Apache ModSecurity: a basic introduction

Reposted from: https://javascript.net.cn/article?id=449

1. Main features:

SQL Injection (SQLi): blocks SQL injection

Cross Site Scripting (XSS): blocks cross-site scripting attacks

Local File Inclusion (LFI): blocks attacks that exploit local file inclusion vulnerabilities

Remote File Inclusion (RFI): blocks attacks that exploit remote file inclusion vulnerabilities

Remote Code Execution (RCE): blocks attacks that exploit remote command execution vulnerabilities

PHP Code Injection: blocks PHP code injection

HTTP Protocol Violations: blocks malicious requests that violate the HTTP protocol

HTTPoxy: blocks attacks that exploit the HTTPoxy (remote proxy infection) vulnerability

Shellshock: blocks attacks that exploit the Shellshock vulnerability

Session Fixation: blocks attacks that exploit a session ID that never changes (session fixation)

Scanner Detection: blocks attackers scanning the site

Metadata/Error Leakages: blocks leakage of source code and error messages

Project Honey Pot Blacklist: the Project Honey Pot blacklist

GeoIP Country Blocking: blocks IP addresses based on the country they belong to

2. Processing is divided into 5 phases:

Request Headers (phase:1): processes the request line and request headers

Request Body (phase:2): processes the request body

Response Headers (phase:3): processes the response headers

Response Body (phase:4): processes the response body

Logging (phase:5): logging, and adding headers

3. Adding exceptions:

Edit the modsecurity.conf configuration

a. By rule id: add SecRuleRemoveById id

b. The SecRuleRemoveByMsg directive: disables the specified rules by their rule msg

c. URL whitelisting: turn off WAF inspection for a specified path, or only log without blocking

SecRuleEngine DetectionOnly (or On / Off)

4. Adding new rules:

Blacklist

    # @pmFromFile is a substring match against the entries in the file;
    # @ipMatchFromFile matches IP addresses and CIDR ranges exactly
    #SecRule REMOTE_ADDR "@pmFromFile host.deny.data" "id:10087,phase:1,log,auditlog,deny,status:403,msg:'jinzhifangwen'"

    #SecRule REMOTE_ADDR "@pmFromFile host.deny.data" "id:10088,phase:2,log,auditlog,deny,status:403,msg:'jinzhifangwen'"

Whitelist

    SecRule REMOTE_ADDR "@pmFromFile host.allow.data" "id:10085,phase:1,nolog,pass,ctl:ruleEngine=off"

    SecRule REMOTE_ADDR "@pmFromFile host.allow.data" "id:10086,phase:2,nolog,pass,ctl:ruleEngine=off"

5. Audit log: SecAuditLog and SecAuditLogParts

Defines the path of the main audit log file (serial logging format) or of the concurrent logging index file (concurrent logging format). When used together with mlogc (concurrent logging only), this directive defines the mlogc location and command line.

If you intend to use concurrent audit logging and want to send the audit log data to a remote server, you need to deploy the ModSecurity Log Collector (mlogc), as follows:

    SecAuditLog "|/path/to/mlogc /path/to/mlogc.conf"

A: audit log header (mandatory)

B: request headers

C: request body (present only if the request body exists and ModSecurity is configured to intercept it; this requires SecRequestBodyAccess set to On)

D: reserved for intermediary response headers; not implemented yet

E: intermediary response body (present only if ModSecurity is configured to intercept response bodies and the audit log engine is configured to record it; intercepting response bodies requires SecResponseBodyAccess set to On). The intermediary response body is the same as the actual response body unless ModSecurity intercepts the intermediary response body, in which case the actual response body will contain an error message (the Apache default error message or an ErrorDocument page)

F: final response headers (excluding the Date and Server headers, which Apache always adds at a late stage of content delivery)

G: reserved for the actual response body; not implemented yet

H: audit log trailer

I: this part is a replacement for C. It records the same data as C in all cases except when multipart/form-data encoding is used. In that case it records a fake application/x-www-form-urlencoded body that contains information about the parameters but not about the files. Using I instead of C is more convenient if you do not want to store the (usually large) files in the audit log.

J: this part contains information about the files uploaded using multipart/form-data encoding.

K: this part contains every rule that matched during this transaction (one per line). The rules are fully qualified, so inherited actions and default operators are shown. Supported in v2.5.0 and later.

Z: final boundary, marks the end of this log entry (mandatory)
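As an added example (not code from the original post or from the ModSecurity project), here is a small Python parser for the serial audit log format described above, run over a constructed sample transaction. It splits the record at the --token-LETTER-- boundaries into parts A, B, F, H and Z, reads the client address and unique id from part A, the request line from B, the status line from F, the matched rule ids and messages from the Message: lines of the trailer H, and maps each id to its CRS rule file using the numeric prefix of the file names listed in section 6. The boundary token, unique id, addresses, timestamp, file paths and line numbers in the sample are made up; the rule ids and messages are the ones the rule ID table in section 8 lists.

```python
import re

# Constructed sample of a ModSecurity *serial* audit log (SecAuditLogType Serial)
# holding one transaction with parts A, B, F, H and Z. Token, unique id, addresses,
# timestamp, paths and line numbers are made up; the rule ids come from the CRS table.
SAMPLE_AUDIT_LOG = """\
--3f2a9c1b-A--
[06/May/2018:10:15:42 +0800] WvZ1kH8AAQEAAHJzAAAAAA 203.0.113.7 51234 198.51.100.10 80
--3f2a9c1b-B--
GET /index.php?id=1%27%20OR%201%3D1 HTTP/1.1
Host: 198.51.100.10
User-Agent: constructed-sample/1.0

--3f2a9c1b-F--
HTTP/1.1 403 Forbidden
Content-Type: text/html; charset=iso-8859-1

--3f2a9c1b-H--
Message: Warning. Pattern match "^[0-9.:]+$" at REQUEST_HEADERS:Host. [file "/etc/crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "101"] [id "920350"] [msg "Host header is a numeric IP address"] [severity "WARNING"]
Message: Warning. detected SQLi using libinjection. [file "/etc/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "36"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 8)"]
Action: Intercepted (phase 2)
Stopwatch: 1525572942000000 1234 (- - -)
Engine-Mode: "ENABLED"

--3f2a9c1b-Z--

"""

# Part boundaries look like --<token>-<letter>--; A opens a transaction, Z closes it.
BOUNDARY_RE = re.compile(r"^--([0-9A-Za-z]+)-([A-Z])--$")
# Part A layout: [timestamp] unique_id source_ip source_port dest_ip dest_port
PART_A_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<uid>\S+)\s+(?P<src>\S+)\s+(?P<sport>\d+)\s+(?P<dst>\S+)\s+(?P<dport>\d+)"
)
# [name "value"] tags ModSecurity appends to each Message: line in part H
TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

# Rule-id prefix -> CRS rule file (subset of the file list in section 6)
RULE_FILES = {
    "913": "REQUEST-913-SCANNER-DETECTION.conf",
    "920": "REQUEST-920-PROTOCOL-ENFORCEMENT.conf",
    "930": "REQUEST-930-APPLICATION-ATTACK-LFI.conf",
    "932": "REQUEST-932-APPLICATION-ATTACK-RCE.conf",
    "941": "REQUEST-941-APPLICATION-ATTACK-XSS.conf",
    "942": "REQUEST-942-APPLICATION-ATTACK-SQLI.conf",
    "949": "REQUEST-949-BLOCKING-EVALUATION.conf",
    "950": "RESPONSE-950-DATA-LEAKAGES.conf",
}


def parse_audit_log(text):
    """Split a serial audit log into [{"boundary": token, "parts": {letter: body}}]."""
    transactions, current, part, buf = [], None, None, []
    for line in text.splitlines():
        m = BOUNDARY_RE.match(line)
        if not m:
            if part is not None:
                buf.append(line)
            continue
        token, letter = m.groups()
        if part is not None:                      # close the part being collected
            current["parts"][part] = "\n".join(buf).rstrip("\n")
        buf, part = [], None
        if letter == "A":                         # A always opens a new transaction
            current = {"boundary": token, "parts": {}}
            transactions.append(current)
        if current is None or current["boundary"] != token:
            continue                              # stray boundary: ignore until the next A
        part = letter
        if letter == "Z":                         # Z has no body and ends the record
            current["parts"]["Z"] = ""
            current, part = None, None
    return transactions


def extract_alerts(part_h):
    """Pull id, msg, severity and rule file from every Message: line of part H."""
    alerts = []
    for line in part_h.splitlines():
        if not line.startswith("Message: "):
            continue
        tags = dict(TAG_RE.findall(line))
        rule_id = tags.get("id")
        if rule_id:
            alerts.append({
                "id": rule_id,
                "msg": tags.get("msg", ""),
                "severity": tags.get("severity", ""),
                "rule_file": RULE_FILES.get(rule_id[:3], "unknown"),
            })
    return alerts


def first_line(text):
    return text.split("\n", 1)[0] if text else ""


def summarize(text):
    """One dict per transaction: who sent what, which CRS rules fired, was it blocked."""
    summaries = []
    for tx in parse_audit_log(text):
        parts = tx["parts"]
        a = PART_A_RE.match(parts.get("A", ""))
        h = parts.get("H", "")
        summaries.append({
            "unique_id": a.group("uid") if a else "",
            "client_ip": a.group("src") if a else "",
            "request_line": first_line(parts.get("B", "")),
            "status_line": first_line(parts.get("F", "")),
            "alerts": extract_alerts(h),
            "intercepted": "Action: Intercepted" in h,   # set when a rule's deny fired
        })
    return summaries


if __name__ == "__main__":
    for s in summarize(SAMPLE_AUDIT_LOG):
        print(s["client_ip"], s["request_line"], "->", s["status_line"])
        for alert in s["alerts"]:
            print("  ", alert["id"], alert["severity"], alert["msg"], "(" + alert["rule_file"] + ")")
```

The parser deliberately keys on the boundary token so that a stray boundary from a truncated or interleaved record cannot attach parts to the wrong transaction; a Z boundary closes the record, which is why the page marks A and Z as mandatory parts.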

6. Rule files

REQUEST-910-IP-REPUTATION.conf (suspicious IP matching)

REQUEST-912-DOS-PROTECTION.conf (DDoS attacks)

REQUEST-913-SCANNER-DETECTION.conf (scanner detection)

REQUEST-920-PROTOCOL-ENFORCEMENT.conf (rules for HTTP protocol conformance)

REQUEST-921-PROTOCOL-ATTACK.conf (protocol attacks)

REQUEST-930-APPLICATION-ATTACK-LFI.conf (application attack: path traversal)

REQUEST-931-APPLICATION-ATTACK-RFI.conf (remote file inclusion)

REQUEST-932-APPLICATION-ATTACK-RCE.conf (remote command execution)

REQUEST-933-APPLICATION-ATTACK-PHP.conf (PHP injection attacks)

REQUEST-941-APPLICATION-ATTACK-XSS.conf (XSS)

REQUEST-942-APPLICATION-ATTACK-SQLI.conf (SQL injection)

REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf (session fixation)

REQUEST-949-BLOCKING-EVALUATION.conf

RESPONSE-950-DATA-LEAKAGES.conf (information leakage)

RESPONSE-951-DATA-LEAKAGES-SQL.conf (SQL information leakage)

RESPONSE-952-DATA-LEAKAGES-JAVA.conf (Java source code leakage)

RESPONSE-953-DATA-LEAKAGES-PHP.conf (PHP information leakage)

RESPONSE-954-DATA-LEAKAGES-IIS.conf (IIS information leakage)

7. Examples of common methods:

Method 1: the SecRuleRemoveById directive, disabling a specified rule by its rule ID
    <LocationMatch .*>
        # allow a Host header that is an IP address
        # (960017 is the CRS 2.x id; in CRS 3 the same check is rule 920350 in the table below)
        SecRuleRemoveById 960017
    </LocationMatch>

Method 2: the SecRuleRemoveByMsg directive, disabling specified rules by their rule msg
    <LocationMatch .*>
        SecRuleRemoveByMsg "Host header is a numeric IP address"
    </LocationMatch>

Method 3: URL whitelisting, turning off WAF inspection for a specified path or only logging without blocking
    <LocationMatch /xss.php>
        # DetectionOnly logs matches without blocking; use Off to disable inspection entirely
        SecRuleEngine DetectionOnly
    </LocationMatch>

8. Rule ID reference

Rule ID   Paranoia Level   Severity   Description (msg)
901001 PL1 none Check if crs-set.conf was loaded
901450 PL1 none Sampling: Disable the rule engine based on sampling_percentage
905100 PL1 none Common Exceptions example rule
905110 PL1 none Common Exceptions example rule
910000 PL1 critical Request from Known Malicious Client (Based on previous traffic violations).
910100 PL1 critical Client IP is from a HIGH Risk Country Location.
910150 PL1 critical HTTP Blacklist match for search engine IP
910160 PL1 critical HTTP Blacklist match for spammer IP
910170 PL1 critical HTTP Blacklist match for suspicious IP
910180 PL1 critical HTTP Blacklist match for harvester IP
911100 PL1 critical Method is not allowed by policy
912120 PL1 none Denial of Service (DoS) attack identified from %{tx.real_ip} (%{tx.dos_block_counter} hits since last alert)
912170 PL1 none Potential Denial of Service (DoS) Attack from %{tx.real_ip} - # of Request Bursts: %{ip.dos_burst_counter}
912171 PL2 none Potential Denial of Service (DoS) Attack from %{tx.real_ip} - # of Request Bursts: %{ip.dos_burst_counter}
913100 PL1 critical Found User-Agent associated with security scanner
913101 PL2 critical Found User-Agent associated with scripting/generic HTTP client
913102 PL2 critical Found User-Agent associated with web crawler/bot
913110 PL1 critical Found request header associated with security scanner
913120 PL1 critical Found request filename/argument associated with security scanner
920100 PL1 notice Invalid HTTP Request Line
920120 PL1 critical Attempted multipart/form-data bypass
920130 PL1 critical Failed to parse request body.
920140 PL1 critical Multipart request body failed strict validation:
920160 PL1 critical Content-Length HTTP header is not numeric.
920170 PL1 critical GET or HEAD Request with Body Content.
920180 PL1 notice POST request missing Content-Length Header.
920190 PL1 warning Range: Invalid Last Byte Value.
920200 PL2 warning Range: Too many fields (6 or more)
920201 PL2 warning Range: Too many fields for pdf request (35 or more)
920202 PL4 warning Range: Too many fields for pdf request (6 or more)
920210 PL1 warning Multiple/Conflicting Connection Header Data Found.
920220 PL1 warning URL Encoding Abuse Attack Attempt
920230 PL2 warning Multiple URL Encoding Detected
920240 PL1 warning URL Encoding Abuse Attack Attempt
920250 PL1 warning UTF8 Encoding Abuse Attack Attempt
920260 PL1 warning Unicode Full/Half Width Abuse Attack Attempt
920270 PL1 error Invalid character in request (null character)
920271 PL2 critical Invalid character in request (non printable characters)
920272 PL3 critical Invalid character in request (outside of printable chars below ascii 127)
920273 PL4 critical Invalid character in request (outside of very strict set)
920274 PL4 critical Invalid character in request headers (outside of very strict set)
920280 PL1 warning Request Missing a Host Header
920290 PL1 warning Empty Host Header
920300 PL2 notice Request Missing an Accept Header
920310 PL1 notice Request Has an Empty Accept Header
920311 PL1 notice Request Has an Empty Accept Header
920320 PL2 notice Missing User Agent Header
920330 PL1 notice Empty User Agent Header
920340 PL1 notice Request Containing Content, but Missing Content-Type header
920350 PL1 warning Host header is a numeric IP address
920360 PL1 critical Argument name too long
920370 PL1 critical Argument value too long
920380 PL1 critical Too many arguments in request
920390 PL1 critical Total arguments size exceeded
920400 PL1 critical Uploaded file size too large
920410 PL1 critical Total uploaded files size too large
920420 PL1 critical Request content type is not allowed by policy
920430 PL1 critical HTTP protocol version is not allowed by policy
920440 PL1 critical URL file extension is restricted by policy
920450 PL1 critical HTTP header is restricted by policy (%{MATCHED_VAR})
920460 PL4 critical Abnormal character escape detected
921100 PL1 critical HTTP Request Smuggling Attack.
921110 PL1 critical HTTP Request Smuggling Attack
921120 PL1 critical HTTP Response Splitting Attack
921130 PL1 critical HTTP Response Splitting Attack
921140 PL1 critical HTTP Header Injection Attack via headers
921150 PL1 critical HTTP Header Injection Attack via payload (CR/LF detected)
921151 PL2 critical HTTP Header Injection Attack via payload (CR/LF detected)
921160 PL1 critical HTTP Header Injection Attack via payload (CR/LF and header-name detected)
921180 PL3 critical HTTP Parameter Pollution (%{TX.1})
930100 PL1 critical Path Traversal Attack (/…/)
930110 PL1 critical Path Traversal Attack (/…/)
930120 PL1 critical OS File Access Attempt
930130 PL1 critical Restricted File Access Attempt
931100 PL1 critical Possible Remote File Inclusion (RFI) Attack: URL Parameter using IP Address
931110 PL1 critical Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name used w/URL Payload
931120 PL1 critical Possible Remote File Inclusion (RFI) Attack: URL Payload Used w/Trailing Question Mark Character (?)
931130 PL2 critical Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link
932100 PL1 critical Remote Command Execution: Unix Command Injection
932105 PL1 critical Remote Command Execution: Unix Command Injection
932110 PL1 critical Remote Command Execution: Windows Command Injection
932115 PL1 critical Remote Command Execution: Windows Command Injection
932120 PL1 critical Remote Command Execution: Windows PowerShell Command Found
932130 PL1 critical Remote Command Execution: Unix Shell Expression Found
932140 PL1 critical Remote Command Execution: Windows FOR/IF Command Found
932150 PL1 critical Remote Command Execution: Direct Unix Command Execution
932160 PL1 critical Remote Command Execution: Unix Shell Code Found
932170 PL1 critical Remote Command Execution: Shellshock (CVE-2014-6271)
932171 PL1 critical Remote Command Execution: Shellshock (CVE-2014-6271)
933100 PL1 critical PHP Injection Attack: Opening/Closing Tag Found
933110 PL1 critical PHP Injection Attack: PHP Script File Upload Found
933111 PL3 critical PHP Injection Attack: PHP Script File Upload Found
933120 PL1 critical PHP Injection Attack: Configuration Directive Found
933130 PL1 critical PHP Injection Attack: Variables Found
933131 PL3 critical PHP Injection Attack: Variables Found
933140 PL1 critical PHP Injection Attack: I/O Stream Found
933150 PL1 critical PHP Injection Attack: High-Risk PHP Function Name Found
933151 PL2 critical PHP Injection Attack: Medium-Risk PHP Function Name Found
933160 PL1 critical PHP Injection Attack: High-Risk PHP Function Call Found
933161 PL3 critical PHP Injection Attack: Low-Value PHP Function Call Found
933170 PL1 critical PHP Injection Attack: Serialized Object Injection
933180 PL1 critical PHP Injection Attack: Variable Function Call Found
941100 PL1 critical XSS Attack Detected via libinjection
941110 PL1 critical XSS Filter - Category 1: Script Tag Vector
941120 PL1 critical XSS Filter - Category 2: Event Handler Vector
941130 PL1 critical XSS Filter - Category 3: Attribute Vector
941140 PL1 critical XSS Filter - Category 4: Javascript URI Vector
941150 PL1 critical XSS Filter - Category 5: Disallowed HTML Attributes
941160 PL1 critical NoScript XSS InjectionChecker: HTML Injection
941170 PL1 critical NoScript XSS InjectionChecker: Attribute Injection
941180 PL1 critical Node-Validator Blacklist Keywords
941190 PL1 critical IE XSS Filters - Attack Detected.
941200 PL1 critical IE XSS Filters - Attack Detected.
941210 PL1 critical IE XSS Filters - Attack Detected.
941220 PL1 critical IE XSS Filters - Attack Detected.
941230 PL1 critical IE XSS Filters - Attack Detected.
941240 PL1 critical IE XSS Filters - Attack Detected.
941250 PL1 critical IE XSS Filters - Attack Detected.
941260 PL1 critical IE XSS Filters - Attack Detected.
941270 PL1 critical IE XSS Filters - Attack Detected.
941280 PL1 critical IE XSS Filters - Attack Detected.
941290 PL1 critical IE XSS Filters - Attack Detected.
941300 PL1 critical IE XSS Filters - Attack Detected.
941310 PL1 critical US-ASCII Malformed Encoding XSS Filter - Attack Detected.
941320 PL2 critical Possible XSS Attack Detected - HTML Tag Handler
941330 PL2 critical IE XSS Filters - Attack Detected.
941340 PL2 critical IE XSS Filters - Attack Detected.
941350 PL1 critical UTF-7 Encoding IE XSS - Attack Detected.
942100 PL1 critical SQL Injection Attack Detected via libinjection
942110 PL2 warning SQL Injection Attack: Common Injection Testing Detected
942120 PL2 critical SQL Injection Attack: SQL Operator Detected
942130 PL2 critical SQL Injection Attack: SQL Tautology Detected.
942140 PL1 critical SQL Injection Attack: Common DB Names Detected
942150 PL2 critical SQL Injection Attack
942160 PL1 critical Detects blind sqli tests using sleep() or benchmark().
942170 PL1 critical Detects SQL benchmark and sleep injection attempts including conditional queries
942180 PL2 critical Detects basic SQL authentication bypass attempts 1/3
942190 PL1 critical Detects MSSQL code execution and information gathering attempts
942200 PL2 critical Detects MySQL comment-/space-obfuscated injections and backtick termination
942210 PL2 critical Detects chained SQL injection attempts 1/2
942220 PL1 critical Looking for integer overflow attacks, these are taken from skipfish, except 3.0.00738585072007e-308 is the "magic number" crash
942230 PL1 critical Detects conditional SQL injection attempts
942240 PL1 critical Detects MySQL charset switch and MSSQL DoS attempts
942250 PL1 critical Detects MATCH AGAINST, MERGE and EXECUTE IMMEDIATE injections
942251 PL3 critical Detects HAVING injections
942260 PL2 critical Detects basic SQL authentication bypass attempts 2/3
942270 PL1 critical Looking for basic sql injection. Common attack string for mysql, oracle and others.
942280 PL1 critical Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts
942290 PL1 critical Finds basic MongoDB SQL injection attempts
942300 PL2 critical Detects MySQL comments, conditions and ch(a)r injections
942310 PL2 critical Detects chained SQL injection attempts 2/2
942320 PL1 critical Detects MySQL and PostgreSQL stored procedure/function injections
942330 PL2 critical Detects classic SQL injection probings 1/2
942340 PL2 critical Detects basic SQL authentication bypass attempts 3/3
942350 PL1 critical Detects MySQL UDF injection and other data/structure manipulation attempts
942360 PL1 critical Detects concatenated basic SQL injection and SQLLFI attempts
942370 PL2 critical Detects classic SQL injection probings 2/2
942380 PL2 critical SQL Injection Attack
942390 PL2 critical SQL Injection Attack
942400 PL2 critical SQL Injection Attack
942410 PL2 critical SQL Injection Attack
942420 PL3 warning Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (8)
942421 PL4 warning Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (3)
942430 PL2 warning Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)
942431 PL3 warning Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (6)
942432 PL4 warning Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)
942440 PL2 critical SQL Comment Sequence Detected.
942450 PL2 critical SQL Hex Encoding Identified
942460 PL3 warning Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters
943100 PL1 critical Possible Session Fixation Attack: Setting Cookie Values in HTML
943110 PL1 critical Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer
943120 PL1 critical Possible Session Fixation Attack: SessionID Parameter Name with No Referer
949100 PL1 none Request Denied by IP Reputation Enforcement.
949110 PL1 none Check of inbound anomaly score
950100 PL2 error The Application Returned a 500-Level Status Code
950130 PL1 error Directory Listing
951110 PL1 critical Microsoft Access SQL Information Leakage
951120 PL1 critical Oracle SQL Information Leakage
951130 PL1 critical DB2 SQL Information Leakage
951140 PL1 critical EMC SQL Information Leakage
951150 PL1 critical firebird SQL Information Leakage
951160 PL1 critical Frontbase SQL Information Leakage
951170 PL1 critical hsqldb SQL Information Leakage
951180 PL1 critical informix SQL Information Leakage
951190 PL1 critical ingres SQL Information Leakage
951200 PL1 critical interbase SQL Information Leakage
951210 PL1 critical maxDB SQL Information Leakage
951220 PL1 critical mssql SQL Information Leakage
951230 PL1 critical mysql SQL Information Leakage
951240 PL1 critical postgres SQL Information Leakage
951250 PL1 critical sqlite SQL Information Leakage
951260 PL1 critical Sybase SQL Information Leakage
952100 PL1 error Java Source Code Leakage
952110 PL1 error Java Errors
953100 PL1 error PHP Information Leakage
953110 PL1 error PHP source code leakage
953120 PL1 error PHP source code leakage
954100 PL1 error Disclosure of IIS install location
954110 PL1 error Application Availability Error
954120 PL1 error IIS Information Leakage
954130 PL1 error IIS Information Leakage
959100 PL1 none Check of outbound anomaly score
980100 PL1 none Anomaly score correlation rule
980110 PL1 none Anomaly score correlation rule
980120 PL1 none Anomaly score correlation rule
980130 PL1 none Anomaly score correlation rule
980140 PL1 none Anomaly score correlation rule
9001*** PL1 none Drupal rule exception
9002*** PL1 none WordPress rule exception


Last modified 2018-05-06
