apache 2.2.24 + mod_security 2.7.3: installing and configuring mod_security for Apache
System: CentOS release 6.4 x86_64
Apache: 2.2.24
mod_security: 2.7.3
Install notes: http://download.lastme.com/apache/mod_security/install.txt
```
[root@localhost /]# yum install libXtst-devel libXtst expat-devel compat-expat1 expat
[root@localhost /]# mkdir -p /data0/webroot/documents/    # web site document root
[root@localhost /]# mkdir -p /data0/webroot/log/apache/   # Apache log directory
[root@localhost /]# mkdir -p /data0/source/               # where source tarballs are kept
[root@localhost /]# cd /data0/source/
[root@localhost source]# wget http://download.lastme.com/apache/mod_security/mod_security-apache_2.7.3.tar.gz
[root@localhost source]# tar zxvf mod_security-apache_2.7.3.tar.gz && cd modsecurity-apache_2.7.3
[root@localhost modsecurity-apache_2.7.3]# ./configure --with-apxs=/usr/local/apache2/bin/apxs
```
If the build fails with `/usr/bin/ld: cannot find -lexpat`:
On a 64-bit system, do this:
```
[root@localhost modsecurity-apache_2.7.3]# echo "/usr/lib64/" >> /etc/ld.so.conf
[root@localhost modsecurity-apache_2.7.3]# ldconfig
```
On a 32-bit system, do this:
```
[root@localhost modsecurity-apache_2.7.3]# echo "/usr/lib/" >> /etc/ld.so.conf
[root@localhost modsecurity-apache_2.7.3]# ldconfig
```
```
[root@localhost modsecurity-apache_2.7.3]# make && make install
[root@localhost modsecurity-apache_2.7.3]# chmod 755 /usr/local/apache2/modules/mod_security2.so
[root@localhost modsecurity-apache_2.7.3]# cd /usr/local/apache2/conf/
[root@localhost conf]# vim httpd.conf
```
Add the following two lines to httpd.conf:
```
LoadModule security2_module modules/mod_security2.so
Include conf/mod_security.conf
```
```
[root@localhost conf]# vim mod_security.conf
```
Put the following into mod_security.conf:
```
SecFilterEngine On
SecFilterCheckURLEncoding On
SecFilterForceByteRange 32 126
SecAuditEngine RelevantOnly
SecAuditLog /data0/webroot/log/apache/audit_log.log
SecFilterDebugLog /data0/webroot/log/apache/modsec_debug_log.log
SecFilterDebugLevel 0
SecFilterDefaultAction "deny,log,status:406"
SecFilter chmod redirect:http://127.0.0.1
SecFilter wget redirect:http://127.0.0.1
SecFilter cat redirect:http://127.0.0.1
SecFilter /etc/passwd
SecFilter /etc/shadow
SecFilter /etc/group
SecFilter "\.\./"
SecFilter "<( |\n)*script"
SecFilter "<(.|\n)+>"
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"
SecServerSignature "microsoft-IIS/6.0"
SecFilterSelective REQUEST_URI "py" "redirect:http://127.0.0.1"
SecFilterSelective REQUEST_URI "asp" "redirect:http://127.0.0.1"
SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"
```
Then restart Apache:
```
[root@localhost conf]# /etc/init.d/httpd restart
```
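The filter list above is worth dry-running before it goes live with a deny default, because several of its patterns are bare substrings: `cat`, `py` and `asp` fire on ordinary requests such as `/copyright.html?category=books` just as readily as on anything hostile. Two caveats a practitioner should know: ModSecurity 2.x (the 2.7.3 built above) no longer accepts the SecFilter* directives of the 1.x series, which were replaced by SecRuleEngine and SecRule, and Apache refuses to start on an unknown directive; and the `[[:space:]]` POSIX class in the SQL filters is not understood by every regex engine. The script below is an added example, not part of the page or of the ModSecurity project: it re-evaluates the page's patterns in Python against a handful of constructed requests. Its "ANY" target searching the URI, query string and body together is a simplification assumed for the example, not a claim about how mod_security 1.x applied SecFilter.

```python
import re

# Added example: the SecFilter/SecFilterSelective patterns from the page's
# mod_security.conf. Target "ANY" stands for a plain SecFilter (pattern searched
# over URI, query string and body; an assumption of this example), any other
# target names the SecFilterSelective variable it applies to.
FILTERS = [
    ("ANY", r"chmod"), ("ANY", r"wget"), ("ANY", r"cat"),
    ("ANY", r"/etc/passwd"), ("ANY", r"/etc/shadow"), ("ANY", r"/etc/group"),
    ("ANY", r"\.\./"),
    ("ANY", r"<( |\n)*script"),
    ("ANY", r"<(.|\n)+>"),
    ("ANY", r"delete[[:space:]]+from"),
    ("ANY", r"insert[[:space:]]+into"),
    ("ANY", r"select.+from"),
    ("REQUEST_URI", r"py"),
    ("REQUEST_URI", r"asp"),
    ("HTTP_USER_AGENT", r"^$"),
    ("HTTP_HOST", r"^$"),
]

# Python's re module has no POSIX bracket classes, so they must be rewritten
# before the page's patterns can be compiled.
POSIX_CLASSES = {"[:space:]": r"\s", "[:alpha:]": "a-zA-Z", "[:digit:]": "0-9"}


def posix_to_python(pattern):
    """Rewrite POSIX bracket classes into re syntax ([[:space:]] becomes a whitespace class)."""
    for posix, python in POSIX_CLASSES.items():
        pattern = pattern.replace(posix, python)
    return pattern


COMPILED = [(target, pattern, re.compile(posix_to_python(pattern)))
            for target, pattern in FILTERS]


def evaluate(request):
    """Return the (target, pattern) pairs that fire on one request.

    request maps REQUEST_URI, QUERY_STRING, POST_PAYLOAD, HTTP_USER_AGENT and
    HTTP_HOST to strings; a missing key counts as an empty value, which is
    exactly what the "^$" header rules are there to catch.
    """
    def field(name):
        return request.get(name, "")

    everything = "\n".join(field(n) for n in ("REQUEST_URI", "QUERY_STRING", "POST_PAYLOAD"))
    hits = []
    for target, pattern, regex in COMPILED:
        haystack = everything if target == "ANY" else field(target)
        if regex.search(haystack):
            hits.append((target, pattern))
    return hits


# Constructed sample requests; none of them was captured from a real server.
SAMPLE_REQUESTS = {
    "ordinary page view": {
        "REQUEST_URI": "/copyright.html", "QUERY_STRING": "category=books",
        "HTTP_USER_AGENT": "Mozilla/5.0", "HTTP_HOST": "www.example.com"},
    "path traversal": {
        "REQUEST_URI": "/download.php", "QUERY_STRING": "file=../../../../etc/passwd",
        "HTTP_USER_AGENT": "Mozilla/5.0", "HTTP_HOST": "www.example.com"},
    "sql keywords in search": {
        "REQUEST_URI": "/search.html", "QUERY_STRING": "q=select+name+from+users",
        "HTTP_USER_AGENT": "Mozilla/5.0", "HTTP_HOST": "www.example.com"},
    "missing Host header": {
        "REQUEST_URI": "/index.html", "QUERY_STRING": "",
        "HTTP_USER_AGENT": "Mozilla/5.0", "HTTP_HOST": ""},
}


def report(requests=SAMPLE_REQUESTS):
    """Map each request label to the rules that would block it (empty list = allowed)."""
    return {label: evaluate(req) for label, req in requests.items()}


if __name__ == "__main__":
    for label, hits in report().items():
        verdict = "blocked" if hits else "allowed"
        print(f"{label:24} {verdict:8} {hits}")
```

The first sample, a harmless page view, is blocked twice: `cat` matches inside `category` and `py` inside `copyright`. That is the kind of result to look for when tuning: a keyword that hits on normal traffic will either lock out users or, once it is commented out in frustration, remove whatever protection it was meant to give.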
Or download the ready-made configuration file:
```
[root@localhost conf]# wget http://download.lastme.com/apache/mod_security/mod_security.conf
```
```
# Configuration file notes
# Reference configuration:
# http://fedoranews.org/jorge/mod_security/mod_security.conf

# Turn the filtering engine On or Off
# Inspects every HTTP request; with this off the module does nothing
SecFilterEngine On

# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On

# Only allow bytes from this range
# Byte-range check, intended to block stack overflow attack payloads
SecFilterForceByteRange 32 126

# The audit engine works independently and
# can be turned On or Off on the per-server or
# on the per-directory basis
# Makes up for how little the Apache log records about a given user or attacker;
# the full details of an offending request are written to
# /data0/webroot/log/apache/audit_log.log
SecAuditEngine RelevantOnly

# The name of the audit log file
SecAuditLog /data0/webroot/log/apache/audit_log.log

# Debug log file and its location
SecFilterDebugLog /data0/webroot/log/apache/modsec_debug_log.log
SecFilterDebugLevel 0

# Should mod_security inspect POST payloads
# Enable this to have POST bodies checked as well
#SecFilterScanPOST On

# Action to take by default
# deny, log and status:406 are the actions applied; 406 is the HTTP status returned
SecFilterDefaultAction "deny,log,status:406"

# When chmod, wget or cat appears in a request, redirect to a dedicated page
SecFilter chmod redirect:http://127.0.0.1
SecFilter wget redirect:http://127.0.0.1
SecFilter cat redirect:http://127.0.0.1

# Redirect requests for py and asp
SecFilterSelective REQUEST_URI "py" "redirect:http://127.0.0.1"
SecFilterSelective REQUEST_URI "asp" "redirect:http://127.0.0.1"

# Disguise the server signature
SecServerSignature "microsoft-IIS/6.0"

# Prevent OS specific keywords
# (/etc/passwd is the file actually targeted; the reference config spelled it /etc/password)
SecFilter /etc/passwd
SecFilter /etc/shadow
SecFilter /etc/group

# Prevent path traversal (..) attacks
# e.g. cat ../../../../../etc/passwd
SecFilter "\.\./"

# Weaker XSS protection but allows common HTML tags
SecFilter "<( |\n)*script"

# Prevent XSS attacks (HTML/Javascript injection)
SecFilter "<(.|\n)+>"

# Very crude filters to prevent SQL injection attacks
# Blocks the keywords of the most common injection statements
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"

# Require HTTP_USER_AGENT and HTTP_HOST headers
SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

# Simple filter
#SecFilter 111

# Only check the QUERY_STRING variable
#SecFilterSelective QUERY_STRING 222

# Only check the body of the POST request
#SecFilterSelective POST_PAYLOAD 333

# Only check arguments (will work for GET and POST)
#SecFilterSelective ARGS 444

# Test filter
#SecFilter "/cgi-bin/keyword"

# Another test filter, will be denied with 404 but not logged
# action supplied as a parameter overrides the default action
#SecFilter 999 "deny,nolog,status:404"

# Forbid file upload
#SecFilterSelective "HTTP_CONTENT_TYPE" multipart/form-data

# Only watch argument p1
#SecFilterSelective "ARG_p1" 555

# Watch all arguments except p1
#SecFilterSelective "ARGS|!ARG_p2" 666

# Only allow our own test utility to send requests (or Mozilla)
#SecFilterSelective HTTP_USER_AGENT "!(mod_security|mozilla)"

# Do not allow variables with this name
#SecFilterSelective ARGS_NAMES 777

# Do not allow this variable value (names are ok)
#SecFilterSelective ARGS_VALUES 888

# Stop spamming through FormMail
# note the exclamation mark at the beginning
# of the filter - only requests that match this regex will
# be allowed
#
#SecFilterSelective "ARG_recipient" "!@webkreator.com$"
#
# when allowing upload, only allow images
# note that this is not foolproof, a determined attacker
# could get around this
#
#SecFilterInheritance Off
#SecFilterSelective POST_PAYLOAD "!image/(jpeg|bmp|gif)"
#
```
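The audit log the configuration points at (`SecAuditLog /data0/webroot/log/apache/audit_log.log`, with `RelevantOnly` so that only blocked or otherwise flagged transactions are written) is where the detail missing from the ordinary Apache log ends up. ModSecurity 2.x writes it in its serial format by default: each transaction is a sequence of parts delimited by `--<id>-<letter>--` lines, where A is the transaction header (timestamp, unique id, client and server addresses), B the request headers, H the audit trailer with the `Message:` line naming the rule that fired, and Z the terminator. The parser below is an added example, not the page's or the ModSecurity project's code; the log it reads is constructed for the example (documentation-range addresses, made-up transaction ids and rule line numbers), and the rule file path is the one the page installs to.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of a ModSecurity 2.x serial audit log with two transactions
# (added example, not a real capture): 192.0.2.0/24 addresses are the documentation
# range, transaction ids and rule line numbers are made up.
SAMPLE_AUDIT_LOG = r"""--a1b2c3d4-A--
[12/Apr/2013:14:02:11 +0800] UWfEQ38AAQEAAFGxAAAAAA 192.0.2.10 51234 198.51.100.5 80
--a1b2c3d4-B--
GET /download.php?file=../../../../etc/passwd HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0

--a1b2c3d4-H--
Message: Access denied with code 406 (phase 2). Pattern match "\.\./" at ARGS:file. [file "/usr/local/apache2/conf/mod_security.conf"] [line "28"]
Action: Intercepted (phase 2)
Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/).
Server: Apache/2.2.24 (Unix)
Engine-Mode: "ENABLED"

--a1b2c3d4-Z--

--e5f60718-A--
[12/Apr/2013:14:05:40 +0800] UWfFFH8AAQEAAFGyAAAAAB 192.0.2.77 40022 198.51.100.5 80
--e5f60718-B--
GET /search.html?q=select+name+from+users HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0

--e5f60718-H--
Message: Access denied with code 406 (phase 2). Pattern match "select.+from" at ARGS:q. [file "/usr/local/apache2/conf/mod_security.conf"] [line "41"]
Action: Intercepted (phase 2)
Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/).
Server: Apache/2.2.24 (Unix)
Engine-Mode: "ENABLED"

--e5f60718-Z--
"""

BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")
DENIAL = re.compile(
    r'^Message: Access denied with code (\d+) \(phase \d\)\. (.*?)\. '
    r'\[file "([^"]+)"\] \[line "(\d+)"\]')


def parse_audit_log(text):
    """Split a serial-format audit log into {transaction_id: {part_letter: body}}."""
    transactions = defaultdict(dict)
    current, buf = None, []
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            if current:
                transactions[current[0]][current[1]] = "\n".join(buf).strip("\n")
            current, buf = (m.group(1), m.group(2)), []
        elif current:
            buf.append(line)
    if current:
        transactions[current[0]][current[1]] = "\n".join(buf).strip("\n")
    return dict(transactions)


def denied_requests(transactions):
    """Join part A (client), part B (request line) and part H (rule message) per transaction."""
    records = []
    for tid, parts in transactions.items():
        a = parts.get("A", "").split()
        # Part A: [timestamp tz] unique_id client_ip client_port server_ip server_port
        if len(a) < 7:
            continue
        request_line = parts.get("B", "").splitlines()[:1]
        for line in parts.get("H", "").splitlines():
            m = DENIAL.match(line)
            if m:
                records.append({
                    "id": tid,
                    "time": a[0].lstrip("[") + " " + a[1].rstrip("]"),
                    "client": a[3],
                    "request": request_line[0] if request_line else "",
                    "status": int(m.group(1)),
                    "reason": m.group(2),
                    "rule_line": int(m.group(4)),
                })
    return records


def denials_per_client(records):
    """Count blocked requests per client address, the first view to check when tuning rules."""
    return Counter(r["client"] for r in records)


if __name__ == "__main__":
    recs = denied_requests(parse_audit_log(SAMPLE_AUDIT_LOG))
    for r in recs:
        print(f'{r["time"]} {r["client"]:12} {r["status"]} rule line {r["rule_line"]:3} '
              f'{r["request"]}  <- {r["reason"]}')
    print(denials_per_client(recs))
```

Run it against the real file (`parse_audit_log(open("/data0/webroot/log/apache/audit_log.log").read())`) to get one line per blocked request with the client, the request line and the rule that fired; the per-client counter separates a single noisy source from a rule that is tripping across many users, which is what decides whether to tune the rule or watch the client.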
Project home page: http://www.modsecurity.org/
Documentation: https://github.com/SpiderLabs/ModSecurity/wiki/
http://www.modsecurity.org/documentation/modsecurity-apache/2.5.6/modsecurity2-apache-reference.html#N1001D