apache2.2.24-mod_security2.7.3-apache安装与配置-Lastme

系统版本: CentOS release 6.4 X86_64
Apache : 2.2.24
mod_security : 2.7.3
安装文档: http://download.lastme.com/apache/mod_security/install.txt

[root@localhost /]# yum install libXtst-devel libXtst expat-devel compat-expat1 expat

[root@localhost /]# mkdir -p /data0/webroot/documents/    网站程序文件目录
[root@localhost /]# mkdir -p /data0/webroot/log/apache/   apache日志存放路径
[root@localhost /]# mkdir -p /data0/source/               源码存放路径
[root@localhost /]# cd /data0/source/

[root@localhost source]# http://download.lastme.com/apache/mod_security/mod_security-apache_2.7.3.tar.gz
[root@localhost source]# tar mod_security-apache_2.7.3.tar.gz && cd modsecurity-apache_2.7.3
[root@localhost modsecurity-apache_2.7.3]# ./configure --with-apxs=/usr/local/apache2/bin/apxs

[root@localhost /]# yum install libXtst-devel libXtst expat-devel compat-expat1 expat

[root@localhost /]# mkdir -p /data0/webroot/documents/ 网站程序文件目录

[root@localhost /]# mkdir -p /data0/webroot/log/apache/ apache日志存放路径

[root@localhost /]# mkdir -p /data0/source/ 源码存放路径

[root@localhost /]# cd /data0/source/

[root@localhost source]# http://download.lastme.com/apache/mod_security/mod_security-apache_2.7.3.tar.gz

[root@localhost source]# tar mod_security-apache_2.7.3.tar.gz && cd modsecurity-apache_2.7.3

[root@localhost modsecurity-apache_2.7.3]# ./configure --with-apxs=/usr/local/apache2/bin/apxs

如果编译出现 /usr/bin/ld: cannot find -lexpat
64位系统的话这样处理

[root@localhost modsecurity-apache_2.7.3]# echo "/usr/lib64/" >> /etc/ld.so.conf
[root@localhost modsecurity-apache_2.7.3]# ldconfig

[root@localhost modsecurity-apache_2.7.3]# echo "/usr/lib64/" >> /etc/ld.so.conf

[root@localhost modsecurity-apache_2.7.3]# ldconfig

32位系统的话这样处理

[root@localhost modsecurity-apache_2.7.3]# echo "/usr/lib/" >> /etc/ld.so.conf
[root@localhost modsecurity-apache_2.7.3]# ldconfig

[root@localhost modsecurity-apache_2.7.3]# echo "/usr/lib/" >> /etc/ld.so.conf

[root@localhost modsecurity-apache_2.7.3]# ldconfig

[root@localhost modsecurity-apache_2.7.3]# make && make install
[root@localhost modsecurity-apache_2.7.3]# chmod 755 /usr/local/apache2/modules/mod_security2.so
[root@localhost modsecurity-apache_2.7.3]# cd /usr/local/apache2/conf/
[root@localhost conf]#
[root@localhost conf]#
[root@localhost conf]# vim httpd.conf   在httpd.conf 里面添加如下两行
    LoadModule security2_module modules/mod_security2.so
    Include conf/mod_security.conf

[root@localhost conf]#
[root@localhost conf]# vim mod_security.conf  输入以下内容
<IfModule mod_security.c>
    SecFilterEngine On
    SecFilterCheckURLEncoding On
    SecFilterForceByteRange 32 126
    SecAuditEngine RelevantOnly
    SecAuditLog /data0/webroot/log/apache/audit_log.log
    SecFilterDebugLog /data0/webroot/log/apache/modsec_debug_log.log
    SecFilterDebugLevel 0
    SecFilterDefaultAction "deny,log,status:406"
    SecFilter chmod redirect:http://127.0.0.1
    SecFilter wget redirect:http://127.0.0.1
    SecFilter cat redirect:http://127.0.0.1
    SecFilter /etc/password
    SecFilter /etc/shadow
    SecFilter /etc/group
    SecFilter "\.\./"
    SecFilter "<( |\n)*script"
    SecFilter "<(.|\n)+>"
    SecFilter "delete[[:space:]]+from"
    SecFilter "insert[[:space:]]+into"
    SecFilter "select.+from"
    SecServerSignature "microsoft-IIS/6.0"
    SecFilterSelective REQUEST_URI "py" "redirect:http://127.0.0.1"
    SecFilterSelective REQUEST_URI "asp" "redirect:http://127.0.0.1"
    SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$" 
</IfModule>

