Archive for July, 2017

6
Jul

apache mod_security

   Posted by: admin    in Mẹo vặt của hiếu râu

SecRule SCRIPT_BASENAME “\.php$” “id:999,chain,deny,msg:’%{TIME_YEAR}/%{TIME_MON}/%{TIME_DAY} %{TIME_HOUR}:%{TIME_MIN}:%{TIME_SEC} %{SCRIPT_FILENAME} %{REQUEST_BODY} BLOCKIP= %{REMOTE_ADDR} ‘”

SecRule SCRIPT_UID “^48$” log

SecRule REQUEST_FILENAME “^/phpadmin/” “id:990,noauditlog,allow”

SecRule ARGS “@containsWord select” “id:998,log,pass,t:lowercase”

SecRule ARGS “@containsWord union” “id:997,log,pass,t:lowercase”

SecRule ARGS “@containsWord outfile” “id:996,log,pass,t:lowercase”

SecRule ARGS “@containsWord load_file” “id:995,log,pass,t:lowercase”

#SecRule REQUEST_HEADERS:User-Agent “MJ12bot”    ”id:972,deny,log”

#SecRule REQUEST_HEADERS:User-Agent “bingbot”    ”id:973,deny,log”

SecRule ARGS “login” “id:980,pass,msg:’%{TIME_YEAR}/%{TIME_MON}/%{TIME_DAY} %{TIME_HOUR}:%{TIME_MIN}:%{TIME_SEC} %{SCRIPT_FILENAME} %{REQUEST_BODY} LOGINIP= %{REMOTE_ADDR} ‘”

[modsec-php48]

enabled  = true

filter   = modsec-php48

action   = iptables-multiport[name=modsecPHP48, port="80,443", protocol=tcp]

modsec-php48-whois[name="ModSecBackdoor", dest="xxx@yahoo.com", sender=xxx@vixxxave.vn, sendername="Fail2Ban"]

logpath  = /var/log/httpd/modsec_audit.log

maxretry = 1

findtime = 3600

bantime  = 864000

vi modsec-php48.conf
[INCLUDES]
# Read common prefixes. If any customizations available — read them from
# common.local
before = common.conf
[Definition]
failregex = BLOCKIP= <HOST> “\]
ignoreregex =
vi whois-modsec-php48
actionban = printf %%b “Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`
Date: `LC_TIME=C date -u +”%%a, %%d %%h %%Y %%T +0000″`
From: <sendername> <<sender>>
To: <dest>\n
Hi,\n
The IP <ip> has just been banned by Fail2Ban after
<failures> attempts against <name>.\n\n
Here is more information about <ip>:\n
`tail -n 1000 /var/log/httpd/modsec_audit.log | grep <ip> | grep BLOCKIP`\n
`/usr/bin/whois <ip> || echo missing whois program`\n
Regards,\n
Fail2Ban” | /usr/sbin/sendmail -f <sender> <dest>