Apache2
Current version as of 13 September 2024, 12:21
As web server we use Apache2 with PHP, mod_security, mod_auth_pam (since replaced by authnz_external, see below) and mod_deflate. The access logs are rotated by vlogger; note that the template used below (access.log.%Y.%m) starts a new file each month, not each day.
conf.d/myconfig
LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" vcombined
LogFormat "%{Host}i %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
# global access log
CustomLog "|| /usr/sbin/vlogger -s access.log -t access.log.%Y.%m -u ${APACHE_RUN_USER} -g ${APACHE_RUN_GROUP} ${APACHE_LOG_DIR}/vlogger" vcombined
UseCanonicalName Off
conf.d/z_security
<Directory />
AllowOverride None
<IfVersion >= 2.4>
Require all denied
</IfVersion>
<IfVersion < 2.4>
Order Deny,Allow
Deny from all
</IfVersion>
</Directory>
ServerTokens Prod
ServerSignature Off
TraceEnable Off
#SSL
#server-side cipher preference (historically deployed as a BEAST mitigation; today it ensures the AEAD/forward-secret suites listed first are actually chosen)
SSLHonorCipherOrder On
#NOTE: only the last SSLCipherSuite in a scope is used, so the explicit list on the next line is overridden by the class-based list after it.
#The explicit list still names 3DES (DES-CBC3) and non-forward-secret AES-SHA suites; the second list excludes them (!3DES, !SHA1). Keep one of the two.
SSLCipherSuite "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS:!LOW:!MEDIUM"
SSLCipherSuite AES256+EECDH:AES256+EDH:AES128+EECDH:AES128+EDH:!DES:!NULL:!RC2:!RC4:!3DES:!MD5:!ADH:!AECDH:!EXP:!SHA1
# allow only TLSv1.2 (SSLv3, TLSv1 and TLSv1.1 are switched off); add +TLSv1.3 on Apache 2.4.36+ built against OpenSSL 1.1.1+
SSLProtocol -ALL -TLSv1 -TLSv1.1 +TLSv1.2
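To check a fragment like the one above before reloading Apache, here is a small linter (an added example, not part of this page's configuration): it parses the directives, resolves the +/- arithmetic of SSLProtocol, flags weak cipher names in the effective SSLCipherSuite and, most importantly, warns when a scope contains more than one SSLCipherSuite, because mod_ssl only honours the last one. The two fragments it runs on are constructed; container tags are skipped, so feed it one scope at a time.

```python
"""Lint an Apache hardening fragment like conf.d/z_security (added example, not the page's code).

Line-oriented: container tags (<Directory>, <IfVersion>) are skipped, so run it on one scope.
"""
import re

# cipher *names* that should not appear un-negated in a modern suite list (literal check,
# independent of how a given OpenSSL version classifies them)
WEAK_NAME = re.compile(r"(?:^|-)(?:DES-CBC3|3DES|RC4|NULL|EXP|MD5|ADH|AECDH)(?:-|$)")
KNOWN_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
EXPECTED = {"SSLHonorCipherOrder": "on", "ServerTokens": "prod",
            "ServerSignature": "off", "TraceEnable": "off"}

def parse_directives(text):
    """Yield (name, value) per directive line; comments and container tags are ignored."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        name, _, value = line.partition(" ")
        yield name, value.strip().strip('"')

def enabled_protocols(value):
    """Resolve an SSLProtocol value ("-ALL -TLSv1 +TLSv1.2") to the set of enabled versions."""
    enabled = set()
    for tok in value.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = KNOWN_PROTOCOLS if name.lower() == "all" else {name}
        enabled = enabled | names if sign == "+" else enabled - names
    return enabled

def weak_ciphers(suite):
    """Return the un-negated tokens of an SSLCipherSuite string that name a weak cipher."""
    return [t for t in suite.split(":") if not t.startswith("!") and WEAK_NAME.search(t)]

def audit(text):
    """Return a list of findings; an empty list means the fragment passes these checks."""
    seen = {}
    for name, value in parse_directives(text):
        seen.setdefault(name, []).append(value)
    findings = []
    suites = seen.get("SSLCipherSuite", [])
    if len(suites) > 1:
        findings.append("multiple SSLCipherSuite in one scope: only the last one takes effect")
    if suites and weak_ciphers(suites[-1]):
        findings.append("effective SSLCipherSuite names weak ciphers: " + ",".join(weak_ciphers(suites[-1])))
    if "SSLProtocol" not in seen:
        findings.append("SSLProtocol missing: mod_ssl's default (all -SSLv3) still allows TLSv1 and TLSv1.1")
    else:
        legacy = enabled_protocols(seen["SSLProtocol"][-1]) - {"TLSv1.2", "TLSv1.3"}
        if legacy:
            findings.append("legacy protocols enabled: " + ",".join(sorted(legacy)))
    for name, want in EXPECTED.items():
        got = seen.get(name, ["<unset>"])[-1].lower()
        if got != want:
            findings.append(f"{name} is {got}, expected {want}")
    return findings

# constructed fragments for the demo (not the page's configuration)
WEAK = """
ServerTokens OS
TraceEnable On
SSLHonorCipherOrder On
SSLCipherSuite HIGH:!aNULL
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:DES-CBC3-SHA:!DSS
SSLProtocol all -SSLv3
"""
HARDENED = """
ServerTokens Prod
ServerSignature Off
TraceEnable Off
SSLHonorCipherOrder On
SSLCipherSuite AES256+EECDH:AES256+EDH:AES128+EECDH:AES128+EDH:!DES:!NULL:!RC2:!RC4:!3DES:!MD5:!ADH:!AECDH:!EXP:!SHA1
SSLProtocol -ALL -TLSv1 -TLSv1.1 +TLSv1.2
"""

if __name__ == "__main__":
    for label, fragment in (("weak", WEAK), ("hardened", HARDENED)):
        print(label + ":", audit(fragment) or ["ok"])
```

The weak fragment produces six findings, the hardened one none. The literal name check is deliberately dumb: it tells you what a list spells out, while `openssl ciphers -v '<list>'` on the server tells you what the installed OpenSSL actually expands it to; run both.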
conf-available/joomla-admin-block.conf
Blocks access to /administrator (the Joomla backend), to /wp-login.php and to the sample and readme files a default install ships with, which also give away the CMS version. Requests get through only when they carry a special cookie; it is set by visiting /admin-mega-hidden.
Caveat: the cookie is a static shared secret that lives in the Apache config and in the PHP file and is sent with every request, so this is a speed bump in front of the Joomla login, not a replacement for strong passwords and two-factor auth. Rotate it in both places if it leaks, and serve the site over HTTPS only.
#this is global (server context)
RewriteEngine On
#the rules from the current scope are applied before rules specified in any child's scope
#works only if the child has 'RewriteEngine On' (RewriteOptions InheritDownBefore needs Apache 2.4.8+)
RewriteOptions InheritDownBefore
#every path condition needs [OR]: without it the first condition is ANDed with the following ones,
#which can never be true at the same time, and the rule never fires
RewriteCond %{REQUEST_URI} ^/administrator [OR]
RewriteCond %{REQUEST_URI} ^/wp-login.php [OR]
RewriteCond %{REQUEST_URI} ^/README.txt [OR]
RewriteCond %{REQUEST_URI} ^/LICENSE.txt [OR]
RewriteCond %{REQUEST_URI} ^/htaccess.txt [OR]
RewriteCond %{REQUEST_URI} ^/robots.txt.dist [OR]
RewriteCond %{REQUEST_URI} ^/web.config.txt
#...and the gate cookie is absent (static shared secret; change it here and in index.php below to rotate it)
RewriteCond %{HTTP_COOKIE} !JoomlaAdminSession=19283ddfgdfgdfgdfgdgdgdg65
#answer 404 instead of 403: ModSecurity's default SecAuditLogRelevantStatus "^(?:5|4(?!04))" skips 404,
#so these probes do not end up in audit.log
RewriteRule .* - [L,F,R=404]
#this php file creates the cookie that grants access to /administrator
Alias /admin-mega-hidden /srv/www/_webrootauth/joomla-admin-12345
<Directory "/srv/www/_webrootauth/joomla-admin-12345/">
    Require all granted
</Directory>
<?php
// /srv/www/_webrootauth/joomla-admin-12345/index.php
// Sets the gate cookie checked by the RewriteCond above and forwards to the Joomla backend.
// The path comment must sit inside the PHP tags: any text before "<?php" is sent to the client
// and header() then fails with "headers already sent".
$admin_cookie_code = "19283ddfgdfgdfgdfgdgdgdg65";
// expires 0 = session cookie, path "/", secure = only over HTTPS (the vhost must be HTTPS or the
// browser never sends it back), httponly = not readable by page scripts
setcookie("JoomlaAdminSession", $admin_cookie_code, 0, "/", "", true, true);
header("Location: /administrator/index.php");
exit;
#enable module
a2enconf joomla-admin-block
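RewriteCond semantics are easy to get wrong: a condition without [OR] must be true on its own, while a false [OR] condition merely falls through to the next alternative. The following model (an added example, not code from this page or from Apache) re-implements that loop so the condition list can be tested offline. It builds two variants of the list: one where the first `^/administrator` condition carries no [OR], so it is ANDed with the other path conditions and can never be satisfied together with them, and one where it does. Request paths and cookie values are constructed.

```python
"""Model of mod_rewrite's RewriteCond evaluation (added example, not Apache code).

Semantics reproduced from mod_rewrite: conditions are checked in order; a condition
carrying [OR] that fails falls through to the next one, a matching [OR] alternative
skips the rest of its chain, and a condition without [OR] that fails rejects the rule.
"""
import re

class Cond:
    """One RewriteCond line: variable, pattern (leading '!' negates) and flags."""
    def __init__(self, var, pattern, flags=()):
        self.var = var
        self.negate = pattern.startswith("!")
        self.regex = re.compile(pattern.lstrip("!"))
        self.or_next = any(f.upper() in ("OR", "ORNEXT") for f in flags)

    def test(self, request):
        matched = self.regex.search(request.get(self.var, "")) is not None
        return matched != self.negate

def rule_applies(conds, request):
    """True if a RewriteRule guarded by `conds` fires for `request`."""
    i = 0
    while i < len(conds):
        cond = conds[i]
        ok = cond.test(request)
        if cond.or_next and not ok:
            i += 1                       # this alternative failed, the next one may still match
            continue
        if cond.or_next:
            while i < len(conds) and conds[i].or_next:
                i += 1                   # alternative matched: skip the rest of the OR chain
            i += 1                       # ...including the chain's closing condition
            continue
        if not ok:
            return False                 # a plain (AND) condition failed
        i += 1
    return True

# the path patterns from joomla-admin-block.conf and its gate cookie
PATHS = ["^/administrator", "^/wp-login.php", "^/README.txt", "^/LICENSE.txt",
         "^/htaccess.txt", "^/robots.txt.dist", "^/web.config.txt"]
GATE = "JoomlaAdminSession=19283ddfgdfgdfgdfgdgdgdg65"

def build_conds(or_on_first):
    """Path conditions chained with [OR] (optionally also on the first one), then the cookie check."""
    conds = []
    for n, pattern in enumerate(PATHS):
        last = n == len(PATHS) - 1
        flags = () if last or (n == 0 and not or_on_first) else ("OR",)
        conds.append(Cond("REQUEST_URI", pattern, flags))
    conds.append(Cond("HTTP_COOKIE", "!" + GATE))
    return conds

AS_WRITTEN = build_conds(or_on_first=False)   # first RewriteCond without [OR]
FIXED = build_conds(or_on_first=True)         # first RewriteCond with [OR]

def blocked(conds, uri, cookie=""):
    """Would the 404 RewriteRule fire for this constructed request?"""
    return rule_applies(conds, {"REQUEST_URI": uri, "HTTP_COOKIE": cookie})

if __name__ == "__main__":
    for uri in ("/administrator/index.php", "/README.txt", "/index.php"):
        print(f"{uri:26} as written: {blocked(AS_WRITTEN, uri)!s:5} fixed: {blocked(FIXED, uri)}")
    print("fixed, with gate cookie:", blocked(FIXED, "/administrator/index.php", "a=1; " + GATE))
```

Without [OR] on the first line nothing is ever blocked; with it, /administrator and the sample files return 404 unless the cookie is present. Two further things to keep in mind with this kind of regex gate: the patterns are unescaped (`.` matches any character) and anchored only at the start, and before Apache 2.4.39 (which introduced MergeSlashes) a request for `//administrator` did not match `^/administrator` while still being served from the same directory.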
Modules
Directory protection
authnz_external (pwauth)
replaces mod_auth_pam (no longer maintained). pwauth is a small setuid helper that checks a login against the system's password database through PAM, so the protected vhost must be HTTPS-only: Basic auth otherwise sends system passwords in clear.
apt-get install libapache2-mod-authnz-external pwauth
#/etc/apache2/conf-available/auth_external.conf
AddExternalAuth pwauth /usr/sbin/pwauth
SetExternalAuthMethod pwauth pipe
#virtual host or <Location>
AuthType Basic
AuthName "Authentication Required"
AuthBasicProvider external
AuthExternal pwauth
# pwauth accepts any system account, so name the allowed login(s) explicitly ("user" is the example login here)
Require user user
see http://icephoenix.us/linuxunix/apache-and-http-authentication-with-pam/
authnz_external (imap)
replaces mod_auth_imap. Download: http://www.namazustudios.com/files/checkpasswd-imap.tar.bz2
#/etc/checkpasswd-imap.ini
[localhost]
host = localhost
port = 1143
cache-dir = /srv/www/_tmp
allow-everybody = .*
#/etc/apache2/conf-available/auth_external.conf
AddExternalAuth imapauth /usr/bin/checkpasswd-imap-pipe.py
SetExternalAuthMethod imapauth pipe
#virtual host
AuthType Basic
AuthName "Authentication Required"
AuthBasicProvider external
AuthExternal imapauth
require valid-user
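What pwauth and checkpasswd-imap-pipe.py have in common is the contract of the "pipe" method: mod_authnz_external writes the user name on the first line of the program's stdin and the password on the second, and the exit status decides (0 = authenticated, anything else = denied). The program below is an added example of such a backend, not code from this page or from either of those projects. It keeps a constructed in-memory table of PBKDF2 hashes and compares in constant time, including against a dummy record for unknown users so that a probe cannot tell "no such user" from "wrong password" by timing; the install path in the docstring is an assumption.

```python
"""External authenticator speaking mod_authnz_external's "pipe" protocol.

Added example (not the page's code, not pwauth or checkpasswd-imap): the module writes the
user name on the first line of stdin and the password on the second; exit status 0 means
authenticated, anything else denies. Credentials are a constructed in-memory table of
PBKDF2-SHA256 hashes; a real backend would read them from a file only root or the Apache
user can open. Hook it up with (path is an assumption):
    AddExternalAuth myauth /usr/local/sbin/pipe-auth.py
    SetExternalAuthMethod myauth pipe
"""
import hashlib
import hmac
import io
import os
import sys

ITERATIONS = 100_000
MAX_LOGIN_LEN = 64

def make_record(password, salt=None):
    """Return (salt, hash) for a password; salt is random unless re-deriving for a check."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

# constructed user table for the demo
USERS = {"alice": make_record("correct horse battery staple")}
# used for unknown logins so a probe cannot tell "no such user" from "wrong password" by timing
DUMMY = make_record("unused")

def verify(user, password):
    """Constant-time comparison of the derived hash against the stored one."""
    salt, expected = USERS.get(user, DUMMY)
    _, derived = make_record(password, salt)
    return hmac.compare_digest(derived, expected) and user in USERS

def _line(raw):
    """Strip the terminating newline only, never surrounding spaces (they may be part of the password)."""
    return raw[:-1] if raw.endswith("\n") else raw

def authenticate(stream):
    """Consume the two protocol lines from `stream`; return the process exit status for the module."""
    user_raw, pw_raw = stream.readline(), stream.readline()
    if not user_raw or not pw_raw:
        return 2                                     # malformed: both lines must be present
    user, password = _line(user_raw), _line(pw_raw)
    if not user or len(user) > MAX_LOGIN_LEN or not user.isprintable():
        return 2                                     # reject garbage before touching the store
    return 0 if verify(user, password) else 1

def authenticate_text(text):
    """Wrapper for exercising the protocol with a string instead of sys.stdin."""
    return authenticate(io.StringIO(text))

if __name__ == "__main__":
    sys.exit(authenticate(sys.stdin))
```

Exit status 2 for malformed input is deliberately distinct from 1 so that failures of the plumbing show up differently in the error log than a wrong password; both deny access.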
mod_security
ModSecurity is an open source, free web application firewall (WAF) Apache module. With over 70% of all attacks now carried out over the web application level, organizations need all the help they can get in making their systems secure. WAFs are deployed to establish an external security layer that increases security, detects and prevents attacks before they reach web applications. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring and real-time analysis with little or no changes to existing infrastructure.
Installation guide: http://www.thefanclub.co.za/how-to/how-install-apache2-modsecurity-and-modevasive-ubuntu-1204-lts-server
Links
- http://www.atomicorp.com/wiki/index.php/Mod_security
- https://blog.art-of-coding.eu/implementing-a-web-application-firewall/
Install
#/etc/modsecurity/modsecurity.conf
# blocking mode (use DetectionOnly first when rolling out on a live site)
SecRuleEngine On
# request body limits in bytes (~16 MB); with InMemoryLimit equal to the limit, bodies are never spooled to disk
SecRequestBodyLimit 16384000
SecRequestBodyInMemoryLimit 16384000
# all three directories must be writable by the Apache user
SecTmpDir /var/cache/modsecurity/
SecDataDir /var/cache/modsecurity/
SecUploadDir /var/cache/modsecurity/upload/
#don't log credentials to logfile
SecDefaultAction "phase:1,deny,log,sanitiseRequestHeader:Authorization"
SecDefaultAction "phase:2,deny,log,sanitiseRequestHeader:Authorization"
cd /etc/modsecurity
mv modsecurity.conf-recommended modsecurity.conf
mkdir activated_rules activated_optional_rules
ln -s /usr/share/modsecurity-crs/base_rules base_rules
ln -s /usr/share/modsecurity-crs/optional_rules optional_rules
# activate every rule file by symlinking it (the .data files must sit next to the .conf that uses them);
# remove a link later to disable that rule file
for f in base_rules/*; do
    ln -s "/etc/modsecurity/$f" /etc/modsecurity/activated_rules/
done
for f in optional_rules/*; do
    ln -s "/etc/modsecurity/$f" /etc/modsecurity/activated_optional_rules/
done
ln -s /usr/share/modsecurity-crs/modsecurity_crs_10_config.conf .
Enable module in apache
#/etc/apache2/mods-available/mod-security.conf
...
Include "/etc/modsecurity/*.conf"
Include "/etc/modsecurity/activated_rules/*.conf"
Include "/etc/modsecurity/activated_optional_rules/*.conf"
...
optional disable filter
For particular directories individual rules, or the whole rule set, can be switched off:
<LocationMatch "/ajaxplorer/">
    # drop only the rules that misfire on this application
    # (200003 multipart strict validation, 960024 repetitive non-word characters, 960915 unmatched multipart boundary)
    SecRuleRemoveById 200003 960024 960915
</LocationMatch>
OR
<Location /upload.php>
    # do not inherit any rules from the parent context
    # (ModSecurity 2.x directive; the 1.x spelling was SecFilterInheritance Off and is rejected by 2.x)
    SecRuleInheritance Off
</Location>
Prefer the first form: switching inheritance off leaves the location entirely unprotected.
Virus-Scanner for uploaded files
#in modsecurity_crs_46_av_scanning.conf
#
# Modify the operator to use the correct AV scanning script/tool
# Example tools are in the util directory.
#
SecRule FILES_TMPNAMES "@inspectFile /usr/bin/runAV.pl" \
"phase:2,t:none,block,msg:'Virus found in uploaded file',id:'950115',tag:'MALICIOUS_SOFTWARE/VIRUS',tag:'PCI/5.1',severity:'2',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-MALICIOUS_SOFTWARE/VIRUS-%{matched_var_name}=%{tx.0}"
Global Blacklist
#/etc/apache2/conf.d/modsecurity-blacklist (on Apache 2.4: conf-available/modsecurity-blacklist.conf + a2enconf)
#disable rules for all domains. Both rules flag requests without the header; scripted clients and
#monitoring probes omit them, but so do many bots, so this trades detection for fewer false positives.
#960015: Request Missing an Accept Header
SecRuleRemoveById 960015
#960009: Request Missing a User Agent Header
SecRuleRemoveById 960009
bad robot data
The bad-robot signature list is /etc/modsecurity/activated_rules/modsecurity_35_bad_robots.data (a symlink into /usr/share/modsecurity-crs, so editing it changes the packaged file). Edit it e.g. to remove the surveybot entry when that crawler is wanted.
Links
- Howto - Apache2 ModSecurity - Enhance your Web Server and Applications security with an Opensource Web Application Firewall (WAF): http://youresuchageek.blogspot.de/2012/11/howto-apache2-modsecurity-enhance-your.html
- Reference Manual: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual
- Defending Web Services using Mod Security (Apache) Methodology and Filtering Techniques by Shreeraj Shah (19/01/05): http://www.infosecwriters.com/texts.php?op=display&id=255
- http://www.gotroot.com/mod_security+rules
- Die Apache-Firewall: Web-Server mit mod_security absichern (heise Security): http://www.heise.de/security/artikel/69070/0
mod_php
see PHP
mod_dav
WebDAV module for Apache (http://httpd.apache.org/docs/2.0/mod/mod_dav.html); it lets clients manipulate files over HTTPS (change, delete, create, etc.). Install: a2enmod dav_fs (Dav On needs the filesystem provider mod_dav_fs, which depends on and enables mod_dav). Only enable DAV inside locations that require authentication: an unauthenticated DAV share is a file upload into your document root.
#httpd.conf (example from the mod_dav documentation: the same directory is published twice,
# once executed as PHP and once as editable source for DAV clients)
Alias /phparea /home/gstein/php_files
Alias /php-source /home/gstein/php_files
# lock database; /tmp is world-writable, Debian's dav_fs.conf uses ${APACHE_LOCK_DIR}/DavLock instead
DavLockDB /tmp/DavLock.myvhost
<Location /php-source>
    Dav On
    AuthType Basic
    AuthName DAV
    # mod_auth_pam directive; with authnz_external (see above) use AuthBasicProvider external / AuthExternal pwauth
    AuthPAM_Enabled on
    require group staff
    # serve PHP files as plain text here so DAV clients get the source instead of executing it
    # (alternative: ForceType text/plain; Apache does not allow a comment after a directive on the same line)
    php_flag engine off
</Location>
mod_evasive
mod_evasive is an evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, and etcetera. mod_evasive presently reports abuses via email and syslog facilities.
Detection is performed by creating an internal dynamic hash table of IP Addresses and URIs, and denying any single IP address from any of the following:
- Requesting the same page more than a few times per second
- Making more than 50 concurrent requests on the same child per second
- Making any requests while temporarily blacklisted (on a blocking list)
Caveat: the module keys on the client address Apache sees. Behind a reverse proxy, load balancer or CDN every request carries the proxy's address, so one misbehaving client blocks everyone. Either whitelist the proxy (DOSWhitelist) or have mod_remoteip restore the real client address, and check that your mod_evasive build honours it.
<IfModule mod_evasive.c>
    # number of top-level nodes in each child's hash table (not bytes); the module rounds it up to the next prime from its list
    DOSHashTableSize 3097
    # requests for the same URI from one client per DOSPageInterval before it is blocked
    # (2 is aggressive: a double click or a quick reload trips it)
    DOSPageCount 2
    # requests to the whole site from one client per DOSSiteInterval before it is blocked
    DOSSiteCount 50
    # both intervals in seconds
    DOSPageInterval 1
    DOSSiteInterval 1
    # blocking period in seconds; every request from a blocked client restarts the timer
    DOSBlockingPeriod 60
    # address that receives a notification mail for each blocked client
    DOSEmailNotify admin@mydomain.net
    # optional command to run when a client is blocked, %s is replaced by the client IP
    #DOSSystemCommand "su - someuser -c '/sbin/... %s ...'"
    # directory for the module's lock files (one per blocked IP); must be writable by the Apache user
    DOSLogDir /srv/www/vlogger/_mod_evasive
    # clients mod_evasive does NOT apply to (monitoring, reverse proxies); wildcards such as 192.168.0.* are allowed
    DOSWhitelist 127.0.0.1
</IfModule>
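To see what these thresholds do to a request stream, here is a model of the module's decision logic (an added example; neither this page's configuration nor mod_evasive's own code). It follows the module's counter semantics: a per-(client, URI) counter and a per-client site counter that are reset when the gap since the previous hit reaches the interval, a 403 once a counter has already reached its limit within the interval, and a blocking timer that every further request from the blocked client restarts. The request sequence is constructed, and the site limit is lowered from the 50 above to 5 so that the site rule also triggers within a few lines.

```python
"""Model of mod_evasive's per-client blocking logic (added example, not the module's code).

Counter semantics as in the module: a hit within `interval` of the previous one increments
the counter, a hit after a gap of at least `interval` resets it, and a request is refused when
the counter already reached the limit within the interval. A refused client is blocked for
`blocking_period` seconds, and every request it makes while blocked restarts that timer.
Production numbers differ slightly: the module keeps these counters per child process.
"""

class Evasive:
    def __init__(self, page_count=2, page_interval=1, site_count=50, site_interval=1,
                 blocking_period=60, whitelist=("127.0.0.1",)):
        self.page_count, self.page_interval = page_count, page_interval
        self.site_count, self.site_interval = site_count, site_interval
        self.blocking_period = blocking_period
        self.whitelist = set(whitelist)
        self.counters = {}     # (ip, uri) or (ip, "*site*") -> [last_hit, count]
        self.blocked = {}      # ip -> time of its last refused request

    def _too_many(self, key, now, interval, limit):
        rec = self.counters.get(key)
        if rec is None:
            self.counters[key] = [now, 1]
            return False
        last, count = rec
        if now - last < interval and count >= limit:
            return True
        rec[0] = now
        rec[1] = 1 if now - last >= interval else count + 1   # reset after a quiet interval
        return False

    def request(self, ip, uri, now):
        """True if the request is served, False if the module would answer 403."""
        if ip in self.whitelist:
            return True
        last_block = self.blocked.get(ip)
        if last_block is not None and now - last_block < self.blocking_period:
            self.blocked[ip] = now     # a blocked client extends its own block
            return False
        if (self._too_many((ip, uri), now, self.page_interval, self.page_count)
                or self._too_many((ip, "*site*"), now, self.site_interval, self.site_count)):
            self.blocked[ip] = now
            return False
        return True

def simulate(events, **config):
    """Run (time, ip, uri) events through one Evasive instance; return the allow/deny decisions."""
    ev = Evasive(**config)
    return [ev.request(ip, uri, t) for t, ip, uri in events]

# constructed request stream: a brute-forcer, a normal visitor, a local monitor, a scanner
ATTACKER, VISITOR, MONITOR, SCANNER = "203.0.113.7", "198.51.100.3", "127.0.0.1", "203.0.113.9"
EVENTS = [
    (0.0, ATTACKER, "/login"), (0.0, VISITOR, "/a"),
    (0.1, ATTACKER, "/login"), (0.2, ATTACKER, "/login"), (0.3, ATTACKER, "/index"),
    (0.5, VISITOR, "/b"), (1.5, VISITOR, "/a"),
    (2.0, MONITOR, "/status"), (2.0, MONITOR, "/status"), (2.0, MONITOR, "/status"),
] + [(10.0 + n / 10, SCANNER, f"/p{n}") for n in range(6)] + [(30.0, ATTACKER, "/login")]

# site_count lowered from the page's 50 to 5 so the site rule is visible in this short stream
DEMO_CONFIG = dict(page_count=2, page_interval=1, site_count=5, site_interval=1,
                   blocking_period=60, whitelist=(MONITOR,))

if __name__ == "__main__":
    for (t, ip, uri), allowed in zip(EVENTS, simulate(EVENTS, **DEMO_CONFIG)):
        print(f"{t:5.1f} {ip:14} {uri:8} {'200' if allowed else '403'}")
```

The attacker's third hit on /login within one second is refused and the client stays blocked at t=30 because its own requests keep restarting the timer; the visitor's reload of /a after 1.5 s passes because the counter was reset; the scanner walking six different URIs is caught by the site counter instead; the whitelisted monitor is never counted.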
mod_cband
Bandwidth limiting: http://nodomain.cc/archives/2007/01/05/684-Apache2-Zugriffskontrolle-mit-mod_cband.html
mod_ssl
config see above (z_security)
SSL-Test: https://www.ssllabs.com/ssltest/ or https://observatory.mozilla.org/
Logging POST requests with Apache
Source: https://www.technovelty.org/web/logging-post-requests-with-apache.html
Caution: with part I every POST body is written to the audit log in clear, login passwords included. Mask such fields with sanitiseArg (e.g. add sanitiseArg:passwd to the chained rule below) or restrict the rule to the paths you actually need to debug, and protect the log file like a credential store.
SecRuleEngine On
SecAuditEngine on
SecAuditLog /var/log/apache2/website-audit.log
SecRequestBodyAccess on
# A=summary, B=request headers, I=request body, F=response headers, H=trailer, Z=end of record
SecAuditLogParts ABIFHZ
SecDefaultAction "nolog,noauditlog,allow,phase:2"
# ModSecurity 2.7+ refuses rules without an id; 1-99,999 is the range reserved for local rules (1001 chosen here)
SecRule REQUEST_METHOD "^POST$" "id:1001,chain,allow,phase:2"
SecRule REQUEST_URI ".*" "auditlog"
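With SecAuditLogParts ABIFHZ each audit record is written as a sequence of parts delimited by `--<id>-<letter>--` lines (A summary, B request headers, I request body, F response headers, H trailer, Z end). The parser below is an added example, not this page's or ModSecurity's code: it turns a serial audit log into one dict per record, pulls the rule ids out of the H trailer and masks form fields whose names look like credentials, which shows what lands in the file when POST bodies are logged without sanitiseArg. The log excerpt it runs on is constructed.

```python
"""Parser for ModSecurity's serial audit log (added example, not the page's or ModSecurity's code).

Records are sequences of parts delimited by `--<id>-<letter>--` lines; with SecAuditLogParts
ABIFHZ these are A (summary), B (request headers), I (request body), F (response headers),
H (trailer with rule messages) and Z (end of record).
"""
import re
from urllib.parse import parse_qsl

BOUNDARY = re.compile(r"^--([0-9A-Za-z]+)-([A-Z])--$")
SUMMARY = re.compile(r"^\[(?P<time>[^\]]+)\] (?P<uid>\S+) (?P<src_ip>\S+) (?P<src_port>\d+) "
                     r"(?P<dst_ip>\S+) (?P<dst_port>\d+)")
RULE_ID = re.compile(r'\[id "(\d+)"\]')
SENSITIVE = re.compile(r"pass|pwd|secret|token", re.I)   # form field names masked in the output

def split_records(text):
    """Group lines into one {letter: [lines]} dict per record (A opens, Z closes)."""
    records, parts, current = [], None, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if not m:
            if parts is not None and current:
                parts[current].append(line)
            continue
        letter = m.group(2)
        if letter == "A":
            parts = {"id": m.group(1)}
        if parts is None:
            continue                      # stray lines before the first A part
        if letter == "Z":
            records.append(parts)
            parts, current = None, None
        else:
            parts[letter], current = [], letter
    return records

def parse_record(parts):
    """Flatten one record: connection summary, request line, Host, redacted form args, rule ids."""
    rec = {"id": parts["id"]}
    m = SUMMARY.match((parts.get("A") or [""])[0])
    if m:
        rec.update(m.groupdict())
    b = parts.get("B") or [""]
    rec["method"], rec["uri"] = (b[0].split(" ") + ["", ""])[:2]
    headers = {}
    for h in b[1:]:
        name, sep, value = h.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    rec["host"] = headers.get("host", "")
    body = "".join(parts.get("I") or parts.get("C") or [])   # I replaces C when both are requested
    rec["args"] = {k: "***" if SENSITIVE.search(k) else v
                   for k, v in parse_qsl(body, keep_blank_values=True)}
    rec["rule_ids"] = [rid for line in parts.get("H", []) for rid in RULE_ID.findall(line)]
    return rec

def parse_audit_log(text):
    return [parse_record(p) for p in split_records(text)]

# constructed excerpt: a Joomla login POST logged only because of the POST rule, and a POST
# from a client without User-Agent that additionally tripped CRS rule 960009
SAMPLE = """\
--4f3a1b2c-A--
[13/Sep/2024:12:21:05 +0200] ZuQ8XcCoAQEAAB3aHZoAAAAA 203.0.113.5 51234 192.0.2.10 443
--4f3a1b2c-B--
POST /administrator/index.php HTTP/1.1
Host: www.example.org
Content-Type: application/x-www-form-urlencoded

--4f3a1b2c-I--
username=admin&passwd=Winter2024%21&option=com_login&task=login
--4f3a1b2c-F--
HTTP/1.1 303 See Other
Location: /administrator/index.php

--4f3a1b2c-H--
Apache-Handler: application/x-httpd-php
Engine-Mode: "ENABLED"

--4f3a1b2c-Z--

--4f3a1b2d-A--
[13/Sep/2024:12:21:09 +0200] ZuQ8XsCoAQEAAB3aHZsAAAAA 198.51.100.23 40022 192.0.2.10 443
--4f3a1b2d-B--
POST /search HTTP/1.1
Host: www.example.org

--4f3a1b2d-I--
q=test
--4f3a1b2d-F--
HTTP/1.1 200 OK

--4f3a1b2d-H--
Message: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/modsecurity/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960009"] [msg "Request Missing a User Agent Header"]
Engine-Mode: "ENABLED"

--4f3a1b2d-Z--
"""

if __name__ == "__main__":
    for r in parse_audit_log(SAMPLE):
        print(r["time"], r["src_ip"], r["method"], r["uri"], r["args"], r["rule_ids"])
```

The first record shows the point of the caution above: the admin password sits in the I part verbatim and only this parser masks it after the fact; sanitiseArg at logging time is what keeps it out of the file in the first place.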