[root@localhost conf]# /etc/init.d/httpd restart

[root@localhost modsecurity-apache_2.7.3]# make && make install

[root@localhost modsecurity-apache_2.7.3]# chmod 755 /usr/local/apache2/modules/mod_security2.so

[root@localhost modsecurity-apache_2.7.3]# cd /usr/local/apache2/conf/

[root@localhost conf]#

[root@localhost conf]# vim httpd.conf 在httpd.conf 里面添加如下两行

LoadModule security2_module modules/mod_security2.so

Include conf/mod_security.conf

[root@localhost conf]#

[root@localhost conf]# vim mod_security.conf 输入以下内容

SecFilterEngine On

SecFilterCheckURLEncoding On

SecFilterForceByteRange 32 126

SecAuditEngine RelevantOnly

SecAuditLog /data0/webroot/log/apache/audit_log.log

SecFilterDebugLog /data0/webroot/log/apache/modsec_debug_log.log

SecFilterDebugLevel 0

SecFilterDefaultAction "deny,log,status:406"

SecFilter chmod redirect:http://127.0.0.1

SecFilter wget redirect:http://127.0.0.1

SecFilter cat redirect:http://127.0.0.1

SecFilter /etc/password

SecFilter /etc/shadow

SecFilter /etc/group

SecFilter "\.\./"

SecFilter "<( |\n)*script"

SecFilter "<(.|\n)+>"

SecFilter "delete[[:space:]]+from"

SecFilter "insert[[:space:]]+into"

SecFilter "select.+from"

SecServerSignature "microsoft-IIS/6.0"

SecFilterSelective REQUEST_URI "py" "redirect:http://127.0.0.1"

SecFilterSelective REQUEST_URI "asp" "redirect:http://127.0.0.1"

SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

[root@localhost conf]# /etc/init.d/httpd restart

或者下载已经编辑好的配置文件

[root@localhost conf]# wget http://download.lastme.com/apache/mod_security/mod_security.conf

1	[root@localhost conf]# wget http://download.lastme.com/apache/mod_security/mod_security.conf

# 配置文件说明
# 配置文件参考
# http://fedoranews.org/jorge/mod_security/mod_security.conf
<IfModule mod_security.c>

    # Turn the filtering engine On or Off
	# 分析每一个http请求,不开启就等于没用
    SecFilterEngine On

    # Make sure that URL encoding is valid
	# URL编码确认
    SecFilterCheckURLEncoding On

    # Only allow bytes from this range
	# 字节范围检查, 以有效防止stack overflow attacks(栈溢出攻击).
    SecFilterForceByteRange 32 126

    # The audit engine works independently and
    # can be turned On of Off on the per-server or
    # on the per-directory basis
	# 有效解决apache日志对某个用户或攻击者信息记录的不足. 如果要
　　# 对某一个用户或攻击者发出的一个请求的详细记录，
	# 可以查看 /data0/webroot/log/apache/audit_log.log 日志文件
    SecAuditEngine RelevantOnly

    # The name of the audit log file
	# 日志文件存放路径以及名称
    SecAuditLog /data0/webroot/log/apache/audit_log.log

	# 设置调试模式下的日志文件以及存放路径
    SecFilterDebugLog /data0/webroot/log/apache/modsec_debug_log.log
    SecFilterDebugLevel 0

    # Should mod_security inspect POST payloads
	# 开启此项将检查post值的有效性
    #SecFilterScanPOST On

    # Action to take by default
	# 设置默认的操作,406为操作名称, 前面的三个为操作参数.
    SecFilterDefaultAction "deny,log,status:406"

    #当匹配chmod,wget等命令的时候,重新定向到一个特殊的页面
	SecFilter chmod redirect:http://127.0.0.1
	SecFilter wget redirect:http://127.0.0.1
	SecFilter cat redirect:http://127.0.0.1
	# 重定向py和asp请求
	SecFilterSelective REQUEST_URI "py" "redirect:http://127.0.0.1"
	SecFilterSelective REQUEST_URI "asp" "redirect:http://127.0.0.1"

