6
Jul

apache mod_security

   Posted by: admin   in Mẹo vặt của hiếu râu

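# ModSecurity 2.x rules. Typographic quotes from the blog rendering are replaced
# with ASCII " and ', which is what the ModSecurity parser expects.

# Rule 999 (chained): deny a request when the script name ends in .php AND the
# script file is owned by UID 48. Both rules of the chain must match.
# NOTE(review): UID 48 is presumably the web-server account on this host, so
# the rule targets PHP files written by the server itself -- confirm the UID.
# The msg ends with "BLOCKIP= <addr> " (trailing space kept on purpose): the
# fail2ban failregex on this page matches that suffix followed by "].
# Caveat: %{REQUEST_BODY} copies raw POST data into the log, so the log can
# hold credentials and other sensitive input; restrict read access to it.
# Caveat: SCRIPT_FILENAME and REQUEST_BODY are client-influenced and appear
# before the BLOCKIP token that drives banning; consider logging the address
# first or dropping the body from the msg.
SecRule SCRIPT_BASENAME "\.php$" "id:999,chain,deny,msg:'%{TIME_YEAR}/%{TIME_MON}/%{TIME_DAY} %{TIME_HOUR}:%{TIME_MIN}:%{TIME_SEC} %{SCRIPT_FILENAME} %{REQUEST_BODY} BLOCKIP= %{REMOTE_ADDR} '"
SecRule SCRIPT_UID "^48$" log

# Rule 990: stop ModSecurity processing (allow) and skip audit logging for
# anything under /phpadmin/. Rules run in configuration order within a phase,
# so this exempts the path from the rules below it, not from rule 999 above.
# Caveat: this is an inspection bypass, not access control; protect the path
# with authentication or address restrictions elsewhere.
SecRule REQUEST_FILENAME "^/phpadmin/" "id:990,noauditlog,allow"

# Rules 998-995: detection only (log,pass). Each logs when a request argument,
# lower-cased by t:lowercase, contains the given SQL keyword as a whole word.
SecRule ARGS "@containsWord select" "id:998,log,pass,t:lowercase"
SecRule ARGS "@containsWord union" "id:997,log,pass,t:lowercase"
SecRule ARGS "@containsWord outfile" "id:996,log,pass,t:lowercase"
SecRule ARGS "@containsWord load_file" "id:995,log,pass,t:lowercase"

# Disabled: deny requests by crawler User-Agent.
#SecRule REQUEST_HEADERS:User-Agent "MJ12bot"    "id:972,deny,log"
#SecRule REQUEST_HEADERS:User-Agent "bingbot"    "id:973,deny,log"

# Rule 980: non-blocking (pass) record of requests with an argument value
# matching the regex "login"; the msg is tagged LOGINIP= with the client address.
# Caveat: %{REQUEST_BODY} on login requests will usually include the submitted
# password in clear text; drop it from the msg unless that is really intended.
SecRule ARGS "login" "id:980,pass,msg:'%{TIME_YEAR}/%{TIME_MON}/%{TIME_DAY} %{TIME_HOUR}:%{TIME_MIN}:%{TIME_SEC} %{SCRIPT_FILENAME} %{REQUEST_BODY} LOGINIP= %{REMOTE_ADDR} '"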

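# fail2ban jail: ban addresses reported by ModSecurity rule 999 (BLOCKIP lines).
[modsec-php48]
enabled  = true
# Resolves to the filter file modsec-php48.conf shown on this page.
filter   = modsec-php48
# Two actions: firewall block on ports 80/443, plus a mail notification.
# The second action must be an indented continuation line of "action"; at
# column 0 it is parsed as a separate (invalid) entry.
# NOTE(review): the jail refers to the action as "modsec-php48-whois" while the
# page edits a file called "whois-modsec-php48" -- the action file name must
# match the name used here.
action   = iptables-multiport[name=modsecPHP48, port="80,443", protocol=tcp]
           modsec-php48-whois[name="ModSecBackdoor", dest="xxx@yahoo.com", sender=xxx@vixxxave.vn, sendername="Fail2Ban"]
logpath  = /var/log/httpd/modsec_audit.log
# A single matching log line triggers the ban. Add your own management
# addresses to ignoreip so a false positive cannot lock you out.
maxretry = 1
# Seconds: look-back window of 1 hour.
findtime = 3600
# Seconds: ban lasts 10 days.
bantime  = 864000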

vi modsec-php48.conf
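# fail2ban filter for the jail [modsec-php48].
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]
# Matches the end of the msg written by ModSecurity rule 999:
#   ... BLOCKIP= <client address> "]
# The quote must be an ASCII " (the blog rendering showed a typographic one).
# NOTE(review): the pattern is unanchored and the logged msg places
# client-influenced fields (script path, request body) before this token.
# Confirm that ModSecurity's log escaping keeps request data from reproducing
# this suffix, or move the address ahead of those fields in the rule's msg.
failregex = BLOCKIP= <HOST> "\]
ignoreregex =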
vi whois-modsec-php48
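# Mail sent when an address is banned: a whois lookup plus the matching
# BLOCKIP lines from the last 1000 lines of the ModSecurity audit log.
# Only the actionban entry is shown; it belongs under [Definition] in the
# action file. %% is a literal percent sign in fail2ban configuration.
# Continuation lines must stay indented, and all quotes must be ASCII.
# grep -F treats the address as a fixed string, so its dots are not wildcards.
# Caveat: the quoted log lines contain raw request bodies, so the mail carries
# untrusted and possibly sensitive data to <dest>; send it only to a mailbox
# you control, or remove the tail/grep line.
actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`
            Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
            From: <sendername> <<sender>>
            To: <dest>\n
            Hi,\n
            The IP <ip> has just been banned by Fail2Ban after
            <failures> attempts against <name>.\n\n
            Here is more information about <ip>:\n
            `tail -n 1000 /var/log/httpd/modsec_audit.log | grep -F <ip> | grep BLOCKIP`\n
            `/usr/bin/whois <ip> || echo missing whois program`\n
            Regards,\n
            Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>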