آموزش نصب و راه اندازی Mod Security

 


mod security یک برنامه فایروال وب است (WAF ) که برای وبسرور آپاچی آنرا توسعه داده اند. این مد توسط Trustwave's SpiderLabs توسعه داده شده است. رویدادی قوی مبتنی بر زبان برنامه نویسی که دربرابر محدوده ای از حملات محافظت میکند و اجاره مانیتورینگ HTTP Traffic را به ادمین سرور میدهد.

در حال حاظر این مد بیش از 10.000 توسعه دهنده در سرتاسر جهان دارد.

برای نصب این مد دستورات زیر را به ترتیب وارد نمایید:

http://www.modsecurity.org/download/modsecurity-apache_2.5.13.tar.gz
tar -xvf  modsecurity-apache_2.5.13.tar.gz
cd modsecurity-apache_2.5.13
cd apache2/
apxs -cia mod_security.c

در نهایت باید باید این مد در بخش LoadModules وب سرور شما اضافه شده باشد.

ایجاد تغییرات در پیکربندی وبسرور:

فایل httpd.conf را بیابید:

updatedb

locate httpd.conf

آنرا با یکی از ویرایشگر ها باز کنید:

nano /etc/httpd/conf/httpd.conf

مقدار زیر را در آن بیابید: (دکمه ctrl+w بزنید سپس عبارت زیر را وارد کنید)

AddType application/x-httpd-php .php

زیر این خط عبارت زیر را قرار دهید:

AddHandler php-script .php

درنهایت ما یک فایل config/rules مد سکیورتی را در فایل پیکربندی وبسرور آپاچی include میکنیم.

مقدار زیر را در httpd.conf قرار دهید:

Include /etc/httpd/conf/modsecurity.conf

حال فایل تنظیمات / قوانین مد سکیوریتی را ایجاد میکنیم:

nano /etc/httpd/conf/modsecurity.conf

مقادیر لازم برای افزایش امنیت وب سرور شما:


# Only inspect dynamic requests
# (YOU MUST TEST TO MAKE SURE IT WORKS AS EXPECTED)
SecFilterEngine DynamicOnly

# Reject requests with status 403
SecFilterDefaultAction "deny,log,status:403"

# Some sane defaults
SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilterCheckCookieFormat On
SecFilterCheckUnicodeEncoding Off

# Accept almost all byte values
SecFilterForceByteRange 1 255

# Server masking is optional
# SecServerSignature "Microsoft-IIS/5.0"

SecUploadDir /tmp
SecUploadKeepFiles Off

# Only record the interesting stuff
SecAuditEngine RelevantOnly
SecAuditLog logs/audit_log

# You normally won't need debug logging
SecFilterDebugLevel 0
SecFilterDebugLog logs/modsec_debug_log

# Only accept request encodings we know how to handle
# we exclude GET requests from this because some (automated)
# clients supply "text/html" as Content-Type
SecFilterSelective REQUEST_METHOD "!^GET$" chain
SecFilterSelective HTTP_Content-Type "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data)"

# Require Content-Length to be provided with
# every POST request
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"

# Don't accept transfer encodings we know we don't handle
# (and you don't need it anyway)
SecFilterSelective HTTP_Transfer-Encoding "!^$"

