Are there any Ubuntu Forum members here who run a personal server?

Could I take a quick peek at the mod_security rule file you use on your personal server??

So many people make their living from this that it's embarrassing to post this all over the place, haha;;;

[quote="ksd3971":wlmnpc9n]Could I take a quick peek at the mod_security rule file you use on your personal server??

So many people make their living from this that it's embarrassing to post this all over the place, haha;;;[/quote:wlmnpc9n] These are the rules I was using in the winter of 2007…
I still use them on an 8.04 LTS personal server.
These days my server just uses the Suhosin-patched Ubuntu packages.
There are comments as well, so please use them for studying.

[code:wlmnpc9n]<IfModule mod_security2.c>

# Header variables are written in the ModSecurity 2.x form
# (REQUEST_HEADERS:User-Agent, REQUEST_HEADERS:Referer); the 1.x names
# HTTP_USER_AGENT / HTTP_Referer are not accepted by mod_security2.
# SecDefaultAction below applies t:lowercase to every rule, so patterns
# that contain upper-case letters carry a (?i) prefix to keep matching.
# Regex metacharacters that are meant literally (. ? [ ] ( ) | *) are escaped.
# ModSecurity 2.7 and later additionally require an id: action on every rule.

#############################
# 1. ModSecurity on/off
#
# SecRuleEngine On | Off
#   On  : enable ModSecurity
#   Off : disable ModSecurity

SecRuleEngine On

#############################
# 2. Basic settings
#
# Action taken by default when a rule matches:
#   SecDefaultAction "action"
#   action : deny, pass, allow, status:<apache error code>
#
# Once rule customization is finished, change pass to deny in
# SecDefaultAction so that detected attacks are blocked.
# Only the last SecDefaultAction for a phase takes effect, so the
# blocking variant stays commented out until then.

#SecDefaultAction "deny,log,phase:2,status:406"
SecDefaultAction "pass,log,phase:2,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"

# Record attack-related logs in more detail than Apache's default log
SecAuditEngine RelevantOnly

# To keep the log volume down, only record the needed 4xx or 5xx errors
SecAuditLogRelevantStatus "^[45]"

# Log file structure
SecAuditLogType Serial
SecAuditLog logs/mod-sec/modsec_audit.log

# Parts to record in the log
SecAuditLogParts "ABIFHZ"

# Change the web server's header information
#SecServerSignature "Microsoft-IIS/10.0"
#SecServerSignature "Microsoft Windows 98 Se"
#SecServerSignature "Sun-Java-System-Web-Server / 9.0"
#SecServerSignature "http://shworks.com On CentOS 4.7 (Final)"
SecServerSignature "MicroSoft MS-DOS 3.3 Server 0.1 On SamSung Green PC 286 1991"

# Argument separator
SecArgumentSeparator "&"
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml

#############################
# 3. Block PHP injection attacks (including attacks targeting Zeroboard)

#SecRule REQUEST_URI "http:/" "msg:'PHP Injection Attacks'"
#SecRule REQUEST_URI "/include/write\.php\?dir=(ftp|http):" "msg:'PHP Injection Attacks'"
#SecRule REQUEST_URI "/include/print_category\.php\?setup=1&dir=(ftp|http):" "msg:'PHP Injection Attacks'"
#SecRule REQUEST_URI "/zero_vote/error\.php\?dir=(ftp|http):" "msg:'PHP Injection Attacks'"
#SecRule REQUEST_URI "/outlogin\.php\?_zb_path=(ftp|http):" "msg:'PHP Injection Attacks'"
#SecRule REQUEST_URI "filename=\|" "msg:'PHP Injection Attacks'"
#SecRule REQUEST_URI "check_user_id\.php\?user_id=<script>alert\(document\.cookie\)" "msg:'PHP Injection Attacks'"

#############################
# 4. Block command execution

SecRule REQUEST_URI ";[[:space:]]*(ls|id|pwd|wget|cd)" "msg:'Command execution attack'"

#############################
# 5. Block XSS attacks

#SecRule ARGS "alert[[:space:]]*\(" "msg:'XSS attack'"
#SecRule ARGS "&#[0-9a-fA-F]{2}" "msg:'XSS attack'"
#SecRule ARGS "eval[[:space:]]*\(" "msg:'XSS attack'"
#SecRule ARGS "(?i)onKeyUp" "msg:'XSS attack'"
#SecRule ARGS "\x5cx[0-9a-fA-F]{2}" "msg:'XSS attack'"
#SecRule ARGS "(?i)fromCharCode" "msg:'XSS attack'"
#SecRule ARGS "&{.+}" "msg:'XSS attack'"
#SecRule ARGS "<.+>" "msg:'XSS attack'"
#SecRule ARGS "vbscript:" "msg:'XSS attack'"
#SecRule ARGS "http-equiv" "msg:'XSS attack'"
#SecRule ARGS "-->" "msg:'XSS attack'"
#SecRule ARGS "expression[[:space:]]*\(" "msg:'XSS attack'"
#SecRule ARGS "url[[:space:]]*\(" "msg:'XSS attack'"
#SecRule ARGS "(?i)innerHTML" "msg:'XSS attack'"
#SecRule ARGS "document\.body" "msg:'XSS attack'"
#SecRule ARGS "document\.cookie" "msg:'XSS attack'"
#SecRule ARGS "document\.location" "msg:'XSS attack'"
#SecRule ARGS "document\.write" "msg:'XSS attack'"
#SecRule ARGS "style[[:space:]]*=" "msg:'XSS attack'"
#SecRule ARGS "dynsrc" "msg:'XSS attack'"
#SecRule ARGS "jsessionid" "msg:'XSS attack'"
#SecRule ARGS "phpsessid" "msg:'XSS attack'"

#############################
# 6. Block SSI injection attacks

SecRule ARGS "<!--[[:space:]]*#[[:space:]]*exec" "msg:'SSI injection attack'"
SecRule ARGS "<!--[[:space:]]*#[[:space:]]*cmd" "msg:'SSI injection attack'"
SecRule ARGS "<!--[[:space:]]*#[[:space:]]*echo" "msg:'SSI injection attack'"
SecRule ARGS "<!--[[:space:]]*#[[:space:]]*include" "msg:'SSI injection attack'"
SecRule ARGS "<!--[[:space:]]*#[[:space:]]*printenv" "msg:'SSI injection attack'"

#############################
# 7. Spammer program bots

SecRule REQUEST_HEADERS:User-Agent "(?i)WebBandit" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-Agent "(?i)WEBMOLE" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-Agent "(?i)Telesoft*" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-Agent "(?i)WebEMailExtractor" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-Agent "(?i)CherryPicker*" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-Agent "(?i)NICErsPRO" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-Agent "(?i)Advanced Email Extractor*" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-Agent "(?i)EmailSiphon" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-Agent "(?i)Extractorpro" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-Agent "(?i)webbandit" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-Agent "(?i)EmailCollector" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-Agent "(?i)WebEMailExtrac*" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-Agent "(?i)EmailWolf" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-Agent "(?i)Microsoft URL Control" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-Agent "(?i)^Microsoft URL" "msg:'Robot attack'"

###########################################
# 8. Block hacking via search-engine recon / Google

SecRule REQUEST_HEADERS:Referer "(?i)Powered by Gravity Board" "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer "(?i)Powered by SilverNews" "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer "(?i)Powered.*PHPBB.2\.0\.\ inurl:" "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer "(?i)PHPFreeNews inurl:Admin\.php" "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer "(?i)inurl.*/cgi-bin/query" "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer "(?i)inurl.*tiki-edit_submission\.php" "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer "(?i)inurl.*wps_shop\.cgi" "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer "(?i)inurl.*edit_blog\.php.*filetype:php" "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer "(?i)inurl.*passwd.txt.*wwwboard.*webadmin" "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer "(?i)inurl.*admin\.mdb" "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer "(?i)filetype:sql \x28\x22passwd values.*password values.*pass values" "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer "(?i)filetype.*blt.*buddylist" "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer "(?i)File Upload Manager v1\.3.*rename to" "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer "(?i)filetype\x3Aphp HAXPLORER .*Server Files Browser" "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer "(?i)inurl.*passlist\.txt" "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer "(?i)wwwboard WebAdmininurl\x3Apasswd\.txt wwwboard\x7Cwebadmin" "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer "(?i)Enter ip.*inurl\x3A\x22php-ping\.php\x22" "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer "(?i)intitle.*PHP Shell.*Enable stderr.*filetype.php" "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer "(?i)inurl.*install.*install\.php" "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer "(?i)Powered by PHPFM.*filetype.php -username" "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer "(?i)inurl.*phpSysInfo.*created by phpsysinfo" "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer "(?i)SquirrelMail version 1\.4\.4.*inurl:src ext\.php" "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer "(?i)inurl.*webutil\.pl" "msg:'Recon/Google attack'"

#############################
# 9. Rules for known phpMyAdmin vulnerabilities

# "subform" local file inclusion vulnerability
SecRule REQUEST_URI "/libraries/grab_globals\.lib\.php" chain
SecRule REQUEST_URI "(/|\.\.|(http|https|ftp):/)"
SecRule REQUEST_URI "/libraries/grab_globals\.lib\.php" chain
SecRule REQUEST_URI "usesubform.*=.*&usesubform.*=.*&subform.*(/|\.\.|(http|https|ftp):/)"

# Path vulnerability
SecRule REQUEST_URI "(?i)/css/phpmyadmin\.css\.php\?GLOBALS\[cfg\]\[ThemePath\]=/etc"
SecRule REQUEST_URI "(?i)/phpMyAdmin/css/phpmyadmin\.css\.php\?GLOBALS\[cfg\]\[ThemePath\]=(/|.*\.\./)"

# Character-set conversion parameter cross-site scripting vulnerability
SecRule REQUEST_URI "/phpmyadmin/index\.php\?pma_username=.*&pma_password=.*&server=.*&lang=.*&convcharset=.*((javascript|script|about|applet|activex|chrome)>|(http|https|ftp):/)"

# Export.PHP file disclosure vulnerability
SecRule SCRIPT_FILENAME "export\.php$" chain
SecRule REQUEST_URI "\.\."

# XSS vulnerabilities
#SecRule REQUEST_URI "(<[[:space:]]*(script|about|applet|activex|chrome)>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=|javascript:)"
#SecRule REQUEST_URI "libraries/auth/cookie\.auth\.lib\.php" chain
#SecRule REQUEST_URI "<[[:space:]]*(script|about|applet|activex|chrome)>.*(script|about|applet|activex|chrome)[[:space:]]*>"
#SecRule REQUEST_URI "/error\.php" chain
#SecRule REQUEST_URI "<[[:space:]]*(script|about|applet|activex|chrome)>.*(script|about|applet|activex|chrome)[[:space:]]*>"

# register_globals emulation "import_blacklist" manipulation vulnerability
SecRule REQUEST_URI "/grab_globals\.php" chain
SecRule REQUEST_URI "(<[[:space:]]*(script|about|applet|activex|chrome)>.*(script|about|applet|activex|chrome)[[:space:]]*>|(http|https|ftp):/)"

#############################
# 10. Block miscellaneous attacks

# Block anything other than the allowed HTTP request versions (HTTP 0.9, 1.0 or 1.1)
#SecRule SERVER_PROTOCOL "!(?i)^HTTP/(0\.9|1\.0|1\.1)$" "msg:'Not allowed HTTP Protocol'"

# Block access to the /etc/passwd file
SecRule REQUEST_URI "/etc/passwd"

# Forbid SMTP redirects through the web
SecRule REQUEST_URI "^(http|https):/.+:25"

# Block Directory Traversal attacks
SecRule REQUEST_URI "\.\./"

#############################
# 11. Block SQL Injection attacks
#
# Legitimate requests made through phpMyAdmin can be falsely detected as SQL Injection attacks.
# If you are not using phpMyAdmin, remove the comment marks (#) below and enable these rules.

#SecRule ARGS "delete[[:space:]]+from"
#SecRule ARGS "drop[[:space:]]+database"
#SecRule ARGS "drop[[:space:]]+table"
#SecRule ARGS "drop[[:space:]]+column"
#SecRule ARGS "drop[[:space:]]+procedure"
#SecRule ARGS "create[[:space:]]+table"
#SecRule ARGS "update.+set.+="
#SecRule ARGS "insert[[:space:]]+into.+values"
#SecRule ARGS "select.+from"
#SecRule ARGS "bulk[[:space:]]+insert"
#SecRule ARGS "union.+select"
#SecRule ARGS "or.+1[[:space:]]*=[[:space:]]*1"
#SecRule ARGS "alter[[:space:]]+table"
#SecRule ARGS "or 1=1--'"
#SecRule ARGS "'.+--"
#SecRule ARGS "load[[:space:]]+data"
#SecRule ARGS "/\*.+\*/"

</IfModule>
[/code:wlmnpc9n]
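As an added illustration (not part of the post above and not ModSecurity's own code), this Python script replays a constructed subset of the rules against sample requests, applying the same t:urlDecodeUni, t:htmlEntityDecode and t:lowercase chain that the SecDefaultAction line gives every rule. It shows why the lowercase transformation matters for the case-sensitive SQL patterns and reproduces the phpMyAdmin false positive that section 11 warns about; the function name inspect_request() and the sample URIs are assumptions made for this example.

```python
import html
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed subset of the rules in the post: (variable, pattern, msg).
RULES = [
    ("REQUEST_URI", r";[[:space:]]*(ls|id|pwd|wget|cd)", "Command execution attack"),
    ("REQUEST_URI", r"/etc/passwd", "/etc/passwd access"),
    ("REQUEST_URI", r"\.\./", "Directory Traversal"),
    ("ARGS", r"union.+select", "SQL Injection"),
    ("ARGS", r"select.+from", "SQL Injection"),
]

def to_python_regex(pattern):
    """ModSecurity patterns are PCRE with POSIX classes; Python's re has none."""
    return re.compile(pattern.replace("[[:space:]]", r"\s"))

COMPILED = [(var, to_python_regex(p), msg) for var, p, msg in RULES]

def transform(value, lowercase=True):
    """Mimic the SecDefaultAction chain: urlDecodeUni, htmlEntityDecode, lowercase."""
    value = html.unescape(unquote(value))
    return value.lower() if lowercase else value

def inspect_request(request_uri, lowercase=True):
    """Return the sorted list of rule messages the request would trigger.

    REQUEST_URI is the raw URI including the query string; ARGS are the
    decoded query-string values, mirroring what ModSecurity exposes.
    """
    args = [v for _, v in parse_qsl(urlsplit(request_uri).query, keep_blank_values=True)]
    targets = {"REQUEST_URI": [request_uri], "ARGS": args}
    hits = set()
    for var, rx, msg in COMPILED:
        if any(rx.search(transform(raw, lowercase)) for raw in targets[var]):
            hits.add(msg)
    return sorted(hits)

if __name__ == "__main__":
    # Constructed sample requests; the last one is ordinary phpMyAdmin
    # traffic and shows the false positive that section 11 mentions.
    samples = [
        "/board.php?id=1%20UNION%20SELECT%20passwd%20FROM%20users",
        "/cgi-bin/view?file=a.txt;%20ls",
        "/img/../../etc/passwd",
        "/phpmyadmin/sql.php?sql_query=SELECT+name+FROM+users",
    ]
    for uri in samples:
        print(uri, "->", inspect_request(uri) or ["clean"])
    # Without t:lowercase the upper-case SQL keywords slip past the rules.
    print("no lowercase:", inspect_request(samples[0], lowercase=False))
```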

Thank you, 강분도님.