Apache の セキュリティ

security_modの導入

モジュールをゲット

wget で ~/tmp/ あたりにダウンロードしてくる。

• ~/tmp/# wget http://www.modsecurity.org/download/mod_security-1.8.3.tar.gz

解凍

• ~/tmp$ tar zxvf mod_security-1.8.3.tar.gz

mod_security パッチを当てる

1. 解凍したディレクトリ(~/tmp)にできたディレクトリ("./mod_security-1.8.3") に移動
2. さらに自分のアパッチのバージョンのディレクトリ("./apache2")に移動
3. 2.のディレクトリにあるパッチ・"mod_security.c"を /usr/local/apache2/bin/apxs -ciaで当てる

• $ cd ./mod_security-1.8.3/apache2
• # /usr/local/apache2/bin/apxs -cia mod_security.c

パッチが当たったかの確認は、"/usr/local/apache2/conf/httpd.conf"でできる。

設定

    # Turn the filtering engine On or Off
    SecFilterEngine On

    # Make sure that URL encoding is valid
    SecFilterCheckURLEncoding On

    # Unicode encoding validation
    SecFilterCheckUnicodeEncoding On

    # Only allow bytes from this range
    SecFilterForceByteRange 0 255

    # The audit engine works independently and
    # can be turned On of Off on the per-server or
    # on the per-directory basis
    SecAuditEngine On

    # The name of the audit log file
    SecAuditLog logs/audit_log

    SecFilterDebugLog logs/modsec_debug_log
    SecFilterDebugLevel 0

    # Should mod_security inspect POST payloads
    SecFilterScanPOST On

    # Action to take by default
    SecFilterDefaultAction "deny,log,status:406"

    # Prevent path traversal (..) attacks
    SecFilter "\.\./"

    # Prevent OS specific keywords
    SecFilter "/etc/passwd"
    SecFilter "/bin/sh"
    SecFilterSelective QUERY_STRING "/etc/passwd"
    SecFilterSelective QUERY_STRING "/bin/sh"
    SecFilter "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    SecFilter "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
    SecFilter "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"
    SecFilter "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"

    # Weaker XSS protection but allows common HTML tags
    SecFilter "<( |\n)*script"

    # Prevent XSS atacks (HTML/Javascript injection)
    SecFilter "<(.|\n)+>"

    # Very crude filters to prevent SQL injection attacks
    SecFilter "delete( |\n)+from"
    SecFilter "insert( |\n)+into"
    SecFilter "select( |\n)+from"
    SecFilter "grant( |\n)+to"
    SecFilter "create( |\n)+table"
    SecFilter "drop( |\n)+table"
    SecFilter "alter( |\n)+table"

    # require HTTP_USER_AGENT and HTTP_HOST headers
    #SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

    # forbid file upload
    SecFilterSelective "HTTP_CONTENT_TYPE" multipart/form-data

    # Allow Verbs
    SecFilterSelective REQUEST_METHOD "!(GET|POST|HEAD)"

    # Deny Headers
    SecFilterSelective HTTP_HEADER "Translate:"
    SecFilterSelective HTTP_HEADER "If:"
    SecFilterSelective HTTP_HEADER "Lock-Token:"
    SecFilterSelective HTTP_HEADER "DAV:"
    SecFilterSelective HTTP_HEADER "Depth:"
    SecFilterSelective HTTP_HEADER "Destination:"
    SecFilterSelective HTTP_HEADER "Label:"
    SecFilterSelective HTTP_HEADER "Overwrite:"
    SecFilterSelective HTTP_HEADER "TimeOut:"
    SecFilterSelective HTTP_HEADER "TimeType:"
    SecFilterSelective HTTP_HEADER "DAVTimeOutVal:"
    SecFilterSelective HTTP_HEADER "Other:"

    # Anti Windows WORM
    SecFilter "(\.com|\.exe|\.cmd|\.bat|\.htw|\.ida|\.idq|
\.htr|\.idc|\.printer|\.ini|\.pol|\.dat|\.cfg|\.idx)"
    SecFilter "c\:"
    SecFilter "/_vti_bin/"
    SecFilter "/_vti_cnf/"
    SecFilter "/_vti_pvt/"
    SecFilter "/_mem_bin/"
    SecFilter "/IISSAMPLES/"
    SecFilter "/MSOffice/"
    SecFilter "/scripts/"
    SecFilter "/msadc/"
    SecFilter "/help/"
    SecFilter "/webpub/"
    SecFilter "/inetpub/"
    SecFilter "/c/winnt/"
    SecFilter "/d/winnt/"

最後にchownで所有者をチェックしておく。

• # chown root:staff httpd.conf

最後にアパッチを再起動すれば、完成

• # /usr/local/apache2/bin/apachectrl stop
• # /usr/local/apache2/bin/apachectrl start