Attachment 27550 Details for Bug 32190 – an example of 99_mod_security.conf

an example of 99_mod_security.conf

99_mod_security.conf (text/plain), 3.32 KB, created by Julien Allanos (RETIRED) on 2004-03-18 07:09:12 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Julien Allanos (RETIRED)

Created: 2004-03-18 07:09:12 UTC

Size: 3.32 KB

patch

obsolete

><IfDefine SECURITY>
>  <IfModule !mod_security.c>
>    LoadModule security_module    extramodules/mod_security.so
>  </IfModule>
></IfDefine>
>
># Examples below are taken from the online documentation
># Refer to:
># http://www.modsecurity.org/documentation/quick-examples.html
>
><IfModule mod_security.c>
>
>    # Turn the filtering engine On or Off
>    SecFilterEngine On
>
>    # Make sure that URL encoding is valid
>    SecFilterCheckURLEncoding On
>
>    # Only allow bytes from this range
>    SecFilterForceByteRange 32 126
>
>    # The audit engine works independently and
>    # can be turned On of Off on the per-server or
>    # on the per-directory basis
>    SecAuditEngine RelevantOnly
>
>    # The name of the audit log file
>    SecAuditLog logs/audit_log
>
>    SecFilterDebugLog logs/modsec_debug_log
>    SecFilterDebugLevel 0
>
>    # Should mod_security inspect POST payloads
>    SecFilterScanPOST On
>
>    # Action to take by default
>    SecFilterDefaultAction "deny,log,status:406"
>
>    # Redirect user on filter match
>    SecFilter xxx redirect:http://www.webkreator.com
>
>    # Execute the external script on filter match
>    SecFilter yyy log,exec:/home/ivanr/apache/bin/report-attack.pl
>
>    # Simple filter
>    SecFilter 111
>    
>    # Only check the QUERY_STRING variable
>    SecFilterSelective QUERY_STRING 222
>
>    # Only check the body of the POST request
>    SecFilterSelective POST_PAYLOAD 333
>
>    # Only check arguments (will work for GET and POST)
>    SecFilterSelective ARGS 444
>
>    # Test filter
>    SecFilter "/cgi-bin/keyword"
>
>    # Another test filter, will be denied with 404 but not logged
>    # action supplied as a parameter overrides the default action
>    SecFilter 999 "deny,nolog,status:404"
>
>    # Prevent OS specific keywords
>    SecFilter /etc/password
>
>    # Prevent path traversal (..) attacks
>    SecFilter "\.\./"
>
>    # Weaker XSS protection but allows common HTML tags
>    SecFilter "<( |\n)*script"
>
>    # Prevent XSS atacks (HTML/Javascript injection)
>    SecFilter "<(.|\n)+>"
>
>    # Very crude filters to prevent SQL injection attacks
>    SecFilter "delete[[:space:]]+from"
>    SecFilter "insert[[:space:]]+into"
>    SecFilter "select.+from"
>
>    # Require HTTP_USER_AGENT and HTTP_HOST headers
>    SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"
>
>    # Forbid file upload
>    SecFilterSelective "HTTP_CONTENT_TYPE" multipart/form-data
>
>    # Only watch argument p1
>    SecFilterSelective "ARG_p1" 555
>
>    # Watch all arguments except p1
>    SecFilterSelective "ARGS|!ARG_p2" 666
>
>    # Only allow our own test utility to send requests (or Mozilla)
>    SecFilterSelective HTTP_USER_AGENT "!(mod_security|mozilla)"
>
>    # Do not allow variables with this name
>    SecFilterSelective ARGS_NAMES 777
>
>    # Do now allow this variable value (names are ok)
>    SecFilterSelective ARGS_VALUES 888
>
>    # Stop spamming through FormMail
>    # note the exclamation mark at the beginning
>    # of the filter - only requests that match this regex will
>    # be allowed
>    <Location /cgi-bin/FormMail>
>        SecFilterSelective "ARG_recipient" "!@webkreator.com$"
>    </Location>
>
>    # when allowing upload, only allow images
>    # note that this is not foolproof, a determined attacker
>    # could get around this 
>    <Location /fileupload.php>
>        SecFilterInheritance Off
>        SecFilterSelective POST_PAYLOAD "!image/(jpeg|bmp|gif)"
>    </Location>
>
></IfModule>

Actions: View

Attachments on bug 32190: 19891 | 19926 | 26532 | 27550 | 27924 | 27925 | 27926 | 27927