OVH Community, your new community space.

Mod_Security (Super config)


adamito
21/06/2011, 17h13
Hello,

When I run:

Code:
/usr/local/apache/bin/apxs -cia mod_security.c
I get:

Code:
/usr/local/apache/build/libtool --silent --mode=compile gcc -prefer-pic -O2 -pipe -march=nocona  -DLINUX=2 -D_REENTRANT -D_GNU_SOURCE -pthread -I/usr/local/apache/include  -I/usr/local/apache/include   -I/usr/local/apache/include   -c -o mod_security.lo mod_security.c && touch mod_security.slo
gcc: mod_security.c : Aucun fichier ou répertoire de ce type
gcc: pas de fichier à l'entrée
apxs:Error: Command failed with rc=65536

Zalian
18/12/2010, 10h33
I'm interested in your script. I'd also like a quick expert opinion so as to avoid any problems

VSInet
13/04/2010, 21h27
Well, I can already give mine as a non-expert: performance-wise on an RPS it's just unmanageable. And personally I'm now having a hard time untangling myself from it...

nono2a
01/04/2010, 21h21
nobody to give more opinions on this?? I don't understand much of it, but could an expert give an expert opinion?? :d
thanks

VSInet
07/02/2010, 15h59
off topic, but quentinheb, I love your signature :-P

@Mic4el: thanks for this tutorial :-)

quentinheb
19/05/2009, 11h13
GREAT!
thanks

Mic4eL
09/01/2008, 17h05
Standard config
Code:

    # Turn the filtering engine On or Off
    SecFilterEngine On

    # Change Server: string
    SecServerSignature " "

    # Make sure that URL encoding is valid
    SecFilterCheckURLEncoding On

    # This setting should be set to On only if the Web site is
    # using the Unicode encoding. Otherwise it may interfere with
    # the normal Web site operation.
    SecFilterCheckUnicodeEncoding Off

    # Only allow bytes from this range
    SecFilterForceByteRange 1 255

    # The audit engine works independently and
    # can be turned On or Off on the per-server or
    # on the per-directory basis. "On" will log everything,
    # "DynamicOrRelevant" will log dynamic requests or violations,
    # and "RelevantOnly" will only log policy violations
    SecAuditEngine RelevantOnly

    # The name of the audit log file
    SecAuditLog /var/log/httpd/audit_log

    # Should mod_security inspect POST payloads
    SecFilterScanPOST On

    # Action to take by default
    SecFilterDefaultAction "deny,log,status:500"

    # Require HTTP_USER_AGENT and HTTP_HOST in all requests
    SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

    # Prevent path traversal (..) attacks
    SecFilter "../"

    # Weaker XSS protection but allows common HTML tags
    SecFilter "<[[:space:]]*script"

    # Prevent XSS attacks (HTML/Javascript injection)
    # (the "\n" alternative lets the pattern span line breaks in the request)
    SecFilter "<(.|\n)+>"

    # Very crude filters to prevent SQL injection attacks
    SecFilter "delete[[:space:]]+from"
    SecFilter "insert[[:space:]]+into"
    SecFilter "select.+from"

    # Protecting from XSS attacks through the PHP session cookie
    SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
    SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"

Mic4eL
09/01/2008, 17h04
1. Download Mod_Security
Code:
wget http://www.modsecurity.org/download/mod_security-1.7.4.tar.gz
2. Extract it
Code:
tar zxvf mod_security-1.7.4.tar.gz
cd mod_security-1.7.4/
3. Choose your Apache version
APACHE 1.3.x
Code:
cd apache1/
APACHE 2.x
Code:
cd apache2/
4. Install
Code:
/usr/local/apache/bin/apxs -cia mod_security.c
5. Back up httpd.conf:
Code:
cp /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/httpd.conf.backup
6. Edit httpd.conf
Code:
nano /usr/local/apache/conf/httpd.conf
7. Now you have the choice between the maximal config (by me) and the standard one (by Webhostgear).

Maximal config (for Kimsufi servers that receive a lot of requests, I recommend the standard one)
Code:

#Mod_Security configuration by Mic4eL
SecFilterEngine On
SecFilterCheckURLEncoding On
SecFilterForceByteRange 0 255
SecAuditEngine RelevantOnly
SecAuditLog /var/log/httpd/audit_log

SecFilterDebugLog logs/modsec_debug_log
SecFilterDebugLevel 0
SecFilterScanPOST Off

#SecFilterDefaultAction "deny,log,status:406"
SecFilterDefaultAction "deny,log,redirect:http://www.forcis.com/fr/erreur/secured.xml"
SecFilter /boot
SecFilter /dev
SecFilter /etc
SecFilter /initrd
SecFilter /lost+found
SecFilter /mnt
SecFilter /proc/
SecFilter /root
SecFilter /sbin
SecFilter /tmp
SecFilter /usr/local/apache
SecFilter /usr/local/cpanel
SecFilter /usr/local/mysql
SecFilter /var/
SecFilter /boot/
SecFilter /dev/
SecFilter /etc/
SecFilter /initrd/
SecFilter /lost+found/
SecFilter /mnt/
SecFilter /proc/
SecFilter /root/
SecFilter /sbin/
SecFilter /tmp/
SecFilter /usr/local/apache/
SecFilter /usr/local/cpanel/
SecFilter /usr/local/mysql/
SecFilter /var/
SecFilter /bin/cc
SecFilter /bin/gcc

#added by mic4el :start

SecServerSignature "ForcisHTTPd"

#:end

# Only accept request encodings the server knows how to handle; GET is
# excluded because some automated clients send a bogus Content-Type with it.
# The directive name of the second line was lost in the post; HTTP_Content-Type
# is the variable the quoted pattern is evidently meant for. The pattern must
# also tolerate the "; boundary=..." parameter every multipart upload carries.
SecFilterSelective REQUEST_METHOD "!^GET$" chain
SecFilterSelective HTTP_Content-Type "!^(|application/x-www-form-urlencoded|multipart/form-data(;.*)?)$"

# Require a Content-Length header on every POST
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"

# Reject transfer encodings the filter cannot inspect
SecFilterSelective HTTP_Transfer-Encoding "!^$"

 
# Trusted sources that bypass the filters (dots escaped so only these exact addresses match)
SecFilterSelective REMOTE_ADDR "^127\.0\.0\.1$" nolog,allow
SecFilterSelective REMOTE_ADDR "^65\.75\.158\.80$" nolog,allow

# Very crude filters to prevent SQL injection attacks
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"
SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

# PHPNUKE MAIL-FLOOD FILTERS
SecFilter "name=WebMail"
# PHPNUKE FILTERS
SecFilter "displayCategory.php\?basepath=http:"
SecFilter "displayCategory.php\?basepath=https:"
SecFilter "displayCategory.php\?basepath=ftp:"
SecFilter "displayCategory.php\?adminpath=http:"
SecFilter "displayCategory.php\?adminpath=https:"
SecFilter "displayCategory.php\?adminpath=ftp:"
# PHPBB BUG HIGHLIGHT

#phpBB bug
SecFilter "login.php\?redirect=privmsg.php&folder=savebox&mode=read&p=99&sid="

SecFilterSelective THE_REQUEST "/viewtopic\.php" chain
SecFilter "highlight=.\d+"

# Prevent XSS attacks (HTML/Javascript injection) < MAY FAIL
#SecFilter "<(.|\n)+>"

# Prevent path traversal (..) attacks < MAY FAIL
SecFilter "\.\./"

# Protecting from XSS attacks through the PHP session cookie
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"

# WEB-ATTACKS ps command attempt
SecFilterSelective THE_REQUEST "/bin/ps"

# WEB-ATTACKS /bin/ps command attempt <- fails on "groups" if you use ps\x20 alone
SecFilterSelective THE_REQUEST "ps\x20aux"

#SNAKE FILTERING
SecFilter "xs.hz.zj.cn"
SecFilter "riwachem"

# WEB-ATTACKS wget command attempt
SecFilter "wget\x20"
SecFilter "chmod\x20"
#SecFilter "echo\x20" fails

# WEB-ATTACKS uname -a command attempt
SecFilter "uname\x20-a"

# WEB-ATTACKS /usr/bin/id command attempt
SecFilterSelective THE_REQUEST "/usr/bin/id"

# WEB-ATTACKS id command attempt
SecFilter "\;id"

# WEB-ATTACKS kill command attempt
SecFilterSelective THE_REQUEST "/bin/kill"

# WEB-ATTACKS chsh command attempt
SecFilterSelective THE_REQUEST "/usr/bin/chsh"

# WEB-ATTACKS tftp command attempt
SecFilter "tftp\x20"

# WEB-ATTACKS /usr/bin/gcc command attempt
SecFilterSelective THE_REQUEST "/usr/bin/gcc"

# WEB-ATTACKS gcc command attempt
SecFilter "gcc\x20"

# WEB-ATTACKS /usr/bin/cc command attempt
SecFilterSelective THE_REQUEST "/usr/bin/cc"

# WEB-ATTACKS cc command attempt
SecFilter "cc\x20"

# WEB-ATTACKS /usr/bin/cpp command attempt
SecFilterSelective THE_REQUEST "/usr/bin/cpp"

# WEB-ATTACKS cpp command attempt
SecFilter "cpp\x20"

# WEB-ATTACKS /usr/bin/g++ command attempt
SecFilterSelective THE_REQUEST "/usr/bin/g\+\+"

# WEB-ATTACKS g++ command attempt
SecFilter "g\+\+\x20"

# WEB-ATTACKS bin/python access attempt
SecFilterSelective THE_REQUEST "bin/python"

# WEB-ATTACKS python access attempt
SecFilter "python\x20"

# WEB-ATTACKS bin/tclsh execution attempt
SecFilter "bin/tclsh"

# WEB-ATTACKS tclsh execution attempt
SecFilter "tclsh8 "

# WEB-ATTACKS bin/nasm command attempt
SecFilterSelective THE_REQUEST "bin/nasm"

# WEB-ATTACKS nasm command attempt
SecFilter "nasm\x20"

# WEB-ATTACKS perl execution attempt
SecFilter "perl\x20"

# WEB-ATTACKS traceroute command attempt
SecFilter "traceroute\x20"

# WEB-ATTACKS ping command attempt
SecFilterSelective THE_REQUEST "/bin/ping"

# WEB-ATTACKS netcat command attempt
SecFilter "nc\x20"

# WEB-ATTACKS nmap command attempt
SecFilter "nmap\x20"

# WEB-ATTACKS xterm command attempt
SecFilterSelective THE_REQUEST "/usr/X11R6/bin/xterm"

# WEB-ATTACKS X application to remote host attempt
SecFilter "\x20-display\x20"

# WEB-ATTACKS lsof command attempt
SecFilter "lsof\x20"

# WEB-ATTACKS rm command attempt
SecFilter "rm\x20"
SecFilter "remove\x20"

# WEB-ATTACKS mail command attempt
SecFilterSelective THE_REQUEST "/bin/mail"

# WEB-ATTACKS mail command attempt
#SecFilter "mail\x20"

# WEB-ATTACKS /bin/ls command attempt
SecFilterSelective THE_REQUEST "/bin/ls"

# WEB-ATTACKS /etc/shadow access
SecFilter "/etc/shadow"

# WEB-ATTACKS .htgroup access
SecFilterSelective THE_REQUEST "\.htgroup"

# WEB-CGI websitepro path access
SecFilter " /HTTP/1\."

# WEB-CGI formmail arbitrary command execution attempt
SecFilterSelective THE_REQUEST "/formmail" chain
SecFilter "\x0a"

# WEB-CGI formmail access
SecFilterSelective THE_REQUEST "/formmail" log,pass

# WEB-CGI phf arbitrary command execution attempt
SecFilterSelective THE_REQUEST "/phf" chain
SecFilter "\x0a/"

# WEB-CGI phf access
SecFilterSelective THE_REQUEST "/phf" log,pass

# WEB-CGI rksh access
SecFilterSelective THE_REQUEST "/rksh"

# WEB-CGI bash access
SecFilterSelective THE_REQUEST "/bash" log,pass

# WEB-CGI zsh access
SecFilterSelective THE_REQUEST "/zsh"

# WEB-CGI csh access
SecFilterSelective THE_REQUEST "/csh"

# WEB-CGI tcsh access
SecFilterSelective THE_REQUEST "/tcsh"

# WEB-CGI rsh access
SecFilterSelective THE_REQUEST "/rsh"

# WEB-CGI ksh access
SecFilterSelective THE_REQUEST "/ksh"

# WEB-CLIENT Javascript URL host spoofing attempt
SecFilter "javascript\://"

# WEB-MISC cross site scripting \(img src=javascript\) attempt
SecFilter "img src=javascript"

# WEB-MISC .htpasswd access
SecFilter "\.htpasswd"

# WEB-MISC .htaccess access
SecFilter "\.htaccess"

# WEB-MISC cd..
SecFilter "cd\.\."

# WEB-MISC ///cgi-bin access
SecFilterSelective THE_REQUEST "///cgi-bin"

# WEB-MISC /cgi-bin/// access
SecFilterSelective THE_REQUEST "/cgi-bin///"

# WEB-MISC /~root access
SecFilterSelective THE_REQUEST "/~root"

# WEB-MISC /~ftp access
SecFilterSelective THE_REQUEST "/~ftp"

# WEB-MISC cat%20 access
SecFilter "cat\x20"

# WEB-MISC rpm_query access
SecFilterSelective THE_REQUEST "/rpm_query"

# WEB-MISC htgrep attempt
SecFilterSelective THE_REQUEST "/htgrep" chain
SecFilter "hdr=/"

# WEB-MISC htgrep access
SecFilterSelective THE_REQUEST "/htgrep" log,pass

# WEB-MISC .history access
SecFilterSelective THE_REQUEST "/\.history"

# WEB-MISC .bash_history access
SecFilterSelective THE_REQUEST "/\.bash_history"

# WEB-MISC /~nobody access
SecFilterSelective THE_REQUEST "/~nobody"

# WEB-MISC *%0a.pl access
SecFilterSelective THE_REQUEST "/*\x0a\.pl"

# WEB-MISC Apache Chunked-Encoding worm attempt
SecFilter "CCCCCCC\: AAAAAAAAAAAAAAAAAAA"

# WEB-MISC Transfer-Encoding\: chunked
SecFilter "chunked"

# WEB-PHP squirrel mail theme arbitrary command attempt
SecFilterSelective THE_REQUEST "/left_main\.php" chain
SecFilter "cmdd="

# WEB-PHP DNSTools administrator authentication bypass attempt
SecFilterSelective THE_REQUEST "/dnstools\.php" chain
SecFilter "user_dnstools_administrator=true"

# WEB-PHP DNSTools authentication bypass attempt
SecFilterSelective THE_REQUEST "/dnstools\.php" chain
SecFilter "user_logged_in=true"

# WEB-PHP DNSTools access
SecFilterSelective THE_REQUEST "/dnstools\.php" log,pass

# WEB-PHP Blahz-DNS dostuff.php modify user attempt
SecFilterSelective THE_REQUEST "/dostuff\.php\?action=modify_user"

# WEB-PHP PHP-Wiki cross site scripting attempt
# SecFilterSelective THE_REQUEST "
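As an added illustration (not code from the thread or from mod_security itself), the script below replays a few of the SecFilter patterns from the standard and maximal configs above over constructed request strings. It assumes the patterns are applied to the URL-decoded URI plus arguments, which is what SecFilter inspects, and it shows the point VSInet raises: crude substring patterns like "rm\x20" or "select.+from" fire on ordinary text, so a busy site accumulates false positives that someone has to triage.

```python
import re
from typing import List

# A handful of SecFilter patterns copied from the two configs in this thread,
# written as mod_security 1.x expects them (POSIX classes, \x20 for a space).
SECFILTERS = [
    ("path traversal", r"\.\./"),
    ("script tag", r"<[[:space:]]*script"),
    ("sql select", r"select.+from"),
    ("rm command", r"rm\x20"),
    ("cat command", r"cat\x20"),
    ("nc command", r"nc\x20"),
    ("wget command", r"wget\x20"),
]

# POSIX bracket classes have no direct Python equivalent; map the ones the
# configs use. \x20, \. and \d mean the same thing in both dialects.
POSIX_CLASSES = {"[[:space:]]": r"\s", "[[:digit:]]": r"\d", "[[:alpha:]]": "[A-Za-z]"}


def to_python_regex(pattern: str):
    """Translate a SecFilter pattern into a compiled Python regex. Matching is
    case-sensitive here; this script makes no assumption about 1.x case flags."""
    for posix, py in POSIX_CLASSES.items():
        pattern = pattern.replace(posix, py)
    return re.compile(pattern)


def evaluate(request: str, filters=SECFILTERS) -> List[str]:
    """Return the names of every filter that fires on `request`, which stands
    for the URL-decoded URI and arguments (POST bodies are only inspected when
    SecFilterScanPOST is On, which the maximal config turns Off)."""
    return [name for name, pat in filters if to_python_regex(pat).search(request)]


# Constructed sample requests: two the filters are meant to catch and three
# benign ones that show how crude substring patterns hit everyday words.
SAMPLES = {
    "/index.php?page=../../etc/hosts": ["path traversal"],
    "/search.php?q=<script>hi</script>": ["script tag"],
    "/help.php?q=select a colour from the list": ["sql select"],
    "/contact.php?msg=please send the form today": ["rm command"],
    "/shop.php?item=cat food and zinc supplements": ["cat command", "nc command"],
}

if __name__ == "__main__":
    for req, expected in SAMPLES.items():
        print(f"{req!r}: {evaluate(req) or 'no match'}  (expected {expected})")
```

Extend SECFILTERS with the other SecFilter lines from the thread and feed it a day of access-log paths to estimate how many legitimate requests a given rule set would have denied.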