How to prevent executing Perl scripts in /var/tmp

bipinkdas (Verified User; joined Nov 23, 2006; 29 messages; location: India)
Hi

I am using Apache 1.3.37 with Debian sarge. I have installed mod_security 1.9.4. Please let me know how to prevent executing Perl scripts in the /var/tmp directory. Which rule should I add?

Thanks in advance
BipinDas
 
We make /var/tmp a link to /tmp and make that a partition with NOEXEC set.

Jeff
 
No matter if /tmp is noexec or not, I've always still been able to run Perl exploits by just typing perl sploit.pl
 
And the only way to fix that is to make your tmp directory non-readable.

Which of course greatly limits its usefulness.

:)

Jeff
 
Dear friends,
That's OK. What I am looking for is whether there is any possibility to prevent the execution.
If the answer is no, no problem. I don't have much experience in server hardening; that's why I am searching.

thanks
 
And therefore users can't use perl cgi scripts either.
Are you sure, floyd? CGI programs should be running through the Perl module built into Apache.

But it will stop users from running perl scripts from cronjobs.

Jeff
 
Are you sure, floyd? CGI programs should be running through the Perl module built into Apache.

If you chmod 700 /usr/bin/perl then only root can run the Perl interpreter. CGIs run as the user. They can also run as apache if run under mod_perl, much like PHP does. But either way will be prevented when you chmod perl to 700. The only way to run a Perl script for a web page at that point would be to run it as root, and nobody wants that.
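The thread names two host-level controls: Jeff's noexec partition for /tmp (with /var/tmp linked to it) and the chmod 700 /usr/bin/perl approach above. The following shell audit script is an added example, not code from any poster: it parses a /proc/mounts table to report whether /tmp and /var/tmp carry noexec, nosuid and nodev, and reads an ls -ld line to report who holds the execute bit on the interpreter. The mounts table and ls lines it starts from are constructed samples, and the function names (mount_opts, has_opt, exec_scope, report) are my own; on a live host point it at /proc/mounts and ls -ld /usr/bin/perl, which the last block does when they exist.

```shell
#!/bin/sh
# Added example (not from the thread): audit the two controls discussed above.
#  1. Are /tmp and /var/tmp on a filesystem mounted noexec (and nosuid, nodev)?
#  2. Who can execute an interpreter such as /usr/bin/perl (owner, group, other)?
# Both checks take their input as text so they run offline against the constructed
# samples below; on a live host feed them /proc/mounts and `ls -ld`.

# Constructed /proc/mounts table (device, mountpoint, fstype, options, dump, pass).
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,relatime 0 0
/dev/sda3 /tmp ext3 rw,nosuid,nodev,noexec 0 0
/dev/sda5 /home ext3 rw 0 0'

# Constructed `ls -ld` lines; the modes are chosen for the example, not taken from a host.
SAMPLE_PERL_DEFAULT='-rwxr-xr-x 2 root root 1021080 Jan  1  2006 /usr/bin/perl'
SAMPLE_PERL_LOCKED='-rwx------ 2 root root 1021080 Jan  1  2006 /usr/bin/perl'

# mount_opts <mounts-table> <path>
# Print the option string of the deepest mount point that contains <path>
# (a file under /tmp/x inherits the options of the /tmp mount).
mount_opts() {
    printf '%s\n' "$1" | awk -v p="$2" '
        {
            mp = $2
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) > length(best)) { best = mp; opts = $4 }
            }
        }
        END { print opts }'
}

# has_opt <mounts-table> <path> <option>: exit 0 when the option is set on that mount.
has_opt() {
    case ",$(mount_opts "$1" "$2")," in
        *",$3,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# exec_scope <ls -ld line>: print who holds the execute bit ("owner", "group",
# "other", space separated) or "none". Positions 4, 7 and 10 of the mode string
# are the owner, group and other execute bits (s/t cover setuid/setgid/sticky).
exec_scope() {
    perms=${1%% *}
    out=
    case $perms in ???[xs]*)       out="owner" ;; esac
    case $perms in ??????[xs]*)    out="${out:+$out }group" ;; esac
    case $perms in ?????????[xt]*) out="${out:+$out }other" ;; esac
    printf '%s\n' "${out:-none}"
}

# report <mounts-table> <ls -ld line for the interpreter>
# If /var/tmp is a symlink to /tmp (the layout Jeff describes), pass the
# resolved path instead, e.g. "$(readlink -f /var/tmp)".
report() {
    for d in /tmp /var/tmp; do
        for o in noexec nosuid nodev; do
            if has_opt "$1" "$d" "$o"; then r=yes; else r=no; fi
            printf '%-9s %-6s %s\n' "$d" "$o" "$r"
        done
    done
    printf 'interpreter executable by: %s\n' "$(exec_scope "$2")"
}

echo "--- constructed sample ---"
report "$SAMPLE_MOUNTS" "$SAMPLE_PERL_DEFAULT"

# Live run, Linux only, when the inputs exist.
if [ -r /proc/mounts ] && [ -e /usr/bin/perl ]; then
    echo "--- this host ---"
    report "$(cat /proc/mounts)" "$(ls -ld /usr/bin/perl)"
fi
```

In the constructed sample /tmp reports noexec=yes while /var/tmp reports noexec=no, which is exactly the gap the original question is about unless /var/tmp is moved onto the same mount. The interpreter check makes the trade-off in the post above visible: the default mode reports "owner group other", and the locked-down mode reports only "owner", which is why CGI scripts running as a regular user stop working.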
 
As a noob, I think that ModSecurity can examine the whole request/URL triggered by the hacker, find the "perl " phrase and block the request. Maybe the following rule by Comodo (https://waf.comodo.com/ ; https://modsecurity.comodo.com/) does that.

Code:
SecMarker SECMARKER_211070
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:prev_sql_query|!ARGS:sql_query|!ARGS:text|!ARGS:/^where_clause(?:\[\d*])?$/|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "@pm cd chmod cmd .exe echo net tclsh telnet tftp traceroute tracert g++ gcc chgrp chown chsh cpp finger ftp id ls lsof nasm nc nmap passwd perl ping ps python telnet uname xterm rm kill mail" \
        "id:211210,chain,msg:'COMODO WAF: System Command Injection||%{tx.domain}|%{tx.mode}|2',phase:2,block,setvar:'tx.matched_var_name=%{MATCHED_VAR_NAME}',logdata:'Matched Data: %{TX.0} found within %{tx.matched_var_name}: %{MATCHED_VAR}',ctl:auditLogParts=+E,t:none,t:cmdLine,rev:8,severity:2,tag:'CWAF',tag:'Generic'"
SecRule MATCHED_VAR "@rx (?:\b(?:c(?:d(?:\b[^a-zA-Z0-9_]{0,}?[\/]|[^a-zA-Z0-9_]{0,}?\.\.)|hmod.{0,40}?\+.{0,3}x|md(?:\b[^a-zA-Z0-9_]{0,}?\/c|(?:\.exe|32)\b))|(?:echo\b[^a-zA-Z0-9_]{0,}?\by{1,}|n(?:et(?:\b[^a-zA-Z0-9_]{1,}?\blocalgroup|\.exe)|(?:c|map)\.exe)|t(?:clsh8{0,1}|elnet\.exe|ftp|racer(?:oute|t))|(?:ftp|rcmd|w(?:guest|sh))\.exe)\b)|[;`|][^a-zA-Z0-9_]{0,}?\b(?:g(?:\+\+|cc\b)|(?:c(?:h(?:grp|mod|own|sh)|md|pp)|echo|f(?:inger|tp)|id|ls(?:of){0,1}|n(?:asm|c|map)|p(?:asswd|erl|ing|s|ython)|telnet|uname|(?:xte){0,1}rm|(?:kil|mai)l)\b))" \
        "capture,setvar:'tx.points=+%{tx.points_limit4}',t:none,t:cmdLine,t:lowercase"

BTW, unsure if disabling Apache handling for CGI files can be effective in any way.
 