#############################
# 4. Command execution prevention
# Flags a shell separator (";") followed by a common command in any request
# argument, and common tool/command names anywhere in the request URI.
# NOTE(review): no rule in this section carries an id, phase or disruptive
# action, so what happens on a match depends on a SecDefaultAction defined
# outside this block; ModSecurity 2.7+ refuses to load a SecRule without an id.
# The REQUEST_URI patterns are unanchored substring matches, so ordinary paths
# containing words such as "cmd" or "perl" will also trigger them.
SecRule ARGS ";[[:space:]]*(ls|pwd|wget|cd)" "msg:'Command execution attack'"
SecRule REQUEST_URI "(perl|lynx|mkdir|cmd|lwp-(download|request|mirror|rget))" "msg:'Command execution attack'"
# NOTE(review): "rm\-[a-z|A-Z]" matches the literal text "rm-" followed by one
# letter or a pipe (the "|" inside the brackets is a literal character, not
# alternation); "rm -rf"-style input with a space in between does not match —
# confirm the intended pattern.
SecRule REQUEST_URI "(uname|net(stat|cat)|curl|telnet|gcc|rm\-[a-z|A-Z])" "msg:'Command execution attack'"
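#############################
# 5. XSS prevention
# Each rule matches one JavaScript/HTML fragment inside request arguments.
# All patterns are case-sensitive as written (no (?i) and no lowercase
# transformation), so e.g. "onkeyup" or "<SCRIPT" is not matched unless a
# SecDefaultAction defined elsewhere supplies a transformation.
# NOTE(review): as in the other sections, the rules have no id/phase/disruptive
# action and rely on SecDefaultAction; ModSecurity 2.7+ requires an id.
SecRule ARGS "alert[[:space:]]*\(" "msg:'XSS attack'"
# NOTE(review): the class closes at the first "]", so this matches one hex
# digit (or "[") followed by the literal text "]]" — probably not what was
# intended (a "%"- or "\x"-escaped byte?). Left unchanged; confirm intent.
SecRule ARGS "[[0-9a-fA-F]]{2}" "msg:'XSS attack'"
SecRule ARGS "eval[[:space:]]*\(" "msg:'XSS attack'"
# Fixed: the pattern was missing its opening quote, so the directive did not
# parse as intended.
SecRule ARGS "onKeyUp" "msg:'XSS attack'"
# \x5c is a backslash, so this matches JavaScript "\xHH" escapes.
SecRule ARGS "\x5cx[0-9a-fA-F]{2}" "msg:'XSS attack'"
SecRule ARGS "fromCharCode" "msg:'XSS attack'"
SecRule ARGS "&\{.+\}" "msg:'XSS attack'"
SecRule ARGS "<script" "msg:'XSS attack'"
SecRule ARGS "vbscript:" "msg:'XSS attack'"
SecRule ARGS "expression[[:space:]]*\(" "msg:'XSS attack'"
SecRule ARGS "url[[:space:]]*\(" "msg:'XSS attack'"
SecRule ARGS "innerHTML" "msg:'XSS attack'"
SecRule ARGS "document\.body" "msg:'XSS attack'"
SecRule ARGS "document\.cookie" "msg:'XSS attack'"
SecRule ARGS "document\.location" "msg:'XSS attack'"
SecRule ARGS "document\.write" "msg:'XSS attack'"
# Any "style=" attribute in an argument is treated as XSS; expect false
# positives on legitimate HTML form input.
SecRule ARGS "style[[:space:]]*=" "msg:'XSS attack'"
SecRule ARGS "dynsrc" "msg:'XSS attack'"
# NOTE(review): these two match session-id parameter names rather than script
# content; presumably a session-fixation check, although tagged 'XSS attack'.
SecRule ARGS "jsessionid" "msg:'XSS attack'"
SecRule ARGS "phpsessid" "msg:'XSS attack'"
# Chained: ".php" anywhere in args/URI/body AND "+document.cookie+" anywhere
# in the same places (the second rule of a chain carries no actions).
SecRule ARGS|REQUEST_URI|REQUEST_BODY "\.php" "chain,msg:'XSS attack'"
SecRule ARGS|REQUEST_URI|REQUEST_BODY "\+document\.cookie\+"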
#############################
# 6. SSI injection prevention
# Flags a server-side-include directive ("<!--#exec", "<!--#include", ...) in
# any request argument. Whitespace is tolerated around the "#".
# NOTE(review): no id/phase/disruptive action; relies on SecDefaultAction
# defined elsewhere (ModSecurity 2.7+ requires an id).
SecRule ARGS "<!--[[:space:]]*#[[:space:]]*(exec|cmd|echo|include|printenv)" "msg:'SSI injection attack'"
#############################
# 7. Malicious programs / bots, by User-Agent
# One rule per User-Agent substring. Every pattern is an unanchored,
# case-sensitive regex (except "^Microsoft URL"), so short entries such as
# "Download", "Ninja", "Namo" or "Leech" also match any longer agent string
# containing them; several later entries ("Downloader", "Offline Explorer Pro",
# "Internet Ninja", "NamoWebEditor") are therefore already covered by earlier ones.
# NOTE(review): "Telesoft*", "CherryPicker*", "Advanced Email Extractor*" and
# "WebEMailExtrac*" use "*" as if it were a glob wildcard; in a regex it only
# makes the preceding character optional, so these effectively match
# "Telesof", "CherryPicke", etc. Harmless but presumably unintended.
# NOTE(review): "Googlebot-Image", "Googlebot/2\.1", "NaverBot-1\.0" and
# "Yahoo! Slurp" match mainstream search-engine crawlers, and
# "Microsoft-WebDAV-MiniRedir" matches the Windows WebDAV client; confirm that
# blocking them is intended.
# NOTE(review): no rule here carries an id/phase/disruptive action; behaviour
# depends on a SecDefaultAction defined elsewhere (ModSecurity 2.7+ requires an id).
SecRule REQUEST_HEADERS:User-agent "[Ww]eb[Bb]andit" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "WEBMOLE" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Telesoft*" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "WebEMailExtractor" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "CherryPicker*" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "NICErsPRO" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Advanced Email Extractor*" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "EmailSiphon" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Extractorpro" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "EmailCollector" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "WebEMailExtrac*" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "EmailWolf" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Microsoft URL Control" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "^Microsoft URL" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "SmartDownload" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Offline Explorer" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Ninja" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "NetZIP" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "HTTrack" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Googlebot-Image" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Download" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Downloader" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "BackDoorBot" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "ah-ha" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Alexibot" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Atomz" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Microsoft-WebDAV-MiniRedir" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Microsoft-WebDAV-MiniRedir/5\.1\.2600" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Googlebot/2\.1" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "PlantyNet_WebRobot_V1\.9" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "LWP::" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "lwp-trivial" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Mozilla/2\.0" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "WebZIP" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Teleport" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "GetRight" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "FlashGet" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "JetCar" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Go!Zilla" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "NamoWebEditor" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Namo" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "MSFrontPage" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "WebTrack-HTTPP" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "WebSymmetrix" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "AD2000" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "WebSpy" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "WebStripper" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "WebSnatcher" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "WebGet" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "HSlide" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "WebCopier" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Website eXtractor" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Internet Ninja" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "fortuna" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "SuperHTTP" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "WISEbot/1\.0" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "NaverBot-1\.0" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Talkro Web-Shot/1\.0" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Talkro" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Web-Shot/1\.0" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Arachmo" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "WinHTTrack Website Copier" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "BlackWidow" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "SuperBot" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "MM3-WebAssistant" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Offline Explorer Pro" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "GetBot" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "SBWcc Website Capture" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Leech" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "HTTP Weazel" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "WebGainer" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Offline Explorer Enterprise" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "PageSucker" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "QuadSucker/Web" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "BackStreet Browser" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Offline Navigator" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Aaron's WebVacuum" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "JOC Web Spider" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Grab-a-Site" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "PicScour" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "RafaBot" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Cli-Mate" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "eNotebook" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "WebSlinky" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Pictures Grabber" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Web Dumper" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "WebCatcher" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "SurfOffline" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "NetGrabber" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Power Siphon" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Rip Clip" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "WebWhacker" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Offline CHM" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "webpictureboss" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Visual Web Task" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Web Shutter" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "NavRoad" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "7 Download Services" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "WebCloner Standard" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "EZ Save MHT" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Yahoo! Slurp" "msg:'Robot attack'"
###########################################
# 8.
# Search-engine recon / Google-hacking prevention
# Each rule matches a search-query ("dork") fragment in the Referer header,
# i.e. a visitor who arrived from a search for known-vulnerable software.
# The Referer header is client-supplied and trivially omitted, so this is a
# low-confidence signal; suitable for logging rather than as a primary control.
# NOTE(review): no id/phase/disruptive action on any rule; behaviour depends on
# a SecDefaultAction defined elsewhere (ModSecurity 2.7+ requires an id).
# NOTE(review): several patterns use "\.*", which matches zero or more literal
# dots rather than "anything" — "intitle\.*PHP Shell", "inurl\.*install",
# "inurl\.*phpSysInfo" and "inurl\.*webutil\.pl" therefore only match when the
# keyword is immediately followed (dots aside) by the next token; ".*" was
# presumably intended, as used in the other rules. Likewise "filetype\.php"
# matches the literal "filetype.php" where the other rules use "filetype\:php"
# or "filetype\x3Aphp"; and "WebAdmininurl" looks like a missing space.
SecRule REQUEST_HEADERS:Referer "Powered by Gravity Board" "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer "Powered by SilverNews" "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer "Powered.*PHPBB.*2\.0\.\ inurl\:" "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer "PHPFreeNews inurl\:Admin\.php" "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer "inurl.*/cgi-bin/query" "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer "inurl.*tiki-edit_submission\.php" "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer "inurl.*wps_shop\.cgi" "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer "inurl.*edit_blog\.php.*filetype\:php" "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer "inurl.*passwd.txt.*wwwboard.*webadmin" "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer "inurl.*admin\.mdb" "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer "filetype:sql \x28\x22passwd values.*password values.*pass values" "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer "filetype.*blt.*buddylist" "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer "File Upload Manager v1\.3.*rename to" "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer "filetype\x3Aphp HAXPLORER .*Server Files Browser" "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer "inurl.*passlist\.txt" "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer "wwwboard WebAdmininurl\x3Apasswd\.txt wwwboard\x7Cwebadmin" "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer "Enter ip.*inurl\x3A\x22php-ping\.php\x22" "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer "intitle\.*PHP Shell.*Enable stderr.*filetype\.php" "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer "inurl\.*install.*install\.php" "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer "Powered by PHPFM.*filetype\.php -username" "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer "inurl\.*phpSysInfo.*created by phpsysinfo" "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer "SquirrelMail version 1\.4\.4.*inurl:src ext\.php" "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer "inurl\.*webutil\.pl" "msg:'Recon/Google attack'"
# export.php file disclosure vulnerability
# Chained rule: the script being served is export.php AND the request URI
# contains "..", i.e. a path-traversal attempt against that script.
# Unlike the sections above there is no msg action here, so a match is logged
# without a description; as elsewhere there is no id/phase/disruptive action
# and the outcome depends on a SecDefaultAction defined outside this block.
# NOTE(review): the "\.\." check runs against the URI as ModSecurity sees it;
# percent-encoded dots ("%2e%2e") would only be caught if a decoding
# transformation is applied by that SecDefaultAction — confirm.
SecRule SCRIPT_FILENAME "export\.php$" chain
SecRule REQUEST_URI "\.\."
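# XSS vulnerabilities
# First rule: any request URI containing an HTML tag of the form
# "<script ...>...script>" (also about/applet/activex/chrome), an
# "onmouseover=" handler, or a "javascript:" URL. The "(…)*" after "<" makes
# the opening tag name optional, so "<>" followed later by "script>" also matches.
# The next two pairs are chains scoped to specific scripts
# (libraries/auth/cookie.auth.lib.php — this path looks like phpMyAdmin — and
# /error.php): the URI must name the script AND contain such a tag.
# Fixed: both chained tag patterns were missing their closing quote, so the
# directives did not parse as intended; the regexes themselves are unchanged.
# NOTE(review): no rule carries an id/phase/disruptive/msg action; the outcome
# depends on a SecDefaultAction defined elsewhere (ModSecurity 2.7+ requires an id).
SecRule REQUEST_URI "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=|javascript\:)"
SecRule REQUEST_URI "libraries/auth/cookie\.auth\.lib\.php" chain
SecRule REQUEST_URI "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
SecRule REQUEST_URI "/error\.php" chain
SecRule REQUEST_URI "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"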
# register_globals emulation: "import_blacklist" manipulation vulnerability
# Chained rule: the request URI names /grab_globals.php AND also contains
# either a "<script ...>...script>"-style tag (also about/applet/activex/chrome)
# or an absolute http/https/ftp URL, i.e. a script-injection or remote-include
# attempt against that script.
# NOTE(review): no id/phase/disruptive/msg action; the outcome depends on a
# SecDefaultAction defined outside this block (ModSecurity 2.7+ requires an id).
SecRule REQUEST_URI "/grab_globals\.php" chain
SecRule REQUEST_URI "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|(http|https|ftp)\:/)"
#############################
# 10. Other attack prevention
# Reject any request protocol other than the permitted versions (HTTP 0.9, 1.0 or 1.1).
# NOTE(review): this rule is commented out and therefore inactive. If enabled,
# the anchored negated pattern rejects every protocol string other than those
# three, so a server that reports HTTP/2.0 in SERVER_PROTOCOL would reject
# HTTP/2 clients — confirm before enabling.
#SecRule SERVER_PROTOCOL "!^HTTP/(0\.9|1\.0|1\.1)$" "msg:'Not allowed HTTP Protocol'"