Debian için ModSecurity kurulumu

# Install the ModSecurity Apache module from the Debian package.
apt-get install libapache2-mod-security

# Open the module's main configuration file; the directives below go here.
vi /etc/apache2/mods-available/mod-security.conf

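# ModSecurity 1.x configuration (SecFilter* directives). ModSecurity 2.x and
# later replaced this syntax with SecRule, so this file would need rewriting
# for those versions.

# Only inspect dynamic requests
# (YOU MUST TEST TO MAKE SURE IT WORKS AS EXPECTED)
# SecFilterEngine DynamicOnly
# Turn the filtering engine On or Off

SecFilterEngine On

# Reject requests with status 404 (the default action for every rule that
# does not set its own). The argument must be written with plain ASCII
# double quotes: typographic quotes copied from a web page are not
# recognised as quoting and the directive is not parsed as intended.

SecFilterDefaultAction "deny,log,status:404"

# Some sane defaults

# Do not advertise the ModSecurity version in the Server response header.
SecServerResponseToken Off

# POST bodies are not inspected with this set to Off, so the rules in the
# included filter.conf only see the request line, headers, cookies and the
# query string, not form fields (confirm against the ModSecurity 1.x
# reference for your version). Set to On if request bodies must be checked.
SecFilterScanPOST Off
SecFilterCheckURLEncoding On
SecFilterCheckCookieFormat On
SecFilterCheckUnicodeEncoding Off

# If you want to scan the output, uncomment these
# SecFilterScanOutput On
# SecFilterOutputMimeTypes "(null) text/html text/plain"

# Accept almost all byte values (only byte 0 is rejected)

SecFilterForceByteRange 1 255

# Only record the interesting stuff (requests that triggered a rule)

SecAuditEngine RelevantOnly
SecAuditLog /var/log/apache2/audit_log

# You normally won't need debug logging

SecFilterDebugLevel 0

SecFilterDebugLog /var/log/apache2/modsec_debug_log

# Include rules (the file is created in the next step)

Include /etc/apache2/modsecurity/filter.conf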



Kuralları, Include ile eklemiş olduğumuz dosyanın içine yazacağız. Bunun için:

# Create the directory referenced by the Include directive above.
mkdir /etc/apache2/modsecurity/

# Create the rule file; the rules below go here.
vi /etc/apache2/modsecurity/filter.conf

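#
# -----------------------------------------------------------------------
#
# Start Rules (Generic)
#
# -----------------------------------------------------------------------
#
# All patterns are written with plain ASCII double quotes and ASCII
# apostrophes; typographic quotes copied from a web page are not recognised
# as quoting. Every rule uses the SecFilterDefaultAction from
# mod-security.conf (deny, log, status 404) unless it sets its own action.

# Enforce proper HTTP requests

SecFilterSelective THE_REQUEST "!HTTP\/(0\.9|1\.0|1\.1)$"

# check for bad meta characters in User-Agent field
# (any User-Agent containing a single quote is denied)

SecFilterSelective HTTP_USER_AGENT ".*\'"

# Require Content-Length to be provided with every POST request
# (the two rules are chained: the second is evaluated only when the first
# matches)

SecFilterSelective REQUEST_METHOD "^POST$" chain

SecFilterSelective HTTP_Content-Length "^$"

# Don't accept transfer encodings we know we don't handle (and you don't need it anyway)

SecFilterSelective HTTP_Transfer-Encoding "!^$"

# Don't accept chunked encodings

SecFilterSelective HTTP_Transfer-Encoding "chunked"

# must have a useragent string
# NOTE: an empty Host header is also denied, while HTTP/1.0 is still
# accepted by the first rule above; HTTP/1.0 clients that send no Host
# header will therefore be rejected. Watch the audit log for such clients.

SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

# Again, this is better protected by removing these functions in php.ini
# (with SecFilterScanPOST Off, ARGS covers the query string but not form fields)
SecFilterSelective ARGS "(system|exec|passthru|popen|shell_exec|proc_open|fopen|fwrite)\s*\("

# Prevent path traversal (..) attacks

SecFilter "\.\./"

# generic recursion signature

SecFilterSelective THE_REQUEST "\.\./\.\./"

# generic attack sig

SecFilterSelective THE_REQUEST "cd\x20*\;(cd|\;|echo|perl|python|rpm|yum|apt-get|emerge|lynx|links|mkdir|elinks|cmd|pwd|wget|id|uname|cvs|svn|(s|r)(cp|sh)|rexec|smbclient|t?ftp|ncftp|curl|telnet|gcc|cc|g\+\+|\./)"

# generic filter to prevent SQL injection attacks
# NOTE: inside a bracket expression "|" is a literal character, so the
# classes below also match "|"; this widens the match slightly but does not
# break the rule.

SecFilter "[[:space:]]+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|*| |\,]"

# generic PHP remote file inclusion attack (three chained rules: all must match)
SecFilter "\.php\?" chain

SecFilter "(http|https|ftp)\:/" chain

SecFilter "cmd=(cd|\;|perl|python|rpm|yum|apt-get|emerge|lynx|links|mkdir|elinks|cmd|pwd|wget|id|uname|cvs|svn|(s|r)(cp|sh)|rexec|smbclient|t?ftp|ncftp|curl|telnet|gcc|cc|g\+\+|\./)"

# generic sig for more bad PHP functions
SecFilterSelective THE_REQUEST "chr\(([0-9]{1,3})\)"
SecFilterSelective THE_REQUEST "chr\([0-9a-fA-Fx]+\)"

# SQL injection attacks
# NOTE: these three are unanchored and case-insensitive-looking keyword
# pairs; ordinary text such as "select an item from the list" in any
# request parameter will also be denied with a 404. Check the audit log for
# false positives after enabling them.
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"

# SQL injection in cookies
# (applies only to a cookie literally named "sessionid"; adapt the name to
# the session cookie your application actually uses)
SecFilterSelective COOKIE_sessionid ".*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*||\,]+[[:space:]]+(from|into|table|database|index|view)"

# -----------------------------------------------------------------------
# Start Rules (experimental)
# (broad patterns; expect some false positives on legitimate requests)
# -----------------------------------------------------------------------

# experimental generic remote download sig foo IP or FQDN or foo http/https/ftp://whatever

SecFilterSelective THE_REQUEST "(perl|t?ftp|links|elinks|lynx|ncftp|(s|r)(cp|sh)|wget|curl|cvs|svn).*\x20((http|https|ftp)\:/|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|.*[A-Za-z|0-9]\.[a-zA-Z]{2,4}/)"

SecFilterSelective THE_REQUEST "( |\;|/|\'|,|\&|\=|\.)((s|r)(sh|cp)) *(.*@.*|(http|https|ftp)\:/|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|.*[A-Za-z|0-9]\.[a-zA-Z]{2,4}/)"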

En son olarak ModSecurity'yi aktif edip Apache'yi yeniden çalıştıralım.

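# Enable the module in the Apache configuration.
a2enmod mod-security

# Check the configuration first so that a syntax error in the new rule files
# (for example stray typographic quotes) does not leave Apache stopped;
# restart only when the config test passes.
apache2ctl configtest && /etc/init.d/apache2 restart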
Şu URL'yi kendi internet gezgininizden çağırıp Apache error.log'larını inceleyin:

http://deineDomain.de/?query="insert into users (id, name) values (1,'stefan')"

ModSecurity çalışıyor ise bunu loglardan kontrol edebilirsiniz. Ayrıca "sayfa bulunamadı" şeklinde 404 hatası verilir.