# WEB-ATTACKS /bin/sh command attempt
SecFilter "/bin/sh"

# WEB-ATTACKS ps command attempt
SecFilterSelective THE_REQUEST "/bin/ps"

# WEB-ATTACKS /bin/ps command attempt
# SecFilterSelective THE_REQUEST "ps\x20"

# WEB-ATTACKS wget command attempt
SecFilter "wget\x20"

# WEB-ATTACKS uname -a command attempt
SecFilter "uname\x20-a"

# WEB-ATTACKS /usr/bin/id command attempt
SecFilter "/usr/bin/id"

# WEB-ATTACKS id command attempt
SecFilter "\;id"

# WEB-ATTACKS echo command attempt
SecFilter "/bin/echo"

# WEB-ATTACKS kill command attempt
SecFilter "/bin/kill"

# WEB-ATTACKS chmod command attempt
SecFilter "/bin/chmod"

# WEB-ATTACKS chgrp command attempt
SecFilter "/chgrp"

# WEB-ATTACKS chown command attempt
SecFilter "/chown"

# WEB-ATTACKS chsh command attempt
SecFilter "/usr/bin/chsh"

# WEB-ATTACKS tftp command attempt
SecFilter "tftp\x20"

# WEB-ATTACKS gcc command attempt
SecFilter "gcc\x20-o"

# WEB-ATTACKS cc command attempt
#SecFilter "cc\x20"

# WEB-ATTACKS /usr/bin/cpp command attempt
SecFilter "/usr/bin/cpp"

# WEB-ATTACKS cpp command attempt
SecFilter "cpp\x20"

# WEB-ATTACKS /usr/bin/g++ command attempt
SecFilter "/usr/bin/g\+\+"

# WEB-ATTACKS g++ command attempt
SecFilter "g\+\+\x20"

# WEB-ATTACKS bin/python access attempt
SecFilter "bin/python"

# WEB-ATTACKS python access attempt
SecFilter "python\x20"

# WEB-ATTACKS bin/tclsh execution attempt
SecFilter "bin/tclsh"

# WEB-ATTACKS tclsh execution attempt
SecFilter "tclsh8\x20"

# WEB-ATTACKS bin/nasm command attempt
SecFilter "bin/nasm"

# WEB-ATTACKS nasm command attempt
SecFilter "nasm\x20"

# WEB-ATTACKS /usr/bin/perl execution attempt
SecFilter "/usr/bin/perl"

# WEB-ATTACKS perl execution attempt
SecFilter "perl\x20"

# WEB-ATTACKS traceroute command attempt
SecFilter "traceroute\x20"

# WEB-ATTACKS ping command attempt
SecFilter "/bin/ping"

# WEB-ATTACKS netcat command attempt
SecFilter "nc\x20"

# WEB-ATTACKS nmap command attempt
SecFilter "nmap\x20"

# WEB-ATTACKS xterm command attempt
SecFilter "/usr/X11R6/bin/xterm"

# WEB-ATTACKS X application to remote host attempt
SecFilter "\x20-display\x20"

# WEB-ATTACKS lsof command attempt
SecFilter "lsof\x20"

# WEB-ATTACKS rm command attempt
SecFilter "rm\x20"

# WEB-ATTACKS mail command attempt
SecFilter "/bin/mail"

# WEB-ATTACKS /bin/ls command attempt
SecFilterSelective THE_REQUEST "/bin/ls"

# WEB-ATTACKS /etc/inetd.conf access
SecFilter "/etc/inetd\.conf" log,pass

# WEB-ATTACKS /etc/motd access
SecFilter "/etc/motd" log,pass

# WEB-ATTACKS /etc/shadow access
SecFilter "/etc/shadow" log,pass

# WEB-ATTACKS conf/httpd.conf attempt
SecFilter "conf/httpd\.conf" log,pass

# WEB-ATTACKS .htgroup access
SecFilterSelective THE_REQUEST "\.htgroup" log,pass

# WEB-CGI rksh access
SecFilterSelective THE_REQUEST "/rksh"

# WEB-CGI bash access
SecFilterSelective THE_REQUEST "/bash" log,pass

# WEB-CGI perl command attempt
SecFilterSelective THE_REQUEST "/perl\?"

# WEB-CGI zsh access
SecFilterSelective THE_REQUEST "/zsh"

# WEB-CGI csh access
SecFilterSelective THE_REQUEST "/csh"

# WEB-CGI tcsh access
SecFilterSelective THE_REQUEST "/tcsh"

# WEB-CGI rsh access
SecFilterSelective THE_REQUEST "/rsh"

# WEB-CGI ksh access
SecFilterSelective THE_REQUEST "/ksh"

# WEB-CGI icat access
SecFilterSelective THE_REQUEST "/icat" log,pass

# WEB-CGI /cgi-bin/ls access
SecFilterSelective THE_REQUEST "/cgi-bin/ls" log,pass

# WEB-CLIENT Javascript document.domain attempt
SecFilter "document\.domain\("

# WEB-CLIENT Javascript URL host spoofing attempt
SecFilter "javascript\://"

# WEB-MISC cross site scripting \(img src=javascript\) attempt
SecFilter "img src=javascript"

# WEB-MISC .htpasswd access
SecFilter "\.htpasswd"

# WEB-MISC http directory traversal
SecFilter "\.\.\\"

# WEB-MISC http directory traversal
SecFilter "\.\./"

# WEB-MISC ls%20-l
SecFilter "ls\x20-l"

# WEB-MISC /etc/passwd
SecFilter "/etc/passwd"

# WEB-MISC .htaccess access
SecFilter "\.htaccess"

# WEB-MISC cd..
SecFilter "cd\.\."

# WEB-MISC /.... access
SecFilter "/\.\.\.\."

# WEB-MISC cat%20 access
SecFilter "cat\x20"

# WEB-MISC long basic authorization string
SecFilter "Authorization\: Basic "

# WEB-MISC .history access
SecFilterSelective THE_REQUEST "/\.history"

# WEB-MISC .bash_history access
SecFilterSelective THE_REQUEST "/\.bash_history"

# WEB-MISC *%0a.pl access
SecFilterSelective THE_REQUEST "/*\x0a\.pl"

# WEB-MISC apache ?M=D directory list attempt
SecFilterSelective THE_REQUEST "/\?M=D" log,pass

# WEB-MISC server-status access
SecFilterSelective THE_REQUEST "/server-status" log,pass

# WEB-MISC Transfer-Encoding\: chunked

SecFilter "chunked"

