# yum install mod_security mod_security_crs
/etc/httpd/conf.d/mod_security.conf (excerpt)
# Maximum request body size we will
# accept for buffering
#SecRequestBodyLimit 131072
SecRequestBodyLimit 5242880
SecRequestBodyNoFilesLimit 51200
/etc/httpd/modsecurity.d/modsecurity_localrules.conf
# Drop your local rules in here.
# White List IP
SecRule REMOTE_ADDR "@pmFromFile /etc/httpd/modsecurity.d/whitelist_ip.txt" \
"phase:1,id:'1000001',nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off"
# White List URI
SecRule REQUEST_URI "@pmFromFile /etc/httpd/modsecurity.d/whitelist_uri.txt" \
"phase:1,id:'1000002',nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off"
# White List URI 2
SecRule REQUEST_URI "@rx ^\/Etc\/" \
"phase:1,id:'1000003',nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off"
# White List Sub-Domain
SecRule REQUEST_HEADERS:Host "@pmFromFile /etc/httpd/modsecurity.d/whitelist_subdomain.txt" \
"phase:1,id:'1000004',nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off"
# ZmEu Attack / phpMyAdmin
SecRule REQUEST_URI "@rx (?i)\/(php-?My-?Admin[^\/]*|mysqlmanager|myadmin|pma2005|pma\/scripts|w00tw00t[^\/]+)\/" \
"severity:alert,id:'0000013',deny,log,status:400,msg:'Unacceptable folder.',severity:'2'"
ModSecurity: No action id present within the rule
/etc/httpd/modsecurity.d/whitelist_ip.txt
List the IP addresses that mod_security should not restrict.
A comment starts with "#" at the beginning of the line.
# localhost
127.0.0.1
# example.com
xxx.xxx.xxx.xxx
# example.net
yyy.yyy.yyy.yyy
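Rule 1000001 compares REMOTE_ADDR using @pmFromFile, which is a case-insensitive phrase match anywhere in the value, whereas @ipMatchFromFile compares addresses and CIDR blocks. The following is an added example (not part of the original page and not ModSecurity's own code) that models both semantics in Python so a whitelist file can be audited for entries that the phrase match accepts too broadly. The function names, the sample whitelist and the probe addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample in the whitelist_ip.txt format shown above
# ("#" at the start of a line is a comment). Addresses use documentation ranges.
SAMPLE_WHITELIST = """\
# localhost
127.0.0.1
# example.com (constructed address)
192.0.2.1
"""

def load_entries(text):
    """Return the non-empty, non-comment lines of a whitelist file."""
    lines = (line.strip() for line in text.splitlines())
    return [l for l in lines if l and not l.startswith("#")]

def pm_match(entries, remote_addr):
    """Model of @pm / @pmFromFile: case-insensitive phrase found anywhere in the value."""
    value = remote_addr.lower()
    return any(e.lower() in value for e in entries)

def ip_match(entries, remote_addr):
    """Model of @ipMatch / @ipMatchFromFile: address or CIDR comparison."""
    addr = ipaddress.ip_address(remote_addr)
    for e in entries:
        try:
            if addr in ipaddress.ip_network(e, strict=False):
                return True
        except ValueError:
            continue  # entry is not an IP or CIDR block (e.g. a placeholder line)
    return False

def audit(entries, probes):
    """Return probe addresses accepted by the phrase match but not by the IP match."""
    return [p for p in probes if pm_match(entries, p) and not ip_match(entries, p)]

if __name__ == "__main__":
    entries = load_entries(SAMPLE_WHITELIST)
    probes = ["127.0.0.1", "192.0.2.1", "192.0.2.10", "192.0.2.100", "198.51.100.7"]
    for p in audit(entries, probes):
        print(f"{p}: allowed by phrase match only")
```

Any address the audit reports would pass a rule that sets ctl:ruleEngine=Off, so for REMOTE_ADDR the whitelist rule is better written with @ipMatchFromFile against the same file.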
/etc/httpd/modsecurity.d/whitelist_uri.txt
List the URIs that mod_security should not restrict.
/cgi-bin/etc/PrintEnv.cgi
/cgi-bin/etc/PrintEnv_txt.cgi
/cgi-bin/etc/index.cgi
/cgi-bin/etc/testCGI.cgi
/etc/httpd/modsecurity.d/whitelist_subdomain.txt
List the host names that mod_security should not restrict.
# WebApp1
vh1.takeash.net
/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_20_protocol_violations.conf
Last edited by TakeAsh, 2018-09-06 03:06:08