	#伪装服务器标识
	SecServerSignature "microsoft-IIS/6.0"

    # Prevent OS specific keywords
	# 防止操作系统特定的关键字
    SecFilter /etc/password
	SecFilter /etc/shadow
	SecFilter /etc/group

    # Prevent path traversal (..) attacks
	# 防止 .. 类型的攻击比如 cat ../../../../../etc/passwd
    SecFilter "\.\./"

    # Weaker XSS protection but allows common HTML tags
	# 防止 XSS 跨站攻击
    SecFilter "<( |\n)*script"

    # Prevent XSS atacks (HTML/Javascript injection)
	# 对不安全的(跨站点脚本)XSS进行保护, 但允许普通的HTML标识
    SecFilter "<(.|\n)+>"

    # Very crude filters to prevent SQL injection attacks
	# 过滤防御注入攻击的关键词
    SecFilter "delete[[:space:]]+from"
    SecFilter "insert[[:space:]]+into"
    SecFilter "select.+from"

    # Require HTTP_USER_AGENT and HTTP_HOST headers
	# 请求的头部信息
    SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

    # Simple filter
    #SecFilter 111

    # Only check the QUERY_STRING variable
    #SecFilterSelective QUERY_STRING 222

    # Only check the body of the POST request
    #SecFilterSelective POST_PAYLOAD 333

    # Only check arguments (will work for GET and POST)
    #SecFilterSelective ARGS 444

    # Test filter
    #SecFilter "/cgi-bin/keyword"

    # Another test filter, will be denied with 404 but not logged
    # action supplied as a parameter overrides the default action
    #SecFilter 999 "deny,nolog,status:404"

    # Forbid file upload
    #SecFilterSelective "HTTP_CONTENT_TYPE" multipart/form-data

    # Only watch argument p1
    #SecFilterSelective "ARG_p1" 555

    # Watch all arguments except p1
    #SecFilterSelective "ARGS|!ARG_p2" 666

    # Only allow our own test utility to send requests (or Mozilla)
    #SecFilterSelective HTTP_USER_AGENT "!(mod_security|mozilla)"

    # Do not allow variables with this name
    #SecFilterSelective ARGS_NAMES 777

    # Do now allow this variable value (names are ok)
    #SecFilterSelective ARGS_VALUES 888

    # Stop spamming through FormMail
    # note the exclamation mark at the beginning
    # of the filter - only requests that match this regex will
    # be allowed
    #<Location /cgi-bin/FormMail>
        #SecFilterSelective "ARG_recipient" "!@webkreator.com$"
    #</Location>

    # when allowing upload, only allow images
    # note that this is not foolproof, a determined attacker
    # could get around this 
    #<Location /fileupload.php>
        #SecFilterInheritance Off
        #SecFilterSelective POST_PAYLOAD "!image/(jpeg|bmp|gif)"
    #</Location>

