hardware supports it, you should also password protect changes to the BIOS to prevent changing the boot order of the device. In production, booting from CD or floppy should be disabled.
- Tuning Network Kernel Parameters -- There are a few parameters that can
be applied to the kernel through the proc file system to improve protection of
the server. Several sources (Linux Security Quick Reference Guide:
http://www.tldp.org/REF/ls_quickref/QuickRefCard.pdf, Gentoo Linux Security
Guide: http://www.gentoo.org/doc/en/gentoo-security.xml) suggest
editing/creating a file /etc/sysctl.conf and inserting several parameters into
this file to accomplish this. I found that the file did not exist and that the
changes put into it were not applied (SUSE has a different method). After
more research I found how SUSE implements this functionality. When SUSE
boots, it executes a script /etc/init.d/boot.ipconfig. This script utilizes several
variables and settings in /etc/sysconfig/sysctl to write settings to the proc file
system to modify the behavior of the network stack. (Suse 9: The Boot
process:
http://www.openskills.info/view/boxdetail.php?IDbox=944&boxtype=distro) I
edited both files to accomplish the same goals as the sysctl.conf parameters, because not all of the settings I wanted were built into the files.
- 2.1. Parameters to set -- Below are the parameters that I suggest setting:
net.ipv4.ip_forward = 0 -- Disables IP forwarding.
net.ipv4.conf.all.accept_source_route = 0 -- Disables source routing.
net.ipv4.tcp_syncookies = 1 -- TCP SYN flood protection parameter.
net.ipv4.tcp_max_syn_backlog = 4096 -- Additional TCP SYN flood protection.
net.ipv4.conf.all.rp_filter = 1 -- Enables anti-spoofing protection.
net.ipv4.conf.all.send_redirects = 0 -- Disables the sending of ICMP redirects.
net.ipv4.conf.all.accept_redirects = 0 -- Disables receipt of ICMP redirects.
net.ipv4.conf.default.accept_redirects = 0 -- Disables ICMP redirects for newly activated interfaces.
- 2.2. /etc/sysconfig/sysctl -- Modify this file to add these options along with the default configuration options. The contents of the edited sysctl file I used are in the appendices at the end of this paper.
- 2.3. /etc/init.d/boot.ipconfig -- Edit this file to activate these settings on boot. This is also in the appendices at the end of this paper.
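Because SUSE 8 applies these values from boot.ipconfig rather than from sysctl.conf, it is worth confirming after every boot that they actually reached the kernel. The following script is an added example and is not part of the AppNote or its appendices: it writes the parameters above straight into the proc file system (the same thing boot.ipconfig does) and audits a running kernel against the list. The proc root is a parameter so the functions can be exercised against a constructed tree; on the server, pass /proc.

```shell
#!/bin/sh
# Added example, not part of the original AppNote: apply the network
# parameters listed above through the proc file system and audit a
# running kernel to confirm they are in force. PROCROOT is normally
# /proc; any directory with the same sys/ layout works for offline tests.

# Expected settings, one "key value" pair per line, taken from the list
# in the text.
EXPECTED_SYSCTL='
net.ipv4.ip_forward 0
net.ipv4.conf.all.accept_source_route 0
net.ipv4.tcp_syncookies 1
net.ipv4.tcp_max_syn_backlog 4096
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.default.accept_redirects 0
'

# Translate a sysctl key into its path below PROCROOT/sys
# (net.ipv4.ip_forward -> net/ipv4/ip_forward).
key_to_path() {
    printf '%s' "$1" | tr . /
}

# audit_sysctl PROCROOT
# Prints one line per parameter that is missing or differs from the
# expected value. Returns 0 when every parameter matches, 1 otherwise.
audit_sysctl() {
    procroot=$1
    rc=0
    while read -r key want; do
        [ -z "$key" ] && continue
        file="$procroot/sys/$(key_to_path "$key")"
        if [ ! -r "$file" ]; then
            printf 'MISSING  %s (%s)\n' "$key" "$file"
            rc=1
            continue
        fi
        have=$(cat "$file")
        if [ "$have" != "$want" ]; then
            printf 'MISMATCH %s: expected %s, kernel has %s\n' "$key" "$want" "$have"
            rc=1
        fi
    done <<EOF
$EXPECTED_SYSCTL
EOF
    return $rc
}

# apply_sysctl PROCROOT
# Writes each expected value into the proc file system. Returns 1 if a
# parameter file is absent or not writable (for example on a kernel
# built without that feature), 0 when everything was written.
apply_sysctl() {
    procroot=$1
    rc=0
    while read -r key want; do
        [ -z "$key" ] && continue
        file="$procroot/sys/$(key_to_path "$key")"
        if [ -w "$file" ]; then
            printf '%s\n' "$want" > "$file"
        else
            printf 'CANNOT WRITE %s (%s)\n' "$key" "$file"
            rc=1
        fi
    done <<EOF
$EXPECTED_SYSCTL
EOF
    return $rc
}

# Stand-alone use on a live server:  sh sysctl-audit.sh /proc
if [ -n "$1" ]; then
    audit_sysctl "$1"
fi
```

Run the audit as root from cron or after each reboot; a non-zero exit means a setting was lost, typically because a package update rewrote /etc/sysconfig/sysctl or boot.ipconfig.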
- Warning Banners -- Include a warning message for all direct methods of
connection to the server. In order to successfully prosecute an intruder, many
legal experts suggest including a warning against improper use for every
connection. This section explains one way of accomplishing this in our
configuration.
- 3.1. /etc/motd -- This will display for each login after it is successful. You may have to create this file if it is not there.
- 3.2. /etc/issue -- This file is displayed during interactive login at the console and should also have a warning. In addition to the warning it displays information about the OS version and patch level. This gives away too much information and should be edited out. Don't give away any information about the OS at all. An example of some possible contents for the file is below:
No Version given. This system is for authorized use only. All activity may be monitored and/or logged.
- 3.3. /etc/issue.net -- This is the same as /etc/issue except that it is what is displayed to users logging in remotely with Telnet, or FTP. You should put the same warning in it as in /etc/issue. It can also be the Banner for SSH connections but the ssh configuration must be edited for this to happen. Below is the portion of the file that must be changed to point the banner at the /etc/issue.net file.
# vi /etc/ssh/sshd_config
...
# no default banner path
Banner /etc/issue.net
#VerifyReverseMapping no
# override default of no subsystems
- Additional SSH configuration -- Since we are in the sshd_config file there
are some other changes that should be made here. SSH/SCP have been
designated as the only remote access protocols allowed to this server, but it
should be further secured from its defaults. In addition to setting a banner as
we did above, it should be restricted to version 2 of the protocol only. SSH
version 1 has some inherent weaknesses and so should be avoided. Below
is an excerpt of the sshd_config file showing the configuration lines that
should be uncommented and set as they are shown. Most settings are fairly self
explanatory. No hosts should be automatically trusted through the rhosts
types of authentication or even with a machine based certificate as with the
RSA variants. Root should not be allowed direct access. For administration,
you should connect to the machine as a regular user and then su to root for
additional needed rights.
#Port 22
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::
SyslogFacility AUTH
#
#LoginGraceTime 600
PermitRootLogin no
#StrictModes yes
RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
PermitEmptyPasswords no
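A stock sshd_config ships with most of these keywords commented out, and sshd honours only the first uncommented occurrence of a keyword, so a setting added at the bottom of the file can be silently overridden by an earlier line. The checker below is an added example, not from the AppNote: it resolves each keyword the way sshd does (first match wins, keyword case ignored) and reports any required setting from this section and the Banner line above that is unset or set to a different value. It assumes the SUSE 8 style "Keyword value" lines shown in the text; the "Keyword=value" spelling and Match blocks of later OpenSSH releases are not handled.

```shell
#!/bin/sh
# Added example, not part of the original AppNote: verify the sshd_config
# settings called for above. A keyword that is never set uncommented is
# reported as UNSET rather than assumed to have a safe default.

# Required effective values, one "Keyword value" per line.
REQUIRED_SSHD='
Protocol 2
PermitRootLogin no
RhostsAuthentication no
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
Banner /etc/issue.net
'

# sshd_effective FILE KEYWORD
# Prints the value sshd would use for KEYWORD: the first non-comment
# line whose first word matches, compared case-insensitively. Prints
# nothing if the keyword is never set.
sshd_effective() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        $1 ~ /^#/ { next }
        NF >= 2 && tolower($1) == want { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE
# Prints one line per required keyword that is unset or set to another
# value. Returns 0 when every required setting is in force, 1 otherwise.
audit_sshd_config() {
    file=$1
    rc=0
    while read -r key want; do
        [ -z "$key" ] && continue
        have=$(sshd_effective "$file" "$key")
        if [ -z "$have" ]; then
            printf 'UNSET    %s (wanted %s)\n' "$key" "$want"
            rc=1
        elif [ "$have" != "$want" ]; then
            printf 'MISMATCH %s: wanted %s, effective %s\n' "$key" "$want" "$have"
            rc=1
        fi
    done <<EOF
$REQUIRED_SSHD
EOF
    return $rc
}

# Stand-alone use:  sh sshd-audit.sh /etc/ssh/sshd_config
if [ -n "$1" ]; then
    audit_sshd_config "$1"
fi
```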
- Further Securing Remote Login -- In addition to the restrictions we made on SSH, we should also disable remote interactive login for root in case telnet or some other method of tty access is, mistakenly or maliciously, enabled again. To do this we will concentrate on the /etc/securetty file. All lines except tty1 should be commented out; tty1 is needed for console access. SSH runs its own daemon and is not affected by these settings.
# This file contains the device names of tty lines (one per line,
# without leading /dev/) on which root is allowed to login.
#
tty1
#tty2
#tty3
#tty4
#tty5
#tty6
# for devfs:
#vc/1
#vc/2
#vc/3
#vc/4
#vc/5
#vc/6
- 5.1. Now this file should be protected by executing the following:
- 5.1.1. "chown root:root /etc/securetty" (should already be owned by root but this is a safety measure)
- 5.1.2. "chmod 400 /etc/securetty" (this makes it so that only root can read the file and nobody can write to it, even root, until root chmod's the file with more permissions again).
- Tighten settings in inittab - /etc/inittab has several settings in it that should be tightened next. We will disable Ctrl-Alt-Delete from shutting down the server, edit the default run level, protect the server even in Single User mode, and disable extra console login daemons (Ctrl-Alt-Fx) to further protect console access. See the settings made below.
# The default runlevel is defined here
id:3:initdefault:

# First script to be executed, if not booting in emergency (-b) mode
si::bootwait:/etc/init.d/boot

# what to do in single-user mode
ls:S:wait:/etc/init.d/rc S
~~:S:wait:/sbin/sulogin

# what to do when CTRL-ALT-DEL is pressed. Comment to disable.
#ca::ctrlaltdel:/sbin/shutdown -r -t 4 now
6.1. The "3" in the id:3:initdefault line designates that the default run level is level 3 which does not load the GUI. The GUI can be loaded as necessary with the "startx" command but should not remain loaded or load by default on the server.
6.2. The line beginning with "~~:S" is the command for what to do in single user mode. (i.e. typing "single" as a boot parameter in grub -- which now requires password access anyway). Change the "respawn" command to "wait." This will prompt for the root password before continuing. This may seem pretty secure but it can be bypassed as well by booting with the command parameter "init=/bin/bash" so it is very important to remember to maintain strong physical security and set that grub password as discussed above.
6.3. The "ca::ctrlaltdel:/sbin/shutdown -r -t 4 now" line is the command to execute when Ctrl-Alt-Delete is pressed. This should be commented out as shown to disable this functionality and prevent someone with physical access from shutting down the machine without a valid login.
- User Account Security -- Several things should be changed from the defaults with regard to user accounts. I will discuss each and give examples of these changes and commands. Ideally secure LDAP authentication should be used instead, but if you must use local authentication, here are the changes that should be made.
7.1. Password Settings -- By default the password settings are quite weak. They never expire, the minimum length is 5, and there is no limit to how quickly the password can be changed again. These three things will be changed as shown below to provide some extra security to the user account settings. There is an option to auto-lock expired accounts in the file /etc/default/useradd. It should have a line "INACTIVE=60" to automatically disable accounts that have expired. The next step is to change the defaults in /etc/login.defs:
PASS_MAX_DAYS 180
PASS_MIN_DAYS 2
PASS_MIN_LEN 8
PASS_WARN_AGE 7
The next step is to change these settings on existing user accounts. The settings put in the file above only apply to users created after the settings have been saved. In order to change the settings for existing users we will use the "chage" command in the following awk script. Non-system accounts start at UID 500 and above, so this command will set these values on only those users. Root and other system accounts are not affected.
# awk -F: '$3 >= 500 { system ("chage -M 180 -m 2 " $1) }' /etc/passwd
Aging information changed.
7.2. Change default home directory umask -- Within this same login.defs file there is a line to set the default umask for newly created users' home directories. The default unmasked permissions for all files created are 666 and for directories are 777. The default umask is set to 022, which means that all files created by that user will have permissions of 644 and directories created by that user will have permissions of 755. This means that the files and directories are world readable. When applied to new user home directories, each new user's directory is world readable. This is not the behavior we want, so change the umask to 077 so that new user home directories will be created with permissions of 700 to protect them. Also, change the permissions on the two current home directories (root, <adminuser>) with:
# chmod 700 /root
# chmod 700 /home/<adminuser>
7.3. Change default operating umask -- There are some other places where the default umask should be edited so that by default users and root do not create world readable files and directories. These are set in the system profile as well as (for most distributions) in shell "resource" files.
- 7.3.1. System profile -- First we will change the default by adding the file /etc/profile.local, then edit it and add a line for umask 077:
# touch /etc/profile.local
# vi /etc/profile.local
# /etc/profile.local for SUSE Linux
# The user file-creation mask is changed here to restrict files created
# to a more secure setting. Since profile.local is read AFTER
# "profile", this should take precedence.
umask 077
- 7.3.2. Shell files -- Unlike RedHat and others, SUSE does not typically put umask settings into user .bashrc .cshrc or .profile files so the system profile applies to all users unless a different setting is put into these files. Also /etc/profile will get overwritten when the system is patched or updated so the proper place to put the umask setting is in a file /etc/profile.local. The setting in /etc/profile.local overrides the setting in /etc/profile because it is read later in the boot process. (Unofficial SUSE FAQ. SUSE 7.3 Bash Initialization:
http://susefaq.sourceforge.net/articles/bash.html)
7.4. Purging Unnecessary Accounts -- by default some unnecessary accounts are added to the system. These can be purged if you are sure none of them are needed. However, in my testing this can break components of NNLS. I suggest purging only the following users: games, news, and uucp. I suggest only removing the groups: games and uucp. Since this could be very hard to recover from, I suggest making a copy of the passwd, shadow, group files before making any changes and then running through your testing checklist before removing those files.
- 7.4.1. copy the files -- Use the following command to make backups.
# for file in /etc/passwd /etc/shadow /etc/group ; do /bin/cp -p $file $file.orig ; done
- 7.4.2. remove the accounts -- Use the following command.
# for user in games news uucp ; do /usr/sbin/userdel $user ; done
- 7.4.3. remove the groups -- This command removes the extra groups.
# for group in games uucp ; do /usr/sbin/groupdel $group ; done
- 7.4.4. Reboot and run through the application checklist -- At this point you can recover fairly easily by copying the *.orig files created above back to the original files.
- 7.4.5. Check files for integrity -- Next if all is well, run "pwck" and "grpck" to check the passwd and group files are functioning correctly.
- 7.4.6. Assign orphaned files -- Run the following commands to assign any orphaned files to the root user and/or root group.
- 7.4.6.1. # /usr/bin/find / -nouser -exec /bin/chown root {} \;
- 7.4.6.2. # /usr/bin/find / -nogroup -exec /bin/chgrp root {} \;
- 7.4.7. Remove *.orig files -- Remove the files created as a backup above but only remove them after testing all applications.
7.5. Lock remaining service accounts -- Use the following command to change the user environment for the listed service accounts to a shell of /dev/null. A shell of /dev/null is preferred so that a shell can't be spawned by replacing /bin/false. This prevents attackers from using service accounts which can't be removed to connect to the server and spawn an interactive shell.
# for user in bin daemon ftp lp mail named nobody ; do usermod -L -s /dev/null $user ; done
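The chage loop in 7.1 and the usermod loop above both act on the accounts that exist at the moment they are run; an account added later, or a restore of a passwd backup, quietly reverts the state. The script below is an added example, not from the AppNote, that reads passwd and shadow and reports any regular user whose aging is not 2/180 and any named service account that is not locked with a /dev/null shell. The file paths are parameters so constructed copies can be checked; on the server pass /etc/passwd /etc/shadow. It assumes regular users occupy UIDs 500 to 59999 (SUSE's UID_MIN and UID_MAX), which deliberately leaves out nobody (UID 65534); note that the bare "$3 >= 500" test in the awk one-liner above would also have aged nobody.

```shell
#!/bin/sh
# Added example, not part of the original AppNote: audit local accounts
# for the password-aging values set in 7.1 and the locked service
# accounts from 7.5. Assumption: regular users are UIDs 500..59999.

# audit_password_aging PASSWD SHADOW
# Prints regular accounts whose shadow min/max days differ from 2/180
# (fields 4 and 5 of /etc/shadow). Returns 0 if all comply, 1 otherwise.
audit_password_aging() {
    awk -F: '
        NR == FNR { if ($3 >= 500 && $3 < 60000) regular[$1] = 1; next }
        ($1 in regular) && ($4 != 2 || $5 != 180) {
            printf "AGING   %s: min=%s max=%s (want 2/180)\n", $1, $4, $5
            bad++
        }
        END { exit (bad > 0) }
    ' "$1" "$2"
}

# audit_service_accounts PASSWD SHADOW USER...
# For each named account, checks that the login shell is /dev/null and
# that the shadow password field is locked: it starts with "!", which is
# what usermod -L writes, or is "*" (no password ever set). Prints one
# line per finding and returns 1 if anything is wrong, 0 otherwise.
audit_service_accounts() {
    passwd=$1; shadow=$2; shift 2
    rc=0
    for user in "$@"; do
        shell=$(awk -F: -v u="$user" '$1 == u { print $7; exit }' "$passwd")
        pw=$(awk -F: -v u="$user" '$1 == u { print $2; exit }' "$shadow")
        if [ -z "$shell" ]; then
            # not in passwd at all (or an empty shell field, which login
            # treats as /bin/sh); either way it is not what 7.5 set up
            printf 'ABSENT  %s\n' "$user"; rc=1; continue
        fi
        if [ "$shell" != /dev/null ]; then
            printf 'SHELL   %s: %s\n' "$user" "$shell"; rc=1
        fi
        case $pw in
            '!'*|'*') ;;
            *) printf 'UNLOCKED %s: password field "%s"\n' "$user" "$pw"; rc=1 ;;
        esac
    done
    return $rc
}

# Stand-alone use (as root):
#   sh account-audit.sh   runs both checks against the live files
if [ -z "$1" ] && [ -r /etc/shadow ]; then
    audit_password_aging /etc/passwd /etc/shadow
    audit_service_accounts /etc/passwd /etc/shadow bin daemon ftp lp mail named nobody
fi
```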
7.6. Set limits on system resources -- Users should be limited in the number of resources they can use so that they can't cause a denial of service either purposefully or by accident. To do this edit the /etc/security/limits.conf file as shown below.
#<domain> <type> <item> <value>
#
* hard core 0
* hard fsize 102400
* hard nproc 150
These stop the creation of core files, limit file sizes to 100MB each, and concurrent processes for any user to 150.
- Xwindows -- GUI protections -- Although X-windows is not loading by default
on the server, this could be changed easily by a frustrated administrator and it is available to load manually by changing run levels or typing "startx" at the console prompt. Therefore, the following extra safeguards should be implemented:
- 8.1.1.1. Disable XDMCP -- Remote machines should not be able to get an X terminal login window. Edit the following lines in /etc/X11/xdm/Xaccess to prepend them with a "!" as shown.
!*                   #NO host can get a login window
!* CHOOSER BROADCAST #NO indirect host can get a chooser
- 8.1.1.2. Disable listening on port 6000 -- This prevents the X
system from listening for X events from remote machines. Local
X access at the console is not affected. In our configuration we
need to edit the KDE config file /etc/X11/xdm/Xservers as shown
below adding the "-nolisten tcp" switch to this line.
:0 local /usr/X11R6/bin/X :0 vt07 -nolisten tcp
- Restrict cron and at -- The cron and at daemons run processes on the system
as root, so access to them, as well as to the crontab command and its files,
should be restricted so that malicious code can't be "scheduled." The binaries
are also world executable and SUID to root so they can be dangerous. We will
restrict access to them with the following steps.
9.1. Create cron.allow and at.allow files -- These files restrict access to cron and at to only the users listed in them. All others will be denied. The only user in the list should be root. These files don't exist by default, so you can create them with the echo command as follows. Delete any deny files (/var/spool/cron/deny).
# echo root > /etc/cron.allow
# echo root > /etc/at.allow
9.2. Modify permissions on cron/at related files -- Since all cron and at files are read and written to by processes that are SUID root, normal users on the system will not ever need to have direct access to the files so they should be secured to prevent tampering.
# chown -R root:root /etc/cron* /var/spool/cron
# chmod -R go-rwx /etc/cron* /var/spool/cron
- Securing the File System -- This section deals with specific changes that
should be made to the overall file system mount methods listed in fstab. This is more of a global file system security view instead of specific files and permissions as set above. The goal here is to prevent Trojans or attackers from introducing new binaries to the system or changing/deleting existing
binaries. We also want to prevent unauthorized SUID/SGID binaries from being loaded from removable media.
We partitioned the disk purposely with /usr on its own partition so that we could protect it in such a manner, however not all binaries are in the /usr file system. Many binaries are in /bin and /sbin and even other locations on the file system. These can't always be mounted on their own partitions either so it is hard to protect them. Below are the changes you should make to /etc/fstab in order to protect the server in the manner described.
/dev/hda1 / ext3 defaults 1 1
/dev/hda2 /usr ext3 ro,nodev 1 2
/dev/hda6 /var ext3 rw,nosuid,nodev 1 2
/dev/hda5 swap swap pri=42 0 0
devpts /dev/pts devpts mode=0620,gid=5 0 0
proc /proc proc defaults 0 0
usbdevfs /proc/bus/usb usbdevfs noauto 0 0
/dev/cdrom /media/cdrom auto ro,noauto,user,exec,nosuid,nodev 0 0
/dev/fd0 /media/floppy auto noauto,user,sync,nosuid,nodev 0 0
10.1. /usr -- is mounted read only and disables the use of device files.
10.2. /var -- must be mounted read-write, but can be protected from SUID binaries and have device files disabled.
10.3. /cdrom, /fd0 -- both are mounted such that they will not honor SUID bits or allow device files to operate.
10.4. /home -- Many guides suggest adding the nosuid and nodev options on the /home file system. However, as stated in the planning section above, this server will not be hosting any home directories and will not have more than a handful of admin users created on it so the decision was made to just keep /home with the rest of the root filesystem. We may want to explore disabling the creation of home directories as new admin users are created on the system.
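The protection described in 10.1 through 10.3 lives entirely in four option fields of /etc/fstab, and a later edit (a hurried fix, a package that rewrites the file) can silently drop "ro" or "nosuid". The checker below is an added example, not from the AppNote: it parses an fstab, looks up the options field of each protected mount point, and reports any required option that is absent. The fstab path is a parameter so a constructed copy can be checked; on the server pass /etc/fstab.

```shell
#!/bin/sh
# Added example, not part of the original AppNote: verify that the mount
# options called for above are still present in an fstab.

# Mount points and the options each must carry, from the fstab in the text.
REQUIRED_MOUNT_OPTIONS='
/usr ro,nodev
/var nosuid,nodev
/media/cdrom nosuid,nodev
/media/floppy nosuid,nodev
'

# fstab_options FSTAB MOUNTPOINT
# Prints the options field (4th column) of the entry for MOUNTPOINT,
# ignoring comment lines. Prints nothing if there is no entry.
fstab_options() {
    awk -v mp="$2" '$1 ~ /^#/ { next } NF >= 4 && $2 == mp { print $4; exit }' "$1"
}

# has_option OPTIONS OPT
# True if OPT appears as a whole item in the comma-separated OPTIONS
# list ("nosuid" must not be satisfied by "suid" or vice versa).
has_option() {
    case ",$1," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# audit_fstab FSTAB
# Prints one line per mount point that has no entry or lacks a required
# option. Returns 0 when all required options are present, 1 otherwise.
audit_fstab() {
    fstab=$1
    rc=0
    while read -r mp wanted; do
        [ -z "$mp" ] && continue
        opts=$(fstab_options "$fstab" "$mp")
        if [ -z "$opts" ]; then
            printf 'NO ENTRY %s\n' "$mp"; rc=1; continue
        fi
        # walk the comma-separated list of required options
        for opt in $(printf '%s' "$wanted" | tr , ' '); do
            if ! has_option "$opts" "$opt"; then
                printf 'MISSING  %s lacks %s (has %s)\n' "$mp" "$opt" "$opts"
                rc=1
            fi
        done
    done <<EOF
$REQUIRED_MOUNT_OPTIONS
EOF
    return $rc
}

# Stand-alone use:  sh fstab-audit.sh /etc/fstab
if [ -n "$1" ]; then
    audit_fstab "$1"
fi
```

This checks only what fstab says, not what the kernel currently has mounted; after a "mount -o remount,rw /usr" for maintenance (section 10.5.4) the file still passes, so remember to remount read-only afterwards.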
10.5. File permissions -- The SUSEconfig system has a method of securing file permissions on the system. This is a very useful function because it secures the system but allows you to do so without breaking most applications. It is also configurable so that you can customize the settings for your own system.
- 10.5.1. Permissions config files - The SUSEconfig script makes use of 5 default permissions files, permissions, permissions.easy, permissions.secure, permissions.paranoid, and permissions.local. The permissions file is the base level of permissions that should be set on the file system by default. Permissions.easy is slightly more secure but allows for all easy access. Permissions.secure is meant for most multi-user systems running on the network and will greatly increase security but shouldn't break most things. Permissions.paranoid will certainly break some things in multi-user environments and is recommended for single user systems not running many if any network services. Permissions.local is the editable local file for adding in any settings that were not already defined in the other permissions files or that you want to override. The default permissions files may be changed by updates but the permissions.local should not be. Therefore this is the best place for custom additions and changes you might want to make. It is applied after the selected easy, secure, or paranoid file. We will use the permissions.secure settings. A portion of the contents of this file are listed below with some limited description of the file. The file itself is more than 10 pages long.
# /etc/permissions.secure
#
# Copyright (c) 2001 SUSE GmbH Nuernberg, Germany. All rights reserved.
#
# Author: Roman Drahtmueller, 2001
#
#
# See /etc/permissions for general hints on how to use this file.
#
# /etc/permissions.secure is designed for the use in a multi-user and
# networked installation. Most privileged file modes are disabled here.
# Many programs that still have their suid- or sgid-modes have had their
# security problems in the past already.
# The primary target of this configuration is to make the basic things
# such as changing passwords, the basic networking programs as well as
# some of the all-day work programs properly function for the unprivileged
# user. The dial-out packages are executable for users belonging to the
# "dialout" group - therefore, these users are to be treated "privileged".
~~~~SNIP~~~~~
/etc/crontab root.root 600
/etc/exports root.root 644
/etc/fstab root.root 644
/etc/ftpaccess root.root 644
/etc/ftpconversions root.root 644
/etc/ftpusers root.root 640
/etc/HOSTNAME root.root 644
/etc/hosts root.root 644
- 10.5.2. Test Run -- The behavior of the SUSEconfig script with regard to file permissions is governed by the file /etc/sysconfig/security. This file has a parameter called "CHECK_PERMISSIONS" which can be set to warn so you can see which settings will be changed before changing them. The lower section describes which permissions.* configurations will be applied and in which order. I have changed the file to reflect the testing behavior and the "secure" settings. Below are the contents of the file and then the output when SUSEconfig is run. Note that just the permissions module is run on the command line.
# SUSEconfig can call chkstat to check permissions and ownerships
# for files and directories (using /etc/permissions).
# Setting to "set" will correct it, "warn" produces warnings, if
# something strange is found. Disable this feature with "no".
#
CHECK_PERMISSIONS=warn
#
# SUSE Linux contains two different configurations for
# chkstat. The differences can be found in /etc/permissions.secure
# and /etc/permissions.easy. If you create your own configuration
# (e.g. permissions.foo), you can enter the extension here as well.
#
# (easy/secure local foo whateveryouwant).
#
PERMISSION_SECURITY="secure local"
Now run the SUSEconfig script as below to see what would be changed after the settings we've applied so far.
# /sbin/SUSEconfig --module permissions
Starting SUSEconfig, the SUSE Configuration Tool...
Running module permissions only
Reading /etc/sysconfig and updating the system...
Executing /sbin/conf.d/SUSEconfig.permissions...
Checking permissions and ownerships - using /etc/permissions...
/usr should be root.root 755.
Checking permissions and ownerships - using /etc/permissions.secure...
/etc/crontab should be root.root 600.
/etc/ftpusers should be root.root 640.
/etc/hosts should be root.root 644.
/etc/ssh/sshd_config should be root.root 640.
/etc/syslog.conf should be root.root 600.
/usr/bin/at should be root.trusted 4750.
/usr/bin/crontab should be root.trusted 4750.
/usr/bin/gpasswd should be root.trusted 4750.
/bin/eject should be root.audio 4750.
/usr/src/packages/SOURCES should be root.root 755.
/usr/src/packages/BUILD should be root.root 755.
/usr/src/packages/RPMS should be root.root 755.
/usr/src/packages/RPMS/athlon should be root.root 755.
/usr/src/packages/RPMS/i386 should be root.root 755.
/usr/src/packages/RPMS/i486 should be root.root 755.
/usr/src/packages/RPMS/i586 should be root.root 755.
/usr/src/packages/RPMS/i686 should be root.root 755.
/usr/src/packages/RPMS/noarch should be root.root 755.
/usr/src/packages/SPECS should be root.root 755.
/usr/src/packages/SRPMS should be root.root 755.
/usr/X11R6/bin/dga should be root.root 0755.
/usr/bin/wall should be root.tty 0755.
/usr/bin/write should be root.tty 0755.
/usr/bin/ssh should be root.root 0755.
/opt/kde3/bin/artswrapper should be root.root 0755.
/opt/kde3/bin/kpac_dhcp_helper should be root.root 0755.
Checking permissions and ownerships - using /etc/permissions.local...
/home/ayerges should be ayerges.ayerges 700.
Finished.
The list is fairly short, but there are a few important entries. Ftp, cron, at, and ssh components should all be further protected, as should RPMS and sources that might be on the machine. The /usr file system is mounted read only so much of this is already protected, but another layer of protection is certainly welcome.
- 10.5.3. Edit Local settings -- After looking at what will be done, some additional lines have been added to the permissions.local file as shown below. Most of these are select lines from the permissions.paranoid configuration which take away world/group readable bits or remove the SUID bit from specific binaries to protect from exploitation if buffer overflows are found and protect them from other malicious use.
# example:
#/usr/local/bin/mtr root.root 4755
/home/ayerges ayerges.ayerges 700
/root root.root 700
/etc/ftpusers root.root 600
/etc/grub.conf root.root 600
/etc/cron.* root.root 700
/bin/mount root.root 0755
/bin/umount root.root 0755
/usr/bin/fdmount root.root 0755
/usr/bin/ncpmount root.trusted 0755
/usr/bin/ncpumount root.trusted 0755
/usr/bin/vmware-ping root.root 0755
/usr/bin/ntping root.trusted 0755
/bin/ping root.root 0755
/bin/ping6 root.root 0755
/usr/bin/chfn root.shadow 0755
/usr/bin/chsh root.shadow 0755
/usr/bin/chage root.shadow 0755
- 10.5.4. Apply the settings -- In order to actually apply the settings we have to do a few things
- 10.5.4.1. Remount /usr -- Since the /usr file system is mounted read
only, we have to mount RW in order to apply these changes to
the files. Do this with the following command:
# mount -o remount,rw /usr
- 10.5.4.2. Edit /etc/sysconfig/security -- Change the "CHECK_PERMISSIONS" parameter to "set" so that the changes will be applied.
- 10.5.4.3. Run command - "SUSEconfig --module permissions" in order to apply the permissions.
- Host Based IPTables firewall -- To protect the server we will
configure the iptables firewall built into the kernel. SUSE comes with
its own front end for configuring basic firewall functionality with
iptables, but I chose not to use that because we want much more granular
and specific behavior. Most of the other scripts and tools I looked at
out there are quite good but also limit the functionality I was looking
for so I started with a fairly plain but well documented script and
modified it (A Sample Firewall Configuration. In the Linux Network
Administrators Guide: http://www.faqs.org/docs/linux_network/x-087-2-firewall.example.html).
The goal is to block both inbound and outbound
traffic for everything except desired traffic and to differentiate
between traffic from the inside of the network and traffic from the
Internet. A script to do this is included in the appendices. It should be placed in a file called /etc/fwup.sh.
11.1. fwdown -- A script to take down the firewall easily for troubleshooting, etc should be created in /etc/fwdown.sh. The contents should be as follows:
#!/bin/bash
#########################################################################
#
# IPTABLES VERSION
# This sample configuration is for disabling the active firewall configuration
#
#########################################################################
# The name and location of the iptables utility.
IPTABLES=iptables
# Flush all the rules in the filter table
$IPTABLES -F
# Reset the default policies to ACCEPT. If fwup.sh sets a DROP policy on
# OUTPUT or FORWARD as well as INPUT, flushing the rules alone would leave
# the host unable to send, so all three chains are opened here.
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
#
# end
11.2. Make scripts executable -- Make both of these scripts executable and add an S0Xfwup link in /etc/init.d/rc3.d. Also make sure the scripts are owned by root and all other permissions are taken away.
Make the startup link. Create it at a number order that is after network, but before other services.
# ln -s /etc/fwup.sh /etc/init.d/rc3.d/S08fwup
Now ownership and executable bits will be set:
# chown root:root /etc/fwup.sh /etc/fwdown.sh
# chmod 700 /etc/fwup.sh /etc/fwdown.sh
11.3. Test -- After installing these scripts, carefully test applications and access while watching the logs generated. This is best done in a low traffic environment so that logging is not too extensive to monitor effectively. You may need to add lines to accept or deny other specific traffic as noted by monitoring the logs (/var/log/warn) and knowing your specific environment.
12.1. First we put in a "catchall" to log any info or greater messages not specifically sent to other log files specifying the exceptions in the line.
12.2. Then we establish logging for each facility excepted in the catchall line. Below is the portion of the file which shows this setup.
# Log severity level info and above to get more detailed
# logging. This line logs all Info messages EXCEPT those
# going to authpriv, auth, mail etc... Those will go to
# their own facility below.
*.info;authpriv,auth,mail,cron,kern,lpr,local7.none /var/log/messages
# all email-messages in one file
#
mail.* /var/log/maillog
# Messages about logins and authorizations should be sent
# to one log file
authpriv,auth.* /var/log/secure
# Put cron and at messages in a specific file
cron.* /var/log/cron
# Kernel messages in a separate file. Includes IPTABLES
# messages because it is built into the kernel.
kern.* /var/log/kernel
# Specify boot messages to go into their own file
local7.* /var/log/boot.log
# Send printing log files to their own file as well
lpr.* /var/log/spooler
12.3. Log Rotation -- Log rotation needs to be set up so that logs do not fill the drive but remain long enough for proper analysis (this is discussed in the "Ongoing Maintenance" section below).
# rotate log files monthly
monthly
# keep 12 months worth of backlogs
rotate 12
# create new (empty) log files after rotating old ones
create
# uncomment this if you want your log files compressed
compress
/var/log/warn /var/log/messages /var/log/secure /var/log/localmessages
/var/log/cron /var/log/kernel /var/log/boot.log /var/log/spooler {
compress
dateext
maxage 365
rotate 99
missingok
notifempty
size +4096k
create 644 root root
sharedscripts
postrotate
/etc/init.d/syslog reload
endscript
}
Application Hardening
- Apache Security -- Since Apache is one of the main components of the services provided by the server, it is important to secure it as well as we can. Many documents have been written on Apache security, and a full discussion is beyond the scope of this paper. However, we will cover the specific configuration changes that should be made to help secure this particular server and refer to some excellent sources for reference in making those changes. Any of the suggested changes might be overwritten by upgrading or patching the applications, so they should be rechecked carefully after every patch or upgrade is applied. Many of these changes will be made in /etc/opt/novell/httpd/conf/httpd.conf. Note that there is also a directory /etc/opt/novell/httpd/conf.d/ which contains links to other conf files that are automatically processed and used by Apache as it starts up. These represent many of the extra modules that are required for NNLS to function. They should be left as is in order for the application to be supportable by Novell.
1.1. Patch code -- Probably the most important step is to make sure that the code is patched and up to date. Since this is part of a packaged product, it is not suggested that the Apache version be updated apart from code that has been tested and certified by Novell to work with the rest of the components. We will ensure that Apache is up to date, tested, and patched using the Red Carpet client functionality that is installed by default with the product. This is covered further in the Ongoing Maintenance section later in the paper.
1.2. Remove Unnecessary Modules -- (Caution: might not be supported by Novell) The following modules should probably be removed since they are not needed by the products we installed. Extra modules slow the server down and offer more avenues for attack, so we should take out all that we can. Comment out the "LoadModule" (and, on Apache 1.3, "AddModule") lines for each. Note that the list below uses Apache 1.3 module names; the NNLS build is Apache 2.0.48, which has no AddModule directive and no longer ships some of these modules (agent_log_module and referer_log_module, for example), so comment out only the LoadModule lines that actually appear in httpd.conf. Test the functioning of your server after remarking out these modules to be sure all applications still work in your environment.
- 1.2.1. mmap_static_module
- 1.2.2. vhost_alias_module
- 1.2.3. env_module
- 1.2.4. agent_log_module
- 1.2.5. referer_log_module
- 1.2.6. mime_magic_module
- 1.2.7. negotiation_module
- 1.2.8. status_module
- 1.2.9. info_module
- 1.2.10. autoindex_module
- 1.2.11. cgi_module
- 1.2.12. asis_module
- 1.2.13. imap_module
- 1.2.14. action_module
- 1.2.15. speling_module
- 1.2.16. alias_module
- 1.2.17. auth_module
- 1.2.18. anon_auth_module
- 1.2.19. dbm_auth_module
- 1.2.20. db_auth_module
- 1.2.21. digest_module
- 1.2.22. proxy_module
- 1.2.23. cern_meta_module
- 1.2.24. expires_module
- 1.2.25. headers_module
- 1.2.26. usertrack_module
- 1.2.27. unique_id_module
- 1.3.1. ServerSignature -- This directive should be changed to "Off" to keep the server name, version, and modules from being displayed by default.
- 1.3.2. ServerTokens -- This directive should be set to "Prod" which sends the least amount of information in the HTTP header that is always sent back to a requesting browser. The default sends back all information about the server version and loaded modules that it can.
- 1.3.3. ServerAdmin -- An aliased e-mail address (not a real user id) should be used here. If we put a real id in the field then it could potentially give the attacker an id to try against this or other systems in the environment. Something like Webmaster@domain.com for your domain would be better.
1.5. Directory Permissions -- (Caution: might not be supported by Novell) We need to tighten the directory permissions that are set in the default configuration. However, these permissions might get reset if an upgrade or patch is applied. If this occurs, the changes must be made again to put them back into effect. There are two sections for this right after the "DocumentRoot" directive.
- 1.5.1. Default directory -- Here we need to change it to the following:
# First, we configure the default to be a very restrictive set of
# features.
#
<Directory />
    Options SymLinksIfOwnerMatch
    AllowOverride None
    Order allow,deny
    Deny from all
</Directory>
- The "Deny from all" on the root directory is what restricts access to any path on the server other than DocumentRoot (and the paths explicitly opened by the conf.d files). Changing "FollowSymLinks" to "SymLinksIfOwnerMatch" closes the remaining hole: without it, someone who could place a symlink in a served directory could have the server follow it to any location in the filesystem.
- 1.5.2. DocumentRoot directory -- Here we need to change the defaults to what is shown below. This tightens security by removing the defaults of "Indexes" and "FollowSymLinks." Symlinks are still allowed by this configuration, but Apache will only follow a link whose owner matches the owner of its target. Once the links in the default install are owned by the web server user novlwww (see 1.5.3), this prevents anyone else from creating symlinks that would be followed by the server to lead elsewhere in the filesystem.
# This should be changed to whatever you set DocumentRoot to.
#
<Directory "/var/opt/novell/httpd/htdocs">
    Options SymLinksIfOwnerMatch
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
- 1.5.3. Change SymLink ownership -- In order for all of the pages to function, any links not owned by the user novlwww must be changed. There are about 5 in the default install. To find them and change them, execute the following command. The -h switch matters: without it chown follows the link and changes the owner of the target file instead of the link itself, which is not what SymLinksIfOwnerMatch compares.
# find /var/opt/novell/ -user root -type l -exec chown -h novlwww:root {} \;
- 1.5.4. Permissions to DocumentRoot -- Most guides suggest making sure that no documents are writable by the web server user (novlwww in this case). The default is to have all of the files in DocumentRoot owned by root, so they should be protected. This should help prevent most defacement attempts arising from newly found bugs in the Apache code. The other resource directories all have files owned by the novlwww user, ostensibly to allow the application to write files to the filesystem. These must be left as is for now, but I would suggest Novell look into the real security needs of these directories according to their functions. See further discussion in the Tomcat section below.
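The chown above fixes the links Novell ships, but after any patch or upgrade you need to know whether a link would again be refused. The script below is an added check (not from the AppNote or from Novell): it lists every symlink under a tree whose owner differs from its target's owner, which is exactly the case SymLinksIfOwnerMatch rejects, and offers a helper that applies the chown -h fix. It assumes GNU find and GNU stat (the -c and -L switches); the fix helper needs root.

```shell
#!/bin/sh
# Added example, not from the AppNote: audit symlinks under a web tree for the
# condition "Options SymLinksIfOwnerMatch" enforces. Apache follows a link only
# when the link inode and its target have the same owner, so each line printed
# here is a link the hardened server will refuse to follow (403) or cannot
# resolve at all (404). Assumes GNU find and GNU stat.
#
#   usage: audit_symlinks /var/opt/novell/httpd/htdocs
# Prints one line per problem link and nothing when the tree is clean.
audit_symlinks() {
    tree=$1
    find "$tree" -type l -print | while IFS= read -r link; do
        # Owner of the symlink itself (stat without -L reads the link inode).
        link_uid=$(stat -c %u "$link")
        if [ ! -e "$link" ]; then
            # Target is missing: nothing to owner-match, Apache would 404.
            echo "$link dangling"
            continue
        fi
        # Owner of whatever the link resolves to.
        target_uid=$(stat -L -c %u "$link")
        if [ "$link_uid" != "$target_uid" ]; then
            echo "$link owner=$link_uid target_owner=$target_uid"
        fi
    done
}

# Number of problem links, usable as a pass/fail check from cron after patching.
audit_symlinks_count() {
    audit_symlinks "$1" | wc -l | tr -d ' '
}

# Make one link followable by giving it its target's owner and group.
# chown -h changes the link, not the file it points to. Needs root.
fix_symlink_owner() {
    link=$1
    chown -h "$(stat -L -c %u:%g "$link")" "$link"
}
```

Running audit_symlinks_count against /var/opt/novell after each Red Carpet update, and expecting 0, turns the 1.5.3 step from a one-off into something that is actually rechecked as the Apache section recommends.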
- Tomcat Servlet Engine -- Next we will discuss the security of Tomcat in this configuration and how best to address the issues raised here. With the goal stated in the planning section above of keeping our configuration "supportable" by Novell, we can't change too many parts of Tomcat. The built-in security files or the tags, both discussed in the Tomcat documentation (http://jakarta.apache.org/tomcat/tomcat-4.1-doc/ ), can't be implemented with this requirement in mind. If changes are made to specific configuration files, they will also probably be replaced when patches or upgrades are applied and the files get overwritten. Despite these warnings I outline a method below for increasing the security of the Tomcat server by changing some of the default file permissions.
2.1. Patching -- As with Apache above, Red Carpet will be used to keep the patches up to date in order to protect against new vulnerabilities as they are found and patched. Keeping the package in synch with Novell's controlled and tested patches is very important for all parts of the applications to work together.
2.2. File Permissions -- (Caution: might not be supported by Novell) The default file permissions that are set upon installation of the product give the novlwww user write access to almost every file that is part of one of the web applications that run under Tomcat. The default permissions assigned are 644, so the files are world and group readable but only writeable by the owner. So, we will change the owner of the files to remedy this.
- 2.2.1. Tomcat applications -- The applications that we are securing under Tomcat are: eGuide, iManager, iFolder, NetStorage, and the Tomcat root. A good understanding of how these applications function is critical for troubleshooting if changing the permissions causes one of them to fail.
- 2.2.2. Permissions Discussion -- If the user id that Tomcat uses to run has file system rights on the server, especially in the content directories, then it is much easier for an attacker to introduce compromised code to attack the server.
A balance must be maintained here, though, because some files must be writable by the Tomcat user in order for the applications to function correctly. A specific example is iFolder. The Tomcat user must be able to write data to the iFolder directories on behalf of the users connecting to it. The data is encrypted by the module and written to the disk in an encrypted format. The module also requires both a valid password and a pass phrase in order to access or modify the data.
- 2.2.3. My permissions changes -- The following command worked for me and still allowed all of the applications to function correctly. This should improve the security stance of the installed application, but again, use this with caution. You may want to tar up the original file structure before attempting this command so that you can go back to the original structure and permissions if necessary.
# cd /var/opt/novell
# find eGuide/ iManager/ ifolder/ netstorage/ novlwww/ tomcat4/ xtier/ ! \
    -type d ! -type l -user novlwww -perm +202 ! -iname '*.log' ! -iname '*.txt' \
    ! -iname '*.gz' ! -iname '*.out' -exec chown root:novlwww {} \;
Analyzing this command a little is probably helpful here. We are using find to list all of the files that are owned by the Tomcat user and that this user has write access to (-perm +202 matches any file with the owner or world write bit set). We are also excluding log files, directories, symlinks, and zipped log files; the name patterns are quoted so that the shell does not expand them before find sees them. This list is then passed to chown in order to change the user ownership to root while keeping the group ownership the same. This allows configuration files and application files to remain readable to the Tomcat engine but takes away write access. The exceptions in the command (logs, symlinks, and directories) are important since the Tomcat user must be able to write log files, and the symlinks must be owned by the Apache user in order to operate as discussed in the Apache section above.
- Protecting the entire web services environment -- To add another layer of protection against typical web attacks I suggest adding an application firewall/IDS. The one I suggest currently is mod_security. This is an open source intrusion detection and prevention engine for Apache web servers. (http://www.modsecurity.org). Since it is part of the web server itself, it offers many advantages. It can operate effectively with SSL because the requests are decrypted before the module can take action on them. It can monitor GET, HEAD, and POST processes. It is part of the HTTP processing engine so it can fully understand the protocol and monitor it in a very finely grained manner. Mod_security also fits the requirement of keeping the system supportable by Novell because it can simply be disabled for testing purposes should it come into question during a support incident.
3.1. Download and Install -- The installation files can be downloaded from http://www.modsecurity.org/download/index.html. The version I installed was the 1.7.6 version. Since the Novell-provided Apache server is a stripped-down version without the development tools, and there are no precompiled binaries for SUSE, we will have to download, compile, and install Apache in a different path and then use that installation to compile the mod_security binary for use on our system.
- 3.1.1. Download/Install Apache -- The current Apache version included with NNLS is 2.0.48. To avoid problems, download this version from the archives section of the Apache site (http://archive.apache.org/dist/httpd/httpd-2.0.48.tar.gz). Check the md5sum against the posted value to be sure the file is intact and has not been tampered with. Then extract the archive and install the software according to the instructions in the INSTALL file. This will not overwrite the current Apache installation because the default path is /usr/local/apache2.
Note: don't forget to remount the /usr filesystem as read-write temporarily so that the install will work.
- 3.1.2. Download mod_security -- The source files for mod_security must also be downloaded and extracted in order to compile the module for use. Download from the site given above and extract the files after again confirming the md5sums as we did with the Apache distribution.
- 3.1.3. Compile mod_security -- To compile the code with the newly installed Apache version, full paths should be used. The command is otherwise identical to the one given in the mod_security documentation from the distribution under the DSO heading (apxs -c compiles the module, -i installs it, and -a adds a LoadModule line to the build's own httpd.conf):
# /usr/local/apache2/bin/apxs -cia /<path-to-extracted-mod_security>/apache2/mod_security.c
Once compilation finishes, a mod_security.so file should be found in the path /usr/local/apache2/modules. This is the binary that we need for the Novell-supplied Apache server to run mod_security.
- 3.1.4. Install mod_security -- To install the module to the server we are running, copy the mod_security.so file noted above to the path /opt/novell/httpd/modules and add the following line to the httpd.conf file at the bottom of the modules section. The following is an excerpt of this file showing the line you should add. Restart the web server to be sure that the module loads without error.
# vi /etc/opt/novell/httpd/conf/httpd.conf
#LoadModule userdir_module modules/mod_userdir.so
LoadModule alias_module modules/mod_alias.so
#LoadModule rewrite_module modules/mod_rewrite.so
# The following module adds IDS functionality to Apache
LoadModule security_module modules/mod_security.so
#
- 3.1.5. Configure mod_security -- After it is installed, a base configuration should be added per the documentation. I will not discuss all of the options here. Some good references for this are:
the www.modsecurity.org website and
http://www.onlamp.com/pub/a/apache/2003/11/26/mod_security.html,
http://www.hackinthebox.org/ , and
http://www.securityfocus.com/infocus/1739.
My basic technique was to use much of the configuration from the security focus article and then add the full converted SNORT rule set from the mod_security distribution taking out the specific rules I knew didn't apply to this server (i.e. IIS rules, .cmd rules and .exe rules). After testing, I had to remove some more of the rules because they conflicted with the operation of the iFolder, iPrint, and Red Carpet. My full mod_security rule set can be found in the appendices.
Mod_security also has built in chroot capabilities. This looks like an interesting addition to the configuration but I chose not to implement it because it has some known problems that the author has fixed in the upcoming 1.8 release
(http://www.modsecurity.org/download/CHANGES).
- Postfix -- By default SendMail is not installed. Postfix is our local mail handler. The default configuration for Postfix is quite secure as long as no external mail server is running on this server. Port 25 (smtp) is only listening on the loopback interface so it is not accessible from the network. Relaying is not enabled and no forwarding address is configured. As initially installed, mail to root is forwarded to the additional user created so that it is not necessary to log in as root or even "su" to root in order to get important system messages.
- LDAP -- LDAP is provided on this server through eDirectory. Therefore control of LDAP is done through iManager and setting specific eDirectory settings. When the LDAP services come up they read their configuration out of the directory and behave accordingly. When we installed NNLS we specified 636 as the LDAP access port for all applications. This is the default TLS/SSL port for conducting encrypted LDAP sessions. A few changes should be made from the defaults in order to ensure that the communications are encrypted and that passwords are required to access the LDAP information.
5.1. Open iManager and Find LDAP objects -- Since this will all be done in iManager, we need to open it up and log in. Use the following URL substituting your IP address as appropriate https://192.168.1.55/nps/iManager.html. Log in with the admin user you created/linked to during the install.

Once logged in, expand the LDAP section on the left and select the "LDAP overview" link. On the right expand the LDAP configuration for your server.

5.2. LDAP Group Object -- The group object and the server object are both going to be edited. First click on the group object link. We are not setting a proxy user for this configuration because we do not require any unauthenticated extended access to directory data. Default access is granted to the "Public" user in eDirectory. This access is sufficient. Ensure that "Require TLS for simple bind with password" is checked. With this set, the server rejects any simple bind that carries a password over a connection not protected by TLS. Note that this does not stop a misconfigured client from transmitting its password in the clear on that first, rejected attempt; it only guarantees the bind fails, which discourages plain-text use. We will prevent unencrypted connections from being accepted at all in the "LDAP Server" section below.

5.3. LDAP Server Object -- Next we will make the changes required on the server object. For this object we will make changes in the "connections" link on the main configuration page. The first thing to look at is the "Server Certificate" field. This is the SSL certificate used by the server to set up secure communications. The certificate is stored in the directory and read each time the server starts up. This certificate must be valid and accessible for TLS communications to take place. Note that we are checking the box "Require TLS for all operations" and unchecking the port 389 box below that. Now the server will only listen on the secure 636 port and require TLS for all communications.

- NetWare Core Protocol (NCP)/eDirectory -- This is the protocol used by eDirectory clients and servers to talk to each other by default. In the NetWare OS there was an option to add packet signatures to prevent man-in-the-middle or packet insertion attacks. Unfortunately this is not available on the Unix/Linux platforms. This is an option I would like to see Novell offer in the future. Although not all shops will use it, there is certainly some value to this capability.
The rights assigned to the eDirectory database files are set to 600 which are appropriately secure. The database files themselves are written in an encrypted format so they are not accessible to prying eyes even if someone was able to gain root access.
Some of the eDirectory tools and utilities should have their default permissions changed to keep them from being world readable and executable. Although I would prefer to set the same rights on all of the library files found in /usr/lib/ and /usr/lib/nds* directories and subdirectories I cannot recommend this because of the need to keep the server "supportable" by Novell as stated above. The following command will change the permissions to more sane values on the main eDirectory utility files included on the system. As before, make sure your /usr file system is mounted RW in order for this command to work.
# chmod 750 /usr/bin/nds*
- DirXML (Identity Manager)-- Identity Manager uses XML files transferred between applications running on the source and destination servers in order to manage directory information between disparate systems. It is the core of Novell's "Meta Directory" solution and is very customizable and extensible. Because of the direct access into the respective directory stores, protection of these connections, applications, and data is very important. The solution is architected to use SSL certificates for data encryption and authentication. This is well documented and should be configured for every connection made with another directory as well as remote loader and control connections. In conjunction with these certificates, the iptables firewall solution discussed above will block most connections to these ports from unauthorized hosts. I suggest that more specific entries be made so that only servers that need to communicate with this server be allowed access. I also suggest that the script files be protected by modifying the default rights on them to prevent them from being accessed by all users. To do this execute the following command with the /usr file system mounted RW.
# chmod 750 /usr/bin/dxml*
With a tool of this power it should be emphasized that great care must be taken to prevent loss of data or functionality simply from misconfiguration or poor planning. Make sure you know exactly what you are doing or have contracted with a qualified consulting organization before putting this solution into production. Further discussion of installation and configuration is beyond the scope of this document. Please see the Novell documentation. (http://www.novell.com/documentation/dirxml20/index.html)
- iPrint printing -- Printing over IPP was also installed on this server and there are a couple of security configurations to consider with this. IPP support is provided by an Apache module so much of the security has been taken care of by the Apache security configuration above. Printing from the Internet, if allowed, should be restricted to SSL printing which requires authentication and encrypts the job by default.
General setup of an IPP printer is not covered here. Documentation is available (http://www.novell.com/documentation/nnls/pdfdoc/iprint/iprint.pdf)
In addition to this basic documentation we are going to enable SSL based IPP printing by making the following change in iManager.
8.1. IPP over SSL -- To make the change, open iManager as you did before browse to the "iPrint" section on the left, expand it, select "manage printer", and enter or browse to your previously created printer object and click OK.

On the screen that appears, select the "client support" tab. Check the box next to "Enable Secure Printing" and click the "apply" button near the bottom.

After applying the changes you will see a success message and your printer should now be set up for SSL printing. You should test it by running through the printer install process. You may also have to adjust the "access control" settings to ensure that the proper users are allowed to use the printer. Again the documentation cited above can help with this configuration if you require assistance.
- iFolder security -- iFolder is another one of the services that is offered through Apache. It also has some significant security features that should be enabled/edited so I will cover those in this section. Further configuration questions can be addressed with the online documentation (http://www.novell.com/documentation/ifolder21/pdfdoc/admin/admin.pdf).
9.1. iFolder Global Client Policies -- First we will discuss and set the global settings that relate to security. To access the iFolder administration page connect to the following URL substituting the correct IP/DNS name for your environment: https://192.168.1.55/iFolderServer/Admin. Once you click on any button (We want the global settings button in this case) you will be prompted to log in.

After logging in, choose the "Global Policies" link on the left and then select the "client policies" button on the right. Edit the policies as shown in the picture below.

For the highest security we want to enforce encryption and disable the saving of passwords. We also want to enable the ability to recover pass phrases.
9.2. iFolder Encryption -- A quick discussion of the pass phrase and encryption in iFolder is in order. iFolder runs over port 80, HTTP which is typically a clear text port/protocol. However, the iFolder client and server use RSA encryption to pass the username and password. The file data is encrypted by the client and kept on the server with blowfish encryption based on the settings we added above. The data is never encrypted on the user's local hard drive. The user's pass phrase is the "shared key" for this encryption. When the user logs in the first time, they will be prompted to enter a pass phrase for this encryption. Both the user id with a current password and the pass phrase are necessary to access the data on the server.
Being able to recover the pass phrase serves a couple of purposes. Of course it is important to end users who might forget their pass phrase and need access to their data. It is also important to the organization because we don't want the data to be inaccessible to the organization should an employee be terminated or leave for other reasons. Set the global recovery pass phrase by clicking on the "Update" button for the "Security Pass Phrase" and entering your chosen pass phrase for the system. It should be complex and not easily guessed.
9.3. Admin Settings -- Now we will take a look at how to set authorized administrators. Click the "Admin Names" link in the left frame and then enter a list of users who should have admin rights over the iFolder system as described on the page. This would be a good opportunity to set up some privilege separation to protect the user data. If you have enough staff it is suggested that the administrators who can administer the iFolder server settings and recover pass phrases not also be able to reset the user's LDAP/eDirectory passwords. Separation of privileges can help make iFolder a very secure but manageable way to store company data
9.4. Other things to consider -- iFolder can be very convenient for users and provide an elegant method for backing up data on remote laptops or employee's home PC's. It also encourages the flow of data out of the organization by making it more possible to keep this data safe. Any company data outside of the firewall puts that data at risk. A laptop can be stolen or lost. To help protect against this problem encrypting file systems can be used on laptops but this solution can result in a user created "Denial of Service" condition as many systems Administrators know all too well. Files can also be downloaded to uncontrolled computers with just a web browser. Non-savvy users can easily leave traces or full copies of this sensitive data on these uncontrolled computers. Even with these caveats in mind, I feel that iFolder is still a good security benefit to the Enterprise. Much of this data is already flowing in and out of the organization, usually via insecure methods such as e-mail or FTP servers. Putting a solution in place that is relatively secure and automatic certainly adds value.
- Non-secure default access -- Some of the programs available on the server do not automatically redirect users to use HTTPS. This is unfortunate because by default user id's and passwords would then be in danger of being captured by an attacker since they are transmitted in the clear over the Internet. We definitely want to change this default behavior so we will make a few more configuration changes below.
10.1. NetStorage SSL redirect -- NetStorage is the first application we will address. In order to automatically redirect users to the SSL version of the application, we edit the conf file that adds it to the main Apache configuration, /etc/opt/novell/httpd/conf.d/netstorage.conf. The lines following the "redirect" comment below are what should be added. This configuration uses mod_rewrite; the rule carries the rest of the request path through in $1 and uses an explicit R=301 so the browser receives an external redirect rather than an internal rewrite.
Alias /NetStorage "/opt/novell/netstorage/webapp"
<Directory "/opt/novell/netstorage/webapp">
    Options +MultiViews
    AllowOverride None
    Order deny,allow
    Allow from all
</Directory>
# The following lines redirect NetStorage to https if it was not requested that way
<IfModule !mod_rewrite.c>
    LoadModule rewrite_module modules/mod_rewrite.so
</IfModule>
<IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule ^/NetStorage(.*)$ https://%{HTTP_HOST}/NetStorage$1 [R=301,L]
</IfModule>
10.2. eGuide SSL redirect -- eGuide is another application that must be adjusted to make this redirect happen. The same basic configuration is employed, as shown in the added lines of this excerpt of /etc/opt/novell/httpd/conf.d/eGuide-apache.conf. Note that the Novell-supplied eGuide stanza keeps "FollowSymLinks" and "AllowOverride All" for its own path; per the conf.d note in the Apache section it is left as shipped.
Alias /eGuide "/var/opt/novell/tomcat4/webapps/eGuide"
<Directory "/var/opt/novell/tomcat4/webapps/eGuide">
    Options FollowSymLinks
    Order allow,deny
    Allow from all
    AllowOverride All
</Directory>
# The following lines redirect eGuide to https if it was not requested that way
<IfModule !mod_rewrite.c>
    LoadModule rewrite_module modules/mod_rewrite.so
</IfModule>
<IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule ^/eGuide(.*)$ https://%{HTTP_HOST}/eGuide$1 [R=301,L]
</IfModule>
Ongoing Maintenance Procedures/Policies
Now that the server is relatively secure, it is very important to maintain it in such a way that it remains secure. This section details procedures and policies that will help ensure this server remains serviceable and at the height of security for a long time to come. Components that will be addressed include backups, log monitoring and analysis, patching, and monitoring file/system integrity.
- Backups -- Backups of the data and the system are important for several reasons. Of course the user data saved within the applications is important, but an initial full system-level backup is also quite important.
1.1. Initial "Gold" backup -- It is important to get a "snapshot" of the system before it is put into production. This can help in a couple of situations. If the system is ever compromised you have a base image to work from to help identify the method of intrusion and the exact damage done. It can also be useful if you need to "clone" the system and put several others like it into production, which can significantly cut down the workload. The "gold" image should be put on tape and then locked away in a secure place, and the tape should not be used again. (Caution: tape media that isn't "exercised" on a periodic basis will lose its data or become unreliable within 12 months or shortly thereafter.) The commands shown below are one way of doing this and show the preferred method of backing up to a directly attached device instead of relying on some sort of remote access method across the network. A remote access method would introduce another path/application that must be secured.
# mt -f /dev/st0 rewind
# tar -cpMf /dev/st0n / --exclude=/proc
The "mt" command rewinds the tape device we will use. The tar command creates (c) an archive, keeps permissions intact (p), and prepares to span multiple tape media if necessary (M). We are also using the "no rewind" tape device "st0n" and excluding the proc filesystem since it does not contain real files anyway.
1.2. Incremental "Gold" backups -- Whenever major changes or patches are applied to the system the full system backup should be done again to document the steps along the way and have a more realistic baseline to analyze with and step back to if necessary.
1.3. Data backups -- The user data and the functionality of the server are some of the most important things we are protecting throughout this process, so it would be foolish not to provide a method of backing up the user data. In the system we have built there are a few specific areas where user data is kept for each of the applications. These areas should be backed up using an incremental rotation method. The directories are listed below along with a resource for setting up automatic tar backups.
- 1.3.1. iFolder - /var/opt/novell/ifolderdata
- 1.3.2. NetStorage - /var/opt/novell/netstorage
- 1.3.3. Virtual Office - /var/opt/novell/iManager/nps/WEB-INF/communityStore
- 1.3.4. Backup Scheme -- A good resource for using tar to do incremental backups that includes a good example scheme is "Securing and Optimizing Linux: RedHat Edition -A Hands on Guide" (http://pierre.mit.edu/compfac/linux/Securing-Optimizing-Linux-RHEdition- v1.3/chap29sec305.html). This should be followed closely but in a manner integrated with your current enterprise backup strategy.
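As an added example of the incremental scheme 1.3 calls for (example script, not from the AppNote, the cited guide, or Novell), the functions below take a level-0 backup of the three data directories and then differentials against it using GNU tar's --listed-incremental snapshot file. The snapshot saved by the full backup is copied before each differential, so every differential is relative to the full and a restore is "full plus newest differential" rather than a chain. It assumes GNU tar 1.13 or later; paths and labels in the usage comment are illustrative.

```shell
#!/bin/sh
# Added example, not from the AppNote: level-0 plus differential tar backups of
# the NNLS data directories with GNU tar's --listed-incremental snapshot file.
# Assumes GNU tar 1.13 or later. Directory names are passed relative to the
# current directory, e.g. run from / as root:
#   backup_full /backup var/opt/novell/ifolderdata var/opt/novell/netstorage \
#       var/opt/novell/iManager/nps/WEB-INF/communityStore
#   backup_diff /backup 2004-10-02 var/opt/novell/ifolderdata ...   (nightly)

# Level 0: archive everything and record the file state in $dest/snapshot.0.
backup_full() {
    dest=$1; shift
    rm -f "$dest/snapshot.0"
    tar -cpzf "$dest/full.tar.gz" --listed-incremental="$dest/snapshot.0" "$@"
}

# Level 1: files new or changed since the full backup. tar rewrites the
# snapshot it is given, so work on a copy and leave snapshot.0 untouched;
# that keeps each differential relative to the full rather than to the
# previous differential.
backup_diff() {
    dest=$1; label=$2; shift 2
    cp "$dest/snapshot.0" "$dest/snapshot.work"
    tar -cpzf "$dest/diff-$label.tar.gz" --listed-incremental="$dest/snapshot.work" "$@"
    rm -f "$dest/snapshot.work"
}

# Regular files stored in an archive. Incremental archives always carry the
# directory entries themselves, so filter to files to see what really changed.
archive_files() {
    tar -tvzf "$1" | awk '$1 ~ /^-/ { print $NF }'
}

# Restore into a target root: full first, then the chosen differential.
# --incremental makes tar honor the stored directory lists, so files deleted
# between the two backups are removed as well.
restore_diff() {
    dest=$1; label=$2; target=$3
    mkdir -p "$target"
    tar -xpzf "$dest/full.tar.gz" --incremental -C "$target"
    tar -xpzf "$dest/diff-$label.tar.gz" --incremental -C "$target"
}
```

Because the differentials never grow a chain, losing one night's tape costs only that night; rotate them with the "gold" tapes kept separately as 1.1 describes, and keep the snapshot.0 file with the full archive, since it is what makes the next differential correct.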
- Logging -- Effectively monitoring and processing log files is very important if we are ever to know about an intrusion attempt that has taken place or succeeded. We covered log rotation above and sending logs to a central syslog server, but how do we effectively monitor that mountain of data? Two of the best solutions out there are "Logsurfer" (http://www.cert.org/security-improvement/implementations/i042.02.html) and "LogWatch" (http://www2.logwatch.org:81/). Setting up a central syslog server is beyond the scope of this document, but essentially what these programs do is offer semi-IDS functionality for analyzing log files from different systems. Logsurfer is especially adept at doing this in a near real-time manner. Other commercial systems from Symantec, ISS, and others are also available which can do the same basic thing. Whichever product is used, it is very important that ongoing, effective log file monitoring is planned for and executed.
- Tripwire and System Integrity -- Tripwire is a tool that can check the integrity of key files and directories on the system for evidence of tampering or changes. It is available in a free version as well as a more richly featured "pay for" version. We will set up and configure the free version for our purposes here. First we create the configuration file.
3.1. tw.config -- I got most of this from a config file created by Jay Beale and posted at http://networking.earthweb.com/netsecur/article.php/10952_624581_2. I modified it to fit this environment and saved it to /etc/tw.config. Below is what I came up with for reference.
# This file is a sample configuration file that you can use for a
# stock system, using Tripwire 1.3.1.
# REFERENCE CHART follows - each letter/number corresponds to a
# different quality of the file to watch.
#
# p - Permission and file type (mode)
# i - inode number (inode=entry in the filesystem)
# n - link count (number of hard links to the file)
# u - UID (owner of the file)
# g - GID (group owner of the file)
# s - size of file
# a - access timestamp (last time the file was accessed (RARELY USED!)
# m - modification timestamp (last time the file was modified)
# c - inode Change timestamp (last time the inode was modified)
# 0-9 - "signature" algorithm to use: 1=md5, 2=snefru, 7=SHA-1
# E - Ignore everything
#
# First, define a number of monitoring levels.
#
# Essential system binaries should be monitored on all attributes,
# with a high level of certainty. We keep only md5 and SHA-1 for now.
@@define BIN E+pinugsmc17
# System logs should be allowed to change, and even to switch inode numbers.
# The inode modification is because of automatic log cycling.
@@define LOG E+pnug
# Device files should simply maintain ownership, permissions and such.
# It doesn't make sense to monitor contents. We also ignore inode
# mod (c) because this changes every reboot.
@@define DEV E+pnug
# Essential system config files (/etc/fstab, /etc/hosts.allow) should
# be watched very closely.
@@define CONF E+pinugsmc17
# Most directories need to allow for new files to be added, so we
# won't watch size, mod time, changes to the inode, or compute sigs.
@@define DIR E+pinug
#
# Main configuration starts here...
#
# Monitor the root directory itself, but don't recurse into it.
=/ @@DIR
# Monitor essential system binaries: libraries and programs.
/bin @@BIN
/lib @@BIN
/sbin @@BIN
/usr @@BIN
/opt @@BIN
# Monitor the /boot directory, where the kernel et al. is stored.
# System.map changes inode and mod time on every reboot, so ignore
# these.
/boot @@BIN
/boot/System.map* @@BIN-mc
# Monitor /dev, the devices directory.
/dev @@DEV
#
# Granularly, watch the system's config files...
/etc @@CONF
# mtab holds current mounted volume information. Usually, we should
# treat this as a log, since it must change.
/etc/mtab @@LOG
# passwd and shadow will change on any system with many users, since
# you'll be adding users regularly, changing your passwords... If
# you're on a system with few users, watch /etc/passwd more closely.
# We are watching these closely because there are very few local users.
/etc/passwd @@CONF
/etc/shadow @@CONF
# /home should change often. We can simply watch the directory itself,
# but we have to allow for new directories to be created within.
=/home @@DIR
# lost+found can be watched as a directory with no monitoring of contents
=/lost+found @@DIR
# mnt and media contain the system mount points for CD-ROM, floppy,... Barely
# watch these...
=/mnt @@DIR
=/media @@DIR
# The proc filesystem is special and changes a great deal.
=/proc @@DIR
# /root is root's home directory. We don't generally watch the
# contents, but you can choose to do this if you're careful enough
# when logging in as root.
=/root @@DIR
# /tmp should change often and greatly.
=/tmp @@DIR
# /var is difficult, as it contains logs, mail queues, and mailboxes,
# to name a few type of files.
=/var @@DIR
/var/log @@LOG
=/var/spool @@LOG
/var/spool/cron @@LOG
/var/spool/clientmqueue @@LOG
/var/spool/mail @@LOG
!/var/lock
3.2. Create the Tripwire database -- The first time you run tripwire, you should use the --initialize switch to create the database and establish your baseline file signatures. Once it is finished it leaves you with a message to copy the database file and the configuration file to safe media (i.e. writable CDROM) to protect them from tampering. This way you know you have clean copies when you need them.
3.3. Run a Tripwire check -- After the database has been created and copied to "safe" media, the way that you would use the tool to check the system would be by specifying the path to the configuration and database files off of the CD with a command similar to the following:
# tripwire -d /media/cdrom/tw.db_<hostname> -c /media/cdrom/tw.config
3.4. Run Tripwire automatically -- It is good practice to run tripwire on a daily or weekly basis. This is harder to accomplish with the free version but still can be done. The basic technique would be to redirect the output from the command above to a file in root's home directory with a cron job and then have another cron job pick up that file and e-mail it to you. Logsurfer might also be used to monitor the output and notify you only if something changes.
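The scheme in 3.4 as one cron-driven script, added here as an example that is neither from the AppNote nor part of Tripwire: it runs the check against the read-only copies of the database and configuration, keeps each report under root's home, and mails the report only when it differs from the previous run. TW_CMD defaults to the command from 3.3; the report directory, the recipient, the mail command and the "mail only on change" rule are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the AppNote): scheduled Tripwire run for cron that
# reports only when the result changes, as suggested in section 3.4.
# Assumptions (not Novell's or Tripwire's): report directory, recipient, mail
# command. All can be overridden from the environment before calling.

TW_HOST=$(hostname 2>/dev/null || echo localhost)
# Check command from 3.3: database and config read from the CD copies.
: "${TW_CMD:=tripwire -d /media/cdrom/tw.db_$TW_HOST -c /media/cdrom/tw.config}"
: "${TW_REPORT_DIR:=/root/tripwire-reports}"
: "${TW_MAILTO:=root}"
: "${TW_MAIL_CMD:=mail -s Tripwire-$TW_HOST $TW_MAILTO}"

# Run the check and write this run's report to $TW_REPORT_DIR/tw-<stamp>.txt.
# Prints the report path.
write_report() {
    stamp="$1"
    # Reports reveal the file layout of the server: keep them root-only.
    mkdir -p "$TW_REPORT_DIR" && chmod 700 "$TW_REPORT_DIR"
    report="$TW_REPORT_DIR/tw-$stamp.txt"
    # Capture stdout and stderr: the change list goes to one, errors such as
    # an unreadable database to the other, and both belong in the report.
    # Tripwire's exit status is deliberately not used as the signal here.
    sh -c "$TW_CMD" > "$report" 2>&1 || true
    echo "$report"
}

# Does this report need attention? True when there is no previous baseline
# yet, or when the report differs from $TW_REPORT_DIR/last.txt.
report_changed() {
    report="$1"; last="$TW_REPORT_DIR/last.txt"
    if [ ! -f "$last" ]; then
        return 0
    fi
    ! cmp -s "$report" "$last"
}

# Keep a report as the baseline the next run is compared against.
remember_report() {
    cp "$1" "$TW_REPORT_DIR/last.txt"
}

# Cron entry point: run, compare, mail on change. Prints "changed" or
# "unchanged" so a wrapper (or a test) can see what was decided.
tripwire_daily() {
    stamp=$(date +%Y%m%d-%H%M%S)
    report=$(write_report "$stamp")
    if report_changed "$report"; then
        sh -c "$TW_MAIL_CMD" < "$report"
        remember_report "$report"
        echo changed
    else
        rm -f "$report"            # nothing new: keep only the baseline
        echo unchanged
    fi
}

# Assumed crontab line for root:
#   30 3 * * * . /root/bin/tripwire-daily.sh; tripwire_daily >/dev/null
```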
- Patching -- Keeping the system patched is a very important part of ongoing maintenance and keeping the system secure. For this system we have two main avenues for patching the system. This could be reduced to one method (Ximian Red Carpet Enterprise, http://www.novell.com/linux/ximian.html), which might be a good idea especially if you have many NNLS and/or Linux servers to patch.
4.1. YOU (YaST Online Update) -- This is the automatic update method included with SLES8. It identifies and patches only the components of the OS and supporting files included with SLES8. It does not address patching of the NNLS components. However, if you don't want to pay for a Red Carpet license this is still a very useful way of maintaining the patch level on your server. This process was covered as part of the OS installation above and will not be addressed again here.
4.2. Red Carpet Patch Management -- Patch management for NNLS is built into the NNLS install and points automatically to a Red Carpet server located at Novell for patches to the NNLS code. This patch management does not cover the OS files, so you would have to set up or subscribe to a service with full Red Carpet patch management for both if you want to cover everything in one solution. Red Carpet updating can be performed from the command line, but iManager includes the ability to group and manage multiple servers from one management interface. This functionality is fully documented on Novell's web site (http://www.novell.com/documentation/nnls/index.html?page=/documentation/nnls/install/data/bnougfv.html#bnougfv) but I am including a few specific configuration options that are especially important/significant.
Once you have the RCD Group(s) defined you can manage the whole group of servers simultaneously. Below is a screen print showing the membership of an RCD group.

As you can see in this example you can add multiple devices to any RCD group as well as add users who can administer this RCD group. Groups should be organized around similar installations so that the whole group can be subscribed to specific update channels. Below is a screen print showing the default channel subscribed to upon installation of NNLS. This is where you could add other channels if the Red Carpet Daemon was connected to a different Red Carpet Enterprise server with additional channels available.
In the "Software" tab you can look at available software and also at the updates that are available for installed software. This is where you would select the updates (usually all of them) and actually perform the update. You should come back here on a scheduled basis (at least weekly) to look for and apply updates. Keep in mind that each update should be researched before applied in a production environment. For now we will select all updates and apply them.

4.3. Automated Patch Management -- The "you" or "rug" commands could be added to cron jobs to automate installation of available patches but I do not recommend that method. Patches installed blindly can result in more security problems or availability problems than not patching at all in some cases. I feel that the approach of putting all of the patching into a management interface that can control multiple servers such as the iManager interface we have explored is the best method for managing patching because it allows a seasoned administrator to make appropriate decisions and do necessary research and testing before applying patches in a production environment.
4.4. Patch Testing -- Before putting any patches into production it is critical that testing be done to be sure the patch performs as expected but also to be sure that it didn't change the permissions or configuration settings you have made that secure the server. Appropriate testing strategies are discussed in more detail in the "Testing" section of this paper below.
- eDirectory Maintenance -- Since the directory is very much at the core of the functioning of the NNLS products we have installed, it is also important to put in place some ongoing maintenance procedures for eDirectory. We have already discussed doing regular backups of the database so I won't address that again now.
5.1. iMonitor -- The main interface for doing all of the maintenance we will discuss is the web based iMonitor interface. Below is a screen print of the default page seen after connecting to https://192.168.1.55:8010/_LOGIN_SERVER_ and logging in. Notice the green status indicator on the upper left. This is a quick view that indicates whether any errors are currently being generated and whether or not other health parameters are being met.

5.2. Repairing the database -- Now we will use iMonitor to run and schedule periodic database repairs. This will help the server and the whole eDirectory database to continue to perform up to expectations and needs. To access the repair screens, click the image of the wrench on the top navigation bar. Then click the "Advanced" button to see the screen shown below.

The selections made in this screen should work well for most environments. We are scheduling the repair for once a week at 3:30 a.m., running in unattended mode, checking obituaries, and repairing network addresses. To schedule this repair click on the "Schedule Repair" button. Repair results will be found in the reports screen (second link from the right in the top navigation bar). This should be monitored weekly after the repair has been run for errors or problems found. Other automated tools are also available for eDirectory maintenance and monitoring from companies such as NetPro (www.netpro.com).
- Auditing the network/server -- Another ongoing maintenance procedure that should be performed is conducting periodic security audits to confirm that new vulnerabilities or problems have not been introduced. This should typically be done by an external entity which wouldn't have a vested interest in showing that the system was secure. The methods used by an external entity are also less likely to be clouded by previous knowledge. Some of the typical steps for this audit are discussed below in the "Testing and Verifying" section.
Testing and Verifying
Before putting the system into production it is important to test it to see that it performs as expected from a security standpoint. As instructed above, we have been testing the functionality of the system after all configuration sections and probably fixed some things along the way. Now we need to test to be sure that the server is as secure as we expect it to be and if we find problems, we will have to analyze those and loop back to see how those problems can be fixed or whether or not we will have to live with the risks we have identified. To do this testing we will perform some manual checks and employ a vulnerability scanning tool. Here are the security testing steps I suggest based on the risks identified in the "Risk Mitigation Plan" section above. I do not show all of the procedures and output for every step but instead have included links to documentation to help you conduct those steps.
- Section A -- Network Access Checks-- In this section we will verify that the network access is both limited and allowed in the manner that we specified.
1.1. Login allowed with SSH, banners present -- We specified that login with SSH should be allowed from the internal network but not for root. To test this we will use PuTTY (http://www.chiark.greenend.org.uk/~sgtatham/putty/) to attempt login and verify banners are displayed.
- 1.1.1. PuTTY config screen -- Included here for reference is the main screen of the PuTTY configuration showing the connection attempt using SSH.

- 1.1.2. Initial connection with PuTTY -- Here is the initial connection screen. No banners yet, but that is normal.

- 1.1.3. After putting in a userid -- Now we see that the OS identification has been properly obfuscated and we see the simple warning displayed as it should be.

1.2. Root Login denied even via SSH -- We indicated that root should not be able to log in to the terminal even through SSH directly. This improves audit trails and security of the system. Now we need to test it. Again we will connect with PuTTY.
- 1.2.1. PuTTY connected, "root" id entered -- The root id is allowed? What is the problem, I thought we disabled this? Actually the program must accept the id being entered to know who is logging in.

- 1.2.2. Root denied -- Now that is better. Root indeed is denied access to the server even over SSH. The first entry is from the /var/log/secure log file, which shows that root access is indeed denied. The print below shows the message on the screen.
Jun 2 14:31:04 twogdirxml sshd[3319]: ROOT LOGIN REFUSED FROM ::ffff:192.168.1.100

1.3. Login blocked from external networks -- We also specified that login should not be allowed over telnet or from external networks. I had a colleague check this with me from the outside using standard tools such as PuTTY again or just the command line telnet. The sessions just hung as expected and this is what I saw in the /var/log/kernel log file, which is where the iptables firewall logs are being sent.
Jun 2 14:43:14 twogdirxml kernel: IN=eth0 OUT= MAC=00:0f:1f:47:0f:ce:00:04:5a:fd:a1:f9:08:00 SRC=class.c.addr.200 DST=192.168.1.55 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=13817 DF PROTO=TCP SPT=40584 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 2 14:43:14 twogdirxml kernel: IN=eth0 OUT= MAC=00:0f:1f:47:0f:ce:00:04:5a:fd:a1:f9:08:00 SRC=class.c.addr.200 DST=192.168.1.55 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=13817 DF PROTO=TCP SPT=40584 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 2 14:43:52 twogdirxml kernel: IN=eth0 OUT= MAC=00:0f:1f:47:0f:ce:00:04:5a:fd:a1:f9:08:00 SRC=class.c.addr.200 DST=192.168.1.55 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=35230 DF PROTO=TCP SPT=41362 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 2 14:43:52 twogdirxml kernel: IN=eth0 OUT= MAC=00:0f:1f:47:0f:ce:00:04:5a:fd:a1:f9:08:00 SRC=class.c.addr.200 DST=192.168.1.55 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=35230 DF PROTO=TCP SPT=41362 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
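Turning the "mountain of data" from the Logging section into something reviewable, for the two sources just checked in 1.2.2 and 1.3 (/var/log/secure and the iptables log), as an added example that is not from the AppNote: a shell/awk triage run over constructed sample lines in the same format, counting refused root logins per source address and firewall drops per source and destination port. The sample lines, the hit threshold and the function names are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the AppNote): triage of the sshd and iptables log
# lines the AppNote inspects by hand in 1.2.2 and 1.3. Sample lines below are
# constructed in the same format as the AppNote's own; the threshold used by
# noisy_sources is an assumption, not a Novell recommendation.

# Constructed sample of /var/log/secure lines.
SAMPLE_SECURE='Jun 2 14:31:04 twogdirxml sshd[3319]: ROOT LOGIN REFUSED FROM ::ffff:192.168.1.100
Jun 2 14:31:40 twogdirxml sshd[3320]: Accepted publickey for admin from 192.168.1.100 port 40001 ssh2
Jun 2 14:32:11 twogdirxml sshd[3321]: ROOT LOGIN REFUSED FROM ::ffff:192.168.1.100'

# Constructed sample of iptables LOG lines from /var/log/kernel (format as in 1.3).
SAMPLE_KERNEL='Jun 2 14:43:14 twogdirxml kernel: IN=eth0 OUT= MAC=00:0f:1f:47:0f:ce:00:04:5a:fd:a1:f9:08:00 SRC=class.c.addr.200 DST=192.168.1.55 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=13817 DF PROTO=TCP SPT=40584 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 2 14:43:52 twogdirxml kernel: IN=eth0 OUT= MAC=00:0f:1f:47:0f:ce:00:04:5a:fd:a1:f9:08:00 SRC=class.c.addr.200 DST=192.168.1.55 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=35230 DF PROTO=TCP SPT=41362 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 2 14:44:10 twogdirxml kernel: IN=eth0 OUT= MAC=00:0f:1f:47:0f:ce:00:04:5a:fd:a1:f9:08:00 SRC=class.c.addr.200 DST=192.168.1.55 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=35231 DF PROTO=TCP SPT=41363 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0'

# Refused root logins per source address, read from stdin.
# Output: "<addr> <count>", one line per address.
root_refusals() {
    awk '/ROOT LOGIN REFUSED FROM/ {
             src = $NF; sub(/^::ffff:/, "", src)   # drop the IPv4-mapped prefix
             n[src]++
         }
         END { for (s in n) print s, n[s] }'
}

# Firewall drops as "<SRC> <PROTO> <DPT> <count>", read from stdin, sorted.
fw_drops() {
    awk '/kernel: IN=/ {
             src = ""; proto = ""; dpt = ""
             for (i = 1; i <= NF; i++) {
                 if ($i ~ /^SRC=/)   src   = substr($i, 5)
                 if ($i ~ /^PROTO=/) proto = substr($i, 7)
                 if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
             }
             if (src != "" && dpt != "") n[src " " proto " " dpt]++
         }
         END { for (k in n) print k, n[k] }' | sort
}

# Keep only (source, port) pairs seen at least $1 times (default 3): the
# lines an administrator should actually look at, the rest is background noise.
noisy_sources() {
    awk -v min="${1:-3}" '$4 >= min'
}

# Real usage (assumed paths): root_refusals < /var/log/secure
#                             fw_drops < /var/log/kernel | noisy_sources 5
```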
- File System checks -- We implemented several very specific file system protections. We now need to check these to verify that they are working properly.
2.1. Mount options -- We changed fstab to indicate some specific mounting options. Now we need to check to see if they are being honored and working as we expect.
- 2.1.1. First we execute the "mount" command -- This should show us the current state of the mounted file systems and show us if the options we specified are being honored. First I will mount a floppy disk and a CDROM so that those will show up as well.
# mount
/dev/hda1 on / type ext3 (rw)
proc on /proc type proc (rw)
devpts on /dev/pts type devpts (rw,mode=0620,gid=5)
/dev/hda2 on /usr type ext3 (ro,nodev)
/dev/hda6 on /var type ext3 (rw,nosuid,nodev)
shmfs on /dev/shm type shm (rw)
usbdevfs on /proc/bus/usb type usbdevfs (rw)
/dev/fd0 on /media/floppy type vfat (rw,noexec,nosuid,nodev,sync)
/dev/hdc on /media/cdrom type iso9660 (ro,nosuid,nodev)
The options are shown in parenthesis at the end of each line and, yes, they do correspond to our configuration plan. Now we need to further test this.
- 2.1.2. Test that floppy mount honors noexec flag -- In order to test this, we will copy an executable script to the floppy drive and then try to execute it. Here are the commands and the results.
# cp /etc/init.d/novell-httpd /media/floppy
# ls -l /media/floppy
total 45
drwxr--r-- 2 root root  7168 Jun  2 15:31 .
drwxr-xr-x 4 root root  4096 Oct 21  2002 ..
-rwxr--r-- 1 root root 13440 May 13 05:48 301849089.nfk
-rwxr--r-- 1 root root 14547 May 13 05:47 301849089.nlf
-rwxr--r-- 1 root root  3248 Jun  2 15:31 novell-httpd
# /media/floppy/novell-httpd force-reload
-bash: /media/floppy/novell-httpd: /bin/sh: bad interpreter: Permission denied
- 2.1.3. Test deletion of a binary on /usr file system -- With the /usr file system mounted as read only (ro) even root should not be able to delete a file or copy a file to the system. To test this, I will attempt to delete a file. Here are the commands I used and the results. As expected, I could not delete it.
# rm -f /usr/local/apache2/lib/libapr-0.so.0.9.5
rm: cannot remove `/usr/local/apache2/lib/libapr-0.so.0.9.5': Read-only file system
#
- 2.1.4. Test nodev functionality on /var -- To test this functionality, we will create a "null" device on the /var file system and then try to send data to it. We should be denied access when we try to copy data to this "device." Below are the commands and the results. This is indeed denied.
# mknod -m 666 /var/opt/null c 1 3
#
# ls -l /var/opt
total 12
drwxr-xr-x  3 root root 4096 Jun  2 16:11 .
drwxr-xr-x 18 root root 4096 May 17 11:56 ..
drwxr-xr-x 14 root root 4096 May 30 01:01 novell
crw-rw-rw-  1 root root 1, 3 Jun  2 16:11 null
# cat 888888 > /var/opt/null
-bash: /var/opt/null: Permission denied
# cp /var/opt/novell /var/opt/null
cp: omitting directory `novell'
- 2.1.5. Test nosuid functionality -- To test this functionality we will copy a functioning suid executable to /var/opt and then try to use it. The /bin/su binary is one of the few left on the system after hardening it, so we will use that. Below are the commands I used and the results of those commands.
# cp /bin/su /var/opt
# ls -l /var/opt/su
-rws------ 1 root root 28157 Jun 2 16:41 su
Note that since we had set the default umask to 077 we have to chmod this to test it.
# chmod 4755 /var/opt/su
# ls -l su
-rwsr-xr-x 1 root root 28157 Jun 2 16:41 su
Now have a non-privileged user test it.
:~> cd /var/opt
:/var/opt> ./su -
Password:
./su: incorrect password
The message that you see isn't obviously an SUID problem, but I tested it several times and the password was indeed correct. If we look at the /etc/shadow file again, we can see why this would happen. The "su" binary must be SUID to root in order to read the /etc/shadow file. In this case both binaries have that bit set, but the one in /var/opt/ will not work because the file system is mounted "nosuid." For reference, here are the permissions set on the /etc/shadow file.
-rw-r----- 1 root shadow 554 2004-05-18 13:43 shadow
- Review Running Processes -- We need to look carefully at all running processes to be sure that only the open ports we planned to have open are listening. This should be reviewed periodically to ensure that no new processes have been started maliciously or inadvertently. We will first use netstat and then lsof to look at these. The commands and results are below.
3.1. TCP Ports -- First we will look at all listening TCP ports. Then later we will look at any that have not been identified previously to see what processes have the ports open.
# netstat -ntl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:8008          0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.55:8008       0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8010          0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.55:8010       0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3019          0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.55:427        0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:427           0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.55:524        0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:524           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8018            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8020            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:505             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8005          :::*                    LISTEN
tcp        0      0 :::8009                 :::*                    LISTEN
tcp        0      0 :::80                   :::*                    LISTEN
tcp        0      0 :::8080                 :::*                    LISTEN
tcp        0      0 :::22                   :::*                    LISTEN
tcp        0      0 :::631                  :::*                    LISTEN
tcp        0      0 :::443                  :::*                    LISTEN
Two ports immediately come into question, 3019 and 505.
3.2. UDP Ports -- Now we will see what is open for UDP and then do further investigation.
# netstat -nul
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 127.0.0.1:32772         0.0.0.0:*
udp        0      0 0.0.0.0:32773           0.0.0.0:*
udp        0      0 0.0.0.0:32774           0.0.0.0:*
udp        0      0 127.0.0.1:32775         0.0.0.0:*
udp        0      0 192.168.1.55:524        0.0.0.0:*
udp        0      0 255.255.255.255:427     0.0.0.0:*
udp        0      0 192.168.1.55:427        0.0.0.0:*
udp        0      0 239.255.255.253:427     0.0.0.0:*
udp        0      0 192.168.1.55:123        0.0.0.0:*
udp        0      0 127.0.0.1:123           0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*
The high ports 32772 through 32775 are interesting but all the rest are already identified and should be listening. We will investigate those high ports further as well as the open TCP ports with lsof now.
3.3. LSOF identification of open ports -- Now we will use lsof to find out what those unidentified processes are. Below are the commands used and the results. Following the results is a short discussion of the findings and any actions that might be necessary.
# lsof -i TCP:3019
COMMAND PID  USER   FD  TYPE DEVICE SIZE NODE NAME
idsd    1069 iprint 6u  IPv4   6131      TCP  localhost.localdomain:resource_mgr (LISTEN)
# lsof -i TCP:505
COMMAND PID  USER   FD  TYPE DEVICE SIZE NODE NAME
rcd     255  root   4u  IPv4   1085      TCP  *:mailbox-lm (LISTEN)
# lsof -i UDP:32772
COMMAND PID  USER   FD  TYPE DEVICE SIZE NODE NAME
ndsd    974  root   20u IPv4   5911      UDP  localhost.localdomain:32772
---- many processes, truncated here
# lsof -i UDP:32773 | more
COMMAND PID  USER    FD  TYPE DEVICE SIZE NODE NAME
httpd   1066 novlwww 24u IPv4  12329      UDP  *:32773
---- many processes, truncated here
# lsof -i UDP:32774 | more
COMMAND PID  USER    FD  TYPE DEVICE SIZE NODE NAME
httpd   1066 novlwww 22u IPv4  10471      UDP  *:32774
---- many processes, truncated here
# lsof -i UDP:32775
COMMAND PID  USER   FD  TYPE DEVICE SIZE NODE NAME
ndsd    974  root   60u IPv4  12385      UDP  localhost.localdomain:32775
---- many processes, truncated here
The first tcp port is easily identified. It is a management port for the iPrint product and is used to manage printers set up on the server. It may have to be opened in the firewall configuration in order to effectively manage the printers but should only be opened to internal hosts.
The second port, TCP 505, is opened by the Red Carpet client (rcd). This is what allows the remote management of the client and client commands to be sent to the Red Carpet daemon running on the server. This will be needed for remote management and should be added only to the internal firewall configuration.
The UDP ports 32772 through 32775 appear to be RPC-like ports that eDirectory (ndsd) and Apache (httpd) listen on to offer services. These should definitely remain blocked at the firewall, but probably cannot be shut off.
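The checks in 2.1 (mount options honoured) and in section 3 (only the planned ports listening) automated so they can be re-run after every patch cycle, as an added example that is not from the AppNote: one function reads mount output and reports missing options, the other reads netstat -ntl output and prints listening TCP ports outside an allow-list. The expected-option table and the allow-list are built from what the AppNote's own output and lsof review show (3019 for iPrint and 505 for rcd counted as expected); both are assumptions to adjust to your own plan.

```shell
#!/bin/sh
# Added example (not from the AppNote): scripted versions of the 2.1 mount-option
# checks and the section 3 listening-port review, so that "did a patch undo my
# hardening?" (section 4.4) can be answered with one run instead of by eye.
# The two tables below are assumptions taken from the AppNote's sample output.

# Expected mount options from 2.1.1, one "mountpoint option[,option]" per line.
EXPECTED_MOUNTS='/usr ro,nodev
/var nosuid,nodev
/media/floppy noexec,nosuid,nodev
/media/cdrom ro,nosuid,nodev'

# TCP ports the plan expects to be listening (3.1, with 3019 and 505 accepted
# after the lsof identification in 3.3).
ALLOWED_TCP='22 25 80 427 443 505 524 631 636 3019 8005 8008 8009 8010 8018 8020 8080'

# Read the output of `mount` on stdin and report every expected option that
# is not in effect. Output lines: "<mountpoint> missing <option>" or
# "<mountpoint> not-mounted". No output means everything matches the plan.
check_mount_options() {
    mount_out=$(cat)
    printf '%s\n' "$EXPECTED_MOUNTS" | while read -r mp opts; do
        # Lines look like "/dev/hda2 on /usr type ext3 (ro,nodev)": field 3 is
        # the mount point, the last field the parenthesised option list.
        actual=$(printf '%s\n' "$mount_out" |
                 awk -v mp="$mp" '$3 == mp { gsub(/[()]/, "", $NF); print $NF }')
        if [ -z "$actual" ]; then
            echo "$mp not-mounted"
            continue
        fi
        for o in $(echo "$opts" | tr ',' ' '); do
            case ",$actual," in
                *,"$o",*) ;;                       # option present
                *) echo "$mp missing $o" ;;
            esac
        done
    done
}

# Read the output of `netstat -ntl` on stdin and print every listening TCP
# socket whose port is not in ALLOWED_TCP, as "<local address> <port>".
unexpected_tcp_ports() {
    awk -v allowed=" $ALLOWED_TCP " '
        $1 == "tcp" && $NF == "LISTEN" {
            n = split($4, a, ":"); port = a[n]     # last ":"-field is the port, also for :::22
            if (index(allowed, " " port " ") == 0) print $4, port
        }'
}

# Live usage on the server (root):
#   mount | check_mount_options
#   netstat -ntl | unexpected_tcp_ports
```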
- Run a Vulnerability Scan -- The last test that we will conduct before putting this machine into production is a Nessus scan (www.nessus.org). This scan will be conducted from inside the network and will be a pretty aggressive scan in order to stress the system and find any vulnerabilities that might still exist. Nessus was installed on a separate host and the signatures updated before starting. Results of this scan will guide any last hardening steps that need to be taken. I will not include all of the steps or results found but simply summarize what was found and any actions necessary to fix the vulnerability found.
4.1. Two high risk conditions found -- Two high risk conditions were found that should be corrected. These are listed below with a brief discussion.
- 4.1.1. Old OpenSSH version -- The OpenSSH version installed is a vulnerable one and it should be upgraded to 3.7.1 or later to patch this hole.
- 4.1.1.1. Firewall hole -- The firewall configuration allows UDP packets to traverse it as long as the source port is 53. This is a common firewall problem that can allow an attacker to communicate to otherwise blocked ports on the server. The enterprise network firewall should be blocking this traffic especially from the outside. The host based firewall we deployed probably can't be changed since it is really not stateful. If additional protection is needed a better commercial product should be used.
Appendix A -- Novell Supplied packages and versions
NOVLpkia-2.7.0-6
NOVLpkit-2.7.0-6
NOVLpkis-2.7.0-6
NOVLsas-8.7.3-34
NOVLsnmp-8.7.3-34
NOVLxis-8.7.3-34
NOVLsubag-8.7.3-34
NOVLnmas-2.3.0-20031205
NOVLlmgnt-8.7.3-34
NOVLstlog-8.7.3-34
NOVLice-8.7.3-34
NOVLembox-8.7.3-16
NOVLjvml-2.0.1-4
novell-base-0.1.1-4
novell-db4-4.1.25.NC-2
novell-virtualoffice-imanager-plugin-1.0-20040129_1710
novell-libldap_c-1.0-6
novell-openssl-0.9.6k-4
novell-httpd-2.0.48-9
novell-httpd-manual-2.0.48-9
novell-j2sdk-1.4.2.01-14
novell-mod_jk-4.1.25-2
novell-mdb-1.0-4
novell-webadmin-4.0.0-30
novell-wa-rcd-1.0.0-30
novell-imanager-2.0.2-17
novell-iprint-management-5.0.20040123-1
novell-ifolder-imanager-plugin-1.0-20040129_1710
novell-netmail-imanager-plugin-1.0-20040129_1710
novell-DXMLplgs-1.1.10-5
novell-plugin-backup-restore-2.0.2-21
novell-plugin-ice-2.0.2-12
novell-plugin-indexmanager-2.0.2-14
novell-plugin-ldap-2.0.2-12
novell-plugin-merge-2.0.2-12
novell-plugin-nmas-2.0.2-14
novell-plugin-pki-2.0.2-13
novell-plugin-repair-2.0.2-12
novell-plugin-rwiz-2.0.2-12
novell-plugin-snmp-2.0.2-12
novell-plugin-service-manager-2.0.2-14
novell-plugin-wanman-2.0.2-14
novell-AUDTauditplugin-1.0.1-20
novell-imgr-rcd-1.0.0-19
novell-netstorage-imanager-plugin-3.0.0-21
novell-virtualofficeadmin-imanager-plugin-1.0-20040129_1710
novell-iprint-server-5.0.20040422-8
novell-usermanagement-imanager-plugin-1.0-20040129_1710
novell-webadmin-netmail-plugin-3.5-20040127.1546
novell-nrm-rcd-link-1.0.0-18
novell-xtier-3.0.1-2
Appendix B -- /etc/sysconfig/sysctl.conf
# Do you want the "dynamic IP patch" to be enabled at bootup? (yes/no)
#
IP_DYNIP="yes"
#
# Enable syn flood protection (see /usr/src/linux/Documentation/Configure.help)
# (yes/no)
#
IP_TCP_SYNCOOKIES="yes"
# Runtime-configurable parameter: forward IP packets.
# Is this host a router? (yes/no)
#
IP_FORWARD="no"
#
# Enable Magic SysRq Keys?
#
ENABLE_SYSRQ="no"
#
# DISABLE_ECN
#
DISABLE_ECN="yes"
# Load IPV6???
LOAD_IPV6="no"
# Runtime-configurable parameter: forward IPv6 packets.
#
IPV6_FORWARD="no"
IPV6_PRIVACY="no"
############################################
# The following were added by Al for additional protection.
# IPV4 Startup security options. Some are probably also in SUSE firewall but
# I'm not running that so I put them in here with short explanations and
# edited the boot.ipconfig script to read the options below in this file.
# Accept source routing on ALL interfaces? "no" disables source routing.
ACCEPT_SOURCE_ROUTE="yes"
# Syn flood protection enabled. Default number for backlog is set to 4096
# in boot.ipconfig.
SYN_FLOOD_BACKLOG="yes"
# IP Spoofing protection enabled? This setting may drop valid packets. watch it
RP_FILTER="no"
# Disable ICMP redirects being sent by this machine. If needed change to "no"
DISABLE_SEND_REDIRECTS="no"
# Disable receiving ICMP redirects on ALL currently defined interfaces - yes disables
DISABLE_ACCEPT_REDIRECTS_ALL="no"
# Disable receiving ICMP redirects on newly defined interfaces - yes disables
DISABLE_ACCEPT_REDIRECTS_DEFAULT="no"
Appendix C -- /etc/init.d/boot.ipconfig
#! /bin/sh
#
# Copyright (c) 2001-2002 SUSE Linux AG, Nuernberg, Germany.
# All rights reserved.
#
# /etc/init.d/boot.ipconfig
#
### BEGIN INIT INFO
# Provides: boot.ipconfig
# Required-Start:
# X-UnitedLinux-Should-Start: setserial boot.isapnp boot.sysctl
# Required-Stop:
# Default-Start: B
# Default-Stop:
# Description: run ip configuration hooks
### END INIT INFO
. /etc/rc.status
. /etc/sysconfig/sysctl
rc_reset
case "$1" in
    start)
        #
        # Enable "dynamic IP patch"
        #
        if test -n "$IP_DYNIP" -a "$IP_DYNIP" != no -a \
                -e /proc/sys/net/ipv4/ip_dynaddr ; then
            echo -n "Enabling dynamic IP patch"
            case "$IP_DYNIP" in
                yes)   echo 7 ; ECHO_RETURN=$rc_done ;;
                [1-9]) echo $IP_DYNIP ; ECHO_RETURN=$rc_done ;;
                *)     ECHO_RETURN=" invalid IP_DYNIP=$IP_DYNIP $rc_skipped" ;;
            esac > /proc/sys/net/ipv4/ip_dynaddr || ECHO_RETURN=$rc_failed
            echo -e "$ECHO_RETURN"
        fi
        #
        # Enable syn flood protection
        #
        if test -n "$IP_TCP_SYNCOOKIES" -a "$IP_TCP_SYNCOOKIES" != no -a \
                -e /proc/sys/net/ipv4/tcp_syncookies ; then
            echo -n "Enabling syn flood protection"
            case "$IP_TCP_SYNCOOKIES" in
                yes) echo 1 ; ECHO_RETURN=$rc_done ;;
                *)   ECHO_RETURN=" invalid IP_TCP_SYNCOOKIES=$IP_TCP_SYNCOOKIES $rc_skipped" ;;
            esac > /proc/sys/net/ipv4/tcp_syncookies || ECHO_RETURN=$rc_failed
            echo -e "$ECHO_RETURN"
        fi
        #
        # Accept source routing? Only "no" writes 0 to accept_source_route;
        # any other value except "yes" is reported as invalid.
        #
        if test -n "$ACCEPT_SOURCE_ROUTE" -a "$ACCEPT_SOURCE_ROUTE" != yes -a \
                -e /proc/sys/net/ipv4/conf/all/accept_source_route ; then
            echo -n "Disabling Source Routing"
            case "$ACCEPT_SOURCE_ROUTE" in
                no) echo 0 ; ECHO_RETURN=$rc_done ;;
                *)  ECHO_RETURN=" invalid ACCEPT_SOURCE_ROUTE=$ACCEPT_SOURCE_ROUTE $rc_skipped" ;;
            esac > /proc/sys/net/ipv4/conf/all/accept_source_route || ECHO_RETURN=$rc_failed
            echo -e "$ECHO_RETURN"
        fi
        #
        # Enable syn flood backlog protection
        #
        if test -n "$SYN_FLOOD_BACKLOG" -a "$SYN_FLOOD_BACKLOG" != no -a \
                -e /proc/sys/net/ipv4/tcp_max_syn_backlog ; then
            echo -n "Enabling syn flood BACKLOG protection"
            case "$SYN_FLOOD_BACKLOG" in
                yes) echo 4096 ; ECHO_RETURN=$rc_done ;;
                *)   ECHO_RETURN=" invalid SYN_FLOOD_BACKLOG=$SYN_FLOOD_BACKLOG $rc_skipped" ;;
            esac > /proc/sys/net/ipv4/tcp_max_syn_backlog || ECHO_RETURN=$rc_failed
            echo -e "$ECHO_RETURN"
        fi
        #
        # Enable IP spoofing protection
        #
        if test -n "$RP_FILTER" -a "$RP_FILTER" != no -a \
                -e /proc/sys/net/ipv4/conf/all/rp_filter ; then
            echo -n "Enabling IP spoofing protection"
            case "$RP_FILTER" in
                yes) echo 1 ; ECHO_RETURN=$rc_done ;;
                *)   ECHO_RETURN=" invalid RP_FILTER=$RP_FILTER $rc_skipped" ;;
            esac > /proc/sys/net/ipv4/conf/all/rp_filter || ECHO_RETURN=$rc_failed
            echo -e "$ECHO_RETURN"
        fi
        #
        # Disable ICMP Redirects from being sent
        #
        if test -n "$DISABLE_SEND_REDIRECTS" -a "$DISABLE_SEND_REDIRECTS" != no -a \
                -e /proc/sys/net/ipv4/conf/all/send_redirects ; then
            echo -n "Disabling sending of Redirects"
            case "$DISABLE_SEND_REDIRECTS" in
                yes) echo 0 ; ECHO_RETURN=$rc_done ;;
                *)   ECHO_RETURN=" invalid DISABLE_SEND_REDIRECTS=$DISABLE_SEND_REDIRECTS $rc_skipped" ;;
            esac > /proc/sys/net/ipv4/conf/all/send_redirects || ECHO_RETURN=$rc_failed
            echo -e "$ECHO_RETURN"
        fi
        #
        # Disable ICMP Redirects from being accepted by all current interfaces
        #
        if test -n "$DISABLE_ACCEPT_REDIRECTS_ALL" -a "$DISABLE_ACCEPT_REDIRECTS_ALL" != no -a \
                -e /proc/sys/net/ipv4/conf/all/accept_redirects ; then
            echo -n "Disabling accepting of Redirects"
            case "$DISABLE_ACCEPT_REDIRECTS_ALL" in
                yes) echo 0 ; ECHO_RETURN=$rc_done ;;
                *)   ECHO_RETURN=" invalid DISABLE_ACCEPT_REDIRECTS_ALL=$DISABLE_ACCEPT_REDIRECTS_ALL $rc_skipped" ;;
            esac > /proc/sys/net/ipv4/conf/all/accept_redirects || ECHO_RETURN=$rc_failed
            echo -e "$ECHO_RETURN"
        fi
        #
        # Disable ICMP Redirects from being accepted by newly activated interfaces
        #
        if test -n "$DISABLE_ACCEPT_REDIRECTS_DEFAULT" -a "$DISABLE_ACCEPT_REDIRECTS_DEFAULT" != no -a \
                -e /proc/sys/net/ipv4/conf/default/accept_redirects ; then
            echo -n "Disabling accepting of Redirects on newly activated interfaces"
            # This block must switch on its own variable (the copied version
            # tested DISABLE_SEND_REDIRECTS here, so the setting never applied).
            case "$DISABLE_ACCEPT_REDIRECTS_DEFAULT" in
                yes) echo 0 ; ECHO_RETURN=$rc_done ;;
                *)   ECHO_RETURN=" invalid DISABLE_ACCEPT_REDIRECTS_DEFAULT=$DISABLE_ACCEPT_REDIRECTS_DEFAULT $rc_skipped" ;;
            esac > /proc/sys/net/ipv4/conf/default/accept_redirects || ECHO_RETURN=$rc_failed
            echo -e "$ECHO_RETURN"
        fi
        #
        # Enable IP forwarding ?
        #
        if test -e /proc/sys/net/ipv4/ip_forward -a -n "$IP_FORWARD" ; then
            case $IP_FORWARD in
                yes)
                    echo -n "Enabling IP forwarding"
                    echo "1" > /proc/sys/net/ipv4/ip_forward
                    ;;
                *)
                    echo -n "Disabling IP forwarding"
                    echo "0" > /proc/sys/net/ipv4/ip_forward
                    ;;
            esac
            rc_status -v -r
        fi
        #
        # Enable IPv6 forwarding ?
        #
        LOAD_IPV6="no"
        case $IPV6_FORWARD in
            yes) LOAD_IPV6="yes" ;;
        esac
        case $IPV6_PRIVACY in
            yes) LOAD_IPV6="yes" ;;
        esac
        test "$LOAD_IPV6" = "yes" && /sbin/modprobe ipv6 >/dev/null 2>&1
        #
        if test -e /proc/sys/net/ipv6/conf/all/forwarding -a -n "$IPV6_FORWARD" ; then
            case $IPV6_FORWARD in
                yes)
                    echo -n "Enabling IPv6 forwarding"
                    echo "1" > /proc/sys/net/ipv6/conf/all/forwarding
                    ;;
                *)
                    echo -n "Disabling IPv6 forwarding"
                    echo "0" > /proc/sys/net/ipv6/conf/all/forwarding
                    ;;
            esac
            rc_status -v -r
        fi
        #
        # Enable IPv6 privacy?
        #
        if test -e /proc/sys/net/ipv6/conf/all/use_tempaddr -a -n "$IPV6_PRIVACY"; then
            case $IPV6_PRIVACY in
                yes)
                    echo -n "Enabling IPv6 privacy"
                    echo "1" > /proc/sys/net/ipv6/conf/all/use_tempaddr
                    ;;
                *)
                    echo -n "Disabling IPv6 privacy"
                    echo "0" > /proc/sys/net/ipv6/conf/all/use_tempaddr
                    ;;
            esac
            rc_status -v -r
        fi
        ;;
    stop)
        rc_failed 3
        rc_status -v
        ;;
    status)
        rc_failed 4
        rc_status -v
        ;;
    *)
        echo "Usage: $0 {start|stop|status}"
        exit 1
        ;;
esac
rc_exit
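Appendices B and C work as a pair: the sysconfig file supplies the variables and boot.ipconfig writes the matching values into /proc/sys, but only for an option whose value enables its block. With the file exactly as listed in Appendix B, ACCEPT_SOURCE_ROUTE="yes", RP_FILTER="no", DISABLE_SEND_REDIRECTS="no", DISABLE_ACCEPT_REDIRECTS_ALL="no" and DISABLE_ACCEPT_REDIRECTS_DEFAULT="no" all leave their blocks skipped, so those kernel defaults stay in place. The script below is an added example, not part of the AppNote or of SUSE's boot.ipconfig: it derives, from a given sysconfig file, the values boot.ipconfig would write (using the same yes/no rules as Appendix C) and compares them with the live /proc/sys tree, so the hardening actually in effect can be confirmed after a reboot. The function names, the parameterised paths and the modelling of each option are assumptions made here.

```shell
#!/bin/sh
# Added example, not part of the AppNote or of SUSE's boot.ipconfig.
# Derives the /proc/sys values that boot.ipconfig would write from a given
# /etc/sysconfig/sysctl file (same yes/no rules as Appendix C) and compares
# them with the live kernel state. Both paths are parameters so the functions
# can also be pointed at a constructed tree.

# expected_ipv4_state SYSCONFIG_FILE
# Prints "relative-path expected-value" lines. Options whose value makes the
# boot script skip its block (RP_FILTER="no", ACCEPT_SOURCE_ROUTE="yes", ...)
# are omitted on purpose: nothing is written, so the kernel default remains.
expected_ipv4_state() {
    (   # subshell: sourcing the file must not leak variables to the caller
        . "$1"
        [ "${IP_TCP_SYNCOOKIES:-no}" = yes ]                && echo "net/ipv4/tcp_syncookies 1"
        [ "${ACCEPT_SOURCE_ROUTE:-yes}" = no ]              && echo "net/ipv4/conf/all/accept_source_route 0"
        [ "${SYN_FLOOD_BACKLOG:-no}" = yes ]                && echo "net/ipv4/tcp_max_syn_backlog 4096"
        [ "${RP_FILTER:-no}" = yes ]                        && echo "net/ipv4/conf/all/rp_filter 1"
        [ "${DISABLE_SEND_REDIRECTS:-no}" = yes ]           && echo "net/ipv4/conf/all/send_redirects 0"
        [ "${DISABLE_ACCEPT_REDIRECTS_ALL:-no}" = yes ]     && echo "net/ipv4/conf/all/accept_redirects 0"
        [ "${DISABLE_ACCEPT_REDIRECTS_DEFAULT:-no}" = yes ] && echo "net/ipv4/conf/default/accept_redirects 0"
        # IP_FORWARD is written whenever it is set at all: "yes" -> 1, else 0
        if [ -n "${IP_FORWARD:-}" ]; then
            if [ "$IP_FORWARD" = yes ]; then
                echo "net/ipv4/ip_forward 1"
            else
                echo "net/ipv4/ip_forward 0"
            fi
        fi
        true
    )
}

# check_one PROC_SYS_ROOT RELATIVE_PATH EXPECTED
# Prints one status line; returns 0 on match, 1 if the file is missing or
# holds another value.
check_one() {
    file="$1/$2"
    if [ ! -r "$file" ]; then
        echo "MISSING  $2 (expected $3)"
        return 1
    fi
    actual=$(cat "$file")
    if [ "$actual" = "$3" ]; then
        echo "ok       $2 = $actual"
        return 0
    fi
    echo "MISMATCH $2 = $actual (expected $3)"
    return 1
}

# check_ipv4_state SYSCONFIG_FILE PROC_SYS_ROOT
# Returns 0 only when every derived expectation matches the live value.
check_ipv4_state() {
    expected_ipv4_state "$1" | {
        problems=0
        while read -r path value; do
            [ -z "$path" ] && continue
            check_one "$2" "$path" "$value" || problems=$((problems + 1))
        done
        echo "$problems setting(s) differ from the intended state"
        [ "$problems" -eq 0 ]
    }
}

# Usage: sh check_ipv4_state.sh /etc/sysconfig/sysctl [/proc/sys]
# (exit status 1 when at least one value differs)
if [ $# -gt 0 ]; then
    check_ipv4_state "$1" "${2:-/proc/sys}"
fi
```

Run it as `sh check_ipv4_state.sh /etc/sysconfig/sysctl` after boot; every line marked MISMATCH or MISSING is a setting the sysconfig file promises but the kernel does not show, which is exactly the symptom of a skipped or miscopied block in boot.ipconfig.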
Appendix D - fwup.sh script to start iptables firewall
#!/bin/bash
##########################################################################
# IPTABLES VERSION
# This sample configuration is for a single host firewall configuration
#
##########################################################################
# USER CONFIGURABLE SECTION
# The name and location of the iptables utility.
IPTABLES=iptables
# The path to the iptables executable. Don't need to add to path variable
# PATH="/usr/sbin"
# Our internal network address space and its supporting network device.
OURNET="192.168.1.0/24"
OURBCAST="192.168.1.255"
OURDEV="eth0"
# The outside address and the network device that supports it.
ANYADDR="0/0"
ANYDEV="eth0"
# The TCP services we wish to allow to pass - "" empty means all ports
# note: comma separated up to 15 values for each, no spaces
TCPINTERNAL="https,www,ssh,8008,8010,8018,8020,ldap,ldaps,ncp,505,3019"
TCPOUTINTERNAL="smtp,www,ftp,ftp-data,https,ldap,ldaps,445,139,137,cifs,601"
TCPEXTERNAL="https,www,8010,8020"
TCPOUTEXTERNAL="www,ftp,ftp-data,ntp,https"
# The UDP services we wish to allow to pass - "" empty means all ports
# note: comma separated
UDPINTERNAL="domain,ssh,ldap,ncp,ldap,ldaps"
UDPOUT="domain,ntp,ldap,ldaps,445,139,137,cifs,syslog,601"
UDPEXTERNAL="ssh,ldaps"
# The ICMP services we wish to allow to pass - "" empty means all types
# ref: /usr/include/netinet/ip_icmp.h for type numbers
# note: comma separated
ICMPIN="0,3,11"
ICMPOUT="8,3,11"
# Logging; uncomment the following line to enable logging of datagrams
# that are blocked by the firewall.
LOGGING=1
# END USER CONFIGURABLE SECTION
##########################################################################
# Flush the ALL table rules
$IPTABLES -F
# We want to deny incoming access by default.
$IPTABLES -P FORWARD DROP
$IPTABLES -P INPUT DROP
# Drop all datagrams destined for this host received from outside. Can't
# do this since this host will have to have services running on it.
#$IPTABLES -A INPUT -i $ANYDEV -j DROP
# SPOOFING
# We should not accept any datagrams with a source address matching ours
# from the outside, so we deny them.
#$IPTABLES -A INPUT -s $OURNET -i $ANYDEV -j DROP
# SMURF
# Disallow ICMP to our broadcast address to prevent "Smurf" style attack.
$IPTABLES -A INPUT -p icmp -i $ANYDEV -d $OURBCAST -j DROP
# We should accept fragments, in iptables we must do this explicitly.
$IPTABLES -A INPUT -f -j ACCEPT
# We should accept any traffic originating from the loopback and going to the loopback
# Since routing is not on only traffic from this machine can be received on the loopback.
# Change this section if additional interfaces are added or routing is enabled.
$IPTABLES -A INPUT -i lo -j ACCEPT
# TCP
# We will accept all TCP datagrams belonging to an existing connection
# for the TCP ports we're allowing through.
# This should catch more than 95 % of all valid TCP packets.
$IPTABLES -A INPUT -m multiport -m conntrack -p tcp -s $OURNET -d $OURNET --dports $TCPINTERNAL --ctstate ESTABLISHED,NEW,RELATED -j ACCEPT
$IPTABLES -A INPUT -m multiport -m conntrack -p tcp -s $OURNET -d $OURNET --sports $TCPINTERNAL --ctstate ESTABLISHED,NEW,RELATED -j ACCEPT
$IPTABLES -A INPUT -m multiport -m conntrack -p tcp -s $OURNET -d $OURNET --dports $TCPOUTINTERNAL --ctstate ESTABLISHED,NEW,RELATED -j ACCEPT
$IPTABLES -A INPUT -m multiport -m conntrack -p tcp -s $OURNET -d $OURNET --sports $TCPOUTINTERNAL --ctstate ESTABLISHED,NEW,RELATED -j ACCEPT
$IPTABLES -A INPUT -m multiport -m conntrack -p tcp -d $OURNET --dports $TCPEXTERNAL --ctstate ESTABLISHED,NEW,RELATED -j ACCEPT
$IPTABLES -A INPUT -m multiport -m conntrack -p tcp -s $OURNET --sports $TCPEXTERNAL --ctstate ESTABLISHED,NEW,RELATED -j ACCEPT
$IPTABLES -A INPUT -m multiport -m conntrack -p tcp -s $OURNET --dports $TCPOUTEXTERNAL --ctstate ESTABLISHED,NEW,RELATED -j ACCEPT
$IPTABLES -A INPUT -m multiport -m conntrack -p tcp -d $OURNET --sports $TCPOUTEXTERNAL --ctstate ESTABLISHED,NEW,RELATED -j ACCEPT
# TCP - INCOMING CONNECTIONS
# We will accept connection requests from the INside only on the
# allowed TCP ports.
$IPTABLES -A INPUT -m multiport -p tcp -i $ANYDEV -s $OURNET -d $OURNET --dports $TCPINTERNAL --syn -j ACCEPT
# We will accept connection requests from the OUTside only on the
# allowed TCP ports.
$IPTABLES -A INPUT -m multiport -p tcp -i $ANYDEV -s $ANYADDR -d $OURNET --dports $TCPEXTERNAL --syn -j ACCEPT
# TCP - OUTGOING CONNECTIONS Internal
# We will accept all outgoing tcp connection requests on the allowed TCP ports for INTERNAL traffic
$IPTABLES -A INPUT -m multiport -p tcp -i $OURDEV -s $OURNET -d $OURNET --dports $TCPOUTINTERNAL --syn -j ACCEPT
# TCP - OUTGOING CONNECTIONS External
# We will accept all outgoing tcp connection requests on the allowed TCP ports for EXTERNAL traffic
$IPTABLES -A INPUT -m multiport -p tcp -i $OURDEV -s $OURNET -d $ANYADDR --dports $TCPOUTEXTERNAL --syn -j ACCEPT
# UDP - INCOMING
# We will allow UDP datagrams in on the allowed ports and back.
$IPTABLES -A INPUT -m multiport -p udp -i $ANYDEV -s $OURNET -d $OURNET --dports $UDPINTERNAL -j ACCEPT
$IPTABLES -A INPUT -m multiport -p udp -i $ANYDEV -s $OURNET -d $OURNET --sports $UDPINTERNAL -j ACCEPT
$IPTABLES -A INPUT -m multiport -p udp -i $ANYDEV -s $ANYADDR -d $OURNET --dports $UDPEXTERNAL -j ACCEPT
$IPTABLES -A INPUT -m multiport -p udp -i $ANYDEV -s $OURNET -d $ANYADDR --sports $UDPEXTERNAL -j ACCEPT
# UDP - OUTGOING
# We will allow UDP datagrams out to the allowed ports and back.
$IPTABLES -A INPUT -m multiport -p udp -i $OURDEV -s $OURNET -d $ANYADDR --dports $UDPOUT -j ACCEPT
$IPTABLES -A INPUT -m multiport -p udp -i $OURDEV -s $ANYADDR -d $OURNET --sports $UDPOUT -j ACCEPT
# ICMP - INCOMING
# We will allow ICMP datagrams in of the allowed types.
$IPTABLES -A INPUT -p icmp -i $ANYDEV -d $OURNET --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -p icmp -i $ANYDEV -d $OURNET --icmp-type 3 -j ACCEPT
$IPTABLES -A INPUT -p icmp -i $ANYDEV -d $OURNET --icmp-type 11 -j ACCEPT
# ICMP - OUTGOING
# We will allow ICMP datagrams out of the allowed types.
$IPTABLES -A INPUT -p icmp -i $OURDEV -d $ANYADDR --icmp-type 8 -j ACCEPT
$IPTABLES -A INPUT -p icmp -i $OURDEV -d $ANYADDR --icmp-type 3 -j ACCEPT
$IPTABLES -A INPUT -p icmp -i $OURDEV -d $ANYADDR --icmp-type 11 -j ACCEPT
# DEFAULT and LOGGING
# All remaining datagrams fall through to the default
# rule and are dropped. They will be logged if you've
# configured the LOGGING variable above.
#
if [ "$LOGGING" ]
then
    # Log barred TCP
    $IPTABLES -A INPUT -m tcp -p tcp -j LOG
    # Log barred UDP
    $IPTABLES -A INPUT -m udp -p udp -j LOG
    # Log barred ICMP
    $IPTABLES -A INPUT -m icmp -p icmp -j LOG
fi
#
# end.
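The port lists in fwup.sh are expanded unquoted into `-m multiport --dports/--sports`, which takes at most 15 comma-separated entries, each a port number or a name that resolves through /etc/services. A stray space splits the list into two shell words and an unresolvable name makes that one iptables command fail; the script carries on, and because the INPUT policy has already been set to DROP, the traffic that rule was meant to admit is silently discarded. The following is an added pre-flight check, not part of the AppNote's script, that validates each list before the firewall is loaded. The function names, the services-file parameter and the sample lists in the usage comment are assumptions made here.

```shell
#!/bin/sh
# Added pre-flight check for the port lists in fwup.sh (not part of the
# AppNote). Each list handed to "-m multiport" must be comma-separated with
# no whitespace, hold at most 15 entries, and every entry must be a port
# number (1-65535) or a service name present in the services file given as
# the second argument (normally /etc/services; a parameter so the check can
# run against a constructed file).

# service_known NAME SERVICES_FILE
# Succeeds if NAME is the first column of a non-comment line in SERVICES_FILE.
service_known() {
    awk -v n="$1" '$1 !~ /^#/ && $1 == n { found = 1 } END { exit !found }' "$2"
}

# validate_port_list LIST SERVICES_FILE
# Prints one line per problem and returns the number of problems found,
# so a return value of 0 means the list can be used as-is.
validate_port_list() {
    list=$1
    services=$2
    problems=0
    count=0
    case "$list" in
        *[[:space:]]*)
            echo "whitespace inside '$list' (the shell would split it into two arguments)"
            problems=$((problems + 1)) ;;
    esac
    case "$list" in
        *,) echo "trailing comma in '$list'"; problems=$((problems + 1)) ;;
    esac
    old_ifs=$IFS
    IFS=,
    for entry in $list; do
        count=$((count + 1))
        case "$entry" in
            '')
                echo "empty entry (double comma) in '$list'"
                problems=$((problems + 1)) ;;
            *[!0-9]*)   # not purely numeric: must be a known service name
                service_known "$entry" "$services" \
                    || { echo "unknown service name '$entry'"; problems=$((problems + 1)); } ;;
            *)          # numeric: must be a valid port number
                { [ "$entry" -ge 1 ] && [ "$entry" -le 65535 ]; } \
                    || { echo "port '$entry' out of range"; problems=$((problems + 1)); } ;;
        esac
    done
    IFS=$old_ifs
    if [ "$count" -gt 15 ]; then
        echo "$count entries in '$list': multiport accepts at most 15"
        problems=$((problems + 1))
    fi
    return $problems
}

# Usage: sh check_port_lists.sh "$TCPINTERNAL" "$TCPOUTINTERNAL" ...
# Each argument is checked against /etc/services; exit status is that of
# the last list checked.
if [ $# -gt 0 ]; then
    for l in "$@"; do
        if validate_port_list "$l" /etc/services; then
            echo "OK: $l"
        fi
    done
fi
```

Sourcing the USER CONFIGURABLE SECTION of fwup.sh and passing each list variable to this script before running the firewall turns a silent partial ruleset into a visible error; the same check is worth repeating after any edit to /etc/services, since a renamed or removed service name fails in exactly the same way.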
Appendix E - mod_security configuration
# mod_security Configuration Section. If Mod_security is not used
# comment all of these lines out.
# Yes, we want to use mod_security
SecFilterEngine On
# Scan request body
SecFilterScanPOST On
# Scan response body
SecFilterScanOutput On
# Check URL encoding
SecFilterCheckURLEncoding On
# This setting should be set to On only if the Web site is
# using the Unicode encoding. Otherwise it may interfere with
# the normal Web site operation.
SecFilterCheckUnicodeEncoding Off
# Only allow certain byte values to be a part of the request.
# This is pretty relaxed, most applications where only English
# is used will happily work with a range 32 - 126.
SecFilterForceByteRange 1 255
# Audit log logs complete requests. Configured as below it
# will only log invalid requests for further analysis.
SecAuditEngine RelevantOnly
SecAuditLog logs/audit_log
# You may need this later but we don't log anything
# here for now. Excessive debug logging may slow down
# the server.
SecFilterDebugLevel 0
SecFilterDebugLog logs/modsec_debug_log
# By default, deny requests with status 500
SecFilterDefaultAction "deny,log,status:500"
# Below this section are the more restrictive additional configs.
# Command execution attacks
SecFilter /etc/password
SecFilter /bin/ls
# Directory traversal attacks
SecFilter "\.\./"
# XSS attacks ---Note: disabled first line because it breaks iFolder access
# in NetStorage
#SecFilter "<(.|\n)+>"
SecFilter "<[[:space:]]*script"
# Detect responses that might indicate an intrusion
SecFilterSelective OUTPUT "Volume Serial Number"
SecFilterSelective OUTPUT "Command completed"
SecFilterSelective OUTPUT "Bad command or filename"
SecFilterSelective OUTPUT "file(s) copied"
SecFilterSelective OUTPUT "Index of /cgi-bin/"
SecFilterSelective OUTPUT ".*uid\=\("
# SNORT rules section. These are SNORT rules that have been converted to
# mod_security syntax. Rules that don't apply have been removed.
# WEB-ATTACKS ps command attempt
SecFilterSelective THE_REQUEST "/bin/ps"
# WEB-ATTACKS /bin/ps command attempt
#SecFilterSelective THE_REQUEST "ps\x20"
# WEB-ATTACKS wget command attempt
SecFilter "wget\x20"
# WEB-ATTACKS uname -a command attempt
SecFilter "uname\x20-a"
# WEB-ATTACKS /usr/bin/id command attempt
SecFilter "/usr/bin/id"
# WEB-ATTACKS id command attempt
SecFilter "\;id"
# WEB-ATTACKS echo command attempt
SecFilter "/bin/echo"
# WEB-ATTACKS kill command attempt
SecFilter "/bin/kill"
# WEB-ATTACKS chmod command attempt
SecFilter "/bin/chmod"
# WEB-ATTACKS chgrp command attempt
SecFilter "/chgrp"
# WEB-ATTACKS chown command attempt
SecFilter "/chown"
# WEB-ATTACKS chsh command attempt
SecFilter "/usr/bin/chsh"
# WEB-ATTACKS tftp command attempt
SecFilter "tftp\x20"
# WEB-ATTACKS /usr/bin/gcc command attempt
SecFilter "/usr/bin/gcc"
# WEB-ATTACKS gcc command attempt
SecFilter "gcc\x20-o"
# WEB-ATTACKS /usr/bin/cc command attempt
SecFilter "/usr/bin/cc"
# WEB-ATTACKS cc command attempt
SecFilter "cc\x20"
# WEB-ATTACKS /usr/bin/cpp command attempt
SecFilter "/usr/bin/cpp"
# WEB-ATTACKS cpp command attempt
SecFilter "cpp\x20"
# WEB-ATTACKS /usr/bin/g++ command attempt
SecFilter "/usr/bin/g\+\+"
# WEB-ATTACKS g++ command attempt
SecFilter "g\+\+\x20"
# WEB-ATTACKS bin/python access attempt
SecFilter "bin/python"
# WEB-ATTACKS python access attempt
SecFilter "python\x20"
# WEB-ATTACKS bin/tclsh execution attempt
SecFilter "bin/tclsh"
# WEB-ATTACKS tclsh execution attempt
SecFilter "tclsh8\x20"
# WEB-ATTACKS bin/nasm command attempt
SecFilter "bin/nasm"
# WEB-ATTACKS nasm command attempt
SecFilter "nasm\x20"
# WEB-ATTACKS /usr/bin/perl execution attempt
SecFilter "/usr/bin/perl"
# WEB-ATTACKS perl execution attempt
SecFilter "perl\x20"
# WEB-ATTACKS traceroute command attempt
SecFilter "traceroute\x20"
# WEB-ATTACKS ping command attempt
SecFilter "/bin/ping"
# WEB-ATTACKS netcat command attempt
SecFilter "nc\x20"
# WEB-ATTACKS nmap command attempt
SecFilter "nmap\x20"
# WEB-ATTACKS xterm command attempt
SecFilter "/usr/X11R6/bin/xterm"
# WEB-ATTACKS X application to remote host attempt
SecFilter "\x20-display\x20"
# WEB-ATTACKS lsof command attempt
SecFilter "lsof\x20"
# WEB-ATTACKS rm command attempt
SecFilter "rm\x20"
# WEB-ATTACKS mail command attempt
SecFilter "/bin/mail"
# WEB-ATTACKS mail command attempt
SecFilter "mail\x20"
# WEB-ATTACKS /bin/ls command attempt
SecFilterSelective THE_REQUEST "/bin/ls"
# WEB-ATTACKS /etc/inetd.conf access
SecFilter "/etc/inetd\.conf" log,pass
# WEB-ATTACKS /etc/motd access
SecFilter "/etc/motd" log,pass
# WEB-ATTACKS /etc/shadow access
SecFilter "/etc/shadow" log,pass
# WEB-ATTACKS conf/httpd.conf attempt
SecFilter "conf/httpd\.conf" log,pass
# WEB-ATTACKS .htgroup access
SecFilterSelective THE_REQUEST "\.htgroup" log,pass
# WEB-CGI HyperSeek hsx.cgi directory traversal attempt
SecFilterSelective THE_REQUEST "/hsx\.cgi" chain
SecFilter "\x00"
# WEB-CGI HyperSeek hsx.cgi access
SecFilterSelective THE_REQUEST "/hsx\.cgi" log,pass
# WEB-CGI SWSoft ASPSeek Overflow attempt
SecFilterSelective THE_REQUEST "/s\.cgi" chain
SecFilter "tmpl="
# WEB-CGI webspeed access
SecFilterSelective THE_REQUEST "/wsisa\.dll/WService=" chain
SecFilter "WSMadmin"
# WEB-CGI yabb.cgi directory traversal attempt
SecFilterSelective THE_REQUEST "/YaBB\.pl" chain
SecFilter "\.\./"
# WEB-CGI yabb.cgi access
SecFilterSelective THE_REQUEST "/YaBB\.pl"
# WEB-CGI whois_raw.cgi access
SecFilterSelective THE_REQUEST "/whois_raw\.cgi"
# WEB-CGI glimpse access
SecFilterSelective THE_REQUEST "/glimpse"
# WEB-CGI htmlscript attempt
SecFilterSelective THE_REQUEST "/htmlscript\?\.\./\.\."
# WEB-CGI htmlscript access
SecFilterSelective THE_REQUEST "/htmlscript"
# WEB-CGI info2www access
SecFilterSelective THE_REQUEST "/info2www"
# WEB-CGI maillist.pl access
SecFilterSelective THE_REQUEST "/maillist\.pl"
# WEB-CGI nph-test-cgi access
SecFilterSelective THE_REQUEST "/nph-test-cgi"
# WEB-CGI NPH-publish access
SecFilterSelective THE_REQUEST "/nph-maillist\.pl"
# WEB-CGI NPH-publish access
SecFilterSelective THE_REQUEST "/nph-publish"
# WEB-CGI rguest.exe access
SecFilterSelective THE_REQUEST "/rguest\.exe"
# WEB-CGI rwwwshell.pl access
SecFilterSelective THE_REQUEST "/rwwwshell\.pl"
# WEB-CGI test-cgi attempt
SecFilterSelective THE_REQUEST "/test-cgi/*\?*"
# WEB-CGI test-cgi access
SecFilterSelective THE_REQUEST "/test-cgi"
# WEB-CGI testcgi access
SecFilterSelective THE_REQUEST "/testcgi" log,pass
# WEB-CGI test.cgi access
SecFilterSelective THE_REQUEST "/test\.cgi" log,pass
# WEB-CGI textcounter.pl access
SecFilterSelective THE_REQUEST "/textcounter\.pl"
# WEB-CGI uploader.exe access
SecFilterSelective THE_REQUEST "/uploader\.exe"
# WEB-CGI webgais access
SecFilterSelective THE_REQUEST "/webgais"
# WEB-CGI finger access
SecFilterSelective THE_REQUEST "/finger"
# WEB-CGI perlshop.cgi access
SecFilterSelective THE_REQUEST "/perlshop\.cgi"
# WEB-CGI pfdisplay.cgi access
SecFilterSelective THE_REQUEST "/pfdisplay\.cgi"
# WEB-CGI aglimpse access
SecFilterSelective THE_REQUEST "/aglimpse"
# WEB-CGI anform2 access
SecFilterSelective THE_REQUEST "/AnForm2"
# WEB-CGI AT-admin.cgi access
SecFilterSelective THE_REQUEST "/AT-admin\.cgi"
# WEB-CGI AT-generated.cgi access
SecFilterSelective THE_REQUEST "/AT-generated\.cgi"
# WEB-CGI bnbform.cgi access
SecFilterSelective THE_REQUEST "/bnbform\.cgi"
# WEB-CGI campas access
SecFilterSelective THE_REQUEST "/campas"
# WEB-CGI view-source directory traversal
SecFilterSelective THE_REQUEST "/view-source" chain
SecFilter "\.\./"
# WEB-CGI view-source access
SecFilterSelective THE_REQUEST "/view-source"
# WEB-CGI wais.pl access
SecFilterSelective THE_REQUEST "/wais\.pl"
# WEB-CGI wwwwais access
SecFilterSelective THE_REQUEST "/wwwwais"
# WEB-CGI files.pl access
SecFilterSelective THE_REQUEST "/files\.pl"
# WEB-CGI wrap access
SecFilterSelective THE_REQUEST "/wrap"
# WEB-CGI classifieds.cgi access
SecFilterSelective THE_REQUEST "/classifieds\.cgi"
# WEB-CGI environ.cgi access
SecFilterSelective THE_REQUEST "/environ\.cgi"
# WEB-CGI faxsurvey attempt (full path)
SecFilterSelective THE_REQUEST "/faxsurvey\?/"
# WEB-CGI faxsurvey arbitrary file read attempt
SecFilterSelective THE_REQUEST "/faxsurvey\?cat\x20"
# WEB-CGI faxsurvey access
SecFilterSelective THE_REQUEST "/faxsurvey" log,pass
# WEB-CGI filemail access
SecFilterSelective THE_REQUEST "/filemail\.pl"
# WEB-CGI man.sh access
SecFilterSelective THE_REQUEST "/man\.sh"
# WEB-CGI day5datacopier.cgi access
SecFilterSelective THE_REQUEST "/day5datacopier\.cgi"
# WEB-CGI day5datanotifier.cgi access
SecFilterSelective THE_REQUEST "/day5datanotifier\.cgi"
# WEB-CGI post-query access
SecFilterSelective THE_REQUEST "/post-query"
# WEB-CGI dumpenv.pl access
SecFilterSelective THE_REQUEST "/dumpenv\.pl"
# WEB-CGI calendar_admin.pl access
SecFilterSelective THE_REQUEST "/calendar_admin\.pl" log,pass
# WEB-CGI calendar-admin.pl access
SecFilterSelective THE_REQUEST "/calendar-admin\.pl" log,pass
# WEB-CGI calender.pl access
SecFilterSelective THE_REQUEST "/calender\.pl"
# WEB-CGI calendar access
SecFilterSelective THE_REQUEST "/calendar"
# WEB-CGI user_update_admin.pl access
SecFilterSelective THE_REQUEST "/user_update_admin\.pl"
# WEB-CGI user_update_passwd.pl access
SecFilterSelective THE_REQUEST "/user_update_passwd\.pl"
# WEB-CGI survey.cgi access
SecFilterSelective THE_REQUEST "/survey\.cgi"
# WEB-CGI scriptalias access
SecFilterSelective THE_REQUEST "///"
# WEB-CGI win-c-sample.exe access
SecFilterSelective THE_REQUEST "/win-c-sample\.exe"
# WEB-CGI w3tvars.pm access
SecFilterSelective THE_REQUEST "/w3tvars\.pm"
# WEB-CGI admin.pl access
SecFilterSelective THE_REQUEST "/admin\.pl"
# WEB-CGI LWGate access
SecFilterSelective THE_REQUEST "/LWGate"
# WEB-CGI archie access
SecFilterSelective THE_REQUEST "/archie"
# WEB-CGI flexform access
SecFilterSelective THE_REQUEST "/flexform"
# WEB-CGI phf arbitrary command execution attempt
SecFilterSelective THE_REQUEST "/phf" chain
SecFilter "\x0a/"
# WEB-CGI phf access
SecFilterSelective THE_REQUEST "/phf" log,pass
# WEB-CGI www-sql access
SecFilterSelective THE_REQUEST "/www-sql"
# WEB-CGI wwwadmin.pl access
SecFilterSelective THE_REQUEST "/wwwadmin\.pl"
# WEB-CGI sendform.cgi access
SecFilterSelective THE_REQUEST "/sendform\.cgi"
# WEB-CGI upload.pl access
SecFilterSelective THE_REQUEST "/upload\.pl"
# WEB-CGI AnyForm2 access
SecFilterSelective THE_REQUEST "/AnyForm2"
# WEB-CGI MachineInfo access
SecFilterSelective THE_REQUEST "/MachineInfo"
# WEB-CGI bb-hist.sh attempt
SecFilterSelective THE_REQUEST "/bb-hist\.sh\?HISTFILE=\.\./\.\."
# WEB-CGI bb-hist.sh access
SecFilterSelective THE_REQUEST "/bb-hist\.sh"
# WEB-CGI bb-histlog.sh access
SecFilterSelective THE_REQUEST "/bb-histlog\.sh"
# WEB-CGI bb-histsvc.sh access
SecFilterSelective THE_REQUEST "/bb-histsvc\.sh"
# WEB-CGI bb-hostscv.sh attempt
SecFilterSelective THE_REQUEST "/bb-hostsvc\.sh\?HOSTSVC\?\.\./\.\."
# WEB-CGI bb-hostscv.sh access
SecFilterSelective THE_REQUEST "/bb-hostsvc\.sh" log,pass
# WEB-CGI bb-rep.sh access
SecFilterSelective THE_REQUEST "/bb-rep\.sh"
# WEB-CGI bb-replog.sh access
SecFilterSelective THE_REQUEST "/bb-replog\.sh"
# WEB-CGI redirect access
SecFilterSelective THE_REQUEST "/redirect"
# WEB-CGI wayboard attempt
SecFilterSelective THE_REQUEST "/way-board/way-board\.cgi" chain
SecFilter "\.\./\.\."
# WEB-CGI way-board access
SecFilterSelective THE_REQUEST "/way-board" log,pass
# WEB-CGI pals-cgi arbitrary file access attempt
SecFilterSelective THE_REQUEST "/pals-cgi" chain
SecFilter "documentName="
# WEB-CGI pals-cgi access
SecFilterSelective THE_REQUEST "/pals-cgi"
# WEB-CGI commerce.cgi arbitrary file access attempt
SecFilterSelective THE_REQUEST "/commerce\.cgi" chain
SecFilter "/\.\./"
# WEB-CGI commerce.cgi access
SecFilterSelective THE_REQUEST "/commerce\.cgi"
# WEB-CGI Amaya templates sendtemp.pl directory traversal attempt
SecFilterSelective THE_REQUEST "/sendtemp\.pl" chain
SecFilter "templ="
# WEB-CGI Amaya templates sendtemp.pl access
SecFilterSelective THE_REQUEST "/sendtemp\.pl" log,pass
# WEB-CGI webspirs.cgi directory traversal attempt
SecFilterSelective THE_REQUEST "/webspirs\.cgi" chain
SecFilter "\.\./\.\./"
# WEB-CGI webspirs.cgi access
SecFilterSelective THE_REQUEST "/webspirs\.cgi"
# WEB-CGI tstisapi.dll access
SecFilterSelective THE_REQUEST "tstisapi\.dll"
# WEB-CGI sendmessage.cgi access
SecFilterSelective THE_REQUEST "/sendmessage\.cgi"
# WEB-CGI lastlines.cgi access
SecFilterSelective THE_REQUEST "/lastlines\.cgi"
# WEB-CGI zml.cgi attempt
SecFilterSelective THE_REQUEST "/zml\.cgi" chain
SecFilter "file=\.\./" log,pass
# WEB-CGI zml.cgi access
SecFilterSelective THE_REQUEST "/zml\.cgi" log,pass
# WEB-CGI AHG search.cgi access
SecFilterSelective THE_REQUEST "/publisher/search\.cgi" chain
SecFilter "template=" log,pass
# WEB-CGI agora.cgi attempt
SecFilterSelective THE_REQUEST "/store/agora\.cgi\?cart_id=<SCRIPT>"
# WEB-CGI agora.cgi access
SecFilterSelective THE_REQUEST "/store/agora\.cgi" log,pass
# WEB-CGI rksh access
SecFilterSelective THE_REQUEST "/rksh"
# WEB-CGI bash access
SecFilterSelective THE_REQUEST "/bash" log,pass
# WEB-CGI perl.exe command attempt
SecFilterSelective THE_REQUEST "/perl\.exe\?"
# WEB-CGI perl.exe access
SecFilterSelective THE_REQUEST "/perl\.exe"
# WEB-CGI perl command attempt
SecFilterSelective THE_REQUEST "/perl\?"
# WEB-CGI zsh access
SecFilterSelective THE_REQUEST "/zsh"
# WEB-CGI csh access
SecFilterSelective THE_REQUEST "/csh"
# WEB-CGI tcsh access
SecFilterSelective THE_REQUEST "/tcsh"
# WEB-CGI rsh access
SecFilterSelective THE_REQUEST "/rsh"
# WEB-CGI ksh access
SecFilterSelective THE_REQUEST "/ksh"
# WEB-CGI auktion.cgi directory traversal attempt
SecFilterSelective THE_REQUEST "/auktion\.cgi" chain
SecFilter "menue=\.\./\.\./"
# WEB-CGI auktion.cgi access
SecFilterSelective THE_REQUEST "/auktion\.cgi" log,pass
# WEB-CGI cgiforum.pl attempt
SecFilterSelective THE_REQUEST "/cgiforum\.pl\?thesection=\.\./\.\."
# WEB-CGI cgiforum.pl access
SecFilterSelective THE_REQUEST "/cgiforum\.pl" log,pass
# WEB-CGI directorypro.cgi attempt
SecFilterSelective THE_REQUEST "/directorypro\.cgi" chain
SecFilter "\.\./\.\."
# WEB-CGI directorypro.cgi access
SecFilterSelective THE_REQUEST "/directorypro\.cgi" log,pass
# WEB-CGI Web Shopper shopper.cgi attempt
SecFilterSelective THE_REQUEST "/shopper\.cgi" chain
SecFilter "newpage=\.\./"
# WEB-CGI Web Shopper shopper.cgi access
SecFilterSelective THE_REQUEST "/shopper\.cgi"
# WEB-CGI listrec.pl access
SecFilterSelective THE_REQUEST "/listrec\.pl"
# WEB-CGI mailnews.cgi access
SecFilterSelective THE_REQUEST "/mailnews\.cgi"
# WEB-CGI book.cgi access
SecFilterSelective THE_REQUEST "/book\.cgi" log,pass
# WEB-CGI newsdesk.cgi access
SecFilterSelective THE_REQUEST "/newsdesk\.cgi"
# WEB-CGI cal_make.pl directory traversal attempt
SecFilterSelective THE_REQUEST "/cal_make\.pl" chain
SecFilter "p0=\.\./\.\./"
# WEB-CGI cal_make.pl access
SecFilterSelective THE_REQUEST "/cal_make\.pl" log,pass
# WEB-CGI mailit.pl access
SecFilterSelective THE_REQUEST "/mailit\.pl"
# WEB-CGI sdbsearch.cgi access
SecFilterSelective THE_REQUEST "/sdbsearch\.cgi"
# WEB-CGI swc access
SecFilterSelective THE_REQUEST "/swc"
# WEB-CGI ttawebtop.cgi arbitrary file attempt
SecFilterSelective THE_REQUEST "/ttawebtop\.cgi" chain
SecFilter "pg=\.\./"
# WEB-CGI ttawebtop.cgi access
SecFilterSelective THE_REQUEST "/ttawebtop\.cgi"
# WEB-CGI upload.cgi access
SecFilterSelective THE_REQUEST "/upload\.cgi"
# WEB-CGI view_source access
SecFilterSelective THE_REQUEST "/view_source"
# WEB-CGI ustorekeeper.pl directory traversal attempt
SecFilterSelective THE_REQUEST "/ustorekeeper\.pl" chain
SecFilter "file=\.\./\.\./"
# WEB-CGI ustorekeeper.pl access
SecFilterSelective THE_REQUEST "/ustorekeeper\.pl" log,pass
# WEB-CGI icat access
SecFilterSelective THE_REQUEST "/icat" log,pass
# WEB-CGI Bugzilla doeditvotes.cgi access
SecFilterSelective THE_REQUEST "/doeditvotes\.cgi" log,pass
# WEB-CGI htsearch arbitrary configuration file attempt
SecFilterSelective THE_REQUEST "/htsearch\?-c"
# WEB-CGI htsearch arbitrary file read attempt
SecFilterSelective THE_REQUEST "/htsearch\?exclude=`"
# WEB-CGI htsearch access
SecFilterSelective THE_REQUEST "/htsearch" log,pass
# WEB-CGI a1stats a1disp3.cgi directory traversal attempt
SecFilterSelective THE_REQUEST "/a1disp3\.cgi\?/\.\./\.\./"
# WEB-CGI a1stats a1disp3.cgi access
SecFilterSelective THE_REQUEST "/a1disp3\.cgi" log,pass
# WEB-CGI a1stats access
SecFilterSelective THE_REQUEST "/a1stats/" log,pass
# WEB-CGI admentor admin.asp access
SecFilterSelective THE_REQUEST "/admentor/admin/admin\.asp" log,pass
# WEB-CGI alchemy http server PRN arbitrary command execution attempt
SecFilterSelective THE_REQUEST "/PRN/\.\./\.\./" log,pass
# WEB-CGI alchemy http server NUL arbitrary command execution attempt
SecFilterSelective THE_REQUEST "/NUL/\.\./\.\./" log,pass
# WEB-CGI alibaba.pl access
SecFilterSelective THE_REQUEST "/alibaba\.pl" log,pass
# WEB-CGI AltaVista Intranet Search directory traversal attempt
SecFilterSelective THE_REQUEST "/query\?mss=\.\."
# WEB-CGI /cgi-bin/ls access
SecFilterSelective THE_REQUEST "/cgi-bin/ls" log,pass
# WEB-CGI cgimail access
SecFilterSelective THE_REQUEST "/cgimail" log,pass
# WEB-CGI cgiwrap access
SecFilterSelective THE_REQUEST "/cgiwrap" log,pass
# WEB-CGI csSearch.cgi arbitrary command execution attempt
SecFilterSelective THE_REQUEST "/csSearch\.cgi" chain
SecFilter "`"
# WEB-CGI csSearch.cgi access
SecFilterSelective THE_REQUEST "/csSearch\.cgi" log,pass
# WEB-CGI /cart/cart.cgi access
SecFilterSelective THE_REQUEST "/cart/cart\.cgi" log,pass
# WEB-CGI dbman db.cgi access
SecFilterSelective THE_REQUEST "/dbman/db\.cgi" log,pass
# WEB-CGI DCShop access
SecFilterSelective THE_REQUEST "/dcshop" log,pass
# WEB-CGI DCShop orders.txt access
SecFilterSelective THE_REQUEST "/orders/orders\.txt" log,pass
# WEB-CGI DCShop auth_user_file.txt access
SecFilterSelective THE_REQUEST "/auth_data/auth_user_file\.txt" log,pass
# WEB-CGI eshop.pl arbitrary command execution attempt
SecFilterSelective THE_REQUEST "/eshop\.pl\?seite=\;"
# WEB-CGI eshop.pl access
SecFilterSelective THE_REQUEST "/eshop\.pl" log,pass
# WEB-CGI loadpage.cgi directory traversal attempt
SecFilterSelective THE_REQUEST "/loadpage\.cgi" chain
SecFilter "file=\.\./"
# WEB-CGI loadpage.cgi access
SecFilterSelective THE_REQUEST "/loadpage\.cgi" log,pass
# WEB-CGI faqmanager.cgi arbitrary file access attempt
SecFilterSelective THE_REQUEST "\x00"
# WEB-CGI faqmanager.cgi access
SecFilterSelective THE_REQUEST "/faqmanager\.cgi" log,pass
# WEB-CGI /fcgi-bin/echo.exe access
SecFilterSelective THE_REQUEST "/fcgi-bin/echo\.exe" log,pass
# WEB-CGI FormHandler.cgi directory traversal attempt
SecFilterSelective THE_REQUEST "/FormHandler\.cgi" chain
SecFilter "/\.\./"
# WEB-CGI FormHandler.cgi external site redirection attempt
SecFilterSelective THE_REQUEST "/FormHandler\.cgi" chain
SecFilter "redirect=http"
# WEB-CGI FormHandler.cgi access
SecFilterSelective THE_REQUEST "/FormHandler\.cgi" log,pass
# WEB-CGI guestbook.cgi access
SecFilterSelective THE_REQUEST "/guestbook\.cgi" log,pass
# WEB-CGI Home Free search.cgi directory traversal attempt
SecFilterSelective THE_REQUEST "/search\.cgi" chain
SecFilter "letter=\.\./\.\."
# WEB-CGI search.cgi access
SecFilterSelective THE_REQUEST "/search\.cgi" log,pass
# WEB-CGI enivron.pl access
SecFilterSelective THE_REQUEST "/enivron\.pl" log,pass
# WEB-CGI campus attempt
SecFilterSelective THE_REQUEST "/campus\?\x0a"
# WEB-CGI campus access
SecFilterSelective THE_REQUEST "/campus" log,pass
# WEB-CGI pfdispaly.cgi arbitrary command execution attempt
SecFilterSelective THE_REQUEST "/pfdispaly\.cgi\?'"
# WEB-CGI pfdispaly.cgi access
SecFilterSelective THE_REQUEST "/pfdispaly\.cgi" log,pass
# WEB-CGI pagelog.cgi directory traversal attempt
SecFilterSelective THE_REQUEST "/pagelog\.cgi" chain
SecFilter "name=\.\./" log,pass
# WEB-CGI pagelog.cgi access
SecFilterSelective THE_REQUEST "/pagelog\.cgi" log,pass
# WEB-CGI ad.cgi access
SecFilterSelective THE_REQUEST "/ad\.cgi" log,pass
# WEB-CGI bbs_forum.cgi access
SecFilterSelective THE_REQUEST "/bbs_forum\.cgi" log,pass
# WEB-CGI bsguest.cgi access
SecFilterSelective THE_REQUEST "/bsguest\.cgi" log,pass
# WEB-CGI bslist.cgi access
SecFilterSelective THE_REQUEST "/bslist\.cgi" log,pass
# WEB-CGI cgforum.cgi access
SecFilterSelective THE_REQUEST "/cgforum\.cgi" log,pass
# WEB-CGI newdesk access
SecFilterSelective THE_REQUEST "/newdesk" log,pass
# WEB-CGI register.cgi access
SecFilterSelective THE_REQUEST "/register\.cgi" log,pass
# WEB-CGI gbook.cgi access
SecFilterSelective THE_REQUEST "/gbook\.cgi" log,pass
# WEB-CGI simplestguest.cgi access
SecFilterSelective THE_REQUEST "/simplestguest\.cgi" log,pass
# WEB-CGI statusconfig.pl access
SecFilterSelective THE_REQUEST "/statusconfig\.pl" log,pass
# WEB-CGI talkback.cgi directory traversal attempt
SecFilterSelective THE_REQUEST "/talkback\.cgi" chain
SecFilter "article=\.\./\.\./"
# WEB-CGI talkback.cgi access
SecFilterSelective THE_REQUEST "/talkback\.cgi" log,pass
# WEB-CGI adcycle access
SecFilterSelective THE_REQUEST "/adcycle" log,pass
# WEB-CGI MachineInfo access
SecFilterSelective THE_REQUEST "/MachineInfo" log,pass
# WEB-CGI emumail.cgi NULL attempt
SecFilterSelective THE_REQUEST "/emumail\.cgi" chain
SecFilter "\x00" log,pass
# WEB-CGI emumail.cgi access
SecFilterSelective THE_REQUEST "/emumail\.cgi" log,pass
# WEB-CGI document.d2w access
SecFilterSelective THE_REQUEST "/document\.d2w" log,pass
# WEB-CGI db2www access
SecFilterSelective THE_REQUEST "/db2www" log,pass
# WEB-CGI /cgi-bin/ access
SecFilterSelective THE_REQUEST "/cgi-bin/" chain
SecFilter "/cgi-bin/ HTTP"
# WEB-CGI /cgi-dos/ access
SecFilterSelective THE_REQUEST "/cgi-dos/" chain
SecFilter "/cgi-dos/ HTTP"
# WEB-CGI technote main.cgi file directory traversal attempt
SecFilterSelective THE_REQUEST "/technote/main\.cgi" chain
SecFilter "\.\./\.\./"
# WEB-CGI technote print.cgi directory traversal attempt
SecFilterSelective THE_REQUEST "/technote/print\.cgi" chain
SecFilter "\x00"
# WEB-CGI eXtropia webstore directory traversal
SecFilterSelective THE_REQUEST "/web_store\.cgi" chain
SecFilter "page=\.\./"
# WEB-CGI eXtropia webstore access
SecFilterSelective THE_REQUEST "/web_store\.cgi" log,pass
# WEB-CGI shopping cart directory traversal
SecFilterSelective THE_REQUEST "/shop\.cgi" chain
SecFilter "page=\.\./"
# WEB-CGI count.cgi access
SecFilterSelective THE_REQUEST "/count\.cgi" log,pass
# WEB-CGI webdist.cgi arbitrary command attempt
SecFilterSelective THE_REQUEST "/webdist\.cgi" chain
SecFilter "distloc=\;"
# WEB-CGI webdist.cgi access
SecFilterSelective THE_REQUEST "/webdist\.cgi" log,pass
# WEB-CGI bigconf.cgi access
SecFilterSelective THE_REQUEST "/bigconf\.cgi" log,pass
# WEB-CGI /cgi-bin/jj access
SecFilterSelective THE_REQUEST "/cgi-bin/jj" log,pass
# WEB-CGI bizdbsearch attempt
SecFilterSelective THE_REQUEST "/bizdb1-search\.cgi" chain
SecFilter "mail"
# WEB-CGI bizdbsearch access
SecFilterSelective THE_REQUEST "/bizdb1-search\.cgi" log,pass
# WEB-CGI sojourn.cgi File attempt
SecFilterSelective THE_REQUEST "/sojourn\.cgi\?cat=" chain
SecFilter "\x00"
# WEB-CGI sojourn.cgi access
SecFilterSelective THE_REQUEST "/sojourn\.cgi" log,pass
# WEB-CGI SGI InfoSearch fname attempt
SecFilterSelective THE_REQUEST "/infosrch\.cgi\?" chain
SecFilter "fname="
# WEB-CGI SGI InfoSearch fname access
SecFilterSelective THE_REQUEST "/infosrch\.cgi" log,pass
# WEB-CGI ax-admin.cgi access
SecFilterSelective THE_REQUEST "/ax-admin\.cgi" log,pass
# WEB-CGI axs.cgi access
SecFilterSelective THE_REQUEST "/axs\.cgi" log,pass
# WEB-CGI cachemgr.cgi access
SecFilterSelective THE_REQUEST "/cachemgr\.cgi" log,pass
# WEB-CGI responder.cgi access
SecFilterSelective THE_REQUEST "/responder\.cgi" log,pass
# WEB-CGI web-map.cgi access
SecFilterSelective THE_REQUEST "/web-map\.cgi" log,pass
# WEB-CGI ministats admin access
SecFilterSelective THE_REQUEST "/ministats/admin\.cgi" log,pass
# WEB-CGI dfire.cgi access
SecFilterSelective THE_REQUEST "/dfire\.cgi" log,pass
# WEB-CGI txt2html.cgi directory traversal attempt
SecFilterSelective THE_REQUEST "/txt2html\.cgi" chain
SecFilter "/\.\./\.\./\.\./\.\./"
# WEB-CGI txt2html.cgi access
SecFilterSelective THE_REQUEST "/txt2html\.cgi" log,pass
# WEB-CGI store.cgi directory traversal attempt
SecFilterSelective THE_REQUEST "/store\.cgi" chain
SecFilter "\.\./"
# WEB-CGI store.cgi access
SecFilterSelective THE_REQUEST "/store\.cgi" log,pass
# WEB-CGI SIX webboard generate.cgi attempt
SecFilterSelective THE_REQUEST "/generate\.cgi" chain
SecFilter "content=\.\./"
# WEB-CGI SIX webboard generate.cgi access
SecFilterSelective THE_REQUEST "/generate\.cgi" log,pass
# WEB-CGI spin_client.cgi access
SecFilterSelective THE_REQUEST "/spin_client\.cgi" log,pass
# WEB-CGI csPassword.cgi access
SecFilterSelective THE_REQUEST "/csPassword\.cgi" log,pass
# WEB-CGI csPassword password.cgi.tmp access
SecFilterSelective THE_REQUEST "/password\.cgi\.tmp" log,pass
# WEB-CGI Nortel Contivity cgiproc DOS attempt
SecFilterSelective THE_REQUEST "/cgiproc\?Nocfile="
# WEB-CGI Nortel Contivity cgiproc DOS attempt
SecFilterSelective THE_REQUEST "/cgiproc\?\$"
# WEB-CGI Nortel Contivity cgiproc access
SecFilterSelective THE_REQUEST "/cgiproc" log,pass
# WEB-CGI Oracle reports CGI access
SecFilterSelective THE_REQUEST "/rwcgi60" chain
SecFilter "setauth=" log,pass
# WEB-CGI alienform.cgi access
SecFilterSelective THE_REQUEST "/alienform\.cgi" log,pass
# WEB-CGI AlienForm af.cgi access
SecFilterSelective THE_REQUEST "/af\.cgi" log,pass
# WEB-CGI story.pl arbitrary file read attempt
SecFilterSelective THE_REQUEST "/story\.pl" chain
SecFilter "next=\.\./"
# WEB-CGI story.pl access
SecFilterSelective THE_REQUEST "/story\.pl"
# WEB-CGI siteUserMod.cgi access
SecFilterSelective THE_REQUEST "/\.cobalt/siteUserMod/siteUserMod\.cgi" log,pass
# WEB-CGI cgicso access
SecFilterSelective THE_REQUEST "/cgicso" log,pass
# WEB-CGI nph-publish.cgi access
SecFilterSelective THE_REQUEST "/nph-publish\.cgi" log,pass
# WEB-CGI printenv access
SecFilterSelective THE_REQUEST "/printenv" log,pass
# WEB-CGI sdbsearch.cgi access
SecFilterSelective THE_REQUEST "/sdbsearch\.cgi" log,pass
# WEB-CGI rpc-nlog.pl access
SecFilterSelective THE_REQUEST "/rpc-nlog\.pl" log,pass
# WEB-CGI rpc-smb.pl access
SecFilterSelective THE_REQUEST "/rpc-smb\.pl" log,pass
# WEB-CGI cart.cgi access
SecFilterSelective THE_REQUEST "/cart\.cgi" log,pass
# WEB-CGI vpasswd.cgi access
SecFilterSelective THE_REQUEST "/vpasswd\.cgi" log,pass
# WEB-CGI alya.cgi access
SecFilterSelective THE_REQUEST "/alya\.cgi" log,pass
# WEB-CGI viralator.cgi access
SecFilterSelective THE_REQUEST "/viralator\.cgi" log,pass
# WEB-CGI smartsearch.cgi access
SecFilterSelective THE_REQUEST "/smartsearch\.cgi" log,pass
# WEB-CGI mrtg.cgi directory traversal attempt
SecFilterSelective THE_REQUEST "/mrtg\.cgi" chain
SecFilter "cfg=/\.\./"
# WEB-CGI overflow.cgi access
SecFilterSelective THE_REQUEST "/overflow\.cgi" log,pass
# WEB-CGI way-board.cgi access
SecFilterSelective THE_REQUEST "/way-board\.cgi" log,pass
# WEB-CGI process_bug.cgi access
SecFilterSelective THE_REQUEST "/process_bug\.cgi" log,pass
# WEB-CGI enter_bug.cgi arbitrary command attempt
SecFilterSelective THE_REQUEST "/enter_bug\.cgi" chain
SecFilter "\;"
# WEB-CGI enter_bug.cgi access
SecFilterSelective THE_REQUEST "/enter_bug\.cgi" log,pass
# WEB-CGI parse_xml.cgi access
SecFilterSelective THE_REQUEST "/parse_xml\.cgi" log,pass
# WEB-CGI streaming server parse_xml.cgi access
SecFilter "/parse_xml\.cgi" log,pass
# WEB-CGI album.pl access
SecFilter "/album\.pl" log,pass
# WEB-CGI chipcfg.cgi access
SecFilterSelective THE_REQUEST "/chipcfg\.cgi" log,pass
# WEB-CGI ikonboard.cgi access
SecFilterSelective THE_REQUEST "/ikonboard\.cgi" log,pass
# WEB-CGI swsrv.cgi access
SecFilterSelective THE_REQUEST "/swsrv\.cgi" log,pass
# WEB-CLIENT Outlook EML access
SecFilterSelective THE_REQUEST "\.eml"
# WEB-CLIENT XMLHttpRequest attempt
SecFilter "file\://"
# WEB-CLIENT readme.eml download attempt
SecFilterSelective THE_REQUEST "/readme\.eml"
# WEB-CLIENT readme.eml autoload attempt
SecFilter "window\.open\(\"readme\.eml\""
# WEB-CLIENT Javascript document.domain attempt
SecFilter "document\.domain\("
# WEB-CLIENT Javascript URL host spoofing attempt
SecFilter "javascript\://"
# WEB-MISC cross site scripting attempt
SecFilter "<SCRIPT>"
# WEB-MISC cross site scripting (img src=javascript) attempt
SecFilter "img src=javascript"
# WEB-MISC Cisco IOS HTTP configuration attempt
SecFilterSelective THE_REQUEST "/exec/"
# WEB-MISC Netscape Enterprise DOS
SecFilter "REVLOG / "
# WEB-MISC Netscape Enterprise directory listing attempt
# Tests the INDEX method itself; a plain SecFilter "INDEX " also matched the word in any query string or POST body
SecFilterSelective REQUEST_METHOD "^INDEX$"
# WEB-MISC iPlanet GETPROPERTIES attempt
SecFilter "GETPROPERTIES"
# WEB-MISC weblogic view source attempt
SecFilterSelective THE_REQUEST "\.js\x70"
# WEB-MISC Tomcat directory traversal attempt
SecFilterSelective THE_REQUEST "\x00\.jsp"
# WEB-MISC Tomcat view source attempt
SecFilterSelective THE_REQUEST "\x252ejsp"
# WEB-MISC xp_enumdsn attempt
SecFilter "xp_enumdsn"
# WEB-MISC xp_filelist attempt
SecFilter "xp_filelist"
# WEB-MISC xp_availablemedia attempt
SecFilter "xp_availablemedia"
# WEB-MISC xp_cmdshell attempt
SecFilter "xp_cmdshell"
# WEB-MISC xp_regread attempt
SecFilter "xp_regread" log,pass
# WEB-MISC xp_regwrite attempt
SecFilter "xp_regwrite" log,pass
# WEB-MISC xp_regdeletekey attempt
SecFilter "xp_regdeletekey" log,pass
# WEB-MISC WebDAV search access
SecFilter "SEARCH " log,pass
# WEB-MISC .htpasswd access
SecFilter "\.htpasswd"
# WEB-MISC queryhit.htm access
SecFilterSelective THE_REQUEST "/samples/search/queryhit\.htm" log,pass
# WEB-MISC WebDAV propfind access
SecFilter "xmlns\:a=\"DAV\">" log,pass
# WEB-MISC unify eWave ServletExec upload
SecFilterSelective THE_REQUEST "/servlet/com\.unify\.servletexec\.UploadServlet"
# WEB-MISC Netscape Servers suite DOS
SecFilterSelective THE_REQUEST "/dsgw/bin/search\?context="
# WEB-MISC amazon 1-click cookie theft
SecFilter "ref\x3Cscript\x20language\x3D\x22Javascript"
# WEB-MISC unify eWave ServletExec DOS
SecFilterSelective THE_REQUEST "/servlet/ServletExec" log,pass
# WEB-MISC Allaire JRUN DOS attempt
SecFilterSelective THE_REQUEST "servlet/\.\.\.\.\.\.\."
# WEB-MISC ICQ Webfront HTTP DOS
SecFilterSelective THE_REQUEST "\?\?\?\?\?\?\?\?\?\?"
# WEB-MISC Nessus 404 probe
SecFilterSelective THE_REQUEST "/nessus_is_probing_you_"
# WEB-MISC Netscape admin passwd
SecFilterSelective THE_REQUEST "/admin-serv/config/admpw"
# WEB-MISC BigBrother access
SecFilterSelective THE_REQUEST "/bb-hostsvc\.sh\?HOSTSVC"
# WEB-MISC ftp.pl attempt
SecFilterSelective THE_REQUEST "/ftp\.pl\?dir=\.\./\.\."
# WEB-MISC ftp.pl access
SecFilterSelective THE_REQUEST "/ftp\.pl" log,pass
# WEB-MISC Tomcat server snoop access
SecFilterSelective THE_REQUEST "\.snp"
# WEB-MISC apache source.asp file access
SecFilterSelective THE_REQUEST "/site/eg/source\.asp"
# WEB-MISC Tomcat server exploit access
SecFilterSelective THE_REQUEST "/contextAdmin/contextAdmin\.html"
# WEB-MISC http directory traversal
SecFilter "\.\.\\"
# WEB-MISC ICQ webserver DOS
SecFilterSelective THE_REQUEST "\.html/\.\.\.\.\.\."
# WEB-MISC ls%20-l
SecFilter "ls\x20-l"
# WEB-MISC mlog.phtml access
SecFilterSelective THE_REQUEST "/mlog\.phtml"
# WEB-MISC mylog.phtml access
SecFilterSelective THE_REQUEST "/mylog\.phtml"
# WEB-MISC /etc/passwd
SecFilter "/etc/passwd"
# WEB-MISC ?PageServices access
SecFilterSelective THE_REQUEST "\?PageServices"
# WEB-MISC Ecommerce check.txt access
SecFilterSelective THE_REQUEST "/config/check\.txt"
# WEB-MISC webcart access
SecFilterSelective THE_REQUEST "/webcart/"
# WEB-MISC AuthChangeUrl access
SecFilterSelective THE_REQUEST "_AuthChangeUrl\?"
# WEB-MISC convert.bas access
SecFilterSelective THE_REQUEST "/scripts/convert\.bas"
# WEB-MISC cpshost.dll access
SecFilterSelective THE_REQUEST "/scripts/cpshost\.dll"
# WEB-MISC .htaccess access
SecFilter "\.htaccess"
# WEB-MISC .wwwacl access
SecFilterSelective THE_REQUEST "\.wwwacl"
# WEB-MISC .www_acl access
SecFilterSelective THE_REQUEST "\.www_acl"
# WEB-MISC cd..
SecFilter "cd\.\."
# WEB-MISC guestbook.pl access
SecFilterSelective THE_REQUEST "/guestbook\.pl"
# WEB-MISC handler access
SecFilterSelective THE_REQUEST "/handler" log,pass
# WEB-MISC /.... access
SecFilter "/\.\.\.\."
# WEB-MISC ///cgi-bin access
SecFilterSelective THE_REQUEST "///cgi-bin"
# WEB-MISC /cgi-bin/// access
SecFilterSelective THE_REQUEST "/cgi-bin///"
# WEB-MISC /~root access
SecFilterSelective THE_REQUEST "/~root"
# WEB-MISC /~ftp access
SecFilterSelective THE_REQUEST "/~ftp"
# WEB-MISC Ecommerce import.txt access
SecFilterSelective THE_REQUEST "/config/import\.txt"
# WEB-MISC cat%20 access
# Note: denies any request containing "cat " (a search for "cat food" included); verify against real traffic before relying on it
SecFilter "cat\x20"
# WEB-MISC Ecommerce import.txt access
SecFilterSelective THE_REQUEST "/orders/import\.txt"
# WEB-MISC Ecommerce checks.txt access
SecFilterSelective THE_REQUEST "/orders/checks\.txt"
# WEB-MISC Netscape PublishingXpert access
SecFilterSelective THE_REQUEST "/PSUser/PSCOErrPage\.htm" log,pass
# WEB-MISC webplus access
SecFilterSelective THE_REQUEST "/webplus\?script"
# WEB-MISC Netscape dir index wp
SecFilterSelective THE_REQUEST "\?wp-"
# WEB-MISC shopping cart access
SecFilterSelective THE_REQUEST "/quikstore\.cfg"
# WEB-MISC Novell Groupwise gwweb.exe attempt
SecFilterSelective THE_REQUEST "/GWWEB\.EXE\?HELP="
# WEB-MISC Novell Groupwise gwweb.exe access
SecFilter "/GWWEB\.EXE"
# WEB-MISC ws_ftp.ini access
SecFilterSelective THE_REQUEST "/ws_ftp\.ini"
# WEB-MISC rpm_query access
SecFilterSelective THE_REQUEST "/rpm_query"
# WEB-MISC mall log order access
SecFilterSelective THE_REQUEST "/mall_log_files/order\.log"
# WEB-MISC architext_query.pl access
SecFilterSelective THE_REQUEST "/ews/architext_query\.pl"
# WEB-MISC wwwboard.pl access
SecFilterSelective THE_REQUEST "/wwwboard\.pl"
# WEB-MISC order.log access
SecFilterSelective THE_REQUEST "/admin_files/order\.log"
# WEB-MISC Netscape Enterprise Server directory view
SecFilterSelective THE_REQUEST "\?wp-verify-link"
# WEB-MISC Annex Terminal DOS attempt
SecFilterSelective THE_REQUEST "/ping\?query="
# WEB-MISC cgitest.exe access
SecFilterSelective THE_REQUEST "/cgitest\.exe" log,pass
# WEB-MISC Netscape Enterprise Server directory view
SecFilterSelective THE_REQUEST "\?wp-cs-dump"
# WEB-MISC Netscape Enterprise Server directory view
SecFilterSelective THE_REQUEST "\?wp-ver-info"
# WEB-MISC Netscape Enterprise Server directory view
SecFilterSelective THE_REQUEST "\?wp-ver-diff"
# WEB-MISC SalesLogix Eviewer web command attempt
SecFilterSelective THE_REQUEST "/slxweb\.dll/admin\?command="
# WEB-MISC SalesLogix Eviewer access
SecFilterSelective THE_REQUEST "/slxweb\.dll" log,pass
# WEB-MISC Netscape Enterprise Server directory view
SecFilterSelective THE_REQUEST "\?wp-start-ver"
# WEB-MISC Netscape Enterprise Server directory view
SecFilterSelective THE_REQUEST "\?wp-stop-ver"
# WEB-MISC Netscape Enterprise Server directory view
SecFilterSelective THE_REQUEST "\?wp-uncheckout"
# WEB-MISC Netscape Enterprise Server directory view
SecFilterSelective THE_REQUEST "\?wp-html-rend"
# WEB-MISC Trend Micro OfficeScan attempt
# Scoped to the OfficeScan CGI; a bare "event=" denied every request carrying a parameter of that name
SecFilterSelective THE_REQUEST "/officescan/cgi/jdkRqNotify\.exe" chain
SecFilter "event="
# WEB-MISC Trend Micro OfficeScan access
SecFilterSelective THE_REQUEST "/officescan/cgi/jdkRqNotify\.exe"
# WEB-MISC oracle web arbitrary command execution attempt
# Scoped to the OWS CGI directory; a bare "\?&" denied any request whose query string began with "&"
SecFilterSelective THE_REQUEST "/ows-bin/" chain
SecFilter "\?&"
# WEB-MISC oracle web application server access
SecFilterSelective THE_REQUEST "/ows-bin/" log,pass
# WEB-MISC Netscape Enterprise Server directory view
SecFilterSelective THE_REQUEST "\?wp-usr-prop"
# WEB-MISC search.vts access
SecFilterSelective THE_REQUEST "/search\.vts"
# WEB-MISC htgrep attempt
SecFilterSelective THE_REQUEST "/htgrep" chain
SecFilter "hdr=/"
# WEB-MISC htgrep access
SecFilterSelective THE_REQUEST "/htgrep" log,pass
# WEB-MISC .nsconfig access
SecFilterSelective THE_REQUEST "/\.nsconfig"
# WEB-MISC Admin_files access
SecFilterSelective THE_REQUEST "/admin_files"
# WEB-MISC backup access
SecFilterSelective THE_REQUEST "/backup"
# WEB-MISC intranet access
SecFilterSelective THE_REQUEST "/intranet/"
# WEB-MISC filemail access
SecFilterSelective THE_REQUEST "/filemail"
# WEB-MISC plusmail access
SecFilterSelective THE_REQUEST "/plusmail"
# WEB-MISC adminlogin access
SecFilterSelective THE_REQUEST "/adminlogin"
# WEB-MISC ultraboard access
SecFilterSelective THE_REQUEST "/ultraboard"
# WEB-MISC musicat empower attempt
SecFilterSelective THE_REQUEST "/empower\?DB="
# WEB-MISC musicat empower access
SecFilterSelective THE_REQUEST "/empower" log,pass
# WEB-MISC ROADS search.pl attempt
SecFilterSelective THE_REQUEST "/ROADS/cgi-bin/search\.pl" chain
SecFilter "form="
# WEB-MISC Tomcat sourecode view
SecFilterSelective THE_REQUEST "\.js\x2570"
# WEB-MISC Tomcat sourecode view
SecFilterSelective THE_REQUEST "\.j\x2573p"
# WEB-MISC Tomcat sourecode view
SecFilterSelective THE_REQUEST "\.\x256Asp"
# WEB-MISC SWEditServlet directory traversal attempt
SecFilterSelective THE_REQUEST "/SWEditServlet" chain
SecFilter "template=\.\./\.\./\.\./"
# WEB-MISC SWEditServlet access
SecFilterSelective THE_REQUEST "/SWEditServlet"
# WEB-MISC whisker HEAD/./
SecFilter "HEAD/\./"
# WEB-MISC long basic authorization string
# As listed, the pattern "Authorization\: Basic " matched every Basic-auth request, not only long ones;
# check the header itself and require an overlong credential (the 512-character threshold is an assumed value)
SecFilterSelective HTTP_Authorization "^Basic [A-Za-z0-9+/=]{512,}"
# WEB-MISC sml3com access
SecFilterSelective THE_REQUEST "/graphics/sml3com" log,pass
# WEB-MISC http directory traversal
SecFilter "\.\./"
# WEB-MISC sadmind worm access
SecFilter "GET x HTTP/1\.0"
# WEB-MISC jrun directory browse attempt
SecFilterSelective THE_REQUEST "/\x3f\.jsp"
# WEB-MISC mod-plsql administration access
SecFilterSelective THE_REQUEST "/admin_/" log,pass
# WEB-MISC Phorecast remote code execution attempt
SecFilter "includedir="
# WEB-MISC viewcode access
SecFilterSelective THE_REQUEST "/viewcode"
# WEB-MISC showcode access
SecFilterSelective THE_REQUEST "/showcode"
# WEB-MISC .history access
SecFilterSelective THE_REQUEST "/\.history"
# WEB-MISC .bash_history access
SecFilterSelective THE_REQUEST "/\.bash_history"
# WEB-MISC /~nobody access
SecFilterSelective THE_REQUEST "/~nobody"
# WEB-MISC RBS ISP /newuser directory traversal attempt
SecFilterSelective THE_REQUEST "/newuser\?Image=\.\./\.\."
# WEB-MISC RBS ISP /newuser access
SecFilterSelective THE_REQUEST "/newuser" log,pass
# WEB-MISC *%0a.pl access
SecFilterSelective THE_REQUEST "/*\x0a\.pl"
# WEB-MISC PCCS mysql database admin tool access
SecFilter "pccsmysqladm/incs/dbconnect\.inc"
# WEB-MISC .DS_Store access
SecFilterSelective THE_REQUEST "/\.DS_Store" log,pass
# WEB-MISC .FBCIndex access
SecFilterSelective THE_REQUEST "/\.FBCIndex" log,pass
# WEB-MISC ExAir access
SecFilterSelective THE_REQUEST "/exair/search/" log,pass
# WEB-MISC apache ?M=D directory list attempt
SecFilterSelective THE_REQUEST "/\?M=D" log,pass
# WEB-MISC server-info access
SecFilterSelective THE_REQUEST "/server-info" log,pass
# WEB-MISC server-status access
SecFilterSelective THE_REQUEST "/server-status" log,pass
# WEB-MISC ans.pl attempt
SecFilterSelective THE_REQUEST "/ans\.pl\?p=\.\./\.\./"
# WEB-MISC ans.pl access
SecFilterSelective THE_REQUEST "/ans\.pl" log,pass
# WEB-MISC AxisStorpoint CD attempt
SecFilterSelective THE_REQUEST "/cd/\.\./config/html/cnf_gi\.htm"
# WEB-MISC Axis Storpoint CD access
SecFilterSelective THE_REQUEST "/config/html/cnf_gi\.htm" log,pass
# WEB-MISC basilix sendmail.inc access
SecFilterSelective THE_REQUEST "/inc/sendmail\.inc" log,pass
# WEB-MISC basilix mysql.class access
SecFilterSelective THE_REQUEST "/class/mysql\.class" log,pass
# WEB-MISC BBoard access
SecFilterSelective THE_REQUEST "/servlet/sunexamples\.BBoardServlet"
log,pass
# WEB-MISC Cisco Catalyst command execution attempt
SecFilterSelective THE_REQUEST "/exec/show/config/cr" log,pass
# WEB-MISC Cisco /%% DOS attempt
SecFilterSelective THE_REQUEST "/%%"
# WEB-MISC /CVS/Entries access
SecFilterSelective THE_REQUEST "/CVS/Entries" log,pass
# WEB-MISC cvsweb version access
SecFilterSelective THE_REQUEST "/cvsweb/version" log,pass
# WEB-MISC /doc/packages access
SecFilterSelective THE_REQUEST "/doc/packages" log,pass
# WEB-MISC /doc/ access
SecFilterSelective THE_REQUEST "/doc/" log,pass
# WEB-MISC ?open access
SecFilterSelective THE_REQUEST "\?open" log,pass
# WEB-MISC login.htm attempt
SecFilterSelective THE_REQUEST "/login\.htm\?password=" log,pass
# WEB-MISC login.htm access
SecFilterSelective THE_REQUEST "/login\.htm" log,pass
# WEB-MISC DELETE attempt
SecFilter "DELETE " log,pass
# WEB-MISC /home/ftp access
SecFilterSelective THE_REQUEST "/home/ftp" log,pass
# WEB-MISC /home/www access
SecFilterSelective THE_REQUEST "/home/www" log,pass
# WEB-MISC global.inc access
SecFilterSelective THE_REQUEST "/global\.inc"
# WEB-MISC SecureSite authentication bypass attempt
SecFilter "secure_site, ok"
# WEB-MISC b2 arbitrary command execution attempt
SecFilterSelective THE_REQUEST "/b2/b2-include/" chain
SecFilter "http\://"
# WEB-MISC b2 access
SecFilterSelective THE_REQUEST "/b2/b2-include/" log,pass
# WEB-MISC PIX firewall manager directory traversal attempt
SecFilterSelective THE_REQUEST "/\.\./\.\./"
# WEB-MISC iChat directory traversal attempt
SecFilterSelective THE_REQUEST "/\.\./\.\./" log,pass
# WEB-MISC Delegate whois overflow attempt
SecFilter "whois\://" log,pass
# WEB-MISC nstelemetry.adp access
SecFilterSelective THE_REQUEST "/nstelemetry\.adp" log,pass
# WEB-MISC Compaq Insight directory traversal
SecFilterSelective THE_REQUEST "\.\./"
# WEB-MISC VirusWall catinfo access
SecFilterSelective THE_REQUEST "/catinfo"
# WEB-MISC Apache Chunked-Encoding worm attempt
SecFilter "CCCCCCC\: AAAAAAAAAAAAAAAAAAA"
# WEB-MISC Transfer-Encoding: chunked
# Inspect the header itself rather than the word "chunked" anywhere in the request;
# note this denies every chunked request, legitimate ones included
SecFilterSelective HTTP_Transfer-Encoding "chunked"
# WEB-MISC CISCO VoIP DOS ATTEMPT
SecFilterSelective THE_REQUEST "/StreamingStatistics"
# WEB-MISC IBM Net.Commerce orderdspc.d2w access
SecFilterSelective THE_REQUEST "/ncommerce3/ExecMacro/orderdspc\.d2w" log,pass
# WEB-MISC WEB-INF access
SecFilterSelective THE_REQUEST "/WEB-INF" log,pass
# WEB-MISC Tomcat servlet mapping cross site scripting attempt
SecFilterSelective THE_REQUEST "/org\.apache\."
# WEB-MISC iPlanet Search directory traversal attempt
SecFilterSelective THE_REQUEST "/search" chain
SecFilter "\.\./\.\./"
# WEB-MISC Tomcat TroubleShooter servlet access
SecFilterSelective THE_REQUEST "/examples/servlet/TroubleShooter" log,pass
# WEB-MISC Tomcat SnoopServlet servlet access
SecFilterSelective THE_REQUEST "/examples/servlet/SnoopServlet" log,pass
# WEB-MISC jigsaw dos attempt
SecFilterSelective THE_REQUEST "/servlet/con"
# WEB-MISC Macromedia SiteSpring cross site scripting attempt
SecFilterSelective THE_REQUEST "<script"
# WEB-MISC mailman cross site scripting attempt
SecFilterSelective THE_REQUEST "<script"
# WEB-MISC webalizer access
SecFilterSelective THE_REQUEST "/webalizer/" log,pass
# WEB-MISC webcart-lite access
SecFilterSelective THE_REQUEST "/webcart-lite/" log,pass
# WEB-MISC active.log access
SecFilterSelective THE_REQUEST "/active\.log" log,pass
# WEB-MISC robots.txt access
SecFilterSelective THE_REQUEST "/robots\.txt" log,pass
# WEB-MISC robot.txt access
SecFilterSelective THE_REQUEST "/robot\.txt" log,pass
# WEB-MISC CISCO PIX Firewall Manager directory traversal attempt
SecFilterSelective THE_REQUEST "/pixfir~1/how_to_login\.html"
# WEB-MISC Sun JavaServer default password login attempt
SecFilterSelective THE_REQUEST "/servlet/admin" chain
SecFilter "ae9f86d6beaa3f9ecb9a5b7e072a4138"
# WEB-MISC Linksys router default password login attempt (:admin)
SecFilter "Authorization\: Basic OmFkbWlu"
# WEB-MISC Linksys router default password login attempt (admin:admin)
SecFilter "YWRtaW46YWRtaW4"
# WEB-MISC Oracle XSQLConfig.xml access
SecFilterSelective THE_REQUEST "/XSQLConfig\.xml" log,pass
# WEB-MISC Oracle Dynamic Monitoring Services (dms) access
SecFilterSelective THE_REQUEST "/dms0" log,pass
# WEB-MISC globals.jsa access
SecFilterSelective THE_REQUEST "/globals\.jsa" log,pass
# WEB-MISC Oracle Java Process Manager access
SecFilterSelective THE_REQUEST "/oprocmgr-status" log,pass
# WEB-MISC /Carello/add.exe access
SecFilterSelective THE_REQUEST "/Carello/add\.exe" log,pass
# WEB-MISC ion-p access
SecFilterSelective THE_REQUEST "/ion-p" log,pass
# WEB-MISC answerbook2 admin attempt
SecFilterSelective THE_REQUEST "/cgi-bin/admin/admin" log,pass
# WEB-MISC answerbook2 arbitrary command execution attempt
SecFilterSelective THE_REQUEST "/ab2/" chain
SecFilter "\;"
# WEB-MISC perl post attempt
SecFilterSelective THE_REQUEST "/perl/" chain
SecFilter "POST"
# WEB-MISC TRACE attempt
# Tests the method itself; a plain SecFilter "TRACE" also matched the word in any URL or POST body (e.g. "stacktrace")
SecFilterSelective REQUEST_METHOD "^TRACE$"
# WEB-MISC DB4Web access
SecFilterSelective THE_REQUEST "/DB4Web/" log,pass
# WEB-MISC iPlanet .perf access
SecFilterSelective THE_REQUEST "/\.perf" log,pass
# WEB-MISC Demarc SQL injection attempt
SecFilterSelective THE_REQUEST "/dm/demarc" chain
SecFilter "'" log,pass
# WEB-MISC Lotus Notes .csp script source download attempt
#SecFilterSelective THE_REQUEST "\.csp" chain
#SecFilter "\."
# WEB-MISC Lotus Notes .pl script source download attempt
#SecFilterSelective THE_REQUEST "\.pl" chain
#SecFilter "\."
# WEB-MISC BitKeeper arbitrary command attempt
SecFilterSelective THE_REQUEST "/diffs/" chain
SecFilter "'"
# WEB-MISC chip.ini access
SecFilterSelective THE_REQUEST "/chip\.ini" log,pass
# WEB-MISC lyris.pl access
SecFilterSelective THE_REQUEST "/lyris\.pl" log,pass
# WEB-MISC globals.pl access
SecFilterSelective THE_REQUEST "/globals\.pl" log,pass
# WEB-MISC philboard.mdb access
SecFilterSelective THE_REQUEST "/philboard\.mdb" log,pass
# WEB-MISC philboard_admin.asp authentication bypass attempt
SecFilterSelective THE_REQUEST "/philboard_admin\.asp" chain
SecFilter "philboard_admin=True"
# WEB-MISC philboard_admin.asp access
SecFilterSelective THE_REQUEST "/philboard_admin\.asp" log,pass
# WEB-MISC logicworks.ini access
SecFilterSelective THE_REQUEST "/logicworks\.ini" log,pass
# WEB-MISC /*.shtml access
SecFilterSelective THE_REQUEST "/*\.shtml" log,pass
# WEB-MISC mod_gzip_status access
SecFilterSelective THE_REQUEST "/mod_gzip_status" log,pass
# WEB-PHP bb_smilies.php access
SecFilterSelective THE_REQUEST "/bb_smilies\.php" log,pass
# WEB-PHP squirrel mail spell-check arbitrary command attempt
SecFilterSelective THE_REQUEST "/squirrelspell/modules/check_me\.mod\.php" chain
SecFilter "SQSPELL_APP\["
# WEB-PHP squirrel mail theme arbitrary command attempt
SecFilterSelective THE_REQUEST "/left_main\.php" chain
SecFilter "cmdd="
# WEB-PHP DNSTools administrator authentication bypass attempt
SecFilterSelective THE_REQUEST "/dnstools\.php" chain
SecFilter "user_dnstools_administrator=true"
# WEB-PHP DNSTools authentication bypass attempt
SecFilterSelective THE_REQUEST "/dnstools\.php" chain
SecFilter "user_logged_in=true"
# WEB-PHP DNSTools access
SecFilterSelective THE_REQUEST "/dnstools\.php" log,pass
# WEB-PHP Blahz-DNS dostuff.php modify user attempt
SecFilterSelective THE_REQUEST "/dostuff\.php\?action=modify_user"
# WEB-PHP Blahz-DNS dostuff.php access
SecFilterSelective THE_REQUEST "/dostuff\.php" log,pass
# WEB-PHP Messagerie supp_membre.php access
SecFilterSelective THE_REQUEST "/supp_membre\.php" log,pass
# WEB-PHP php.exe access
SecFilterSelective THE_REQUEST "/php\.exe" log,pass
# WEB-PHP directory.php arbitrary command attempt
SecFilterSelective THE_REQUEST "/directory\.php" chain
SecFilter "\;"
# WEB-PHP directory.php access
SecFilterSelective THE_REQUEST "/directory\.php"
# WEB-PHP PHP-Wiki cross site scripting attempt
SecFilterSelective THE_REQUEST "<script"
# WEB-PHP phpbb quick-reply.php arbitrary command attempt
SecFilterSelective THE_REQUEST "/quick-reply\.php" chain
SecFilter "phpbb_root_path="
# WEB-PHP phpbb quick-reply.php access
SecFilterSelective THE_REQUEST "/quick-reply\.php" log,pass
# WEB-PHP read_body.php access attempt
SecFilterSelective THE_REQUEST "/read_body\.php" log,pass
# WEB-PHP calendar.php access
SecFilterSelective THE_REQUEST "/calendar\.php" log,pass
# WEB-PHP edit_image.php access
SecFilterSelective THE_REQUEST "/edit_image\.php" log,pass
# WEB-PHP readmsg.php access
SecFilterSelective THE_REQUEST "/readmsg\.php" log,pass
# WEB-PHP external include path
SecFilterSelective THE_REQUEST "\.php" chain
SecFilter "path=http\://"
# WEB-PHP Phorum admin access
SecFilterSelective THE_REQUEST "/admin\.php3"
# WEB-PHP piranha passwd.php3 access
SecFilterSelective THE_REQUEST "/passwd\.php3"
# WEB-PHP Phorum read access
SecFilterSelective THE_REQUEST "/read\.php3"
# WEB-PHP Phorum violation access
SecFilterSelective THE_REQUEST "/violation\.php3"
# WEB-PHP Phorum code access
SecFilterSelective THE_REQUEST "/code\.php3"
# WEB-PHP admin.php file upload attempt
SecFilterSelective THE_REQUEST "/admin\.php" chain
SecFilter "file_name="
# WEB-PHP admin.php access
SecFilterSelective THE_REQUEST "/admin\.php"
# WEB-PHP smssend.php access
SecFilterSelective THE_REQUEST "/smssend\.php" log,pass
# WEB-PHP PHP-Nuke remote file include attempt
SecFilterSelective THE_REQUEST "index\.php" chain
SecFilter "file=http\://"
# WEB-PHP Phorum /support/common.php attempt
SecFilterSelective THE_REQUEST "/support/common\.php" chain
SecFilter "ForumLang=\.\./"
# WEB-PHP Phorum /support/common.php access
SecFilterSelective THE_REQUEST "/support/common\.php"
# WEB-PHP Phorum authentication access
SecFilter "PHP_AUTH_USER=boogieman"
# WEB-PHP strings overflow
SecFilterSelective THE_REQUEST "\?STRENGUR"
# WEB-PHP PHPLIB remote command attempt
SecFilter "_PHPLIB\[libdir\]"
# WEB-PHP PHPLIB remote command attempt
SecFilterSelective THE_REQUEST "/db_mysql\.inc"
# WEB-PHP Mambo uploadimage.php upload php file attempt
SecFilterSelective THE_REQUEST "/uploadimage\.php" chain
SecFilter "\.php"
# WEB-PHP Mambo upload.php upload php file attempt
SecFilterSelective THE_REQUEST "/upload\.php" chain
SecFilter "\.php"
# WEB-PHP Mambo uploadimage.php access
SecFilterSelective THE_REQUEST "/uploadimage\.php" log,pass
# WEB-PHP Mambo upload.php access
SecFilterSelective THE_REQUEST "/upload\.php" log,pass
# WEB-PHP phpBB privmsg.php access
SecFilterSelective THE_REQUEST "/privmsg\.php" log,pass
# WEB-PHP p-news.php access
SecFilterSelective THE_REQUEST "/p-news\.php" log,pass
# WEB-PHP shoutbox.php directory traversal attempt
SecFilterSelective THE_REQUEST "/shoutbox\.php" chain
SecFilter "\.\./"
# WEB-PHP shoutbox.php access
SecFilterSelective THE_REQUEST "/shoutbox\.php" log,pass
# WEB-PHP b2 cafelog gm-2-b2.php remote command execution attempt
SecFilterSelective THE_REQUEST "/gm-2-b2\.php" chain
SecFilter "b2inc=http"
# WEB-PHP b2 cafelog gm-2-b2.php access
SecFilterSelective THE_REQUEST "/gm-2-b2\.php" log,pass
# WEB-PHP TextPortal admin.php default password (admin) attempt
SecFilterSelective THE_REQUEST "/admin\.php" chain
SecFilter "password=admin" log,pass
# WEB-PHP TextPortal admin.php default password (12345) attempt
SecFilterSelective THE_REQUEST "/admin\.php" chain
SecFilter "password=12345" log,pass
# WEB-PHP BLNews objects.inc.php4 remote command execution attempt
SecFilterSelective THE_REQUEST "/objects\.inc\.php4" chain
SecFilter "Server\[path\]=http"
# WEB-PHP BLNews objects.inc.php4 access
SecFilterSelective THE_REQUEST "/objects\.inc\.php4" log,pass
# WEB-PHP Turba status.php access
SecFilterSelective THE_REQUEST "/turba/status\.php" log,pass
# WEB-PHP ttCMS header.php remote command execution attempt
SecFilterSelective THE_REQUEST "/admin/templates/header\.php" chain
SecFilter "admin_root=http"
# WEB-PHP ttCMS header.php access
SecFilterSelective THE_REQUEST "/admin/templates/header\.php" log,pass
# WEB-PHP test.php access
SecFilterSelective THE_REQUEST "/test\.php" log,pass
# WEB-PHP autohtml.php directory traversal attempt
SecFilterSelective THE_REQUEST "/autohtml\.php" chain
SecFilter "\.\./\.\./"
# WEB-PHP autohtml.php access
SecFilterSelective THE_REQUEST "/autohtml\.php" log,pass
# WEB-PHP ttforum remote command execution attempt
SecFilterSelective THE_REQUEST "forum/index\.php" chain
SecFilter "template=http"
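The following is an added example, not part of the original AppNote and not ModSecurity's own code: a small Python evaluator for the SecFilter / SecFilterSelective syntax used in the listing above, run against constructed sample requests. It assumes ModSecurity 1.x semantics as this listing relies on them (patterns are regular expressions matched case-insensitively after URL decoding; a plain SecFilter is applied to the request line, query string and POST body while SecFilterSelective is applied only to the named location; "chain" requires every link to match; "log,pass" logs without blocking) and uses a constructed seven-rule excerpt rather than the whole list. The rule names, sample URLs and parameters are all made up for the illustration. Running it shows a chained rule firing on a loadpage.cgi traversal while a clean call to the same script only logs, and shows how word patterns such as "cat " or a bare "TRACE" also deny legitimate requests, which is why a list of this size should first run with log,pass against real traffic.

```python
"""Offline evaluator for the ModSecurity 1.x SecFilter / SecFilterSelective
syntax used in the listing, run over constructed requests (added example)."""
import re
from collections import namedtuple
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed excerpt in the listing's syntax; both TRACE forms are included
# on purpose so the difference in scope shows up in the results.
RULES_TEXT = r'''
# WEB-CGI loadpage.cgi directory traversal attempt
SecFilterSelective THE_REQUEST "/loadpage\.cgi" chain
SecFilter "file=\.\./"
# WEB-CGI loadpage.cgi access
SecFilterSelective THE_REQUEST "/loadpage\.cgi" log,pass
# WEB-MISC cat%20 access
SecFilter "cat\x20"
# WEB-MISC /etc/passwd
SecFilter "/etc/passwd"
# WEB-MISC TRACE attempt (as listed)
SecFilter "TRACE"
# WEB-MISC TRACE method only
SecFilterSelective REQUEST_METHOD "^TRACE$"
'''

# name comes from the preceding comment; location is None for a plain SecFilter
Rule = namedtuple("Rule", "name location pattern actions")
RULE_RE = re.compile(r'^(?:SecFilterSelective\s+(\S+)|SecFilter)\s+"((?:[^"\\]|\\.)*)"\s*(.*)$')

@dataclass
class Request:
    method: str
    uri: str
    body: str = ""
    version: str = "HTTP/1.0"

    def value(self, location):
        """Text a rule is matched against. Assumption: 1.x URL-decodes first and
        applies a plain SecFilter to the request line, query string and body."""
        uri = unquote(self.uri)
        the_request = f"{self.method} {uri} {self.version}"
        query, body = uri.partition("?")[2], unquote(self.body)
        if location is None:
            return "\n".join((the_request, query, body))
        return {"THE_REQUEST": the_request, "REQUEST_METHOD": self.method,
                "REQUEST_URI": uri, "QUERY_STRING": query, "POST_PAYLOAD": body}[location]

def parse_rules(text):
    rules, name = [], ""
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("#"):
            name = line.lstrip("# ")
        elif line:
            m = RULE_RE.match(line)
            if not m:
                raise ValueError("unparsed rule line: " + line)
            actions = [a.strip() for a in m.group(3).split(",") if a.strip()]
            # 1.x matches case-insensitively, so compile every pattern that way
            rules.append(Rule(name, m.group(1), re.compile(m.group(2), re.IGNORECASE), actions))
    return rules

def evaluate(rules, req):
    """Return (verdict, hits); hits lists (rule name, 'deny'|'pass') per match.
    'chain' joins a rule to the next one and every link must match; the
    default action is deny, 'log,pass' logs without blocking."""
    hits, i = [], 0
    while i < len(rules):
        start, matched = i, True
        while True:  # walk a single rule or every link of a chain
            rule = rules[i]
            if matched and not rule.pattern.search(req.value(rule.location)):
                matched = False  # one failed link invalidates the whole chain
            if "chain" not in rule.actions or i + 1 == len(rules):
                break
            i += 1
        if matched:
            passive = any("pass" in r.actions for r in rules[start:i + 1])
            hits.append((rules[start].name, "pass" if passive else "deny"))
        i += 1
    return ("deny" if any(a == "deny" for _, a in hits) else "allow"), hits

# Constructed traffic: two attacks, one clean call to the same CGI, and two
# legitimate requests that the broad word patterns catch anyway.
SAMPLES = {
    "traversal": Request("GET", "/cgi-bin/loadpage.cgi?file=..%2F..%2F..%2Fetc%2Fpasswd"),
    "clean_cgi": Request("GET", "/cgi-bin/loadpage.cgi?file=index.html"),
    "trace": Request("TRACE", "/"),
    "search_fp": Request("GET", "/search.cgi?q=cat%20food"),
    "post_fp": Request("POST", "/feedback.cgi", body="text=stacktrace%20attached"),
}

def run_samples():
    """Map each sample name to (verdict, names of the rules that would deny it)."""
    rules = parse_rules(RULES_TEXT)
    results = {}
    for name, req in SAMPLES.items():
        verdict, hits = evaluate(rules, req)
        results[name] = (verdict, [rule for rule, action in hits if action == "deny"])
    return results

if __name__ == "__main__":
    for name, (verdict, denied_by) in run_samples().items():
        print(f"{name:10s} {verdict:5s} {denied_by}")
```

The evaluator models only the locations the excerpt needs (THE_REQUEST, REQUEST_METHOD, REQUEST_URI, QUERY_STRING, POST_PAYLOAD) and only URL decoding as normalization; header variables and the module's other transformations are left out, so treat a "deny" here as a reason to look at a rule, not as a substitute for testing it on the server.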
Reader Comments
- Has nothing to do with the problem asked about!
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com
