Contoh Setting modsecurity.conf

1. <IfModule mod_security.c>
2. # Turn the filtering engine On or Off
3. SecFilterEngine On
4. # Change Server: string
5. SecServerSignature "Hacked By X-Cisadane"
6. # Make sure that URL encoding is valid
7. SecFilterCheckURLEncoding On
8. # Unicode encoding check
9. SecFilterCheckUnicodeEncoding Off
10. # Only allow bytes from this range
11. SecFilterForceByteRange 0 255
12. # Debug level set to a minimum
13. SecFilterDebugLog /var/log/httpd/modsec_debug_log
14. SecFilterDebugLevel 0
15. # Should mod_security inspect POST payloads
16. SecFilterScanPOST On
17. # By default log and deny suspicious requests
18. # with HTTP status 500
19. SecFilterDefaultAction "deny,log,status:500"
20. # Require HTTP_USER_AGENT and HTTP_HOST in all requests
21. SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"
22. # Prevent path traversal (..) attacks
23. SecFilter "../"
24. # Weaker XSS protection but allows common HTML tags
25. SecFilter "<[[:space:]]*script"
26. # Prevent XSS atacks (HTML/Javascript injection)
27. SecFilter "<(.|n)+>"
28. # Very crude filters to prevent SQL injection attacks
29. SecFilter "delete[[:space:]]+from"
30. SecFilter "insert[[:space:]]+into"
31. SecFilter "select.+from"
32. SecFilter "drop[[:space:]]table"
33. # Protecting from XSS attacks through the PHP session cookie
34. SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
35. SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
36. SecUploadDir /tmp
37. SecUploadKeepFiles Off
38. SecFilterSelective REQUEST_METHOD "!^(GET|HEAD)$" chain
39. SecFilterSelective HTTP_Content-Type \"!(^application/x-www-form-urlencoded$|^multipart/form-data;)"
40. SecFilterSelective REQUEST_METHOD "^(GET|HEAD)$" chain
41. SecFilterSelective HTTP_Content-Length "!^$"
42. SecFilterSelective REQUEST_METHOD "^POST$" chain
43. SecFilterSelective HTTP_Content-Length "^$"
44. SecFilterSelective HTTP_Transfer-Encoding "!^$"
45. SecResponseBodyLimit 524288
46. # -- Rule engine initialization ----------------------------------------------
47.  
48. # Enable ModSecurity, attaching it to every transaction. Use detection
49. # only to start with, because that minimises the chances of post-installation
50. # disruption.
51. #
52. SecRuleEngine DetectionOnly
53.  
54.  
55. # -- Request body handling ---------------------------------------------------
56.  
57. # Allow ModSecurity to access request bodies. If you don't, ModSecurity
58. # won't be able to see any POST parameters, which opens a large security
59. # hole for attackers to exploit.
60. #
61. SecRequestBodyAccess On
62.  
63.  
64. # Enable XML request body parser.
65. # Initiate XML Processor in case of xml content-type
66. #
67. SecRule REQUEST_HEADERS:Content-Type "text/xml" \
68. "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
69.  
70.  
71. # Maximum request body size we will accept for buffering. If you support
72. # file uploads then the value given on the first line has to be as large
73. # as the largest file you are willing to accept. The second value refers
74. # to the size of data, with files excluded. You want to keep that value as
75. # low as practical.
76. #
77. SecRequestBodyLimit 13107200
78. SecRequestBodyNoFilesLimit 131072
79.  
80. # Store up to 128 KB of request body data in memory. When the multipart
81. # parser reachers this limit, it will start using your hard disk for
82. # storage. That is slow, but unavoidable.
83. #
84. SecRequestBodyInMemoryLimit 131072
85.  
86. # What do do if the request body size is above our configured limit.
87. # Keep in mind that this setting will automatically be set to ProcessPartial
88. # when SecRuleEngine is set to DetectionOnly mode in order to minimize
89. # disruptions when initially deploying ModSecurity.
90. #
91. SecRequestBodyLimitAction Reject
92.  
93. # Verify that we've correctly processed the request body.
94. # As a rule of thumb, when failing to process a request body
95. # you should reject the request (when deployed in blocking mode)
96. # or log a high-severity alert (when deployed in detection-only mode).
97. #
98. SecRule REQBODY_ERROR "!@eq 0" \
99. "id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
100.  
101. # By default be strict with what we accept in the multipart/form-data
102. # request body. If the rule below proves to be too strict for your
103. # environment consider changing it to detection-only. You are encouraged
104. # _not_ to remove it altogether.
105. #
106. SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
107. "id:'200002',phase:2,t:none,log,deny,status:44,msg:'Multipart request body \
108. failed strict validation: \
109. PE %{REQBODY_PROCESSOR_ERROR}, \
110. BQ %{MULTIPART_BOUNDARY_QUOTED}, \
111. BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
112. DB %{MULTIPART_DATA_BEFORE}, \
113. DA %{MULTIPART_DATA_AFTER}, \
114. HF %{MULTIPART_HEADER_FOLDING}, \
115. LF %{MULTIPART_LF_LINE}, \
116. SM %{MULTIPART_MISSING_SEMICOLON}, \
117. IQ %{MULTIPART_INVALID_QUOTING}, \
118. IP %{MULTIPART_INVALID_PART}, \
119. IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
120. FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
121.  
