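# mod_security 1.x rule set for Apache: engine setup, audit logging, the
# default action and a small set of request filters. Everything is wrapped in
# <IfModule> so the configuration still loads when the module is absent.
<IfModule mod_security.c>
    # Turn the filtering engine On or Off
    SecFilterEngine On

    # Reject requests whose URL encoding is invalid
    SecFilterCheckURLEncoding On

    # Only allow bytes in this range (rejects NUL bytes in the request; the
    # original note describes this as a guard against stack-overflow payloads)
    SecFilterForceByteRange 1 255

    # Audit engine: works independently of the filter engine and can be set
    # per-server or per-directory. RelevantOnly logs transactions whose status
    # matches SecAuditLogRelevantStatus: 5xx, plus 4xx whose last digit is not
    # 4 (so 404 is excluded).
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4\d[^4])"
    SecAuditLogType Concurrent
    SecAuditLogParts ABCDEFGHZ
    SecAuditLogStorageDir /usr/local/apache/logs/data/

    # Audit log destination. The original file set SecAuditLog twice: first a
    # pipe to modsec-auditlog-collector.pl, then the plain file below. Only the
    # last occurrence of a directive takes effect, so the pipe was never used.
    # It is kept commented out here in case the collector is wanted again.
    #SecAuditLog "|/usr/local/apache/bin/modsec-auditlog-collector.pl /usr/local/apache/logs/data/ /usr/local/apache/logs/modsec_audit.log /usr/local/apache/logs/index.log"
    SecAuditLog /usr/local/apache/logs/modsec_audit.log

    # Debug log; level 0 disables debug output
    SecFilterDebugLog /usr/local/apache/logs/modsec_debug.log
    SecFilterDebugLevel 0

    # Inspect POST payloads. This was commented out in the original; without
    # it the SQL-injection and POST_PAYLOAD filters below cannot see request
    # bodies, only the query string and headers.
    SecFilterScanPOST On

    # Action taken when a filter matches and the rule gives no action of its
    # own. (The original note referred to 406; the configured status is 500.)
    SecFilterDefaultAction "deny,log,status:500"

    # Redirect the client when these keywords appear anywhere in the request.
    # NOTE(review): "sh" is an unanchored substring and also matches ordinary
    # words such as "shop" or "flash"; expect false positives on normal traffic.
    SecFilter sh redirect:http://www.google.com
    SecFilter chmod redirect:http://www.google.com
    SecFilter wget redirect:http://www.google.com

    # Execute an external script on filter match
    #SecFilter yyy log,exec:/data1/usr/apache/bin/report-attack.pl

    # Simple filter
    #SecFilter 111

    # Only check the QUERY_STRING variable
    #SecFilterSelective QUERY_STRING 222

    # Only check the body of the POST request
    #SecFilterSelective POST_PAYLOAD 333

    # Only check arguments (works for GET and POST)
    #SecFilterSelective ARGS 444

    # Test filter (still active: denies any request containing this string)
    SecFilter "/cgi-bin/keyword"

    # Another test filter; denied with 404 but not logged.
    # An action supplied on the rule overrides the default action.
    #SecFilter 999 "deny,nolog,status:404"

    # OS-specific keywords. The original note says the "*" forms are meant to
    # catch evasions such as /etc/./passwd; note that "*" here only repeats
    # the preceding "/", so these patterns alone do not match a "/./" segment.
    SecFilter /etc/password
    SecFilter /etc/*passwd
    SecFilter /bin/*sh

    # Prevent path traversal (..) attacks, e.g. ?path=/../../
    #SecFilter "../"
    SecFilter "/././"
    SecFilter "/../../"
    SecFilter "\.\./"

    # Weaker XSS protection that still allows common HTML tags. The original
    # read "( |n)", which matched a literal "n"; the intended alternative is a
    # newline, so the escape is restored.
    SecFilter "<( |\n)*script"

    # Prevent XSS attacks (HTML/JavaScript injection). This denies any "<...>"
    # sequence anywhere in the request, including legitimate HTML submitted
    # through forms. Same "(.|n)" typo fixed as above.
    SecFilter "<(.|\n)+>"

    # Very crude filters to prevent SQL injection attacks. "union ... from" is
    # not valid SQL, so the original rule could never match; the injected form
    # is "union ... select". "drop table" now allows more than one space.
    SecFilter "delete[[:space:]]+from"
    SecFilter "insert[[:space:]]+into"
    SecFilter "select.+from"
    SecFilter "union[[:space:]]+select"
    SecFilter "drop[[:space:]]+table"

    # Require non-empty HTTP_USER_AGENT and HTTP_HOST headers
    SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

    # Forbid file upload
    #SecFilterSelective "HTTP_CONTENT_TYPE" multipart/form-data

    # Only watch argument p1
    #SecFilterSelective "ARG_p1" 555

    # Watch all arguments except p2
    #SecFilterSelective "ARGS|!ARG_p2" 666

    # Only allow our own test utility (or Mozilla) to send requests
    #SecFilterSelective HTTP_USER_AGENT "!(mod_security|mozilla)"

    # Do not allow variables with this name
    #SecFilterSelective ARGS_NAMES 777

    # Do not allow this variable value (names are ok)
    #SecFilterSelective ARGS_VALUES 888

    # Stop spamming through FormMail. Note the exclamation mark at the start
    # of the filter: only requests that match this regex are allowed through.
    #<Location /cgi-bin/FormMail>
    #SecFilterSelective "ARG_recipient" "!@webkreator.com$"
    #</Location>

    # When allowing upload, only allow images (jpeg, bmp, gif). This is not
    # foolproof; a determined attacker could get around it.
    #<Location /fileupload.php>
    #SecFilterInheritance Off
    #SecFilterSelective POST_PAYLOAD "!image/(jpeg|bmp|gif)"
    #</Location>

    # Disguise the server identity. This directive only takes effect when
    # ServerTokens is set to Full in the main server configuration.
    SecServerSignature "Microsoft-IIS/6.0"
</IfModule>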