
Question about the Apache mod_security console

火星人 @ 2014-03-04, reply: 0


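When using mod_security, for some reason the console cannot read the log files that mod_security generates. Has anyone here used this module together with the console to analyze the audit logs? The contents of mod_security.conf are as follows: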

<IfModule mod_security.c>
# Turn the filtering engine On or Off
SecFilterEngine On
# Analyze each HTTP request
# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On
# Validate URL encoding
# Only allow bytes from this range
SecFilterForceByteRange 1 255

# Byte range check, to effectively prevent stack overflow attacks.
# The audit engine works independently and
# can be turned On or Off on the per-server or
# on the per-directory basis
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4\d[^4])"
SecAuditLogType Concurrent
SecAuditLogParts ABCDEFGHZ
SecAuditLogStorageDir /usr/local/apache/logs/data/
SecAuditLog "|/usr/local/apache/bin/modsec-auditlog-collector.pl \
/usr/local/apache/logs/data/ /usr/local/apache/logs/modsec_audit.log /usr/local/apache/logs/index.log"
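# Effectively makes up for the Apache logs' lack of detail about a given user or attacker. For a
# detailed record of a request sent by a particular user or attacker, see the
# /var/log/httpd/audit_log file.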
# The name of the audit log file
SecAuditLog /usr/local/apache/logs/modsec_audit.log
SecFilterDebugLog /usr/local/apache/logs/modsec_debug.log
SecFilterDebugLevel 0
# Set the output file used in debug mode.
# Should mod_security inspect POST payloads
#SecFilterScanPOST On
# Action to take by default
SecFilterDefaultAction "deny,log,status:500"
# Set a specific action; 406 is the action name, and the preceding three are the action parameters.
# Redirect user on filter match
SecFilter sh redirect:http://www.google.com
SecFilter chmod redirect:http://www.google.com
SecFilter wget redirect:http://www.google.com
# When "sh" is matched, redirect to a special page to discourage the attacker
# Execute the external script on filter match
#SecFilter yyy log,exec:/data1/usr/apache/bin/report-attack.pl
# Simple filter
#SecFilter 111
# Only check the QUERY_STRING variable
#SecFilterSelective QUERY_STRING 222
# Only check the body of the POST request
#SecFilterSelective POST_PAYLOAD 333
# Only check arguments (will work for GET and POST)
#SecFilterSelective ARGS 444
# Test filter
SecFilter "/cgi-bin/keyword"
# Another test filter, will be denied with 404 but not logged
# action supplied as a parameter overrides the default action
#SecFilter 999 "deny,nolog,status:404"
# Prevent OS specific keywords
SecFilter /etc/password
SecFilter /etc/*passwd
SecFilter /bin/*sh
# Filter some sensitive strings; we use * in case an attacker uses /etc/./passwd to bypass detection
#   SecFilter "../"
# Prevent double-dot attacks, i.e. requests like http://www.test.com/openfile.php?path=/../../.
# Prevent path traversal (..) attacks
SecFilter "/././"
SecFilter "/../../"
SecFilter "\.\./"
# Block directory traversal attacks.
# Weaker XSS protection but allows common HTML tags
SecFilter "<( |\n)*script"
# Protect against unsafe XSS (cross-site scripting), but allow ordinary HTML tags.
# Prevent XSS attacks (HTML/Javascript injection)
SecFilter "<(.|\n)+>"
# Prevent XSS attacks (HTML/JavaScript injection)
# Very crude filters to prevent SQL injection attacks
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"
SecFilter "union[[:space:]]+from"
SecFilter "drop[[:space:]]table"
# Prevent SQL injection attacks
# Require HTTP_USER_AGENT and HTTP_HOST headers
SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"
# Require the HTTP_USER_AGENT and HTTP_HOST headers.
# Forbid file upload
#SecFilterSelective "HTTP_CONTENT_TYPE" multipart/form-data
# Only watch argument p1
#SecFilterSelective "ARG_p1" 555
# Watch all arguments except p1
#SecFilterSelective "ARGS|!ARG_p2" 666
# Only allow our own test utility to send requests (or Mozilla)
#SecFilterSelective HTTP_USER_AGENT "!(mod_security|mozilla)"
# Do not allow variables with this name
#SecFilterSelective ARGS_NAMES 777
# Do not allow this variable value (names are ok)
#SecFilterSelective ARGS_VALUES 888
# Stop spamming through FormMail
# note the exclamation mark at the beginning
# of the filter - only requests that match this regex will
# be allowed
#<Location /cgi-bin/FormMail>
#SecFilterSelective "ARG_recipient" "!@webkreator.com$"
#</Location>
# when allowing upload, only allow images
# note that this is not foolproof, a determined attacker
# could get around this
#<Location /fileupload.php>
#SecFilterInheritance Off
#SecFilterSelective POST_PAYLOAD "!image/(jpeg|bmp|gif)"
#</Location>
# Restricts /fileupload.php so that it can only be used to upload jpeg, bmp and gif images
# Disguise the server signature
SecServerSignature "Microsoft-IIS/6.0"
</IfModule>


http://coctec.com/docs/service/show-post-29673.html
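
An added example, not part of the original post or of ModSecurity: a small Python check for the audit-log directives in the configuration above, which sets SecAuditLog twice while SecAuditLogType is Concurrent. It assumes the usual Apache behaviour that a later single-valued directive in the same context replaces the earlier one; `parse_directives`, `audit_log_findings` and `SAMPLE` are hypothetical names, and `SAMPLE` is copied from the audit-log lines of the posted configuration.

```python
# Directives treated as single-valued (assumption: within one context the
# last occurrence wins, as is usual for Apache configuration directives).
SINGLE_VALUED = {"SecAuditEngine", "SecAuditLogType", "SecAuditLogParts",
                 "SecAuditLogStorageDir", "SecAuditLog"}

# Audit-log lines copied from the posted mod_security.conf.
SAMPLE = r'''
SecAuditEngine RelevantOnly
SecAuditLogType Concurrent
SecAuditLogStorageDir /usr/local/apache/logs/data/
SecAuditLog "|/usr/local/apache/bin/modsec-auditlog-collector.pl \
/usr/local/apache/logs/data/ /usr/local/apache/logs/modsec_audit.log /usr/local/apache/logs/index.log"
# The name of the audit log file
SecAuditLog /usr/local/apache/logs/modsec_audit.log
'''

def parse_directives(text):
    """Return [(line_no, name, args)], joining backslash continuations."""
    out, buf, start = [], "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf:
            if not line or line[0] in "#<":   # blank, comment, container tag
                continue
            start = no
        buf += line
        if buf.endswith("\\"):                # directive continues on next line
            buf = buf[:-1].rstrip() + " "
            continue
        parts = buf.split(None, 1)
        out.append((start, parts[0], parts[1] if len(parts) > 1 else ""))
        buf = ""
    return out

def audit_log_findings(text):
    """Report repeated single-valued directives and a non-piped Concurrent log."""
    seen, findings = {}, []
    for no, name, args in parse_directives(text):
        if name in SINGLE_VALUED:
            if name in seen:
                findings.append(f"line {no}: {name} repeats line {seen[name][0]}; "
                                f"effective value is {args!r}")
            seen[name] = (no, args.strip('"'))
    log_type = seen.get("SecAuditLogType", (0, "Serial"))[1]
    target = seen.get("SecAuditLog", (0, ""))[1]
    if log_type.lower() == "concurrent" and not target.startswith("|"):
        findings.append("SecAuditLogType is Concurrent but the effective "
                        "SecAuditLog is a plain file, not a piped collector")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_log_findings(SAMPLE)))
```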