Reference for when mod_security leaves "Access deny" in the log on file upload

Computer/linux 2008. 6. 3. 16:32
http://www.sulinux.net/bbs/board.php?bo_table=success&wr_id=14&page=2
http://kldp.org/node/71214
http://sir.co.kr/bbs/board.php?bo_table=gblog_qa&wr_id=1704&page=1

Set this in httpd.conf,
or, if it is not there, in modsecurity.conf:

::: SecFilterScanPost On   ===>   SecFilterScanPost Off
::: apache restart

Caveat: SecFilterScanPost Off makes ModSecurity stop reading POST bodies altogether, so every ARGS and POST_PAYLOAD rule in the rulesets below (SQL injection, XSS, command execution) goes blind to form posts on the whole server. If only one upload script is being blocked, it is safer to keep SecFilterScanPost On globally and turn it off for that script alone in a <Location> block, or to comment out just the rule named in the mod_security-message line of modsec_audit.log.
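As an added example (not part of the original note or of the thread it reposts), here is the global change above shown beside a scoped alternative, in the same ModSecurity 1.x directive syntax the thread uses. The upload path /blog/upload.php is an assumption; substitute the script named in the "POST /..." request line of the blocked modsec_audit.log entry.

```apacheconf
# Added example, not from the original note. ModSecurity 1.x (SecFilter*) directives.

# --- Weak fix (what the note above does): POST bodies are no longer read anywhere,
# so every ARGS / POST_PAYLOAD rule in the ruleset is blind to form posts server-wide.
#SecFilterScanPost Off

# --- Scoped fix: keep body scanning on for the whole server ...
SecFilterEngine On
SecFilterScanPost On
SecFilterDefaultAction "log,deny,status:403"
SecAuditEngine RelevantOnly
SecAuditLog logs/modsec_audit.log
SecUploadDir /tmp
SecUploadKeepFiles Off

# ... and switch it off only for the script that receives the upload.
# The path below is an assumption; take the real one from the "POST /..." request
# line of the modsec_audit.log entry that carries the mod_security-message.
<Location /blog/upload.php>
    # Rules and settings are inherited from the server context (SecFilterInheritance
    # defaults to On), so URI and header checks still run here; only the body is skipped.
    SecFilterScanPost Off
</Location>
```

Restart Apache afterwards and confirm in modsec_audit.log: a multipart POST to the exempted script should no longer produce an "Access denied" entry, while the same payload posted to any other script on the server still does.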

Reference...
A few days ago there was a news report that about 1,000 web sites
had been hacked by Chinese crackers.
Recent hacking techniques are said to consist mainly of attacks through the web.
The way to prevent this is to install the mod_security web firewall.
The PDF document is the one distributed by the Internet Promotion Agency (인터넷 진흥원).
The archive is the mod_security source.
Install as described in the document...
and in httpd.conf either include the rules as a file, like this:
 
<IfModule mod_security.c>
Include conf/modsecurity.conf
</IfModule>
or add them directly.
 
Note, however, that anyone installing Tatter Tools must comment out the line
##### General #####
SecFilterSelective HTTP_Host|HTTP_User-Agent|HTTP_Accept "^$"
in the section below, or the installation will not work.
Please keep this in mind.
 
 
##### Configuration #####
SecFilterEngine On
SecFilterScanPost On
SecFilterScanOutput Off
SecFilterOutputMimeTypes "(null) text/html text/plain"
##### Validation #####
SecFilterCheckURLEncoding On
SecUploadDir /tmp
SecUploadKeepFiles Off
SecFilterCheckUnicodeEncoding Off
SecFilterForceByteRange 1 255
SecFilterDefaultAction "log,deny,status:403"
##### Logging #####
SecFilterDebugLog logs/modsec_debug.log
SecFilterDebugLevel 1
SecAuditEngine RelevantOnly
SecAuditLog logs/modsec_audit.log
##### Hardening #####
# Block GET or HEAD requests that carry a body (very likely an attack)
SecFilterSelective REQUEST_METHOD "^(GET|HEAD)$" chain
SecFilterSelective HTTP_Content-Length "!^$"
SecFilterSelective SERVER_PROTOCOL "!^HTTP/(0\.9|1\.0|1\.1)$"
# Block POST requests without a Content-Length
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"
SecFilterSelective HTTP_Transfer-Encoding "!^$"
##### General #####
SecFilterSelective HTTP_Host|HTTP_User-Agent|HTTP_Accept "^$"
SecFilterSelective HTTP_User-Agent "(libwhisker|paros|wget|libwww|perl|curl|java)"
##### SQL Injection Attacks #####
SecFilterSignatureAction "log,deny,msg:'SQL Injection attack'"
SecFilterSelective ARGS "delete[[:space:]]+from"
SecFilterSelective ARGS "drop[[:space:]]+database"
SecFilterSelective ARGS "drop[[:space:]]+table"
SecFilterSelective ARGS "drop[[:space:]]+column"
SecFilterSelective ARGS "drop[[:space:]]+procedure"
SecFilterSelective ARGS "create[[:space:]]+table"
SecFilterSelective ARGS "update.+set.+="
SecFilterSelective ARGS "insert[[:space:]]+into.+values"
SecFilterSelective ARGS "select.+from"
SecFilterSelective ARGS "bulk[[:space:]]+insert"
SecFilterSelective ARGS "union.+select"
SecFilterSelective ARGS "or.+1[[:space:]]*=[[:space:]]1"
SecFilterSelective ARGS "alter[[:space:]]+table"
SecFilterSelective ARGS "or 1=1--'"
SecFilterSelective ARGS "'.+--"
SecFilterSelective ARGS "into[[:space:]]+outfile"
SecFilterSelective ARGS "load[[:space:]]+data"
SecFilterSelective ARGS "/\*.+\*/"
##### XSS Attacks #####
SecFilterSignatureAction "log,deny,msg:'XSS attack'"
SecFilterSelective ARGS "<script"
SecFilterSelective ARGS ".javascript"
SecFilterSelective ARGS "vbscript:"
SecFilterSelective ARGS "document\.cookie"
SecFilterSelective ARGS "document\.location"
SecFilterSelective ARGS "document\.write"
##### Command Execution #####
SecFilterSignatureAction "log,deny,msg:'Command execution attack'"
SecFilterSelective ARGS_VALUES ";[[:space:]]*(ls|id|pwd|wget)"
##### PHP Attacks #####
SecFilterSelective ARGS_NAMES "(^globals\[|^globals$)"
# Block requests that carry a URL in a parameter
SecFilterSignatureAction "log,deny,msg:'PHP Injection Attacks'"
SecFilterSelective ARGS_VALUES "^http:/"
# Block when a parameter contains keywords such as "ls", "id", "pwd", "wget"
SecFilterSignatureAction "log,deny,msg:'Command execution attack'"
SecFilterSelective ARGS_VALUES ";[[:space:]]*(ls|id|pwd|wget)"
# Block command-execution results in the output filter
# (OUTPUT rules only take effect when SecFilterScanOutput is On; it is Off in the Configuration section above)
# Block the output of the "id" command
SecFilterSelective OUTPUT "uid=[[:digit:]]+\([[:alnum:]]+\) gid=[[:digit:]]+\([[:alnum:]]+\)"
# Block the output of "ls -l"
SecFilterSelective OUTPUT "total [[:digit:]]+"
# Block the output of "wget"
SecFilterSelective OUTPUT "HTTP request sent, awaiting response"
[This post was moved by the administrator from Q&A 1.0 on 2007-03-02 16:03:03]

Admin   07-02-14 17:18
Thank you as always, 제다이 ^^
In 1.5, mod_security is installed by default!
Admin   07-03-02 16:09
Hello,
제다이.
With the release of SULinux 1.5
we are opening an "Installation Success Stories" board
made up only of the various useful pieces of information you have provided.
I have moved the post there.
Thank you.
제다이   07-03-02 21:35
Please drop the configuration above and use the following one instead.
I merged several configurations found through web searches.

It allows Zeroboard 4 and 5, GnuBoard, Tatter Tools and phpMyAdmin to be installed,
and when an error occurs you can easily tell which part it came from.

Revised 2007-03-22

# ---------------------------------------------------------------
# Core ModSecurity Rule Set
# Copyright (C) 2006 Breach Security Inc. All rights reserved.
#
# The ModSecurity Core Rule Set is distributed under GPL version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------

##### Configuration #####
SecFilterEngine On
SecFilterScanPost On
SecFilterScanOutput Off
SecFilterOutputMimeTypes "(null) text/html text/plain"

##### Validation #####
SecFilterCheckURLEncoding On
SecUploadDir /tmp
SecUploadKeepFiles Off
SecFilterCheckUnicodeEncoding Off
SecFilterForceByteRange 1 255
SecFilterDefaultAction "log,deny,status:500"
#SecFilterDefaultAction "log,deny,redirect:http://www.test.com"
##### Logging #####
SecFilterDebugLog logs/modsec_debug.log
SecFilterDebugLevel 1
SecAuditEngine RelevantOnly
SecAuditLog logs/modsec_audit.log

# Block SQL injection
SecFilterSignatureAction "log,deny,msg:'SQL Injection1'"
#SecFilterSelective ARGS "delete[[:space:]]+from"
SecFilterSignatureAction "log,deny,msg:'SQL Injection2'"
#SecFilterSelective ARGS "drop[[:space:]]+database"
SecFilterSignatureAction "log,deny,msg:'SQL Injection3'"
#SecFilterSelective ARGS "drop[[:space:]]+table"
SecFilterSignatureAction "log,deny,msg:'SQL Injection4'"
#SecFilterSelective ARGS "drop[[:space:]]+column"
SecFilterSignatureAction "log,deny,msg:'SQL Injection5'"
SecFilterSelective ARGS "drop[[:space:]]+procedure"
SecFilterSignatureAction "log,deny,msg:'SQL Injection6'"
SecFilterSelective ARGS "create[[:space:]]+table"
SecFilterSignatureAction "log,deny,msg:'SQL Injection7'"
SecFilterSelective ARGS "update.+set.+="
SecFilterSignatureAction "log,deny,msg:'SQL Injection8'"
SecFilterSelective ARGS "insert[[:space:]]+into.+values"
SecFilterSignatureAction "log,deny,msg:'SQL Injection9'"
#SecFilterSelective ARGS "select.+from"
SecFilterSignatureAction "log,deny,msg:'SQL Injection10'"
SecFilterSelective ARGS "bulk[[:space:]]+insert"
SecFilterSignatureAction "log,deny,msg:'SQL Injection11'"
SecFilterSelective ARGS "union.+select"
SecFilterSignatureAction "log,deny,msg:'SQL Injection12'"
SecFilterSelective ARGS "or.+1[[:space:]]*=[[:space:]]1"
SecFilterSignatureAction "log,deny,msg:'SQL Injection13'"
#SecFilterSelective ARGS "alter[[:space:]]+table"
SecFilterSignatureAction "log,deny,msg:'SQL Injection14'"
SecFilterSelective ARGS "or 1=1--'"
SecFilterSignatureAction "log,deny,msg:'SQL Injection15'"
SecFilterSelective ARGS "'.+--"
SecFilterSignatureAction "log,deny,msg:'SQL Injection16'"
SecFilterSelective ARGS "into[[:space:]]+outfile"
SecFilterSignatureAction "log,deny,msg:'SQL Injection17'"
SecFilterSelective ARGS "load[[:space:]]+data"
SecFilterSignatureAction "log,deny,msg:'SQL Injection18'"
SecFilterSelective ARGS "/\*.+\*/"

##### Hardening #####
# Block GET or HEAD requests that carry a body (very likely an attack)
SecFilterSignatureAction "log,deny,msg:'Hardening attack1'"
SecFilterSelective REQUEST_METHOD "^(GET|HEAD)$" chain
SecFilterSignatureAction "log,deny,msg:'Hardening attack2'"
SecFilterSelective HTTP_Content-Length "!^$"
SecFilterSignatureAction "log,deny,msg:'Hardening attack3'"
SecFilterSelective SERVER_PROTOCOL "!^HTTP/(0\.9|1\.0|1\.1)$"

##### Block POST requests without a Content-Length
SecFilterSignatureAction "log,deny,msg:'POST attack1'"
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSignatureAction "log,deny,msg:'POST attack2'"
SecFilterSelective HTTP_Content-Length "^$"
SecFilterSignatureAction "log,deny,msg:'POST attack3'"
SecFilterSelective HTTP_Transfer-Encoding "!^$"

##### General #####
SecFilterSignatureAction "log,deny,msg:'General attack1'"
#SecFilterSelective HTTP_Host|HTTP_User-Agent|HTTP_Accept "^$"
SecFilterSignatureAction "log,deny,msg:'General attack2'"
SecFilterSelective HTTP_User-Agent "(libwhisker|paros|wget|libwww|perl|curl|java)"

##### XSS Attacks #####
SecFilterSignatureAction "log,deny,msg:'XSS attack1'"
SecFilterSelective ARGS "<script"
SecFilterSignatureAction "log,deny,msg:'XSS attack2'"
SecFilterSelective ARGS ".javascript"
SecFilterSignatureAction "log,deny,msg:'XSS attack3'"
SecFilterSelective ARGS "vbscript:"
SecFilterSignatureAction "log,deny,msg:'XSS attack4'"
SecFilterSelective ARGS "document\.cookie"
SecFilterSignatureAction "log,deny,msg:'XSS attack5'"
SecFilterSelective ARGS "document\.location"
SecFilterSignatureAction "log,deny,msg:'XSS attack6'"
SecFilterSelective ARGS "document\.write"
SecFilterSignatureAction "log,deny,msg:'XSS attack7'"
#SecFilterSelective ARGS "<.+>"
SecFilterSignatureAction "log,deny,msg:'XSS attack8'"
SecFilterSelective ARGS "http-equiv"
SecFilterSignatureAction "log,deny,msg:'XSS attack9'"
SecFilterSelective ARGS "-->"
SecFilterSignatureAction "log,deny,msg:'XSS attack10'"
SecFilterSelective ARGS "innerHTML"
SecFilterSignatureAction "log,deny,msg:'XSS attack11'"
SecFilterSelective ARGS "document\.body"
SecFilterSignatureAction "log,deny,msg:'XSS attack12'"
SecFilterSelective ARGS "style[[:space:]]*="
SecFilterSignatureAction "log,deny,msg:'XSS attack13'"
SecFilterSelective ARGS "dynsrc"
SecFilterSignatureAction "log,deny,msg:'XSS attack14'"
SecFilterSelective ARGS "<applet"

##### Command Execution #####
# Block when a parameter contains keywords such as "ls", "id", "pwd", "wget"
SecFilterSignatureAction "log,deny,msg:'Command execution ls id pwd wget attack'"
SecFilterSelective ARGS_VALUES ";[[:space:]]*(ls|id|pwd|wget)"

# Block command-execution results in the output filter
# (OUTPUT rules only take effect when SecFilterScanOutput is On; it is Off in the Configuration section above)
# Block the output of the "id" command
#SecFilterSelective OUTPUT "uid=[[:digit:]]+\([[:alnum:]]+\) gid=[[:digit:]]+\([[:alnum:]]+\)"

# Block the output of "ls -l"
SecFilterSignatureAction "log,deny,msg:'ls -l attack'"
SecFilterSelective OUTPUT "total [[:digit:]]+"

# Block the output of "wget"
SecFilterSignatureAction "log,deny,msg:'wget attack'"
SecFilterSelective OUTPUT "HTTP request sent, awaiting response"

# Block requests that carry a URL in a parameter (PHP injection attacks)
SecFilterSignatureAction "log,deny,msg:'PHP Injection Attacks1'"
#SecFilterSelective ARGS_VALUES "^http:/"
SecFilterSignatureAction "log,deny,msg:'PHP Injection Attacks2'"
SecFilterSelective ARGS_VALUES "^ftp:/"
SecFilterSignatureAction "log,deny,msg:'PHP Injection Attacks3'"
SecFilterSelective ARGS_NAMES "^php:/"
SecFilterSignatureAction "log,deny,msg:'PHP Injection Attacks4'"
SecFilterSelective ARGS_NAMES "(^globals\[|^globals$)"
SecFilterSignatureAction "log,deny,msg:'PHP Injection Attacks5'"
SecFilter "^GET (http|https|ftp)\:/"
SecFilterSignatureAction "log,deny,msg:'PHP Injection Attacks6'"
SecFilter "^HEAD (http|https|ftp)\:/"
SecFilterSignatureAction "log,deny,msg:'PHP Injection Attacks7'"
SecFilter "^POST (http|https|ftp)\:/"
SecFilterSignatureAction "log,deny,msg:'PHP Injection Attacks8'"
SecFilterSelective THE_REQUEST "^CONNECT "
SecFilterSignatureAction "log,deny,msg:'PHP Injection Attacks9'"
SecFilterSelective HTTP_Content-Type "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data)"
SecFilterSignatureAction "log,deny,msg:'PHP Injection Attacks10'"
SecFilterSelective HTTP_Transfer-Encoding "!^$"

# Block anything other than GET, HEAD and POST.
SecFilterSignatureAction "log,deny,msg:'GET HEAD POST attack'"
SecFilterSelective REQUEST_METHOD "!^(GET|HEAD|POST)$"

# Zeroboard / RGBoard: block if the following names appear in URL parameters.
SecFilterSignatureAction "log,deny,msg:'zero rgboard attack1'"
SecFilterSelective ARGS_NAMES "_zb_path"
SecFilterSignatureAction "log,deny,msg:'zero rgboard attack2'"
SecFilterSelective ARGS_NAMES "site_path"

# Block search robots and specific user agents.
SecFilterSignatureAction "log,deny,msg:'robot Attacks'"
SecFilterSelective HTTP_USER_AGENT "Web Downloader"
SecFilterSelective HTTP_USER_AGENT "Webster"
SecFilterSelective HTTP_USER_AGENT "teleport pro"
SecFilterSelective HTTP_USER_AGENT "combine"
SecFilterSelective HTTP_USER_AGENT "Black Hole"
SecFilterSelective HTTP_USER_AGENT "SiteSnagger"
SecFilterSelective HTTP_USER_AGENT "ProWebWalker"
SecFilterSelective HTTP_USER_AGENT "CheeseBot"
SecFilterSelective HTTP_USER_AGENT "SmartDownload"
SecFilterSelective HTTP_USER_AGENT "Offline Explorer"
SecFilterSelective HTTP_USER_AGENT "Ninja"
SecFilterSelective HTTP_USER_AGENT "NetZIP"
SecFilterSelective HTTP_USER_AGENT "HTTrack"
SecFilterSelective HTTP_USER_AGENT "Googlebot-Image"
SecFilterSelective HTTP_USER_AGENT "Download"
SecFilterSelective HTTP_USER_AGENT "BackDoorBot"
SecFilterSelective HTTP_USER_AGENT "ah-ha"
SecFilterSelective HTTP_USER_AGENT "Alexibot"
SecFilterSelective HTTP_USER_AGENT "Atomz"
SecFilterSelective HTTP_USER_AGENT "Microsoft-WebDAV-MiniRedir"
SecFilterSelective HTTP_USER_AGENT "Googlebot/"
SecFilterSelective HTTP_USER_AGENT "PlantyNet_WebRobot_V1\.9"
SecFilterSelective HTTP_USER_AGENT "lwp"
SecFilterSelective HTTP_USER_AGENT "Mozilla/2\.0"
SecFilterSelective HTTP_USER_AGENT "WebZIP"
SecFilterSelective HTTP_USER_AGENT "Teleport"
SecFilterSelective HTTP_USER_AGENT "GetRight"
SecFilterSelective HTTP_USER_AGENT "FlashGet"
SecFilterSelective HTTP_USER_AGENT "JetCar"
SecFilterSelective HTTP_USER_AGENT "Go!Zilla"
SecFilterSelective HTTP_USER_AGENT "NamoWebEditor"
SecFilterSelective HTTP_USER_AGENT "MSFrontPage"
SecFilterSelective HTTP_USER_AGENT "WebTrack-HTTPP"
SecFilterSelective HTTP_USER_AGENT "WebSymmetrix"
SecFilterSelective HTTP_USER_AGENT "AD2000"
SecFilterSelective HTTP_USER_AGENT "WebSpy"
SecFilterSelective HTTP_USER_AGENT "WebStripper"
SecFilterSelective HTTP_USER_AGENT "WebSnatcher"
SecFilterSelective HTTP_USER_AGENT "WebGet"
SecFilterSelective HTTP_USER_AGENT "HSlide"
SecFilterSelective HTTP_USER_AGENT "WebCopier"
SecFilterSelective HTTP_USER_AGENT "Microsoft URL Control"
SecFilterSelective HTTP_USER_AGENT "Website eXtractor"
SecFilterSelective HTTP_USER_AGENT "Internet Ninja"
SecFilterSelective HTTP_USER_AGENT "fortuna"
SecFilterSelective HTTP_USER_AGENT "SuperHTTP"
SecFilterSelective HTTP_USER_AGENT "WISEbot/"
SecFilterSelective HTTP_USER_AGENT "NaverBot-1\.0"
SecFilterSelective HTTP_USER_AGENT "Talkro"
SecFilterSelective HTTP_USER_AGENT "Web-Shot/"
SecFilterSelective HTTP_USER_AGENT "Arachmo"
SecFilterSelective HTTP_USER_AGENT "WinHTTrack Website Copier"
SecFilterSelective HTTP_USER_AGENT "BlackWidow"
SecFilterSelective HTTP_USER_AGENT "SuperBot"
SecFilterSelective HTTP_USER_AGENT "MM3-WebAssistant"
SecFilterSelective HTTP_USER_AGENT "Website Extractor"
SecFilterSelective HTTP_USER_AGENT "Offline Explorer Pro"
SecFilterSelective HTTP_USER_AGENT "GetBot"
SecFilterSelective HTTP_USER_AGENT "SBWcc Website Capture"
SecFilterSelective HTTP_USER_AGENT "Leech"
SecFilterSelective HTTP_USER_AGENT "HTTP Weazel"
SecFilterSelective HTTP_USER_AGENT "WebGainer"
SecFilterSelective HTTP_USER_AGENT "Offline Explorer Enterprise"
SecFilterSelective HTTP_USER_AGENT "PageSucker"
SecFilterSelective HTTP_USER_AGENT "QuadSucker/Web"
SecFilterSelective HTTP_USER_AGENT "BackStreet Browser"
SecFilterSelective HTTP_USER_AGENT "Offline Navigator"
SecFilterSelective HTTP_USER_AGENT "Aaron's WebVacuum"
SecFilterSelective HTTP_USER_AGENT "JOC Web Spider"
SecFilterSelective HTTP_USER_AGENT "Grab-a-Site"
SecFilterSelective HTTP_USER_AGENT "PicScour"
SecFilterSelective HTTP_USER_AGENT "RafaBot"
SecFilterSelective HTTP_USER_AGENT "Cli-Mate"
SecFilterSelective HTTP_USER_AGENT "eNotebook"
SecFilterSelective HTTP_USER_AGENT "WebSlinky"
SecFilterSelective HTTP_USER_AGENT "Pictures Grabber"
SecFilterSelective HTTP_USER_AGENT "Web Dumper"
SecFilterSelective HTTP_USER_AGENT "WebCatcher"
SecFilterSelective HTTP_USER_AGENT "SurfOffline"
SecFilterSelective HTTP_USER_AGENT "NetGrabber"
SecFilterSelective HTTP_USER_AGENT "Power Siphon"
SecFilterSelective HTTP_USER_AGENT "Rip Clip"
SecFilterSelective HTTP_USER_AGENT "WebWhacker"
SecFilterSelective HTTP_USER_AGENT "Offline CHM"
SecFilterSelective HTTP_USER_AGENT "webpictureboss"
SecFilterSelective HTTP_USER_AGENT "Visual Web Task"
SecFilterSelective HTTP_USER_AGENT "Web Shutter"
SecFilterSelective HTTP_USER_AGENT "NavRoad"
SecFilterSelective HTTP_USER_AGENT "7 Download Services"
SecFilterSelective HTTP_USER_AGENT "WebCloner Standard"
SecFilterSelective HTTP_USER_AGENT "EZ Save MHT"
SecFilterSelective HTTP_USER_AGENT "Yahoo! Slurp"
SecFilterSelective HTTP_USER_AGENT "msnbot/"
SecFilterSelective HTTP_USER_AGENT "1Noonbot 1\.0"
SecFilterSelective HTTP_USER_AGENT "Gigabot/"
SecFilterSelective HTTP_USER_AGENT "CopyRightCheck"
SecFilterSelective HTTP_USER_AGENT "CopyGuard"
SecFilterSelective HTTP_USER_AGENT "Digimarc WebReader"
SecFilterSelective "HTTP_USER_AGENT" "<.+>"
SecFilterSelective THE_REQUEST "robotsxx\.txt"
SecFilterSelective THE_REQUEST "robots\.txt"

# Block cracking attempts.
SecFilterSignatureAction "log,deny,msg:'cracking attack1'"
SecFilterSelective THE_REQUEST "/htmlscript\?\.\./\.\."
SecFilterSignatureAction "log,deny,msg:'cracking attack2'"
SecFilterSelective THE_REQUEST "/view-source"
SecFilterSignatureAction "log,deny,msg:'cracking attack3'"
SecFilterSelective THE_REQUEST "///"
SecFilterSignatureAction "log,deny,msg:'cracking attack4'"
SecFilterSelective THE_REQUEST "\?\?\?\?\?\?\?\?\?\?"
SecFilterSignatureAction "log,deny,msg:'cracking attack5'"
SecFilterSelective THE_REQUEST "\.html/\.\.\.\.\.\."
SecFilterSignatureAction "log,deny,msg:'cracking attack6'"
SecFilterSelective THE_REQUEST "<script"
SecFilterSignatureAction "log,deny,msg:'cracking attack7'"
SecFilterSelective THE_REQUEST "/config\.php"
SecFilterSignatureAction "log,deny,msg:'cracking attack8'"
SecFilterSelective THE_REQUEST "/db\.inc\.php"
SecFilterSignatureAction "log,deny,msg:'cracking attack9'"
SecFilterSelective THE_REQUEST "/include"
SecFilterSignatureAction "log,deny,msg:'cracking attack10'"
SecFilterSelective QUERY_STRING "\.\./" chain
SecFilterSignatureAction "log,deny,msg:'cracking attack11'"
SecFilterSelective QUERY_STRING "http://"
SecFilterSignatureAction "log,deny,msg:'cracking attack12'"
SecFilterSelective QUERY_STRING "ftp://"
SecFilterSignatureAction "log,deny,msg:'cracking attack13'"
SecFilter "&cmd=chdir\x20"
SecFilterSignatureAction "log,deny,msg:'cracking attack14'"
SecFilter "img src=javascript"
SecFilterSignatureAction "log,deny,msg:'cracking attack15'"
#SecFilter "\.\./"
SecFilterSignatureAction "log,deny,msg:'cracking attack16'"
SecFilter "/RWAPM/RTM20040531"
SecFilterSignatureAction "log,deny,msg:'cracking attack17'"
SecFilter "/RWAPM/RTM20040531/bin"
SecFilterSignatureAction "log,deny,msg:'cracking attack18'"
SecFilter "conf/httpd\.conf"
SecFilterSignatureAction "log,deny,msg:'cracking attack19'"
SecFilter "\.\./\.\."
SecFilterSignatureAction "log,deny,msg:'cracking attack20'"
SecFilter "\.\./\.\./"
SecFilterSignatureAction "log,deny,msg:'cracking attack21'"
SecFilter "/\.\./\.\./\.\./\.\./"
SecFilterSignatureAction "log,deny,msg:'cracking attack22'"
SecFilter "net localgroup administrators /add"
SecFilterSignatureAction "log,deny,msg:'cracking attack23'"
SecFilter "file\://"
SecFilterSignatureAction "log,deny,msg:'cracking attack24'"
SecFilter "window\.open\(readme\.eml"
SecFilterSignatureAction "log,deny,msg:'cracking attack25'"
SecFilter "document\.domain\("
SecFilterSignatureAction "log,deny,msg:'cracking attack26'"
SecFilter "javascript\://"
SecFilterSignatureAction "log,deny,msg:'cracking attack27'"
SecFilter "<SCRIPT>"
SecFilterSignatureAction "log,deny,msg:'cracking attack28'"
SecFilter "\.htpasswd"
SecFilterSignatureAction "log,deny,msg:'cracking attack29'"
SecFilter "\.htaccess"
SecFilterSignatureAction "log,deny,msg:'cracking attack30'"
SecFilter "cd\.\."
SecFilterSignatureAction "log,deny,msg:'cracking attack31'"
SecFilter "/\.\.\.\."
SecFilterSignatureAction "log,deny,msg:'cracking attack32'"
SecFilter "GET x HTTP/1\.0"
SecFilterSignatureAction "log,deny,msg:'cracking attack33'"
SecFilter "includedir="
SecFilterSignatureAction "log,deny,msg:'cracking attack34'"
SecFilter "http\://"
SecFilterSignatureAction "log,deny,msg:'cracking attack35'"
SecFilter "whois\://"
SecFilterSignatureAction "log,deny,msg:'cracking attack36'"
SecFilter "path=http\://"
SecFilterSignatureAction "log,deny,msg:'cracking attack37'"
SecFilter "file=http\://"
SecFilterSignatureAction "log,deny,msg:'cracking attack38'"
SecFilter "Server\[path\]=http"
SecFilterSignatureAction "log,deny,msg:'cracking attack39'"
SecFilter "<[[:space:]]*script"
SecFilterSignatureAction "log,deny,msg:'cracking attack40'"
#SecFilter "<(.|\n)+>"
SecFilterSignatureAction "log,deny,msg:'cracking attack41'"
SecFilterSelective ARG_highlight "%27"
SecFilterSignatureAction "log,deny,msg:'cracking attack42'"
SecFilterSelective ARG_highlight "%2527"

#Protect against attacks on critical directories
SecFilterSignatureAction "log,deny,msg:'Protect against attacks on critical directories'"
SecFilter "/boot"
SecFilter "/dev"
SecFilter "/etc"
SecFilter "/initrd"
SecFilter "/lost+found"
SecFilter "/mnt"
SecFilter "/proc"
SecFilter "/root"
SecFilter "/sbin"
SecFilter "/tmp"
SecFilter "/usr/local/apache"
SecFilter "/usr/local/mysql"
SecFilter "/usr/local/php"
SecFilter "/var/spool"
SecFilter "/bin/cc"
SecFilter "/bin/gcc"

# Basic protection against command execution attacks
SecFilterSignatureAction "log,deny,msg:'Basic protection against Command execution attacks'"
SecFilter "/bin/sh"
SecFilter "/bin/bash"
SecFilter "/bin/ls"
SecFilter "/etc/passwd"
SecFilter "/etc/shadow"   

# Send bogus information (hide PHP fatal errors from the response; requires SecFilterScanOutput On, which is Off above).
SecFilterSelective OUTPUT "Fatal error:"

# Send a bogus web server banner (disguise).
# Note: ModSecurity 1.x can only replace the banner when Apache's ServerTokens is set to Full.
SecServerSignature "Microsoft-IIS/5.0"
히어로한이   07-03-05 12:53
제다이.. I'm a beginner Linux server user.

I have a problem using Zeroboard.. when I apply the security document there are quite a lot of problems using the zb5 beta; it seems GET values can't be passed through..

I don't know which part to touch ㅡㅜ

Which part should I adjust so that zb5 works properly too?
제다이   07-03-06 00:49
If you look at the error message, there will be an error log.
To take an example from the contents above,
if the error code is 'cracking attack6', it means the error occurred somewhere after
SecFilterSignatureAction "log,deny,msg:'cracking attack6'"
in the rules that follow it:
SecFilter "path=http\://"
SecFilter "file=http\://"
SecFilter "Server\[path\]=http"
SecFilter "<[[:space:]]*script"
SecFilter "<(.|\n)+>"
SecFilterSelective ARG_highlight "%27"
So it means the error occurred in one of those six,
and if you comment them out one at a time to narrow it down you will find it easily.
     
히어로한이   07-03-06 12:55
Thank you, 제다이..

The errors were recorded in modsec_audit.log...

I resolved them one by one and the site now displays fine..

Thank you ^^*

돌맹이D   07-03-06 13:14
히어로한이!!
If you can, please share the changes you made too ^^;
It would be a great help to others~~
               
히어로한이   07-03-06 14:00
As expected, others are having the same difficulties I did..
First of all, if you apply the modsecurity.conf file 제다이 provided,
there is no problem installing Zeroboard.
In my case, though, I built my site with zb5 and there were some problems editing posts and adding images to the body.
So I was lost while editing, not knowing what was being filtered, until I found that
/usr/local/apache/logs/modsec_audit.log  <-- the log accumulates at this path (in my case)

roughly as follows...
POST /zb5/server.php HTTP/1.1
Accept: */*
Accept-Language: ko
Referer: http://love.apm.unix.ne.kr/zb5/?sid=68&article_srl=309&action=modify
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Host: love.apm.unix.ne.kr
Content-Length: 2136
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ZAN=bf7182e48833572eef7c401fed0cf6ca; PHPSESSID=0ca0cbc80be3682efc35e248e3557cbb
mod_security-action: 403
mod_security-message: Access denied with code 403. Pattern match "style[[:space:]]*=" at POST_PAYLOAD [msg "XSS attack2"] [severity "EMERGENCY"]

....

 
Messages like this are left in the log...

The part to look at is below
====================================================
mod_security-message: Access denied with code 403. Pattern match "style[[:space:]]*=" at POST_PAYLOAD [msg "XSS attack2"] [severity "EMERGENCY"]
====================================================

First open modsecurity.conf and find
SecFilterSignatureAction "log,deny,msg:'XSS attack2'"
then, as 제다이 said, block the rules whose Pattern match appears there one by one
and narrow down the problem.

I also got caught on this and that and blocked quite a few ^^;;
BLUEDAY   07-05-06 09:36
I use Tatter Tools, and file upload in the post editor and the sidebar feature in the skin did not work, so I changed the setting as follows.
# Changing SecFilterScanPost On to Off under Configuration makes it work right away.