Debian/Ubuntu Tips and Tricks

Debuntu


Secure your Apache2 with mod-security — page 3

Posted by chantra on August 13th, 2006

This entry is part 3 of 3 in the series Secure your Apache2 with mod-security

4. mod-security filter examples:

Suppose, for instance, you want to stop attackers injecting shell commands through your scripts. You could use this filter to block any request containing /bin/:

SecFilter /bin/

Because a plain SecFilter inspects every part of the request (the request URI, the query string, the POST body and so on), this will also throw a 500 error and block access to public files whose path merely contains /bin/, such as http://example.com/my_project/bin/latest-release.tar.gz .

To avoid this, we can use SecFilterSelective, which takes one or more locations (separated by |) followed by a regular expression, and tell it to look only at the query string and the POST body:

SecFilterSelective "POST_PAYLOAD|QUERY_STRING" /bin/

or, looking further into the mod-security documentation, use the ARGS location, which covers both GET and POST parameters:

SecFilterSelective ARGS /bin/

Likewise, if you only want to filter argument values rather than argument names, use ARGS_VALUES instead.

Finally, if you decide that only the parameter named file must never contain /bin/, you can restrict the check to that single parameter:

SecFilterSelective ARGS_file /bin/

Now let's play with another example. Say you want to prevent access to your web server's content from outside your local network, 192.168.1.0/24. Remember that . is a regular-expression metacharacter and must be escaped: an unescaped ^192.168.1. would also accept addresses such as 192.168.10.5.

SecFilterSelective REMOTE_ADDR !^192\.168\.1\.

but this also blocks requests coming from the server itself (127.0.0.1). With a slightly richer regular expression you can allow both:

SecFilterSelective "REMOTE_ADDR" !(^192\.168\.1\.|^127\.0\.0\.1$)

Finally, suppose you have set up a virtual host www.my-virtual-server.com which should be reachable worldwide, while the rest of the server stays restricted to the local network. The chain action is what you need: the rule that follows a chained rule is only evaluated when the chained rule matches, so the address check below is only applied when the hostname is not www.my-virtual-server.com:

SecFilterSelective SERVER_NAME !^www\.my-virtual-server\.com$ chain
SecFilterSelective "REMOTE_ADDR" !(^192\.168\.1\.|^127\.0\.0\.1$)

or you could redirect the user to some other place:

SecFilterSelective SERVER_NAME !^www\.my-virtual-server\.com$ chain
SecFilterSelective "REMOTE_ADDR" !(^192\.168\.1\.|^127\.0\.0\.1$) "log,redirect:http://www.foo.com/not-authorized.html"

When a filter detects an attack, it is nice to be notified. The exec action runs an external program whenever the rule matches. Keep in mind that Apache runs the script, so it executes with the web server's privileges: keep it outside the document root and not writable by that user. If you also want the request blocked, say so explicitly in the action list (for example "log,deny,exec:...") rather than relying on the default action:

SecFilterSelective SERVER_NAME !^www\.my-virtual-server\.com$ chain
SecFilterSelective "REMOTE_ADDR" !(^192\.168\.1\.|^127\.0\.0\.1$) "exec:/path/to/report-intrusion.pl"
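To see which of the rules above fire on which request without touching a live Apache, here is a small model of mod_security 1.x matching, written for this page and not taken from mod_security itself. It reproduces only what the examples on this page rely on: the locations SecFilterSelective inspects (REQUEST_URI, QUERY_STRING, POST_PAYLOAD, ARGS, ARGS_VALUES, ARGS_name, REMOTE_ADDR, SERVER_NAME), the leading ! negation, and the chain action. The sample requests, the address 203.0.113.5 and the hostname intranet.example.com are constructed for the demonstration; real mod_security also normalises the request (URL decoding, path canonicalisation) before matching, which this model leaves out.

```python
"""Toy model of mod_security 1.x SecFilter / SecFilterSelective matching (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qsl

DEFAULT_ACTION = "deny,log,status:500"   # 1.x default when a rule names no action


@dataclass
class Request:
    remote_addr: str
    server_name: str
    uri: str                 # path only, e.g. /cgi-bin/view.cgi
    query_string: str = ""
    post_payload: str = ""   # application/x-www-form-urlencoded body

    def args(self):
        """ARGS in 1.x covers both GET (query string) and POST parameters."""
        return (parse_qsl(self.query_string, keep_blank_values=True)
                + parse_qsl(self.post_payload, keep_blank_values=True))

    def location(self, name: str) -> List[str]:
        """Strings a SecFilterSelective location exposes to the regular expression."""
        if name == "REQUEST_URI":
            return [self.uri + ("?" + self.query_string if self.query_string else "")]
        if name == "QUERY_STRING":
            return [self.query_string]
        if name == "POST_PAYLOAD":
            return [self.post_payload]
        if name == "REMOTE_ADDR":
            return [self.remote_addr]
        if name == "SERVER_NAME":
            return [self.server_name]
        if name == "ARGS":
            return [f"{k}={v}" for k, v in self.args()]
        if name == "ARGS_VALUES":
            return [v for _, v in self.args()]
        if name.startswith("ARGS_"):          # ARGS_file -> value of parameter 'file'
            return [v for k, v in self.args() if k == name[len("ARGS_"):]]
        raise ValueError(f"unsupported location {name}")


@dataclass
class Rule:
    locations: Optional[str]     # None models SecFilter (inspect the whole request)
    pattern: str                 # a leading '!' negates, as in mod_security
    chain: bool = False
    action: str = DEFAULT_ACTION


def rule_matches(rule: Rule, req: Request) -> bool:
    """A rule matches when the regex hits any string of any listed location (inverted by '!')."""
    negate = rule.pattern.startswith("!")
    regex = re.compile(rule.pattern[1:] if negate else rule.pattern)
    # SecFilter looks at URI, query string and POST body (request headers omitted in this model)
    locs = (rule.locations or "REQUEST_URI|QUERY_STRING|POST_PAYLOAD").split("|")
    hit = any(regex.search(s) for loc in locs for s in req.location(loc))
    return not hit if negate else hit


def evaluate(rules: List[Rule], req: Request) -> str:
    """Walk the rules in order; return the action of the first rule that fires, else 'allow'.

    A 'chain' rule hands control to the next rule only when it matches; when it does
    not match, the remainder of that chain is skipped.
    """
    i = 0
    while i < len(rules):
        rule = rules[i]
        if not rule_matches(rule, req):
            while rule.chain and i + 1 < len(rules):   # skip the rest of the chain
                i += 1
                rule = rules[i]
            i += 1
            continue
        if rule.chain:
            i += 1                                     # matched: evaluate the next link
            continue
        return rule.action
    return "allow"


# Constructed sample requests (not from the original page) and the page's rule sets.
TARBALL = Request("203.0.113.5", "www.my-virtual-server.com",
                  "/my_project/bin/latest-release.tar.gz")
INJECT = Request("203.0.113.5", "www.my-virtual-server.com",
                 "/cgi-bin/view.cgi", query_string="file=/bin/sh")

SECFILTER_BIN = [Rule(None, "/bin/")]                       # SecFilter /bin/
ARGS_BIN = [Rule("ARGS", "/bin/")]                          # SecFilterSelective ARGS /bin/
ARGS_FILE_BIN = [Rule("ARGS_file", "/bin/")]                # SecFilterSelective ARGS_file /bin/
LAN_ONLY_UNESCAPED = [Rule("REMOTE_ADDR", "!(^192.168.1.|^127.0.0.1$)")]   # dots unescaped
LAN_ONLY = [Rule("REMOTE_ADDR", r"!(^192\.168\.1\.|^127\.0\.0\.1$)")]
VHOST_CHAIN = [
    Rule("SERVER_NAME", r"!^www\.my-virtual-server\.com$", chain=True),
    Rule("REMOTE_ADDR", r"!(^192\.168\.1\.|^127\.0\.0\.1$)",
         action="log,redirect:http://www.foo.com/not-authorized.html"),
]

if __name__ == "__main__":
    print("SecFilter on tarball   :", evaluate(SECFILTER_BIN, TARBALL))
    print("ARGS on tarball        :", evaluate(ARGS_BIN, TARBALL))
    print("ARGS on injection      :", evaluate(ARGS_BIN, INJECT))
    print("unescaped, 192.168.10.5:", evaluate(LAN_ONLY_UNESCAPED, Request("192.168.10.5", "x", "/")))
    print("escaped,   192.168.10.5:", evaluate(LAN_ONLY, Request("192.168.10.5", "x", "/")))
```

Running it shows the false positive the text describes (the tarball is denied by SecFilter but not by ARGS), that the injection attempt is still caught by ARGS and ARGS_file, that the chained rules leave www.my-virtual-server.com open to everyone while redirecting outsiders on any other hostname, and that the unescaped dots silently let 192.168.10.0/24 through.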