</IfModule>

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

# 配置文件说明

# 配置文件参考

# http://fedoranews.org/jorge/mod_security/mod_security.conf

# Turn the filtering engine On or Off

# 分析每一个http请求,不开启就等于没用

SecFilterEngine On

# Make sure that URL encoding is valid

# URL编码确认

SecFilterCheckURLEncoding On

# Only allow bytes from this range

# 字节范围检查, 以有效防止stack overflow attacks(栈溢出攻击).

SecFilterForceByteRange 32 126

# The audit engine works independently and

# can be turned On of Off on the per-server or

# on the per-directory basis

# 有效解决apache日志对某个用户或攻击者信息记录的不足. 如果要

　　# 对某一个用户或攻击者发出的一个请求的详细记录，

# 可以查看 /data0/webroot/log/apache/audit_log.log 日志文件

SecAuditEngine RelevantOnly

# The name of the audit log file

# 日志文件存放路径以及名称

SecAuditLog /data0/webroot/log/apache/audit_log.log

# 设置调试模式下的日志文件以及存放路径

SecFilterDebugLog /data0/webroot/log/apache/modsec_debug_log.log

SecFilterDebugLevel 0

# Should mod_security inspect POST payloads

# 开启此项将检查post值的有效性

#SecFilterScanPOST On

# Action to take by default

# 设置默认的操作,406为操作名称, 前面的三个为操作参数.

SecFilterDefaultAction "deny,log,status:406"

#当匹配chmod,wget等命令的时候,重新定向到一个特殊的页面

SecFilter chmod redirect:http://127.0.0.1

SecFilter wget redirect:http://127.0.0.1

SecFilter cat redirect:http://127.0.0.1

# 重定向py和asp请求

SecFilterSelective REQUEST_URI "py" "redirect:http://127.0.0.1"

SecFilterSelective REQUEST_URI "asp" "redirect:http://127.0.0.1"

#伪装服务器标识

SecServerSignature "microsoft-IIS/6.0"

# Prevent OS specific keywords

# 防止操作系统特定的关键字

SecFilter /etc/password

SecFilter /etc/shadow

SecFilter /etc/group

# Prevent path traversal (..) attacks

# 防止 .. 类型的攻击比如 cat ../../../../../etc/passwd

SecFilter "\.\./"

# Weaker XSS protection but allows common HTML tags

# 防止 XSS 跨站攻击

SecFilter "<( |\n)*script"

# Prevent XSS atacks (HTML/Javascript injection)

# 对不安全的(跨站点脚本)XSS进行保护, 但允许普通的HTML标识

SecFilter "<(.|\n)+>"

# Very crude filters to prevent SQL injection attacks

# 过滤防御注入攻击的关键词

SecFilter "delete[[:space:]]+from"

SecFilter "insert[[:space:]]+into"

SecFilter "select.+from"

# Require HTTP_USER_AGENT and HTTP_HOST headers

# 请求的头部信息

SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

# Simple filter

#SecFilter 111

# Only check the QUERY_STRING variable

#SecFilterSelective QUERY_STRING 222

# Only check the body of the POST request

#SecFilterSelective POST_PAYLOAD 333

# Only check arguments (will work for GET and POST)

#SecFilterSelective ARGS 444

# Test filter

#SecFilter "/cgi-bin/keyword"

# Another test filter, will be denied with 404 but not logged

# action supplied as a parameter overrides the default action

#SecFilter 999 "deny,nolog,status:404"

# Forbid file upload

#SecFilterSelective "HTTP_CONTENT_TYPE" multipart/form-data

# Only watch argument p1

#SecFilterSelective "ARG_p1" 555

# Watch all arguments except p1

#SecFilterSelective "ARGS|!ARG_p2" 666

# Only allow our own test utility to send requests (or Mozilla)

#SecFilterSelective HTTP_USER_AGENT "!(mod_security|mozilla)"

# Do not allow variables with this name

#SecFilterSelective ARGS_NAMES 777

# Do now allow this variable value (names are ok)

#SecFilterSelective ARGS_VALUES 888

# Stop spamming through FormMail

# note the exclamation mark at the beginning

# of the filter - only requests that match this regex will

# be allowed

#SecFilterSelective "ARG_recipient" "!@webkreator.com$"

# when allowing upload, only allow images

# note that this is not foolproof, a determined attacker

# could get around this

#SecFilterInheritance Off

#SecFilterSelective POST_PAYLOAD "!image/(jpeg|bmp|gif)"

项目主页: http://www.modsecurity.org/
说明文档: https://github.com/SpiderLabs/ModSecurity/wiki/
http://www.modsecurity.org/documentation/modsecurity-apache/2.5.6/modsecurity2-apache-reference.html#N1001D

Lastme

apache2.2.24-mod_security2.7.3-apache安装与配置

No Comments

Leave A Reply.

Archives

Meta