On what? Installation or configuration?
That's an (undocumented) config example for mod_security
Quote:
<IfModule mod_security.c>
#Start Engine
SecFilterEngine On
SecFilterDefaultAction "deny,log,status:404"
SecFilterScanPOST On
#Valid URL-Encoding
SecFilterCheckURLEncoding On
SecFilterCheckCookieFormat On
#Unicode Encoding Check
SecFilterCheckUnicodeEncoding Off
SecFilterForceByteRange 1 255
#Logging
SecAuditEngine RelevantOnly
SecAuditLog /var/log/modsec_audit.log
SecFilterDebugLog /var/log/modesc_debug.log
SecFilterDebugLevel 0
SecServerSignature "."
#Enforce proper HTTP requests
#SecFilterSelective THE_REQUEST "!HTTP\/(0\.9|1\.0|1\.1)$"
#check for bad meta characters in User-Agent field
SecFilterSelective HTTP_USER_AGENT ".*\'"
#Require Content-Length to be provided with every POST request
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"
#Don't accept chunked encodings
SecFilterSelective HTTP_Transfer-Encoding "chunked"
#must have a useragent string
SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"
#Again, this is better protected by removing these functions in php.ini
SecFilterSelective ARGS "(system|exec|passthru|popen|shell_exec|proc_open|fopen|fwrite)\s*\("
#Prevent path traversal (..) attacks
SecFilter "\.\./"
#generic recursion signature
SecFilterSelective THE_REQUEST "\.\./\.\./"
#generic attack sig
SecFilterSelective THE_REQUEST "cd\x20*\;(cd|\;|echo|perl|python|rpm|yum|apt-get|emerge|lynx|links|mkdir|elinks|cmd|pwd|wget|id|uname|cvs|svn|(s|r)(cp|sh)|rexec|smbclient|t?ftp|ncftp|curl|telnet|gcc|cc|g\+\+|\./)"
#generic filter to prevent SQL injection attacks
SecFilter "[[:space:]]+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
#generic PHP remote file inclusion attack
SecFilter "\.php\?" chain
SecFilter "(http|https|ftp)\:/" chain
SecFilter "cmd=(cd|\;|perl|python|rpm|yum|apt-get|emerge|lynx|links|mkdir|elinks|cmd|pwd|wget|id|uname|cvs|svn|(s|r)(cp|sh)|rexec|smbclient|t?ftp|ncftp|curl|telnet|gcc|cc|g\+\+|\./)"
#generic sig for more bad PHP functions
SecFilterSelective THE_REQUEST "chr\(([0-9]{1,3})\)"
SecFilterSelective THE_REQUEST "chr\([0-9a-fA-Fx]+\)"
#SQL injection attacks
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"
#SQL injection in cookies
SecFilterSelective COOKIE_sessionid ".*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*||\,]+[[:space:]]+(from|into|table|database|index|view)"
</IfModule>
That can be placed anywhere in your Apache config... under Debian it makes sense to store that file in mods-available and link it into mods-enabled on usage. Under Suse I actually (and I don't mind) don't know the hundreds of files the config is split into and where to best put that...
Also you must load the module with something like
Quote:
LoadModule security_module /usr/lib/apache2/modules/mod_security.so
To disable that stuff for e.g. phpMyAdmin
Quote:
<Directory /your/path/to/phpMyAdmin/>
<IfModule mod_security.c>
SecFilterEngine Off
</IfModule>
</Directory>
If you're not willing to apply the rules from above to _ALL_ your sites and to whitelist things the way it's done for phpMyAdmin, it makes sense to apply the filter only on some dirs...
More on Installation and configuration can be found here:
http://www.modsecurity.org/documenta...tml-multipage/
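
Why the phpMyAdmin exemption in the post is needed, as an added example that is not part of the original post: phpMyAdmin sends SQL statements in its request parameters, so the post's short SQL filters match its normal traffic, and they also match ordinary English text. The sketch models three of those filters in Python; case-insensitive matching on URL-decoded input, the URL-prefix stand-in for `<Directory>`, and all sample requests are assumptions of the example.

```python
import re
from urllib.parse import unquote_plus

# The three short SQL filters from the config above. [[:space:]] is written
# as \s because Python's re module has no POSIX bracket classes.
SQL_FILTERS = {
    "delete-from": r"delete\s+from",
    "insert-into": r"insert\s+into",
    "select-from": r"select.+from",
}
# Assumption of this sketch: case-insensitive matching on URL-decoded input.
COMPILED = {n: re.compile(p, re.IGNORECASE) for n, p in SQL_FILTERS.items()}


def matching_filters(payload):
    """Names of the filters that match the URL-decoded payload, sorted."""
    text = unquote_plus(payload)
    return sorted(n for n, rx in COMPILED.items() if rx.search(text))


def verdict(url_path, payload, exempt_prefixes=()):
    """'skipped' if the path is exempt, 'deny' on any match, else 'pass'.

    URL prefixes stand in for the <Directory> exemption (an assumption:
    Apache matches <Directory> on the filesystem path, not the URL).
    """
    if any(url_path.startswith(p) for p in exempt_prefixes):
        return "skipped"
    return "deny" if matching_filters(payload) else "pass"


# Constructed sample requests, not taken from a real log.
SAMPLES = [
    ("/phpMyAdmin/sql.php", "sql_query=SELECT+%2A+FROM+%60users%60+LIMIT+30"),
    ("/blog/comment.php", "text=Please+select+a+theme+from+the+list"),
    ("/shop/cart.php", "item=42&qty=1"),
]

if __name__ == "__main__":
    for path, body in SAMPLES:
        print(path, matching_filters(body),
              verdict(path, body),
              verdict(path, body, exempt_prefixes=("/phpMyAdmin/",)))
```

The second sample is denied even though it is a harmless comment, which is the kind of false positive to look for in the audit log before applying these filters to every site.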