Secure your Apache2 with mod-security — page 3

4. mod-security filter examples

Suppose, for instance, you want to stop attackers from injecting shell commands through your scripts. You could use this rule to block anything containing /bin/:

SecFilter /bin/

Because SecFilter is unselective, it inspects the request line (the URI included), the query string and, when POST scanning is enabled, the POST payload. This rule will therefore also throw a 500 error (the default action) and block access to any publicly available binaries you have placed under a /bin/ path, such as .

To avoid that, use SecFilterSelective, which takes a list of locations (separated by |) followed by the pattern, and tell it to look only at GET and POST data:

SecFilterSelective "POST_PAYLOAD|QUERY_STRING" /bin/

or, reading further down the mod_security documentation, use the ARGS location, which covers both GET and POST arguments (names and values):

SecFilterSelective ARGS /bin/

Likewise, if you only want to filter argument values and not their names, use ARGS_VALUES instead.

Finally, if you decide that only the parameter named file must not contain /bin/, restrict the rule to that single parameter. In the 1.x syntax an individual argument is selected with ARG_name (note the singular ARG):

SecFilterSelective ARG_file /bin/

Now let's play with another example. Say you want to deny access to your web server's content from outside your local network, which is

SecFilterSelective REMOTE_ADDR "!^192\.168\.1\."

The leading ! negates the pattern, so the rule fires (and denies the request) whenever the client address does not start with 192.168.1. The dots are escaped because the pattern is a regular expression: an unescaped ^192.168.1. would also accept 192.168.100.5 and anything else of the form 192?168?1?. This rule also blocks access from the server itself, though, since loopback requests arrive from 127.0.0.1. Extending the regular expression fixes that (the ^$ alternative, which accepts an empty REMOTE_ADDR, is kept from the original rule):

SecFilterSelective "REMOTE_ADDR" "!(^192\.168\.1\.|^127\.0\.0\.1$|^$)"

Finally, suppose you have also set up a virtual host which should be reachable worldwide. The chain action is what you need: a rule carrying chain is tied to the rule that follows it, the second rule is only evaluated when the first one matched, and the action is taken only when both match. So the REMOTE_ADDR check below applies solely to hosts other than the public one. We are going to set up a rule which will only be applied if the hostname is not

SecFilterSelective SERVER_NAME ! chain
SecFilterSelective "REMOTE_ADDR" "!(^192\.168\.1\.|^127\.0\.0\.1$|^$)"

or, instead of denying, you could send the visitor somewhere else with the redirect action (the target URL goes after the colon):

SecFilterSelective SERVER_NAME ! chain
SecFilterSelective "REMOTE_ADDR" "!(^192\.168\.1\.|^127\.0\.0\.1$|^$)" "log,redirect:"

When a rule detects an intrusion attempt it is nice to be notified. The exec action runs an external program, for instance a script that e-mails you, each time the rule fires:

SecFilterSelective SERVER_NAME ! chain
SecFilterSelective "REMOTE_ADDR" "!(^192\.168\.1\.|^127\.0\.0\.1$|^$)" "exec:/path/to/"

Keep in mind that the program runs as the Apache user and once per matching request, so keep it lightweight and remember that a flood of matches becomes a flood of notifications.
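To make the difference between the locations used above (the unselective SecFilter versus ARGS and ARG_file), the effect of an unescaped dot in the REMOTE_ADDR pattern, and the chain action concrete without an Apache instance at hand, here is an added example written for this page. It is not mod_security's own code (that is a C Apache module) but a small Python model of the 1.x matching semantics; the requests, client addresses and the hostname public.example.org in it are constructed assumptions, not values from the page.

```python
"""Toy model of mod_security 1.x SecFilter / SecFilterSelective matching.

Added illustration for this page, not mod_security's own code. It mimics
just enough of the 1.x semantics (locations, a leading '!' negating the
pattern, the chain action) to show why the rules on the page behave the way
they do. Requests, addresses and public.example.org are assumptions.
"""
import re
from urllib.parse import parse_qsl, urlsplit


def variables(method, uri, remote_addr, server_name, body=""):
    """Build the subset of 1.x locations used on this page for one request."""
    parts = urlsplit(uri)
    args = parse_qsl(parts.query, keep_blank_values=True)
    if method == "POST":
        args += parse_qsl(body, keep_blank_values=True)
    v = {
        "REQUEST_URI": uri,
        "QUERY_STRING": parts.query,
        "POST_PAYLOAD": body if method == "POST" else "",
        "REMOTE_ADDR": remote_addr,
        "SERVER_NAME": server_name,
        # Simplification: ARGS as one name=value&... string covering GET and POST.
        "ARGS": "&".join(f"{n}={val}" for n, val in args),
        "ARGS_NAMES": "&".join(n for n, _ in args),
        "ARGS_VALUES": "&".join(val for _, val in args),
    }
    for n, val in args:
        v[f"ARG_{n}"] = val          # one location per argument: ARG_name
    return v


def sec_filter_selective(v, locations, pattern):
    """SecFilterSelective LOCATIONS PATTERN: True when the rule fires.
    PATTERN is a regex; a leading '!' means "fire when it does NOT match".
    Locations are separated by '|' and checked one by one."""
    negate = pattern.startswith("!")
    rx = re.compile(pattern[1:] if negate else pattern)
    for loc in locations.split("|"):
        found = rx.search(v.get(loc, "")) is not None
        if found != negate:
            return True
    return False


def sec_filter(v, pattern):
    """SecFilter PATTERN: unselective, scans request line, query string, POST body."""
    return sec_filter_selective(v, "REQUEST_URI|QUERY_STRING|POST_PAYLOAD", pattern)


def evaluate(v, rules):
    """Run (location, pattern, actions) rules in order. A rule whose actions
    contain 'chain' is tied to the next one; the actions of the last rule in
    the chain are returned only when every rule in the chain fired."""
    i = 0
    while i < len(rules):
        end = i
        while "chain" in rules[end][2] and end + 1 < len(rules):
            end += 1
        if all(sec_filter_selective(v, loc, pat) for loc, pat, _ in rules[i:end + 1]):
            return rules[end][2]
        i = end + 1
    return None


def demo_scope():
    """SecFilter /bin/ hits a legitimate request for a public /bin/ script via
    REQUEST_URI; the ARGS and ARG_file rules hit only the injection attempt."""
    legit = variables("GET", "/bin/report.cgi?period=week", "203.0.113.5", "www.example.org")
    attack = variables("POST", "/upload.php", "203.0.113.5", "www.example.org",
                       body="file=/bin/sh -c id")           # constructed attack body
    return {
        "secfilter_blocks_legit": sec_filter(legit, "/bin/"),
        "args_blocks_legit": sec_filter_selective(legit, "ARGS", "/bin/"),
        "args_blocks_attack": sec_filter_selective(attack, "ARGS", "/bin/"),
        "arg_file_blocks_attack": sec_filter_selective(attack, "ARG_file", "/bin/"),
    }


def demo_remote_addr():
    """Unescaped dots accept far more than 192.168.1.x.
    Returns {address: (loose rule fires, strict rule fires)}."""
    loose = "!^192.168.1."
    strict = r"!(^192\.168\.1\.|^127\.0\.0\.1$)"
    return {addr: (sec_filter_selective({"REMOTE_ADDR": addr}, "REMOTE_ADDR", loose),
                   sec_filter_selective({"REMOTE_ADDR": addr}, "REMOTE_ADDR", strict))
            for addr in ("192.168.1.25", "192x168y1z7", "127.0.0.1", "203.0.113.5")}


def demo_chain(server_name, remote_addr):
    """The chained pair from the page: deny non-local clients except on the
    (assumed) public virtual host public.example.org."""
    rules = [
        ("SERVER_NAME", r"!^public\.example\.org$", ["chain"]),
        ("REMOTE_ADDR", r"!(^192\.168\.1\.|^127\.0\.0\.1$)", ["log", "deny"]),
    ]
    return evaluate(variables("GET", "/", remote_addr, server_name), rules)
```

Import the module and call demo_scope(), demo_remote_addr() and demo_chain(host, addr): the first shows the unselective rule firing on the legitimate /bin/report.cgi request while the ARGS-scoped rules fire only on the injected value, the second shows the loose pattern letting 192x168y1z7 through and blocking loopback, and the third returns the deny actions only for a non-public host contacted from outside the LAN.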