혹시 개인서버에 사용하시는 mod_security룰 파일을 살짝 엿볼수 있을까요??
이거이 밥줄이 되시는 분들이 많아서 이곳저곳 글 올리기 민망합니다 하하;;;
혹시 개인서버에 사용하시는 mod_security룰 파일을 살짝 엿볼수 있을까요??
이거이 밥줄이 되시는 분들이 많아서 이곳저곳 글 올리기 민망합니다 하하;;;
[quote="ksd3971":wlmnpc9n]혹시 개인서버에 사용하시는 mod_security룰 파일을 살짝 엿볼수 있을까요??
이거이 밥줄이 되시는 분들이 많아서 이곳저곳 글 올리기 민망합니다 하하;;;[/quote:wlmnpc9n] 2007년 겨울에 쓰던 룰인데…
아직 8.04 LTS 개인서버에서 사용중입니다.
요즘 서버는 그냥 수호신(Suhosin) 패치된 우분투 패키지 씁니다.
주석도 있으니 공부에 활용 바랍니다.
[code:wlmnpc9n]<IfModule mod_security2.c>
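#############################
# Personal-server ModSecurity 2.x rule set (written in 2007).
#
# NOTE(review): the copy of this listing on the forum had been damaged by text
# rendering: straight quotes became curly quotes, "--" became a dash, and
# backslashes and "*" quantifiers appear to have been dropped from several
# patterns. The quotes and dashes are restored throughout. Regex escapes are
# restored only where the intended literal is unambiguous; patterns that still
# look damaged are flagged below and should be re-checked before use.
#
# NOTE(review): ModSecurity 2.7 and later refuse to load a SecRule that has no
# unique "id" action. No rule here carries one, so on a newer build every rule
# (or chain starter) needs an id added; 1-99999 is the range reserved for
# local rules.
#############################
# Enforce rules (blocking mode), not detection-only.
SecRuleEngine On
#############################
# Action list inherited by every SecRule below that names no disruptive action
# of its own: evaluate in phase 2 (request body available), log, and reject
# with HTTP 406.
# NOTE(review): no t: transformation is set here or on any rule, so matching
# presumably runs on the raw value; case variants and percent-encoded forms
# would then not match. Confirm against the ModSecurity version in use.
SecDefaultAction "deny,log,phase:2,status:406"
# Audit-log only transactions that triggered a rule or ended in a 4xx/5xx status.
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^[45]"
# Single serial log file. The path is relative (resolved against ServerRoot);
# the directory must exist and be writable by Apache.
SecAuditLogType Serial
SecAuditLog logs/mod-sec/modsec_audit.log
# A = audit header, B = request headers, I = request body (without uploaded
# files), F = response headers, H = audit trailer, Z = end marker.
# Part I stores request bodies, which can contain passwords and session data:
# restrict read access to the log directory.
SecAuditLogParts "ABIFHZ"
# Replace the Server response header with a decoy string. This is cosmetic
# only: it hides the banner from casual scans and does not prevent
# fingerprinting. ModSecurity needs "ServerTokens Full" in the Apache
# configuration for the replacement to take effect.
#SecServerSignature "Microsoft-IIS/10.0"
#SecServerSignature "Microsoft Windows 98 Se"
#SecServerSignature "Sun-Java-System-Web-Server / 9.0"
#SecServerSignature "http://shworks.com On CentOS 4.7 (Final)"
SecServerSignature "MicroSoft MS-DOS 3.3 Server 0.1 On SamSung Green PC 286 1991ㅁ"
SecArgumentSeparator "&"
# Buffer request bodies so POST parameters are visible to ARGS rules.
SecRequestBodyAccess On
# Buffer response bodies of the listed MIME types. No rule in this file
# inspects the response and audit part E is not logged, so this currently
# costs memory without adding coverage.
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
#############################
# Remote-file-inclusion signatures for specific PHP board scripts (disabled).
# NOTE(review): these still contain unescaped "?", "." and "|" (for example
# "filename=|" matches every URI because of the empty alternative). Escape the
# metacharacters before enabling any of them.
#SecRule REQUEST_URI "http:/" "msg:'PHP Injection Attacks'"
#SecRule REQUEST_URI "/include/write.php?dir=(ftp|http):" "msg:'PHP Injection Attacks'"
#SecRule REQUEST_URI "/include/print_category.php?setup=1&dir=(ftp|http):" "msg:'PHP Injection Attacks'"
#SecRule REQUEST_URI "/zero_vote/error.php?dir=(ftp|http):" "msg:'PHP Injection Attacks'"
#SecRule REQUEST_URI "/outlogin.php?_zb_path=(ftp|http):" "msg:'PHP Injection Attacks'"
#SecRule REQUEST_URI "filename=|" "msg:'PHP Injection Attacks'"
#SecRule REQUEST_URI "check_user_id.php?user_id=<script>alert(document.cookie)" "msg:'PHP Injection Attacks'"
#############################
# Shell command chained after ";" in the URI.
# The pattern has no word boundary after the command name, so a legitimate
# ";id..." style parameter also matches; watch the audit log for false positives.
SecRule REQUEST_URI ";[[:space:]]*(ls|id|pwd|wget|cd)" "msg:'Command execution attack'"
#############################
# XSS keyword signatures (disabled). Keyword lists like this are easy to evade
# and prone to false positives (for example "<.+>" blocks any HTML input), so
# they cannot replace output encoding in the application.
# Escapes on "(" and "{" and the "*" after [[:space:]] are restored here; without
# them the patterns do not compile.
#SecRule ARGS "alert[[:space:]]*\(" "msg:'XSS attack'"
#SecRule ARGS "&#[[0-9a-fA-F]]{2}" "msg:'XSS attack'"
#SecRule ARGS "eval[[:space:]]*\(" "msg:'XSS attack'"
#SecRule ARGS "onKeyUp" "msg:'XSS attack'"
#SecRule ARGS "\x5cx[0-9a-fA-F]{2}" "msg:'XSS attack'"
#SecRule ARGS "fromCharCode" "msg:'XSS attack'"
#SecRule ARGS "&\{.+\}" "msg:'XSS attack'"
#SecRule ARGS "<.+>" "msg:'XSS attack'"
#SecRule ARGS "vbscript:" "msg:'XSS attack'"
#SecRule ARGS "http-equiv" "msg:'XSS attack'"
#SecRule ARGS "-->" "msg:'XSS attack'"
#SecRule ARGS "expression[[:space:]]*\(" "msg:'XSS attack'"
#SecRule ARGS "url[[:space:]]*\(" "msg:'XSS attack'"
#SecRule ARGS "innerHTML" "msg:'XSS attack'"
#SecRule ARGS "document.body" "msg:'XSS attack'"
#SecRule ARGS "document.cookie" "msg:'XSS attack'"
#SecRule ARGS "document.location" "msg:'XSS attack'"
#SecRule ARGS "document.write" "msg:'XSS attack'"
#SecRule ARGS "style[[:space:]]*=" "msg:'XSS attack'"
#SecRule ARGS "dynsrc" "msg:'XSS attack'"
#SecRule ARGS "jsessionid" "msg:'XSS attack'"
#SecRule ARGS "phpsessid" "msg:'XSS attack'"
#############################
# Server-side-include directives submitted as parameter values.
# The comment opener is restored to "<!--" and both whitespace runs are made
# optional: the usual SSI form "<!--#exec" has no space at all, so a pattern
# that demands exactly one whitespace character misses it.
SecRule ARGS "<!--[[:space:]]*#[[:space:]]*exec" "msg:'SSI injection attack'"
SecRule ARGS "<!--[[:space:]]*#[[:space:]]*cmd" "msg:'SSI injection attack'"
SecRule ARGS "<!--[[:space:]]*#[[:space:]]*echo" "msg:'SSI injection attack'"
SecRule ARGS "<!--[[:space:]]*#[[:space:]]*include" "msg:'SSI injection attack'"
SecRule ARGS "<!--[[:space:]]*#[[:space:]]*printenv" "msg:'SSI injection attack'"
#############################
# E-mail harvesters and crawlers identified by User-Agent.
# The header is client-controlled, so this only stops tools that announce
# themselves. A trailing "*" in these patterns is a regex quantifier on the
# preceding character, not a glob; the rules still match as substrings.
SecRule HTTP_USER_AGENT "WebBandit" "msg:'Robot attack'"
SecRule HTTP_USER_AGENT "WEBMOLE" "msg:'Robot attack'"
SecRule HTTP_USER_AGENT "Telesoft*" "msg:'Robot attack'"
SecRule HTTP_USER_AGENT "WebEMailExtractor" "msg:'Robot attack'"
SecRule HTTP_USER_AGENT "CherryPicker*" "msg:'Robot attack'"
SecRule HTTP_USER_AGENT "NICErsPRO" "msg:'Robot attack'"
SecRule HTTP_USER_AGENT "Advanced Email Extractor*" "msg:'Robot attack'"
SecRule HTTP_USER_AGENT "EmailSiphon" "msg:'Robot attack'"
SecRule HTTP_USER_AGENT "Extractorpro" "msg:'Robot attack'"
SecRule HTTP_USER_AGENT "webbandit" "msg:'Robot attack'"
SecRule HTTP_USER_AGENT "EmailCollector" "msg:'Robot attack'"
SecRule HTTP_USER_AGENT "WebEMailExtrac*" "msg:'Robot attack'"
SecRule HTTP_USER_AGENT "EmailWolf" "msg:'Robot attack'"
SecRule HTTP_USER_AGENT "Microsoft URL Control" "msg:'Robot attack'"
SecRule HTTP_USER_AGENT "^Microsoft URL" "msg:'Robot attack'"
###########################################
# Visitors arriving from a search-engine query that looks like a vulnerability
# search. Referer is client-supplied and frequently absent, so treat a hit as a
# reconnaissance signal in the log rather than as protection.
SecRule HTTP_Referer "Powered by Gravity Board" "msg:'Recon/Google attack'"
SecRule HTTP_Referer "Powered by SilverNews" "msg:'Recon/Google attack'"
SecRule HTTP_Referer "Powered.*PHPBB.2.0.\ inurl:" "msg:'Recon/Google attack'"
SecRule HTTP_Referer "PHPFreeNews inurl:Admin.php" "msg:'Recon/Google attack'"
SecRule HTTP_Referer "inurl./cgi-bin/query" "msg:'Recon/Google attack'"
SecRule HTTP_Referer "inurl.*tiki-edit_submission.php" "msg:'Recon/Google attack'"
SecRule HTTP_Referer "inurl.*wps_shop.cgi" "msg:'Recon/Google attack'"
SecRule HTTP_Referer "inurl.*edit_blog.php.*filetype:php" "msg:'Recon/Google attack'"
SecRule HTTP_Referer "inurl.*passwd.txt.*wwwboard.*webadmin" "msg:'Recon/Google attack'"
SecRule HTTP_Referer "inurl.*admin.mdb" "msg:'Recon/Google attack'"
SecRule HTTP_Referer "filetype:sql \x28\x22passwd values.*password values.*pass values" "msg:'Recon/Google attack'"
SecRule HTTP_Referer "filetype.*blt.*buddylist" "msg:'Recon/Google attack'"
SecRule HTTP_Referer "File Upload Manager v1.3.*rename to" "msg:'Recon/Google attack'"
SecRule HTTP_Referer "filetype\x3Aphp HAXPLORER .*Server Files Browser" "msg:'Recon/Google attack'"
SecRule HTTP_Referer "inurl.*passlist.txt" "msg:'Recon/Google attack'"
SecRule HTTP_Referer "wwwboard WebAdmininurl\x3Apasswd.txt wwwboard\x7Cwebadmin" "msg:'Recon/Google attack'"
SecRule HTTP_Referer "Enter ip.*inurl\x3A\x22php-ping.php\x22" "msg:'Recon/Google attack'"
SecRule HTTP_Referer "intitle.*PHP Shell.*Enable stderr.*filetype.php" "msg:'Recon/Google attack'"
SecRule HTTP_Referer "inurl.*install.*install.php" "msg:'Recon/Google attack'"
SecRule HTTP_Referer "Powered by PHPFM.*filetype.php -username" "msg:'Recon/Google attack'"
SecRule HTTP_Referer "inurl.*phpSysInfo.*created by phpsysinfo" "msg:'Recon/Google attack'"
SecRule HTTP_Referer "SquirrelMail version 1.4.4.*inurl:src ext.php" "msg:'Recon/Google attack'"
SecRule HTTP_Referer "inurl.*webutil.pl" "msg:'Recon/Google attack'"
#############################
# phpMyAdmin-specific signatures.
# Literal dots, "?", "[" and "]" are escaped below. Unescaped, ".." matches any
# two characters, "?" makes the preceding character optional and "[cfg]" is a
# character class, so the rules either matched almost everything or never
# matched the intended string.
#
# Direct requests for grab_globals.lib.php. The bare "/" alternative in the
# second pattern matches every URI, so this chain blocks any direct request
# for the file.
SecRule REQUEST_URI "/libraries/grab_globals\.lib\.php" chain
SecRule REQUEST_URI "(/|\.\.|(http|https|ftp):/)"
# NOTE(review): the ".=." sequences below look like ".*=.*" with the "*" lost;
# as written each matches exactly one character on either side of "=".
SecRule REQUEST_URI "/libraries/grab_globals\.lib\.php" chain
SecRule REQUEST_URI "usesubform.=.&usesubform.=.&subform.*(/|\.\.|(http|https|ftp):/)"
# ThemePath override pointing at an absolute path or a traversal sequence.
SecRule REQUEST_URI "/css/phpmyadmin\.css\.php\?GLOBALS\[cfg\]\[ThemePath\]=/etc"
SecRule REQUEST_URI "/phpMyAdmin/css/phpmyadmin\.css\.php\?GLOBALS\[cfg\]\[ThemePath\]=(/|.*\.\./)"
# NOTE(review): only the file name and "?" are escaped here. The empty
# "pma_username=&" and the single "." after server=, lang= and convcharset=
# look like wildcards that lost their "*"; confirm the intended pattern.
SecRule REQUEST_URI "/phpmyadmin/index\.php\?pma_username=&pma_password=&server=.&lang=.&convcharset=.((javascript|script|about|applet|activex|chrome)>|(http|https|ftp):/)"
# Path traversal in a request handled by export.php.
SecRule SCRIPT_FILENAME "export\.php$" chain
SecRule REQUEST_URI "\.\."
# NOTE(review): the script-tag patterns in this group (disabled and enabled)
# also appear to have lost "*" quantifiers after [[:space:]] and "."; only the
# missing closing quotes are restored on the disabled ones.
#SecRule REQUEST_URI "(<[[:space:]](script|about|applet|activex|chrome)>.(script|about|applet|activex|chrome)[[:space:]]>|onmouseover=|javascript:)"
#SecRule REQUEST_URI "libraries/auth/cookie.auth.lib.php" chain
#SecRule REQUEST_URI "<[[:space:]](script|about|applet|activex|chrome)>.(script|about|applet|activex|chrome)[[:space:]]>"
#SecRule REQUEST_URI "/error.php" chain
#SecRule REQUEST_URI "<[[:space:]](script|about|applet|activex|chrome)>.(script|about|applet|activex|chrome)[[:space:]]>"
SecRule REQUEST_URI "/grab_globals.php" chain
SecRule REQUEST_URI "(<[[:space:]](script|about|applet|activex|chrome)>.(script|about|applet|activex|chrome)[[:space:]]>|(http|https|ftp):/)"
#############################
#SecRule SERVER_PROTOCOL "!^HTTP/(0.9|1.0|1.1)$" "msg:'Not allowed HTTP Protocol'"
# Directory traversal anywhere in the URI. With unescaped dots this pattern
# matched any two characters followed by "/" and so denied ordinary paths such
# as /phpmyadmin/index.php. Percent-encoded forms (%2e%2e/) are not covered
# unless a URL-decoding transformation is applied to the rule.
SecRule REQUEST_URI "\.\./"
#############################
# SQL keyword signatures (disabled). Patterns such as "select.+from" or
# "update.+set.+=" match ordinary prose and form input; parameterized queries
# in the application are the real defence, and these are at most a logging aid.
#SecRule ARGS "delete[[:space:]]+from"
#SecRule ARGS "drop[[:space:]]+database"
#SecRule ARGS "drop[[:space:]]+table"
#SecRule ARGS "drop[[:space:]]+column"
#SecRule ARGS "drop[[:space:]]+procedure"
#SecRule ARGS "create[[:space:]]+table"
#SecRule ARGS "update.+set.+="
#SecRule ARGS "insert[[:space:]]+into.+values"
#SecRule ARGS "select.+from"
#SecRule ARGS "bulk[[:space:]]+insert"
#SecRule ARGS "union.+select"
#SecRule ARGS "or.+1[[:space:]]*=[[:space:]]1"
#SecRule ARGS "alter[[:space:]]+table"
#SecRule ARGS "or 1=1--'"
#SecRule ARGS "'.+--"
#SecRule ARGS "load[[:space:]]+data"
#SecRule ARGS "/\*.+\*/"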
</IfModule>
[/code:wlmnpc9n]
강분도님 감사합니다.