[Owncloud] [Alpha] mod_security rules for ownCloud 5.0

Lukas Reschke lukas at owncloud.org
Mon May 6 13:29:56 UTC 2013


Hey all,

I just released a custom mod_security <https://modsecurity.org/> ruleset
for ownCloud 5.0. - I've rewritten the whole set yesterday which means that
it most probably still has some bugs inside ;-)

The ruleset is written following a positive security model, this means all
requests and parameters have been manually whitelisted (e.g. a parameter
called ID only allows ^[0-9]+$). This has the advantage that it can
prevent a lot of potential security bugs and also would have "prevented"
nearly all of the past security issues.

If you're a brave person that wants to harden your installation, check it
out <https://github.com/owncloud/mod_security/tree/stable5> and report
bugs <https://github.com/owncloud/mod_security/issues>.
- The installation should be straightforward, just clone the stable5
branch somewhere and include it as it is done in the README.

Please notice:
- Compatible with the current stable5 Git version of ownCloud (aka the
upcoming 5.0.6)
- At the moment only tested with mod_security 2.6
- Most probably only compatible with Apache since it uses <LocationMatch>
- The kiddy_blocker rules are not yet compatible with reverse proxies; if
you have a reverse proxy in place, don't include them.
- This is only compatible with the packaged apps of ownCloud - if you need
another one: Please write the ruleset yourself and make a pull request.
(I'll write some rules for some apps I use soon - e.g. the awesome news app
by Bernhard)

Cheers,
Lukas

-- 
ownCloud
Your Cloud, Your Data, Your Way!

GPG: 0xEB32B77BA406BE99
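A minimal rule block in the positive-security style the post describes, added here as an illustration; it is not taken from the ownCloud ruleset, the endpoint path and the parameter names other than ID are hypothetical, and it assumes ModSecurity 2.x running inside Apache.

```apache
# Added example (not from the ownCloud ruleset): a positive-security rule block
# for a hypothetical endpoint. Only the request methods and parameters listed
# here are accepted; everything else is denied with a 403 and logged.
<LocationMatch "^/index\.php/apps/example/ajax/item\.php$">
    # Deny and log by default when a rule matches, in the request-body phase
    SecDefaultAction "phase:2,deny,status:403,log,auditlog"

    # 1. Only GET and POST are expected at this location
    SecRule REQUEST_METHOD "!^(?:GET|POST)$" \
        "id:9000001,t:none,msg:'Unexpected request method'"

    # 2. Reject any parameter name that is not on the whitelist
    SecRule ARGS_NAMES "!^(?:id|action)$" \
        "id:9000002,t:none,msg:'Unknown parameter %{MATCHED_VAR}'"

    # 3. Per-parameter value constraints (the ID example from the post)
    SecRule ARGS:id "!^[0-9]+$" \
        "id:9000003,t:none,msg:'Parameter id must be numeric'"
    SecRule ARGS:action "!^(?:get|delete)$" \
        "id:9000004,t:none,msg:'Parameter action not in whitelist'"

    # 4. Cap the argument count so duplicated names cannot slip past rule 2
    SecRule &ARGS "@gt 2" \
        "id:9000005,t:none,msg:'Too many parameters'"
</LocationMatch>
```

Because every request to the matched location must satisfy all rules, a parameter introduced by an app update is rejected until the whitelist is extended, which is the maintenance trade-off of this model.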