4. mod-security filter examples
Suppose, for instance, you want to prevent attackers from injecting shell commands through your scripts. You could use this filter to block any request containing /bin/:
Because a plain mod-security filter inspects every field by default, this rule will also throw a 500 error and block access to publicly available files you have published, such as http://example.com/my_project/bin/latest-release.tar.gz.
To counter this, we can use SecFilterSelective combined with a list of locations and tell it to look only into the POST payload and the query string:
SecFilterSelective "POST_PAYLOAD|QUERY_STRING" /bin/
or, looking further down the mod-security documentation, we could instead use
SecFilterSelective ARGS /bin/
Likewise, if you only want to filter argument values, you can use ARGS_VALUES instead.
Finally, if you decide that only the parameter named file must not contain /bin/, you can restrict the check to that single parameter with:
SecFilterSelective ARGS_file /bin/
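To see what each selector actually inspects, here is an added Python model (not part of this tutorial and not mod-security's own code) that splits a few constructed requests into the fields named above and applies the /bin/ pattern the way a plain SecFilter, SecFilterSelective ARGS, ARGS_VALUES and ARGS_file would. The request decomposition is a simplified assumption of this example, not mod-security's parser; it is enough to show why the unselective filter blocks the public download while the ARGS variants do not.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# The pattern used by every rule in this section
PATTERN = re.compile(r"/bin/")


def parse_request(request_line, body=""):
    """Split a constructed HTTP request into the fields the filters name.

    Assumption of this example: a plain SecFilter sees the request URI,
    the query string and the POST payload; the ARGS family sees the
    decoded parameters from both query string and body.
    """
    method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    args = parse_qsl(parts.query, keep_blank_values=True)
    if method == "POST" and body:
        args += parse_qsl(body, keep_blank_values=True)
    return {
        "REQUEST_URI": target,
        "QUERY_STRING": parts.query,
        "POST_PAYLOAD": body,
        "ARGS": args,  # list of (name, value) pairs
    }


def plain_filter_hits(req):
    """SecFilter /bin/ : every field, including the URI path itself."""
    fields = [req["REQUEST_URI"], req["QUERY_STRING"], req["POST_PAYLOAD"]]
    return any(PATTERN.search(f) for f in fields)


def args_filter_hits(req):
    """SecFilterSelective ARGS /bin/ : parameter names and values."""
    return any(PATTERN.search(k) or PATTERN.search(v) for k, v in req["ARGS"])


def args_values_filter_hits(req):
    """SecFilterSelective ARGS_VALUES /bin/ : parameter values only."""
    return any(PATTERN.search(v) for _k, v in req["ARGS"])


def arg_filter_hits(req, name):
    """SecFilterSelective ARGS_<name> /bin/ : the value of one parameter."""
    return any(PATTERN.search(v) for k, v in req["ARGS"] if k == name)


def summarize(req):
    """Which of the four rules would fire on this request."""
    return {
        "SecFilter": plain_filter_hits(req),
        "ARGS": args_filter_hits(req),
        "ARGS_VALUES": args_values_filter_hits(req),
        "ARGS_file": arg_filter_hits(req, "file"),
    }


# Constructed sample requests (not captured traffic)
SAMPLES = [
    ("GET /my_project/bin/latest-release.tar.gz HTTP/1.0", ""),  # legitimate download
    ("GET /view.cgi?file=/bin/sh HTTP/1.0", ""),                # injection attempt in 'file'
    ("GET /view.cgi?page=/bin/ls HTTP/1.0", ""),                # same, in another parameter
    ("POST /upload.cgi HTTP/1.0", "/bin/x=1"),                  # pattern in a parameter *name*
]

if __name__ == "__main__":
    for line, body in SAMPLES:
        print(line, body or "", summarize(parse_request(line, body)))
```

Run it and the first request shows the problem from the text: only the unselective SecFilter fires on the public tarball, because the match is in the path, not in any argument. The last request shows the difference between ARGS and ARGS_VALUES: a parameter name containing /bin/ is caught by ARGS but ignored by ARGS_VALUES.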
Now let's try another example. Say you want to prevent access to your web server's content from outside your local network, which is 192.168.1.0/24:
SecFilterSelective REMOTE_ADDR !^192.168.1.
but this also blocks access from localhost. With a slightly different regular expression, you could use this one instead:
SecFilterSelective "REMOTE_ADDR" !(^192.168.1.|^127.0.0.1$)
Finally, suppose you have set up a virtual host www.my-virtual-server.com which should be available worldwide. chain is what you need here. We are going to set up a rule which is only applied if the hostname is not www.my-virtual-server.com:
SecFilterSelective SERVER_NAME !www.my-virtual-server.com chain
SecFilterSelective "REMOTE_ADDR" !(^192.168.1.|^127.0.0.1$)
or you could redirect the user elsewhere:
SecFilterSelective SERVER_NAME !www.my-virtual-server.com chain
SecFilterSelective "REMOTE_ADDR" !(^192.168.1.|^127.0.0.1$) "log,redirect:http://www.foo.com/not-authorized.html"
When detecting intrusions or attacks, it is useful to be notified as they occur. Let's use the exec action:
SecFilterSelective SERVER_NAME !www.my-virtual-server.com chain
SecFilterSelective "REMOTE_ADDR" !(^192.168.1.|^127.0.0.1$) "exec:/path/to/report-intrusion.pl"
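The following added Python snippet (example code written for this page, not part of the tutorial or of mod-security) emulates the two chained REMOTE_ADDR rules above against constructed hostnames and client addresses, so you can see when the chain fires. It also carries the caveat a reviewer would raise: the tutorial's pattern uses unescaped dots and has no end anchor, so `^192.168.1.` also treats 192.168.10.x and 192.168.100.x clients as local. The tightened pattern STRICT_LOCAL_RE is this example's suggestion, not something the tutorial states.

```python
import re

# Pattern exactly as written in the tutorial's rule (unescaped dots, no end anchor)
PAGE_LOCAL_RE = r"(^192.168.1.|^127.0.0.1$)"
# Tightened alternative proposed by this example: escaped dots, whole address anchored
STRICT_LOCAL_RE = r"(^192\.168\.1\.\d{1,3}$|^127\.0\.0\.1$)"

# Hostname regex from the SERVER_NAME rule, as written (dots unescaped there too)
PUBLIC_VHOST_RE = r"www.my-virtual-server.com"


def is_local(remote_addr, pattern=PAGE_LOCAL_RE):
    """True when REMOTE_ADDR matches the 'local' regex (the rule is its negation)."""
    return re.search(pattern, remote_addr) is not None


def request_blocked(server_name, remote_addr, pattern=PAGE_LOCAL_RE):
    """Emulate the chain:
         SecFilterSelective SERVER_NAME !www.my-virtual-server.com chain
         SecFilterSelective "REMOTE_ADDR" !(^192.168.1.|^127.0.0.1$)
    A chained rule fires only when every link matches; a link whose pattern
    begins with '!' matches when its regex does NOT match the field.
    """
    first_link = re.search(PUBLIC_VHOST_RE, server_name) is None
    if not first_link:
        return False  # public vhost: the chain stops, second link never evaluated
    second_link = not is_local(remote_addr, pattern)
    return second_link


# Constructed client addresses (not real traffic)
SAMPLE_ADDRESSES = [
    "192.168.1.42",    # genuinely inside 192.168.1.0/24
    "127.0.0.1",       # localhost
    "192.168.10.5",    # outside the /24, but '.' matches the '0'
    "192.168.100.7",   # likewise
    "10.0.0.8",        # clearly remote
]


def loose_but_not_strict(addresses):
    """Addresses the tutorial's regex accepts as local but the strict one rejects."""
    return [a for a in addresses
            if is_local(a, PAGE_LOCAL_RE) and not is_local(a, STRICT_LOCAL_RE)]


if __name__ == "__main__":
    for host in ("intranet.example.com", "www.my-virtual-server.com"):
        for addr in SAMPLE_ADDRESSES:
            print(f"{host:28} {addr:15} blocked={request_blocked(host, addr)}")
    print("accepted only by the loose pattern:", loose_but_not_strict(SAMPLE_ADDRESSES))
```

With the tutorial's pattern, a client at 192.168.10.5 reaching the intranet vhost is not blocked; with STRICT_LOCAL_RE it is. Whichever pattern you keep, REMOTE_ADDR is only trustworthy when the request reaches Apache directly; behind a reverse proxy it holds the proxy's address and the rule would either block everyone or no one.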