Computer/linux 2008. 6. 3. 16:32
http://www.sulinux.net/bbs/board.php?bo_table=success&wr_id=14&page=2
http://kldp.org/node/71214
http://sir.co.kr/bbs/board.php?bo_table=gblog_qa&wr_id=1704&page=1
Set it in httpd.conf; if it is not there, set it in modsecurity.conf.
::: SecFilterScanPost On ===> SecFilterScanPost Off ::: then restart Apache
Reference...
A few days ago there was news that some 1000 websites had been
hacked by Chinese crackers.
Recent hacking techniques are said to consist mainly of attacks through the web.
The way to prevent this is to install the mod_security web firewall.
The pdf document is one distributed by the Internet Promotion Agency (인터넷 진흥원).
The archive is the mod_security source file.
Install it as the document describes...
Include the following in httpd.conf as a separate file, like this:
<IfModule mod_security.c>
Include conf/modsecurity.conf
</IfModule>
or you can add the contents directly.
Note, however, that those installing Tattertools must comment out the following part of the contents below,
##### General #####
SecFilterSelective HTTP_Host|HTTP_User-Agent|HTTP_Accept "^$"
or the installation will not work.
Please keep this in mind.
##### Configuration #####
SecFilterEngine On
SecFilterScanPost On
SecFilterScanOutput Off
SecFilterOutputMimeTypes "(null) text/html text/plain"

##### Validation #####
SecFilterCheckURLEncoding On
SecUploadDir /tmp
SecUploadKeepFiles Off
SecFilterCheckUnicodeEncoding Off
SecFilterForceByteRange 1 255
SecFilterDefaultAction "log,deny,status:403"

##### Logging #####
SecFilterDebugLog logs/modsec_debug.log
SecFilterDebugLevel 1
SecAuditEngine RelevantOnly
SecAuditLog logs/modsec_audit.log

##### Hardening #####
# Block GET or HEAD requests that carry a body (high likelihood of attack)
SecFilterSelective REQUEST_METHOD "^(GET|HEAD)$" chain
SecFilterSelective HTTP_Content-Length "!^$"
SecFilterSelective SERVER_PROTOCOL "!^HTTP/(0\.9|1\.0|1\.1)$"
# Block POST requests without Content-Length
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"
SecFilterSelective HTTP_Transfer-Encoding "!^$"

##### General #####
SecFilterSelective HTTP_Host|HTTP_User-Agent|HTTP_Accept "^$"
SecFilterSelective HTTP_User-Agent "(libwhisker|paros|wget|libwww|perl|curl|java)"

##### SQL Injection Attacks #####
SecFilterSignatureAction "log,deny,msg:'SQL Injection attack'"
SecFilterSelective ARGS "delete[[:space:]]+from"
SecFilterSelective ARGS "drop[[:space:]]+database"
SecFilterSelective ARGS "drop[[:space:]]+table"
SecFilterSelective ARGS "drop[[:space:]]+column"
SecFilterSelective ARGS "drop[[:space:]]+procedure"
SecFilterSelective ARGS "create[[:space:]]+table"
SecFilterSelective ARGS "update.+set.+="
SecFilterSelective ARGS "insert[[:space:]]+into.+values"
SecFilterSelective ARGS "select.+from"
SecFilterSelective ARGS "bulk[[:space:]]+insert"
SecFilterSelective ARGS "union.+select"
SecFilterSelective ARGS "or.+1[[:space:]]*=[[:space:]]1"
SecFilterSelective ARGS "alter[[:space:]]+table"
SecFilterSelective ARGS "or 1=1--'"
SecFilterSelective ARGS "'.+--"
SecFilterSelective ARGS "into[[:space:]]+outfile"
SecFilterSelective ARGS "load[[:space:]]+data"
SecFilterSelective ARGS "/\*.+\*/"

##### XSS Attacks #####
SecFilterSignatureAction "log,deny,msg:'XSS attack'"
SecFilterSelective ARGS "<script"
SecFilterSelective ARGS ".javascript"
SecFilterSelective ARGS "vbscript:"
SecFilterSelective ARGS "document\.cookie"
SecFilterSelective ARGS "document\.location"
SecFilterSelective ARGS "document\.write"

##### Command Execution #####
SecFilterSignatureAction "log,deny,msg:'Command execution attack'"
SecFilterSelective ARGS_VALUES ";[[:space:]]*(ls|id|pwd|wget)"

##### PHP Attacks #####
SecFilterSelective ARGS_NAMES "(^globals\[|^globals$)"
# Block requests whose parameters contain a URL
SecFilterSignatureAction "log,deny,msg:'PHP Injection Attacks'"
SecFilterSelective ARGS_VALUES "^http:/"
# Block when a parameter contains keywords such as "ls", "id", "pwd", "wget"
SecFilterSignatureAction "log,deny,msg:'Command execution attack'"
SecFilterSelective ARGS_VALUES ";[[:space:]]*(ls|id|pwd|wget)"
# Block command execution results in the output filter
# (OUTPUT rules only take effect when SecFilterScanOutput is On)
# Block the output of the "id" command
# (the gid class needs "+" so that multi-digit gids are matched as well)
SecFilterSelective OUTPUT "uid=[[:digit:]]+\([[:alnum:]]+\) gid=[[:digit:]]+\([[:alnum:]]+\)"
# Block the output of "ls -l"
SecFilterSelective OUTPUT "total [[:digit:]]+"
# Block the output of "wget"
SecFilterSelective OUTPUT "HTTP request sent, awaiting response"
[This post was moved from Questions & Answers 1.0 by the administrator on 2007-03-02 16:03:03]
Thank you as always, Jedi ^^. In 1.5, mod_security is installed by default!
Hello, Jedi. Alongside the SULinux 1.5 release we are running an "Installation Success Stories" board made up only of the various useful pieces of information you have provided. I moved the post slightly. Thank you.
Remove the settings above and apply the following settings instead. I merged several configurations found through web searches.
It allows Zeroboard 4 and 5, Gnuboard, Tattertools and phpMyAdmin to be installed, and when an error occurs you can easily tell which part caused it.
Modified: March 22, 2007
# ---------------------------------------------------------------
# Core ModSecurity Rule Set
# Copyright (C) 2006 Breach Security Inc. All rights reserved.
#
# The ModSecurity Core Rule Set is distributed under GPL version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
##### Configuration #####
SecFilterEngine On
SecFilterScanPost On
SecFilterScanOutput Off
SecFilterOutputMimeTypes "(null) text/html text/plain"

##### Validation #####
SecFilterCheckURLEncoding On
SecUploadDir /tmp
SecUploadKeepFiles Off
SecFilterCheckUnicodeEncoding Off
SecFilterForceByteRange 1 255
SecFilterDefaultAction "log,deny,status:500"
#SecFilterDefaultAction "log,deny,redirect:http://www.test.com"

##### Logging #####
SecFilterDebugLog logs/modsec_debug.log
SecFilterDebugLevel 1
SecAuditEngine RelevantOnly
SecAuditLog logs/modsec_audit.log

# Block SQL Injection
SecFilterSignatureAction "log,deny,msg:'SQL Injection1'"
#SecFilterSelective ARGS "delete[[:space:]]+from"
SecFilterSignatureAction "log,deny,msg:'SQL Injection2'"
#SecFilterSelective ARGS "drop[[:space:]]+database"
SecFilterSignatureAction "log,deny,msg:'SQL Injection3'"
#SecFilterSelective ARGS "drop[[:space:]]+table"
SecFilterSignatureAction "log,deny,msg:'SQL Injection4'"
#SecFilterSelective ARGS "drop[[:space:]]+column"
SecFilterSignatureAction "log,deny,msg:'SQL Injection5'"
SecFilterSelective ARGS "drop[[:space:]]+procedure"
SecFilterSignatureAction "log,deny,msg:'SQL Injection6'"
SecFilterSelective ARGS "create[[:space:]]+table"
SecFilterSignatureAction "log,deny,msg:'SQL Injection7'"
SecFilterSelective ARGS "update.+set.+="
SecFilterSignatureAction "log,deny,msg:'SQL Injection8'"
SecFilterSelective ARGS "insert[[:space:]]+into.+values"
SecFilterSignatureAction "log,deny,msg:'SQL Injection9'"
#SecFilterSelective ARGS "select.+from"
SecFilterSignatureAction "log,deny,msg:'SQL Injection10'"
SecFilterSelective ARGS "bulk[[:space:]]+insert"
SecFilterSignatureAction "log,deny,msg:'SQL Injection11'"
SecFilterSelective ARGS "union.+select"
SecFilterSignatureAction "log,deny,msg:'SQL Injection12'"
SecFilterSelective ARGS "or.+1[[:space:]]*=[[:space:]]1"
SecFilterSignatureAction "log,deny,msg:'SQL Injection13'"
#SecFilterSelective ARGS "alter[[:space:]]+table"
SecFilterSignatureAction "log,deny,msg:'SQL Injection14'"
SecFilterSelective ARGS "or 1=1--'"
SecFilterSignatureAction "log,deny,msg:'SQL Injection15'"
SecFilterSelective ARGS "'.+--"
SecFilterSignatureAction "log,deny,msg:'SQL Injection16'"
SecFilterSelective ARGS "into[[:space:]]+outfile"
SecFilterSignatureAction "log,deny,msg:'SQL Injection17'"
SecFilterSelective ARGS "load[[:space:]]+data"
SecFilterSignatureAction "log,deny,msg:'SQL Injection18'"
SecFilterSelective ARGS "/\*.+\*/"

##### Hardening #####
# Block GET or HEAD requests that carry a body (high likelihood of attack)
SecFilterSignatureAction "log,deny,msg:'Hardening attack1'"
SecFilterSelective REQUEST_METHOD "^(GET|HEAD)$" chain
SecFilterSignatureAction "log,deny,msg:'Hardening attack2'"
SecFilterSelective HTTP_Content-Length "!^$"
SecFilterSignatureAction "log,deny,msg:'Hardening attack3'"
SecFilterSelective SERVER_PROTOCOL "!^HTTP/(0\.9|1\.0|1\.1)$"

##### Block POST requests without Content-Length
SecFilterSignatureAction "log,deny,msg:'POST attack1'"
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSignatureAction "log,deny,msg:'POST attack2'"
SecFilterSelective HTTP_Content-Length "^$"
SecFilterSignatureAction "log,deny,msg:'POST attack3'"
SecFilterSelective HTTP_Transfer-Encoding "!^$"

##### General #####
SecFilterSignatureAction "log,deny,msg:'General attack1'"
#SecFilterSelective HTTP_Host|HTTP_User-Agent|HTTP_Accept "^$"
SecFilterSignatureAction "log,deny,msg:'General attack2'"
SecFilterSelective HTTP_User-Agent "(libwhisker|paros|wget|libwww|perl|curl|java)"

##### XSS Attacks #####
SecFilterSignatureAction "log,deny,msg:'XSS attack1'"
SecFilterSelective ARGS "<script"
SecFilterSignatureAction "log,deny,msg:'XSS attack2'"
SecFilterSelective ARGS ".javascript"
SecFilterSignatureAction "log,deny,msg:'XSS attack3'"
SecFilterSelective ARGS "vbscript:"
SecFilterSignatureAction "log,deny,msg:'XSS attack4'"
SecFilterSelective ARGS "document\.cookie"
SecFilterSignatureAction "log,deny,msg:'XSS attack5'"
SecFilterSelective ARGS "document\.location"
SecFilterSignatureAction "log,deny,msg:'XSS attack6'"
SecFilterSelective ARGS "document\.write"
SecFilterSignatureAction "log,deny,msg:'XSS attack7'"
#SecFilterSelective ARGS "<.+>"
SecFilterSignatureAction "log,deny,msg:'XSS attack8'"
SecFilterSelective ARGS "http-equiv"
SecFilterSignatureAction "log,deny,msg:'XSS attack9'"
SecFilterSelective ARGS "-->"
SecFilterSignatureAction "log,deny,msg:'XSS attack10'"
SecFilterSelective ARGS "innerHTML"
SecFilterSignatureAction "log,deny,msg:'XSS attack11'"
SecFilterSelective ARGS "document\.body"
SecFilterSignatureAction "log,deny,msg:'XSS attack12'"
SecFilterSelective ARGS "style[[:space:]]*="
SecFilterSignatureAction "log,deny,msg:'XSS attack13'"
SecFilterSelective ARGS "dynsrc"
SecFilterSignatureAction "log,deny,msg:'XSS attack14'"
SecFilterSelective ARGS "<applet"

##### Command Execution #####
# Block when a parameter contains keywords such as "ls", "id", "pwd", "wget"
SecFilterSignatureAction "log,deny,msg:'Command execution ls id pwd wget attack'"
SecFilterSelective ARGS_VALUES ";[[:space:]]*(ls|id|pwd|wget)"

# Block command execution results in the output filter
# (OUTPUT rules only take effect when SecFilterScanOutput is On)
# Block the output of the "id" command
#SecFilterSelective OUTPUT "uid=[[:digit:]]+\([[:alnum:]]+\) gid=[[:digit:]]+\([[:alnum:]]+\)"
# Block the output of "ls -l"
SecFilterSignatureAction "log,deny,msg:'ls -1 attack'"
SecFilterSelective OUTPUT "total [[:digit:]]+"
# Block the output of "wget"
SecFilterSignatureAction "log,deny,msg:'wget attack'"
SecFilterSelective OUTPUT "HTTP request sent, awaiting response"

# Block requests whose parameters contain a URL (PHP Injection Attacks)
SecFilterSignatureAction "log,deny,msg:'PHP Injection Attacks1'"
#SecFilterSelective ARGS_VALUES "^http:/"
SecFilterSignatureAction "log,deny,msg:'PHP Injection Attacks2'"
SecFilterSelective ARGS_VALUES "^ftp:/"
SecFilterSignatureAction "log,deny,msg:'PHP Injection Attacks3'"
SecFilterSelective ARGS_NAMES "^php:/"
SecFilterSignatureAction "log,deny,msg:'PHP Injection Attacks4'"
SecFilterSelective ARGS_NAMES "(^globals\[|^globals$)"
SecFilterSignatureAction "log,deny,msg:'PHP Injection Attacks5'"
SecFilter "^GET (http|https|ftp)\:/"
SecFilterSignatureAction "log,deny,msg:'PHP Injection Attacks6'"
SecFilter "^HEAD (http|https|ftp)\:/"
SecFilterSignatureAction "log,deny,msg:'PHP Injection Attacks7'"
SecFilter "^POST (http|https|ftp)\:/"
SecFilterSignatureAction "log,deny,msg:'PHP Injection Attacks8'"
SecFilterSelective THE_REQUEST "^CONNECT "
SecFilterSignatureAction "log,deny,msg:'PHP Injection Attacks9'"
SecFilterSelective HTTP_Content-Type "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data)"
SecFilterSignatureAction "log,deny,msg:'PHP Injection Attacks10'"
SecFilterSelective HTTP_Transfer-Encoding "!^$"

# Block anything that is not GET, HEAD or POST.
SecFilterSignatureAction "log,deny,msg:'GET HEAD POST attack'"
SecFilterSelective REQUEST_METHOD "!^(GET|HEAD|POST)$"

# Block if a Zeroboard / RGBoard URL parameter has one of the names below.
SecFilterSignatureAction "log,deny,msg:'zero rgboard attack1'"
SecFilterSelective ARGS_NAMES "_zb_path"
SecFilterSignatureAction "log,deny,msg:'zero rgboard attack2'"
SecFilterSelective ARGS_NAMES "site_path"

# Block access by search robots and specific agents.
SecFilterSignatureAction "log,deny,msg:'robot Attacks'"
SecFilterSelective HTTP_USER_AGENT "Web Downloader"
SecFilterSelective HTTP_USER_AGENT "Webster"
SecFilterSelective HTTP_USER_AGENT "teleport pro"
SecFilterSelective HTTP_USER_AGENT "combine"
SecFilterSelective HTTP_USER_AGENT "Black Hole"
SecFilterSelective HTTP_USER_AGENT "SiteSnagger"
SecFilterSelective HTTP_USER_AGENT "ProWebWalker"
SecFilterSelective HTTP_USER_AGENT "CheeseBot"
SecFilterSelective HTTP_USER_AGENT "SmartDownload"
SecFilterSelective HTTP_USER_AGENT "Offline Explorer"
SecFilterSelective HTTP_USER_AGENT "Ninja"
SecFilterSelective HTTP_USER_AGENT "NetZIP"
SecFilterSelective HTTP_USER_AGENT "HTTrack"
SecFilterSelective HTTP_USER_AGENT "Googlebot-Image"
SecFilterSelective HTTP_USER_AGENT "Download"
SecFilterSelective HTTP_USER_AGENT "BackDoorBot"
SecFilterSelective HTTP_USER_AGENT "ah-ha"
SecFilterSelective HTTP_USER_AGENT "Alexibot"
SecFilterSelective HTTP_USER_AGENT "Atomz"
SecFilterSelective HTTP_USER_AGENT "Microsoft-WebDAV-MiniRedir"
SecFilterSelective HTTP_USER_AGENT "Googlebot/"
SecFilterSelective HTTP_USER_AGENT "PlantyNet_WebRobot_V1\.9"
SecFilterSelective HTTP_USER_AGENT "lwp"
SecFilterSelective HTTP_USER_AGENT "Mozilla/2\.0"
SecFilterSelective HTTP_USER_AGENT "WebZIP"
SecFilterSelective HTTP_USER_AGENT "Teleport"
SecFilterSelective HTTP_USER_AGENT "GetRight"
SecFilterSelective HTTP_USER_AGENT "FlashGet"
SecFilterSelective HTTP_USER_AGENT "JetCar"
SecFilterSelective HTTP_USER_AGENT "Go!Zilla"
SecFilterSelective HTTP_USER_AGENT "NamoWebEditor"
SecFilterSelective HTTP_USER_AGENT "MSFrontPage"
SecFilterSelective HTTP_USER_AGENT "WebTrack-HTTPP"
SecFilterSelective HTTP_USER_AGENT "WebSymmetrix"
SecFilterSelective HTTP_USER_AGENT "AD2000"
SecFilterSelective HTTP_USER_AGENT "WebSpy"
SecFilterSelective HTTP_USER_AGENT "WebStripper"
SecFilterSelective HTTP_USER_AGENT "WebSnatcher"
SecFilterSelective HTTP_USER_AGENT "WebGet"
SecFilterSelective HTTP_USER_AGENT "HSlide"
SecFilterSelective HTTP_USER_AGENT "WebCopier"
SecFilterSelective HTTP_USER_AGENT "Microsoft URL Control"
SecFilterSelective HTTP_USER_AGENT "Website eXtractor"
SecFilterSelective HTTP_USER_AGENT "Internet Ninja"
SecFilterSelective HTTP_USER_AGENT "fortuna"
SecFilterSelective HTTP_USER_AGENT "SuperHTTP"
SecFilterSelective HTTP_USER_AGENT "WISEbot/"
SecFilterSelective HTTP_USER_AGENT "NaverBot-1\.0"
SecFilterSelective HTTP_USER_AGENT "Talkro"
SecFilterSelective HTTP_USER_AGENT "Web-Shot/"
SecFilterSelective HTTP_USER_AGENT "Arachmo"
SecFilterSelective HTTP_USER_AGENT "WinHTTrack Website Copier"
SecFilterSelective HTTP_USER_AGENT "BlackWidow"
SecFilterSelective HTTP_USER_AGENT "SuperBot"
SecFilterSelective HTTP_USER_AGENT "MM3-WebAssistant"
SecFilterSelective HTTP_USER_AGENT "Website Extractor"
SecFilterSelective HTTP_USER_AGENT "Offline Explorer Pro"
SecFilterSelective HTTP_USER_AGENT "GetBot"
SecFilterSelective HTTP_USER_AGENT "SBWcc Website Capture"
SecFilterSelective HTTP_USER_AGENT "Leech"
SecFilterSelective HTTP_USER_AGENT "HTTP Weazel"
SecFilterSelective HTTP_USER_AGENT "WebGainer"
SecFilterSelective HTTP_USER_AGENT "Offline Explorer Enterprise"
SecFilterSelective HTTP_USER_AGENT "PageSucker"
SecFilterSelective HTTP_USER_AGENT "QuadSucker/Web"
SecFilterSelective HTTP_USER_AGENT "BackStreet Browser"
SecFilterSelective HTTP_USER_AGENT "Offline Navigator"
SecFilterSelective HTTP_USER_AGENT "Aaron's WebVacuum"
SecFilterSelective HTTP_USER_AGENT "JOC Web Spider"
SecFilterSelective HTTP_USER_AGENT "Grab-a-Site"
SecFilterSelective HTTP_USER_AGENT "PicScour"
SecFilterSelective HTTP_USER_AGENT "RafaBot"
SecFilterSelective HTTP_USER_AGENT "Cli-Mate"
SecFilterSelective HTTP_USER_AGENT "eNotebook"
SecFilterSelective HTTP_USER_AGENT "WebSlinky"
SecFilterSelective HTTP_USER_AGENT "Pictures Grabber"
SecFilterSelective HTTP_USER_AGENT "Web Dumper"
SecFilterSelective HTTP_USER_AGENT "WebCatcher"
SecFilterSelective HTTP_USER_AGENT "SurfOffline"
SecFilterSelective HTTP_USER_AGENT "NetGrabber"
SecFilterSelective HTTP_USER_AGENT "Power Siphon"
SecFilterSelective HTTP_USER_AGENT "Rip Clip"
SecFilterSelective HTTP_USER_AGENT "WebWhacker"
SecFilterSelective HTTP_USER_AGENT "Offline CHM"
SecFilterSelective HTTP_USER_AGENT "webpictureboss"
SecFilterSelective HTTP_USER_AGENT "Visual Web Task"
SecFilterSelective HTTP_USER_AGENT "Web Shutter"
SecFilterSelective HTTP_USER_AGENT "NavRoad"
SecFilterSelective HTTP_USER_AGENT "7 Download Services"
SecFilterSelective HTTP_USER_AGENT "WebCloner Standard"
SecFilterSelective HTTP_USER_AGENT "EZ Save MHT"
SecFilterSelective HTTP_USER_AGENT "Yahoo! Slurp"
SecFilterSelective HTTP_USER_AGENT "msnbot/"
SecFilterSelective HTTP_USER_AGENT "1Noonbot 1\.0"
SecFilterSelective HTTP_USER_AGENT "Gigabot/"
SecFilterSelective HTTP_USER_AGENT "CopyRightCheck"
SecFilterSelective HTTP_USER_AGENT "CopyGuard"
SecFilterSelective HTTP_USER_AGENT "Digimarc WebReader"
SecFilterSelective HTTP_USER_AGENT "<.+>"
SecFilterSelective THE_REQUEST "robotsxx\.txt"
SecFilterSelective THE_REQUEST "robots\.txt"

# Block cracking attempts.
SecFilterSignatureAction "log,deny,msg:'cracking attack1'"
SecFilterSelective THE_REQUEST "/htmlscript\?\.\./\.\."
SecFilterSignatureAction "log,deny,msg:'cracking attack2'"
SecFilterSelective THE_REQUEST "/view-source"
SecFilterSignatureAction "log,deny,msg:'cracking attack3'"
SecFilterSelective THE_REQUEST "///"
SecFilterSignatureAction "log,deny,msg:'cracking attack4'"
SecFilterSelective THE_REQUEST "\?\?\?\?\?\?\?\?\?\?"
SecFilterSignatureAction "log,deny,msg:'cracking attack5'"
SecFilterSelective THE_REQUEST "\.html/\.\.\.\.\.\."
SecFilterSignatureAction "log,deny,msg:'cracking attack6'"
SecFilterSelective THE_REQUEST "<script"
SecFilterSignatureAction "log,deny,msg:'cracking attack7'"
SecFilterSelective THE_REQUEST "/config\.php"
SecFilterSignatureAction "log,deny,msg:'cracking attack8'"
SecFilterSelective THE_REQUEST "/db\.inc\.php"
SecFilterSignatureAction "log,deny,msg:'cracking attack9'"
SecFilterSelective THE_REQUEST "/include"
SecFilterSignatureAction "log,deny,msg:'cracking attack10'"
SecFilterSelective QUERY_STRING "\.\./" chain
SecFilterSignatureAction "log,deny,msg:'cracking attack11'"
SecFilterSelective QUERY_STRING "http://"
SecFilterSignatureAction "log,deny,msg:'cracking attack12'"
SecFilterSelective QUERY_STRING "ftp://"
SecFilterSignatureAction "log,deny,msg:'cracking attack13'"
SecFilter "&cmd=chdir\x20"
SecFilterSignatureAction "log,deny,msg:'cracking attack14'"
SecFilter "img src=javascript"
SecFilterSignatureAction "log,deny,msg:'cracking attack15'"
#SecFilter "\.\./"
SecFilterSignatureAction "log,deny,msg:'cracking attack16'"
SecFilter "/RWAPM/RTM20040531"
SecFilterSignatureAction "log,deny,msg:'cracking attack17'"
SecFilter "/RWAPM/RTM20040531/bin"
SecFilterSignatureAction "log,deny,msg:'cracking attack18'"
SecFilter "conf/httpd\.conf"
SecFilterSignatureAction "log,deny,msg:'cracking attack19'"
SecFilter "\.\./\.\."
SecFilterSignatureAction "log,deny,msg:'cracking attack20'"
SecFilter "\.\./\.\./"
SecFilterSignatureAction "log,deny,msg:'cracking attack21'"
SecFilter "/\.\./\.\./\.\./\.\./"
SecFilterSignatureAction "log,deny,msg:'cracking attack22'"
SecFilter "net localgroup administrators /add"
SecFilterSignatureAction "log,deny,msg:'cracking attack23'"
SecFilter "file\://"
SecFilterSignatureAction "log,deny,msg:'cracking attack24'"
SecFilter "window\.open\(readme\.eml"
SecFilterSignatureAction "log,deny,msg:'cracking attack25'"
SecFilter "document\.domain\("
SecFilterSignatureAction "log,deny,msg:'cracking attack26'"
SecFilter "javascript\://"
SecFilterSignatureAction "log,deny,msg:'cracking attack27'"
SecFilter "<SCRIPT>"
SecFilterSignatureAction "log,deny,msg:'cracking attack28'"
SecFilter "\.htpasswd"
SecFilterSignatureAction "log,deny,msg:'cracking attack29'"
SecFilter "\.htaccess"
SecFilterSignatureAction "log,deny,msg:'cracking attack30'"
SecFilter "cd\.\."
SecFilterSignatureAction "log,deny,msg:'cracking attack31'"
SecFilter "/\.\.\.\."
SecFilterSignatureAction "log,deny,msg:'cracking attack32'"
SecFilter "GET x HTTP/1\.0"
SecFilterSignatureAction "log,deny,msg:'cracking attack33'"
SecFilter "includedir="
SecFilterSignatureAction "log,deny,msg:'cracking attack34'"
SecFilter "http\://"
SecFilterSignatureAction "log,deny,msg:'cracking attack35'"
SecFilter "whois\://"
SecFilterSignatureAction "log,deny,msg:'cracking attack36'"
SecFilter "path=http\://"
SecFilterSignatureAction "log,deny,msg:'cracking attack37'"
SecFilter "file=http\://"
SecFilterSignatureAction "log,deny,msg:'cracking attack38'"
SecFilter "Server\[path\]=http"
SecFilterSignatureAction "log,deny,msg:'cracking attack39'"
SecFilter "<[[:space:]]*script"
SecFilterSignatureAction "log,deny,msg:'cracking attack40'"
#SecFilter "<(.|\n)+>"
SecFilterSignatureAction "log,deny,msg:'cracking attack41'"
SecFilterSelective ARG_highlight "%27"
SecFilterSignatureAction "log,deny,msg:'cracking attack42'"
SecFilterSelective ARG_highlight "%2527"

# Protect against attacks on critical directories
SecFilterSignatureAction "log,deny,msg:'Protect against attacks on critical directories'"
SecFilter "/boot"
SecFilter "/dev"
SecFilter "/etc"
SecFilter "/initrd"
# ("+" is a regex quantifier, so it must be escaped to match the literal directory name)
SecFilter "/lost\+found"
SecFilter "/mnt"
SecFilter "/proc"
SecFilter "/root"
SecFilter "/sbin"
SecFilter "/tmp"
SecFilter "/usr/local/apache"
SecFilter "/usr/local/mysql"
SecFilter "/usr/local/php"
SecFilter "/var/spool"
SecFilter "/bin/cc"
SecFilter "/bin/gcc"

# Basic protection against command execution attacks
SecFilterSignatureAction "log,deny,msg:'Basic protection against Command execution attacks'"
SecFilter "/bin/sh"
SecFilter "/bin/bash"
SecFilter "/bin/ls"
SecFilter "/etc/passwd"
SecFilter "/etc/shadow"

# Send false information: block responses containing PHP "Fatal error:" output.
SecFilterSelective OUTPUT "Fatal error:"

# Send false web server information (disguise).
SecServerSignature "Microsoft-IIS/5.0"
Jedi.. I'm a beginner Linux server user.
I'm having a problem using Zeroboard.. After applying the security document there are quite a few problems using the zb5 beta; it seems GET values are not being passed..
I don't know which part to touch ㅡㅜ
Which part should I adjust so that zb5 works properly too?
If you look at the error message, an error log should have been left. Taking the contents above as an example, if the error code is 'cracking attack6', it means the error occurred after SecFilterSignatureAction "log,deny,msg:'cracking attack6'":
SecFilter "path=http\://"
SecFilter "file=http\://"
SecFilter "Server\[path\]=http"
SecFilter "<[[:space:]]*script"
SecFilter "<(.|\n)+>"
SecFilterSelective ARG_highlight "%27"
So it means the error occurred in one of the six above; comment them out one by one to narrow it down and you will find it easily.
Thank you, Jedi..
The errors showed up in modsec_audit.log...
I resolved them one by one and the site displays fine now..
Thank you ^^*
희어로한이님!! 웬만하면 수정한 정보도 공유하시죠^^; 다른분들께도 많은 도움이 될듯 한데요~~ |
There are others who run into the same difficulties as I did.. First of all, if you apply the modsecurity.conf file Jedi provided, there is no problem installing Zeroboard. However, I built my site with zb5, and there were some problems with editing and with adding images to the body. While fixing it I did not know what was being filtered and got lost, until I found that the log accumulates at this path: /usr/local/apache/logs/modsec_audit.log (in my case)
Roughly like the following...
POST /zb5/server.php HTTP/1.1
Accept: */*
Accept-Language: ko
Referer: http://love.apm.unix.ne.kr/zb5/?sid=68&article_srl=309&action=modify
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Host: love.apm.unix.ne.kr
Content-Length: 2136
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ZAN=bf7182e48833572eef7c401fed0cf6ca; PHPSESSID=0ca0cbc80be3682efc35e248e3557cbb
mod_security-action: 403
mod_security-message: Access denied with code 403. Pattern match "style[[:space:]]*=" at POST_PAYLOAD [msg "XSS attack2"] [severity "EMERGENCY"]
....
Messages like this are left...
The part to look at here is below:
====================================================
mod_security-message: Access denied with code 403. Pattern match "style[[:space:]]*=" at POST_PAYLOAD [msg "XSS attack2"] [severity "EMERGENCY"]
====================================================
First open modsecurity.conf and find the part SecFilterSignatureAction "log,deny,msg:'XSS attack2'", then, as Jedi said, comment out the rules with that Pattern match one by one and narrow the problem down.
I also got caught by this and that and commented out several places ^^;;
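The narrowing-down procedure described in the two posts above (read the msg in modsec_audit.log, find the matching SecFilterSignatureAction / SecFilter pair in modsecurity.conf, comment rules out until the false positive disappears) can be partly automated. The following Python script is an added example, not code from this thread or from the ModSecurity project. It parses a configuration excerpt written in the thread's ModSecurity 1.x style (constructed here, not the full file), maps a mod_security-message line back to the configuration line that produced it, and replays constructed requests against the rules so that a false positive such as a legitimate edit form whose body contains style= shows up before the rules go live. Assumptions not taken from the page: patterns are compiled case-insensitively (as ModSecurity 1.x does), POSIX bracket classes are translated to Python re syntax, a request is modelled as a dict of variable name to list of values with an absent header counting as an empty string, and every host name and value below is made up.

```python
import re
from dataclasses import dataclass

# Constructed config excerpt in the thread's own style; line numbers refer to this text.
SAMPLE_CONF = """\
##### Hardening #####
# Block GET or HEAD requests that carry a body
SecFilterSignatureAction "log,deny,msg:'Hardening attack1'"
SecFilterSelective REQUEST_METHOD "^(GET|HEAD)$" chain
SecFilterSignatureAction "log,deny,msg:'Hardening attack2'"
SecFilterSelective HTTP_Content-Length "!^$"
##### General #####
SecFilterSignatureAction "log,deny,msg:'General attack1'"
SecFilterSelective HTTP_Host|HTTP_User-Agent|HTTP_Accept "^$"
##### XSS Attacks #####
SecFilterSignatureAction "log,deny,msg:'XSS attack1'"
SecFilterSelective ARGS "<script"
SecFilterSignatureAction "log,deny,msg:'XSS attack12'"
SecFilterSelective ARGS "style[[:space:]]*="
#SecFilterSelective ARGS "<.+>"
SecFilterSignatureAction "log,deny,msg:'cracking attack3'"
SecFilter "///"
"""
# Constructed: a mod_security-message line like the one quoted from modsec_audit.log.
SAMPLE_AUDIT = ('mod_security-message: Access denied with code 403. Pattern match '
                '"style[[:space:]]*=" at POST_PAYLOAD [msg "XSS attack12"] [severity "EMERGENCY"]')
# Constructed requests: ModSecurity variable name -> list of values (host names are made up).
BASE = {"HTTP_Host": ["board.example.test"], "HTTP_Accept": ["*/*"],
        "HTTP_User-Agent": ["Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2)"]}
EDIT_POST = {**BASE, "REQUEST_METHOD": ["POST"], "HTTP_Content-Length": ["2136"],
             "ARGS": ["action=modify", 'content=<p style="color:red">hello</p>']}
GET_WITH_BODY = {**BASE, "REQUEST_METHOD": ["GET"], "HTTP_Content-Length": ["12"], "ARGS": ["id=1"]}
NO_ACCEPT_GET = {"HTTP_Host": ["board.example.test"], "HTTP_User-Agent": ["SomeBlogClient/1.0"],
                 "REQUEST_METHOD": ["GET"], "ARGS": ["page=1"]}

POSIX_CLASSES = {"[[:space:]]": r"\s", "[[:digit:]]": r"\d", "[[:alnum:]]": r"[A-Za-z0-9]"}
ACTION_RE = re.compile(r'^SecFilterSignatureAction\s+"([^"]*)"')
SELECTIVE_RE = re.compile(r'^SecFilterSelective\s+"?([^\s"]+)"?\s+"([^"]*)"(\s+chain)?\s*$')
FILTER_RE = re.compile(r'^SecFilter\s+"([^"]*)"(\s+chain)?\s*$')
AUDIT_RE = re.compile(r'Pattern match "(.*?)" at (\S+) \[msg "([^"]*)"\]')

@dataclass
class Rule:
    lineno: int
    variables: list   # ["*"] for SecFilter, i.e. every request field
    pattern: str      # as written; a leading "!" means "fire when it does NOT match"
    msg: str          # msg: of the SecFilterSignatureAction that precedes the rule
    chain: bool

def posix_to_python(pattern):
    """Translate the POSIX bracket classes used in the rules to Python re syntax."""
    for posix, py in POSIX_CLASSES.items():
        pattern = pattern.replace(posix, py)
    return pattern

def parse_rules(conf_text):
    """Pair each filter directive with the msg of the SecFilterSignatureAction above it."""
    rules, current_msg = [], ""
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out rule
        if (m := ACTION_RE.match(line)):
            found = re.search(r"msg:'([^']*)'", m.group(1))
            current_msg = found.group(1) if found else ""
        elif (m := SELECTIVE_RE.match(line)):
            rules.append(Rule(lineno, m.group(1).split("|"), m.group(2), current_msg, bool(m.group(3))))
        elif (m := FILTER_RE.match(line)):
            rules.append(Rule(lineno, ["*"], m.group(1), current_msg, bool(m.group(2))))
    return rules

def rule_matches(rule, request):
    """True when this single rule fires on the request; an absent variable counts as ""."""
    negate = rule.pattern.startswith("!")
    regex = re.compile(posix_to_python(rule.pattern.lstrip("!")), re.IGNORECASE)
    if rule.variables == ["*"]:
        values = [v for vals in request.values() for v in vals]
    else:
        values = [v for var in rule.variables for v in request.get(var, [""])]
    hit = any(regex.search(v) for v in values)
    return not hit if negate else hit

def evaluate(rules, request):
    """Return (msg, lineno, pattern) for every rule or chain that would deny the request.
    A chain fires only when every link matches and is attributed to its last link."""
    fired, group = [], []
    for rule in rules:
        group.append(rule)
        if rule.chain:
            continue  # the next directive is part of this chain
        if all(rule_matches(r, request) for r in group):
            fired.append((rule.msg, rule.lineno, rule.pattern))
        group = []
    return fired

def locate_rule(rules, audit_line):
    """Map a mod_security-message line back to the configuration line that produced it."""
    if not (m := AUDIT_RE.search(audit_line)):
        return None
    pattern, _location, msg = m.groups()
    for rule in rules:
        if rule.pattern.lstrip("!") == pattern and rule.msg == msg:
            return rule.lineno
    return None
```

evaluate() lists every rule that would deny, whereas the real module stops at the first one; the complete list is what you want when hunting false positives. Of the constructed requests, the edit POST trips only the style= rule, the GET with a body shows a chain being attributed to its last link (Hardening attack2), and the request without an Accept header reproduces the Tattertools symptom from the first post (General attack1). If SecFilterScanPost is Off, as the last comment in the thread suggests, rules over ARGS never see the POST body, so when replaying such a setup only query-string arguments belong in ARGS.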
I use Tattertools, and file upload on the write page and the sidebar function in the skin did not work, so I changed the setting as below.
# Configuration: change SecFilterScanPost On to Off and it works right away.