# WEB-MISC perl post attempt
SecFilterSelective THE_REQUEST "/perl/" chain
SecFilter "POST"

# WEB-MISC mod_gzip_status access
SecFilterSelective THE_REQUEST "/mod_gzip_status" log,pass

# WEB-PHP squirrel mail spell-check arbitrary command attempt
SecFilterSelective THE_REQUEST "/squirrelspell/modules/check_me\.mod\.php" chain
SecFilter "SQSPELL_APP\["

# WEB-PHP squirrel mail theme arbitrary command attempt
SecFilterSelective THE_REQUEST "/left_main\.php" chain
SecFilter "cmdd="

# WEB-PHP phpbb quick-reply.php arbitrary command attempt
SecFilterSelective THE_REQUEST "/quick-reply\.php" chain
SecFilter "phpbb_root_path="

# WEB-PHP phpbb quick-reply.php access
SecFilterSelective THE_REQUEST "/quick-reply\.php" log,pass
SecFilterSelective THE_REQUEST "\.php" chain
SecFilter "path=http\://"

# WEB-PHP Mambo uploadimage.php upload php file attempt
SecFilterSelective THE_REQUEST "/uploadimage\.php" chain
SecFilter "\.php"

# WEB-PHP Mambo upload.php upload php file attempt
SecFilterSelective THE_REQUEST "/upload\.php" chain
SecFilter "\.php"

# WEB-PHP Mambo uploadimage.php access
SecFilterSelective THE_REQUEST "/uploadimage\.php" log,pass

# WEB-PHP Mambo upload.php access
SecFilterSelective THE_REQUEST "/upload\.php" log,pass

# WEB-PHP phpBB privmsg.php access
SecFilterSelective THE_REQUEST "/privmsg\.php" log,pass

# WEB-PHP test.php access
SecFilterSelective THE_REQUEST "/test\.php" log,pass

# WEB-PHP phpBB viewtopic.php
SecFilterSelective THE_REQUEST "viewtopic.php" chain
SecFilterSelective "THE_REQUEST|ARG_VALUES" "(system|exec|passthru|cmd|fopen|exit|fwrite)" deny,log

# EXTRAS

SecFilter "/boot"
SecFilter "/dev"
SecFilter "/etc"
SecFilter "/initrd"
SecFilter "/lost+found"
SecFilter "/mnt"
SecFilter "/proc"
SecFilter "/root"
SecFilter "/sbin"
SecFilter "/tmp"
SecFilter "/usr/local/apache"
SecFilter "/var/spool"
SecFilter "/bin/cc"
SecFilter "/bin/gcc"
SecFilter "<[[:space:]]*script"
SecFilter "<(.|\n)+>"
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"

 

کار به اتمام رسید، وب سرور خود را ری-استارت کنید تا این مد از وبسرور شما محافظت کند.

service httpd restart

لاگها: /var/log/httpd/audit_log

 

¿Fue útil la respuesta?

 Imprimir éste Artículo

Leer también

دستور های مانیتور لود سرور لینوکس

Following are few commands used for the Linux server load monitoring and maintenance Commands:...

نحوه بکاپ گیری و یا ری استور کردن بکاپ دیتابیس بوسیله SSH

گاهی اوقات حجم بانک اطلاعاتی MySQL شما ممکن است بالا باشد که بکاپ گیری و یا بازنشانی بکاپ برای...

نصب و تنظیم Rootkit Hunter

برای نصب ابتدا دستور های زیر را وارد نمایید : wget...

آموزش کانفیگ آپاچی

وب نوبتی هم باشه نوبت کانفیگ apache هست. همونطور که گفتم تنظیمات apache و mysql به میزان رم و...

بلاک کردن یک کشور بوسیله فایروال CSF

مراحل زیر را با هم طی میکنیم : وارد محیط ssh شوید و nano /etc/csf/csf.conf سپس CC_DENY را پیدا...