aboutsummaryrefslogtreecommitdiffstats
path: root/config/apache_mod_security
diff options
context:
space:
mode:
authorScott Ullrich <sullrich@gmail.com>2009-06-23 13:10:28 -0400
committerScott Ullrich <sullrich@gmail.com>2009-06-23 13:10:28 -0400
commit8f5f872c05da346602fd8b7bcb7b73bc4af1726f (patch)
tree515d7a21b9d142af223451a7b0cabb4b28f8a8b7 /config/apache_mod_security
parent76779f685233402f58a8dbb1c050d508d580c2bf (diff)
downloadpfsense-packages-8f5f872c05da346602fd8b7bcb7b73bc4af1726f.tar.gz
pfsense-packages-8f5f872c05da346602fd8b7bcb7b73bc4af1726f.tar.bz2
pfsense-packages-8f5f872c05da346602fd8b7bcb7b73bc4af1726f.zip
Add more mod_security configuration items
Diffstat (limited to 'config/apache_mod_security')
-rw-r--r--config/apache_mod_security/apache_mod_security.inc94
1 files changed, 84 insertions, 10 deletions
diff --git a/config/apache_mod_security/apache_mod_security.inc b/config/apache_mod_security/apache_mod_security.inc
index 5a9ab852..4d0402be 100644
--- a/config/apache_mod_security/apache_mod_security.inc
+++ b/config/apache_mod_security/apache_mod_security.inc
@@ -165,33 +165,107 @@ EOF;
$enable_mod_security = true;
$mod_security = <<< EOF
<IfModule mod_security.c>
+
# Turn the filtering engine On or Off
SecFilterEngine On
+ # The audit engine works independently and
+ # can be turned On of Off on the per-server or
+ # on the per-directory basis
+ SecAuditEngine RelevantOnly
+
# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On
# Unicode encoding check
- SecFilterCheckUnicodeEncoding Off
+ SecFilterCheckUnicodeEncoding On
# Only allow bytes from this range
- SecFilterForceByteRange 0 255
+ SecFilterForceByteRange 1 255
- # Only log suspicious requests
- SecAuditEngine RelevantOnly
+ # Cookie format checks.
+ SecFilterCheckCookieFormat On
# The name of the audit log file
SecAuditLog logs/audit_log
- # Debug level set to a minimum
- SecFilterDebugLog logs/modsec_debug_log
- SecFilterDebugLevel 0
# Should mod_security inspect POST payloads
SecFilterScanPOST On
- # By default log and deny suspicious requests
- # with HTTP status 500
- SecFilterDefaultAction "deny,log,status:500"
+ # Default action set
+ SecFilterDefaultAction "deny,log,status:406"
+
+ # Simple example filter
+ SecFilter 111
+
+ # Prevent path traversal (..) attacks
+ SecFilter "\.\./"
+
+ # Weaker XSS protection but allows common HTML tags
+ SecFilter "<( |\n)*script"
+
+ # Prevent XSS atacks (HTML/Javascript injection)
+ SecFilter "<(.|\n)+>"
+
+ # Very crude filters to prevent SQL injection attacks
+ SecFilter "delete[[:space:]]+from"
+ SecFilter "insert[[:space:]]+into"
+ SecFilter "select.+from"
+
+ # Require HTTP_USER_AGENT and HTTP_HOST headers
+ SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"
+
+ # Only accept request encodings we know how to handle
+ # we exclude GET requests from this because some (automated)
+ # clients supply "text/html" as Content-Type
+ SecFilterSelective REQUEST_METHOD "!^GET$" chain
+ SecFilterSelective HTTP_Content-Type "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data)"
+
+ # Require Content-Length to be provided with
+ # every POST request
+ SecFilterSelective REQUEST_METHOD "^POST$" chain
+ SecFilterSelective HTTP_Content-Length "^$"
+
+ # Don't accept transfer encodings we know we don't handle
+ # (and you don't need it anyway)
+ SecFilterSelective HTTP_Transfer-Encoding "!^$"
+
+ # Some common application-related rules from
+ # http://modsecrules.monkeydev.org/rules.php?safety=safe
+
+ #Nuke Bookmarks XSS
+ SecFilterSelective THE_REQUEST "/modules\.php\?name=Bookmarks\&file=(del_cat\&catname|del_mark\&markname|edit_cat\&catname|edit_cat\&catcomment|marks\&catname|uploadbookmarks\&category)=(<[[:space:]]*script|(http|https|ftp)\:/)"
+
+ #Nuke Bookmarks Marks.php SQL Injection Vulnerability
+ SecFilterSelective THE_REQUEST "modules\.php\?name=Bookmarks\&file=marks\&catname=.*\&category=.*/\*\*/(union|select|delete|insert)"
+
+ #PHPNuke general XSS attempt
+ #/modules.php?name=News&file=article&sid=1&optionbox=
+ SecFilterSelective THE_REQUEST "/modules\.php\?*name=<[[:space:]]*script"
+
+ # PHPNuke SQL injection attempt
+ SecFilterSelective THE_REQUEST "/modules\.php\?*name=Search*instory="
+
+ #phpnuke sql insertion
+ SecFilterSelective THE_REQUEST "/modules\.php*name=Forums.*file=viewtopic*/forum=.*\'/"
+
+ # WEB-PHP phpbb quick-reply.php arbitrary command attempt
+
+ SecFilterSelective THE_REQUEST "/quick-reply\.php" chain
+ SecFilter "phpbb_root_path="
+
+ #Topic Calendar Mod for phpBB Cross-Site Scripting Attack
+ SecFilterSelective THE_REQUEST "/calendar_scheduler\.php\?start=(<[[:space:]]*script|(http|https|ftp)\:/)"
+
+ # phpMyAdmin: Safe
+
+ #phpMyAdmin Export.PHP File Disclosure Vulnerability
+ SecFilterSelective SCRIPT_FILENAME "export\.php$" chain
+ SecFilterSelective ARG_what "\.\."
+
+ #phpMyAdmin path vln
+ SecFilterSelective REQUEST_URI "/css/phpmyadmin\.css\.php\?GLOBALS\[cfg\]\[ThemePath\]=/etc"
+
</IfModule>
EOF;