Debian/Ubuntu Tips and Tricks

Secure your Apache2 with mod-security — page 3

Posted by chantra on August 13th, 2006

This entry is part 3 of 3 in the series Secure your Apache2 with mod-security

4. mod-security filter examples:

Suppose, for instance, you want to prevent attackers from injecting shell commands through your scripts. You could use this filter to block any request containing /bin/:

SecFilter /bin/

As SecFilter by default inspects every enabled field, this will also throw a 500 error and block access to binaries you have made available to the public, such as .

To counter this, we could use SecFilterSelective, combined with a regular expression as the location, and tell it to look only at GET and POST data:

SecFilterSelective "POST_PAYLOAD|QUERY_STRING" /bin/

Or, looking further down the mod-security documentation, we could use the ARGS location instead:

SecFilterSelective ARGS /bin/

Likewise, if you only want to filter argument values, you can use ARGS_VALUES instead.

Finally, if you decide that only the parameter file must not contain /bin/ in its value, you can restrict the check to that parameter with:

SecFilterSelective ARGS_file /bin/

Now, let's play with another example. Let's say you want to prevent access to your web server content from outside your local network, which is

SecFilterSelective REMOTE_ADDR !^192.168.1.

but this will also block local access. Playing with the regular expression, you could use this one instead:

SecFilterSelective "REMOTE_ADDR" !(^192.168.1.|^$)

Finally, suppose you have set up a virtual server which should be available worldwide. chain is what you need. We are going to set up a rule which will only be applied if the hostname is not

SecFilterSelective SERVER_NAME ! chain
SecFilterSelective "REMOTE_ADDR" !(^192.168.1.|^$)

or you could redirect the user to some other place:

SecFilterSelective SERVER_NAME ! chain
SecFilterSelective "REMOTE_ADDR" !(^192.168.1.|^$) "log,redirect:"

When detecting intrusions or attacks, it can be useful to be notified when one occurs. Let's use the exec action:

SecFilterSelective SERVER_NAME ! chain
SecFilterSelective "REMOTE_ADDR" !(^192.168.1.|^$) "exec:/path/to/"
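To see why the location argument, the `!` prefix and `chain` behave as described in the three examples above (the /bin/ filters, the REMOTE_ADDR filters and the chained SERVER_NAME rule), here is an added illustration in Python. It is not mod_security's code: it models a request as a plain dict, simplifies ARGS to "name=value" strings, supports only the location names used on this page (plus REQUEST_URI and ARGS_NAMES), uses constructed sample requests, and stands in the hypothetical hostname `public.example.com` for the elided virtual-server name. It also shows a caveat a practitioner would want: in `^192.168.1.` the dots are regex wildcards, so `192.168.10.5` also counts as local; the tightened `LAN_ONLY_STRICT` pattern escapes them.

```python
import re
from typing import Dict, List, Tuple

# Added illustration, not mod_security's own code: a plain-dict request model
# of how SecFilter / SecFilterSelective choose which inputs a regex runs against.
Request = Dict[str, object]

# Location names that select a single request field (page locations + REQUEST_URI).
SIMPLE_LOCATIONS = {
    "REMOTE_ADDR": "remote_addr",
    "SERVER_NAME": "server_name",
    "REQUEST_URI": "request_uri",
    "QUERY_STRING": "query_string",
    "POST_PAYLOAD": "post_payload",
}


def location_values(location: str, req: Request) -> List[str]:
    """Return the strings that one location name selects from the request."""
    args: Dict[str, str] = req.get("args", {})  # merged GET+POST parameters
    if location in SIMPLE_LOCATIONS:
        return [str(req.get(SIMPLE_LOCATIONS[location], ""))]
    if location == "ARGS":            # every parameter, name and value
        return [f"{k}={v}" for k, v in args.items()]
    if location == "ARGS_VALUES":     # parameter values only
        return list(args.values())
    if location == "ARGS_NAMES":      # parameter names only
        return list(args.keys())
    if location.startswith("ARGS_"):  # one named parameter, e.g. ARGS_file
        name = location[len("ARGS_"):]
        return [args[name]] if name in args else []
    raise ValueError(f"unsupported location: {location}")


def rule_fires(locations: str, pattern: str, req: Request) -> bool:
    """Evaluate one SecFilterSelective line.

    `locations` is the first argument ("ARGS", "POST_PAYLOAD|QUERY_STRING", ...),
    `pattern` the regex, optionally prefixed with "!" to invert the match.
    The rule fires if any selected value matches (after inversion).
    """
    negate = pattern.startswith("!")
    regex = re.compile(pattern[1:] if negate else pattern)
    for loc in locations.split("|"):
        for value in location_values(loc.strip(), req):
            matched = regex.search(value) is not None
            if matched != negate:
                return True
    return False


def secfilter_fires(pattern: str, req: Request) -> bool:
    """Plain SecFilter: the regex is run against every location, not only ARGS."""
    return rule_fires("|".join(list(SIMPLE_LOCATIONS) + ["ARGS"]), pattern, req)


def chain_fires(rules: List[Tuple[str, str]], req: Request) -> bool:
    """`chain` links consecutive rules: the final action runs only if all fire."""
    return all(rule_fires(loc, pat, req) for loc, pat in rules)


# The page's LAN regex, and a tightened one: unescaped dots match any character,
# so "^192.168.1." also accepts 192.168.10.x; escaping and anchoring fixes that.
LAN_ONLY = r"!(^192.168.1.|^$)"
LAN_ONLY_STRICT = r"!(^192\.168\.1\.\d{1,3}$|^$)"
# Hypothetical public vhost name (the page's own hostname is not given).
NOT_PUBLIC_VHOST = r"!^public\.example\.com$"


def make_request(remote_addr: str, server_name: str, uri: str,
                 args: Dict[str, str]) -> Request:
    """Build a constructed sample request (not captured traffic)."""
    return {
        "remote_addr": remote_addr,
        "server_name": server_name,
        "request_uri": uri,
        "query_string": "&".join(f"{k}={v}" for k, v in args.items()),
        "post_payload": "",
        "args": dict(args),
    }


if __name__ == "__main__":
    req = make_request("10.0.0.5", "intranet.example.com", "/index.cgi",
                       {"file": "/bin/sh", "action": "view"})
    print("SecFilter /bin/ fires:", secfilter_fires("/bin/", req))
    print("ARGS_file /bin/ fires:", rule_fires("ARGS_file", "/bin/", req))
    print("chain fires:", chain_fires([("SERVER_NAME", NOT_PUBLIC_VHOST),
                                       ("REMOTE_ADDR", LAN_ONLY)], req))
```

Running it with a request whose URI (not its arguments) contains /bin/ shows the difference the page describes: `secfilter_fires` blocks it while the ARGS-scoped rule does not; an empty REMOTE_ADDR shows why the `|^$` alternative is needed once the pattern is negated.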
