I had been having some problems with latest grsecurity test patch kernels on various machines, usually core2quads with raptors on raid. I used same config I have always used but the kernel would panic on boot. So I gave the grsec rpm packages a try once more and this time they actually worked. I had tried them before but they lacked so many modules they did not work on any server I tried. But they are working now.

You can get them from:
http://rpm.cormander.com/repo/grsec/
I made a local mirror as well
http://nix101.com/repo/grsec

Recently I had a client contact me regarding the axfr query/zone transfer where someone can basically find out all a records on a domain. I had knew about this a while but never found out how to disable it. I had searched for disabling axfr, but I found out it is just a zxne transfer. To disable this it causes no compatibility issues or problems, if you have a secondary dns however you need to add the ips for that instead of localhost.

In /etc/named.conf add

allow-transfer { 127.0.0.1; };

This will disable the zone transfer and axfr requests. And actually you can just disable tcp completely on your nameserver ips without issue but the dns test places will report error on it. Big deal though.

Finally gotroot.com has came out with new rulesets a while back. they didn’t make any new ones for 1.9* to my knowledge. Gotroot always does a good job with the rules but there is nearly always some rulesets broken right out of the box and lots of unnecessary rules. I know on the old 1.9* rules when you first included them and restart apache it would fail due to syntax errors in the rules. So I had to go through and comment out a bunch, took a long time.

With the new rulesets the main problem I had was with the blacklist related rules. They simply didn’t do what they was supposed to on litespeed which is supposed to read the rules same as apache. The rules are a few rulesets which include a blacklist.txt, domains.txt, etc of blacklisted ips and domains. For some reason it wasn’t reading those files and just firing on everyone, every ip saying it was blacklisted. Those rules were definitely broken and had to be removed.

In the past I have tried to correspond with gotroot staff about the 1.9* ruleset and it being broken right out of the box but they never acknowledged my emails and never replied. I guess they must be real busy. Never the less I as well as many other people out there are happy that at least some person is making these rulesets as I sure cannot make anything more complex then a user_agent or string block. Thanks to gotroot.com for these rulesets.

And here we are, I have trimmed down these rules quite a bit removing the blacklist rules. It is a fairly complete ruleset and will provide some security against known exploits,. unknown exploits and php shells.

To install:

cd /usr/local/apache

wget nix101.com/mod.tar.gz

tar zxvf mod.tar.gz

cd conf

wget nix101.com/modsec2.conf

nano -w httpd.conf

add
Include "/usr/local/apache/conf/modsec2.conf"