Diffstat (limited to 'config/apache_mod_security/apache_mod_security.inc')
-rw-r--r--config/apache_mod_security/apache_mod_security.inc105
1 files changed, 29 insertions, 76 deletions
diff --git a/config/apache_mod_security/apache_mod_security.inc b/config/apache_mod_security/apache_mod_security.inc
index 55006278..c45f426d 100644
--- a/config/apache_mod_security/apache_mod_security.inc
+++ b/config/apache_mod_security/apache_mod_security.inc
@@ -27,19 +27,29 @@
POSSIBILITY OF SUCH DAMAGE.
*/
-if(!is_dir("/usr/local/apachemodsecurity")) {
+// Rules directory location
+define("rules_directory", "/usr/local/apachemodsecurity/rules");
+
+// Ensure NanoBSD can write. pkg_mgr will remount RO
+conf_mount_rw();
+
+// Needed mod_security directories
+if(!is_dir("/usr/local/apachemodsecurity"))
safe_mkdir("/usr/local/apachemodsecurity");
- conf_mount_rw();
-}
+if(!is_dir("/usr/local/apachemodsecurity"))
+ safe_mkdir("/usr/local/apachemodsecurity/rules");
+// Startup function
function apache_mod_security_start() {
exec("/usr/local/sbin/httpd -k start");
}
+// Shutdown function
function apache_mod_security_stop() {
exec("/usr/local/sbin/httpd -k stop");
}
+// Restart function
function apache_mod_security_restart() {
if(is_process_running("httpd")) {
exec("/usr/local/sbin/httpd -k graceful");
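Review bot: The second directory check re-tests the parent path instead of the rules path, so the rules directory is never created: once `safe_mkdir("/usr/local/apachemodsecurity")` has run, `is_dir("/usr/local/apachemodsecurity")` is true and the `safe_mkdir("/usr/local/apachemodsecurity/rules")` branch is dead. It should test the directory it creates, using the constant defined a few lines earlier: `if(!is_dir(rules_directory))` followed by `safe_mkdir(rules_directory);`. A minor style point is that `rules_directory` is a constant and the usual convention is an upper-case name such as `RULES_DIRECTORY`. The body of apache_mod_security_restart continues outside this hunk.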
@@ -48,6 +58,7 @@ function apache_mod_security_restart() {
}
}
+// Install function
function apache_mod_security_install() {
global $config, $g;
@@ -288,6 +299,19 @@ EOF;
if($config['installedpackages']['apachemodsecuritysettings']['config'][0]['modsecuritycustom'])
$mod_security_custom = $config['installedpackages']['apachemodsecuritysettings']['config'][0]['modsecuritycustom'];
+ // Process and include rules
+ if(is_dir(rules_directory)) {
+ $mod_security_rules = "";
+ $files = return_dir_as_array(rules_directory);
+ foreach($files as $file) {
+ if(file_exists($file)) {
+ // XXX: TODO integrate snorts rule on / off thingie
+ $file_txt = get_file_contents($file);
+ $mod_security_rules .= $file_txt . "\n";
+ }
+ }
+ }
+
// Mod_security enabled?
if($config['installedpackages']['apachemodsecuritysettings']['config'][0]['enablemodsecurity']) {
$enable_mod_security = true;
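Review bot: `$mod_security_rules` is only initialised inside the `is_dir(rules_directory)` branch, yet it is interpolated unconditionally into the httpd config heredoc later in this commit, so a missing rules directory yields an undefined-variable notice rather than an empty rule set. The loop also passes the entries of `return_dir_as_array(rules_directory)` straight to `file_exists`/`get_file_contents`; if that helper returns bare file names, as the pfSense version does, the lookups are relative to the process cwd and every rule file is silently skipped. Initialise the buffer before the branch, join each entry to `rules_directory`, and use `is_file` so subdirectories are not concatenated into the server config; restricting the glob to an expected extension would additionally keep editor backups and stray files out of the generated configuration. The enclosing apache_mod_security_install function starts and ends outside this hunk.
```php
// Process and include rules
$mod_security_rules = "";
if(is_dir(rules_directory)) {
	$files = return_dir_as_array(rules_directory);
	foreach($files as $file) {
		$rule_file = rules_directory . "/" . $file;
		// Only regular files become part of the httpd configuration
		if(is_file($rule_file)) {
			// XXX: TODO integrate snorts rule on / off thingie
			$mod_security_rules .= get_file_contents($rule_file) . "\n";
		}
	}
}
// … unchanged: "Mod_security enabled?" check …
```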
@@ -342,79 +366,8 @@ EOF;
# Should mod_security inspect POST payloads
SecFilterScanPOST On
- # Default action set
- SecFilterDefaultAction "deny,log,status:406"
-
- # Simple example filter
- SecFilter 111
-
- # Prevent path traversal (..) attacks
- SecFilter "\.\./"
-
- # Weaker XSS protection but allows common HTML tags
- SecFilter "<( |\n)*script"
-
- # Prevent XSS atacks (HTML/Javascript injection)
- SecFilter "<(.|\n)+>"
-
- # Very crude filters to prevent SQL injection attacks
- SecFilter "delete[[:space:]]+from"
- SecFilter "insert[[:space:]]+into"
- SecFilter "select.+from"
-
- # Require HTTP_USER_AGENT and HTTP_HOST headers
- SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"
-
- # Only accept request encodings we know how to handle
- # we exclude GET requests from this because some (automated)
- # clients supply "text/html" as Content-Type
- SecFilterSelective REQUEST_METHOD "!^GET$" chain
- SecFilterSelective HTTP_Content-Type "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data)"
-
- # Require Content-Length to be provided with
- # every POST request
- SecFilterSelective REQUEST_METHOD "^POST$" chain
- SecFilterSelective HTTP_Content-Length "^$"
-
- # Don't accept transfer encodings we know we don't handle
- # (and you don't need it anyway)
- SecFilterSelective HTTP_Transfer-Encoding "!^$"
-
- # Some common application-related rules from
- # http://modsecrules.monkeydev.org/rules.php?safety=safe
-
- #Nuke Bookmarks XSS
- SecFilterSelective THE_REQUEST "/modules\.php\?name=Bookmarks\&file=(del_cat\&catname|del_mark\&markname|edit_cat\&catname|edit_cat\&catcomment|marks\&catname|uploadbookmarks\&category)=(<[[:space:]]*script|(http|https|ftp)\:/)"
-
- #Nuke Bookmarks Marks.php SQL Injection Vulnerability
- SecFilterSelective THE_REQUEST "modules\.php\?name=Bookmarks\&file=marks\&catname=.*\&category=.*/\*\*/(union|select|delete|insert)"
-
- #PHPNuke general XSS attempt
- #/modules.php?name=News&file=article&sid=1&optionbox=
- SecFilterSelective THE_REQUEST "/modules\.php\?*name=<[[:space:]]*script"
-
- # PHPNuke SQL injection attempt
- SecFilterSelective THE_REQUEST "/modules\.php\?*name=Search*instory="
-
- #phpnuke sql insertion
- SecFilterSelective THE_REQUEST "/modules\.php*name=Forums.*file=viewtopic*/forum=.*\'/"
-
- # WEB-PHP phpbb quick-reply.php arbitrary command attempt
-
- SecFilterSelective THE_REQUEST "/quick-reply\.php" chain
- SecFilter "phpbb_root_path="
-
- #Topic Calendar Mod for phpBB Cross-Site Scripting Attack
- SecFilterSelective THE_REQUEST "/calendar_scheduler\.php\?start=(<[[:space:]]*script|(http|https|ftp)\:/)"
-
- # phpMyAdmin: Safe
-
- #phpMyAdmin Export.PHP File Disclosure Vulnerability
- SecFilterSelective SCRIPT_FILENAME "export\.php$" chain
- SecFilterSelective ARG_what "\.\."
-
- #phpMyAdmin path vln
- SecFilterSelective REQUEST_URI "/css/phpmyadmin\.css\.php\?GLOBALS\[cfg\]\[ThemePath\]=/etc"
+ # Include rules from rules/ directory
+ {$mod_security_rules}
</IfModule>