122. # Did we see anything that might be a boundary?
123. #
124. SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
125. "id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"
126.  
127. # PCRE Tuning
128. # We want to avoid a potential RegEx DoS condition
129. #
130. SecPcreMatchLimit 1000
131. SecPcreMatchLimitRecursion 1000
132.  
133. # Some internal errors will set flags in TX and we will need to look for these.
134. # All of these are prefixed with "MSC_". The following flags currently exist:
135. #
136. # MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
137. #
138. SecRule TX:/^MSC_/ "!@streq 0" \
139. "id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
140.  
141.  
142. # -- Response body handling --------------------------------------------------
143.  
144. # Allow ModSecurity to access response bodies.
145. # You should have this directive enabled in order to identify errors
146. # and data leakage issues.
147. #
148. # Do keep in mind that enabling this directive does increases both
149. # memory consumption and response latency.
150. #
151. SecResponseBodyAccess On
152.  
153. # Which response MIME types do you want to inspect? You should adjust the
154. # configuration below to catch documents but avoid static files
155. # (e.g., images and archives).
156. #
157. SecResponseBodyMimeType text/plain text/html text/xml
158.  
159. # Buffer response bodies of up to 512 KB in length.
160. SecResponseBodyLimit 524288
161.  
162. # What happens when we encounter a response body larger than the configured
163. # limit? By default, we process what we have and let the rest through.
164. # That's somewhat less secure, but does not break any legitimate pages.
165. #
166. SecResponseBodyLimitAction ProcessPartial
167.  
168.  
169. # -- Filesystem configuration ------------------------------------------------
170.  
171. # The location where ModSecurity stores temporary files (for example, when
172. # it needs to handle a file upload that is larger than the configured limit).
173. #
174. # This default setting is chosen due to all systems have /tmp available however,
175. # this is less than ideal. It is recommended that you specify a location that's private.
176. #
177. SecTmpDir /tmp/
178.  
179. # The location where ModSecurity will keep its persistent data. This default setting
180. # is chosen due to all systems have /tmp available however, it
181. # too should be updated to a place that other users can't access.
182. #
183. SecDataDir /tmp/
184.  
185.  
186. # -- File uploads handling configuration -------------------------------------
187.  
188. # The location where ModSecurity stores intercepted uploaded files. This
189. # location must be private to ModSecurity. You don't want other users on
190. # the server to access the files, do you?
191. #
192. #SecUploadDir /opt/modsecurity/var/upload/
193.  
194. # By default, only keep the files that were determined to be unusual
195. # in some way (by an external inspection script). For this to work you
196. # will also need at least one file inspection rule.
197. #
198. #SecUploadKeepFiles RelevantOnly
199.  
200. # Uploaded files are by default created with permissions that do not allow
201. # any other user to access them. You may need to relax that if you want to
202. # interface ModSecurity to an external program (e.g., an anti-virus).
203. #
204. #SecUploadFileMode 0600
205.  
206.  
207. # -- Debug log configuration -------------------------------------------------
208.  
209. # The default debug log configuration is to duplicate the error, warning
210. # and notice messages from the error log.
211. #
212. #SecDebugLog /opt/modsecurity/var/log/debug.log
213. #SecDebugLogLevel 3
214.  
215.  
216. # -- Audit log configuration -------------------------------------------------
217.  
218. # Log the transactions that are marked by a rule, as well as those that
219. # trigger a server error (determined by a 5xx or 4xx, excluding 404,
220. # level response status codes).
221. #
222. SecAuditEngine RelevantOnly
223. SecAuditLogRelevantStatus "^(?:5|4(?!04))"
224.  
225. # Log everything we know about a transaction.
226. SecAuditLogParts ABIJDEFHZ
227.  
228. # Use a single file for logging. This is much easier to look at, but
229. # assumes that you will use the audit log only ocassionally.
230. #
231. SecAuditLogType Serial
232. SecAuditLog /var/log/httpd/audit_log
233.  
234. # Specify the path for concurrent audit logging.
235. #SecAuditLogStorageDir /opt/modsecurity/var/audit/
236.  
237.  
238. # -- Miscellaneous -----------------------------------------------------------
239.  
240. # Use the most commonly used application/x-www-form-urlencoded parameter
241. # separator. There's probably only one application somewhere that uses
242. # something else so don't expect to change this value.
243. #
244. SecArgumentSeparator &
245.  
246. # Settle on version 0 (zero) cookies, as that is what most applications
247. # use. Using an incorrect cookie version may open your installation to
248. # evasion attacks (against the rules that examine named cookies).
249. #
250. SecCookieFormat 0
251.  
252. # Specify your Unicode Code Point.
253. # This mapping is used by the t:urlDecodeUni transformation function
254. # to properly map encoded data to your language. Properly setting
255. # these directives helps to reduce false positives and negatives.
256. #
257. #SecUnicodeCodePage 20127
258. #SecUnicodeMapFile unicode.mapping
259. </IfModule>