一. 介紹
mod_security是一個集入侵檢測和防禦引擎功能的開源web應用安全程序(或web應用程式防火牆).
它以Apache Web伺服器的模塊方式運行, 目標是增強web應用程式的安全性, 防止web應用程式
受到已知或未知的攻擊.
本文使用的系統是Redhat linux高級伺服器版3, 推薦大家使用modsecurity的最新穩定發行版,
現在是1.8.7, 安裝方式是通過DSO(動態共享對象)把mod_security集成到Apache Web Server.
(提示, 本文的步驟在其它linux發行版上也是適用的.)
二. 準備
1. 需要的軟件包
1). apache的原始碼包
下載地址:
http://apache.justdn.org/httpd/apache_1.3.33.tar.gz
2). mod_security的原始碼包
下載地址:
http://www.modsecurity.org/download/...y-1.8.7.tar.gz
3). mod_security基本規則
http://fedoranews.org/jorge/mod_secu..._security.conf
2. 下載和解壓縮Apache HTTP軟件包.
建議從apache的官方網站獲得可靠的apache HTTP軟件包.
下載網址: http://apache.justdn.org/httpd/apache_1.3.33.tar.gz
1) 創建apache軟件包存放的目錄.
#mkdir -p /usr/local/src/webserver
2) 使用wget命令獲得原始碼包.
#wget http://apache.tarchive.com/httpd/apache_1.3.33.tar.gz
(如不能下載, 可直接通過瀏覽器保存或ftp上傳到webserver目錄)
3) 確認下載軟件的完整性.
首先, 我們下載和檢查分離的簽名文件apache_1.3.33.tar.gz.md5, 然後進行
比較軟件包和軟件包md5簽名文件的md5 checksum.
檢查apache_1.3.33.tar.gz.md5內容
# cat apache_1.3.33.tar.gz.md5
MD5 (apache_1.3.33.tar.gz) = 3dfd2c3778f37a2dfc22b97417a61407
檢查apache_1.3.33.tar.gz的md5 checksum
# md5sum apache_1.3.33.tar.gz
3dfd2c3778f37a2dfc22b97417a61407 apache_1.3.33.tar.gz
比較上面兩個步驟的md5 checksum內容是一致的, 從而可以確認apache軟件包
的完整性.
4) 解壓縮原始碼包, 在webserver目錄下會生成一個新的目錄apache_1.3.33
#tar zpxf apache_1.3.33.tar.gz
3. 下載和解壓縮modsecurity軟件包.
建議從modsecurity官方網站獲得可靠的軟件包.
下載網址: http://www.modsecurity.org/download/index.html
1) 使用wget命令獲得原始碼包.
#wget http://www.modsecurity.org/download/...y-1.8.7.tar.gz
(如不能下載, 可直接通過瀏覽器保存或ftp上傳到webserver目錄)
# ls -al modsecurity-1.8.7.tar.gz
-rw-r--r-- 1 root root 313004 Mar 5 23:47 modsecurity-1.8.7.tar.gz
# pwd
/usr/local/src/webserver
2) 確認下載軟件的完整性.
首先, 我們下載和檢查分離的簽名文件modsecurity-1.8.7.tar.gz.md5, 然後進行
比較軟件包和軟件包md5簽名文件的md5 checksum.
下載modsecurity的簽名文件
#wget http://www.modsecurity.org/download/...8.7.tar.gz.md5
檢查modsecurity-1.8.7.tar.gz.md5內容
#cat modsecurity-1.8.7.tar.gz.md5
0dd48656e451c711358c097dc80e0369 modsecurity-1.8.7.tar.gz
檢查modsecurity-1.8.7.tar.gz的md5 checksum
# md5sum modsecurity-1.8.7.tar.gz
0dd48656e451c711358c097dc80e0369 modsecurity-1.8.7.tar.gz
比較上面兩個步驟的md5 checksum內容是一致的, 從而可以確認modsecurity軟件包
的完整性.
3) 解壓縮原始碼包, 在webserver目錄下會生成一個新的目錄modsecurity-1.8.7
#tar zpxf modsecurity-1.8.7.tar.gz
4. 下載modsecurity規則文件
#cd /usr/local/src/webserver
#wget http://fedoranews.org/jorge/mod_secu..._security.conf

三. 安裝Apache和Modsecurity
1. 安裝Apache
請參考文章:
在Redhat Linux 9上通過DSO方式搭建Apache HTTP伺服器
http://bbs.islab.org/showthread.php?t=370
注: 在Red Hat 9上安裝Apache的步驟亦可用其它系統上.
2. 安裝Modsecurity
到modsecurity的apache 1.X 模塊目錄運行apxs(你必須要root權限才能運行下面命令).
#cd /usr/local/src/webserver/modsecurity-1.8.7/apache1
[root@reakosys apache1]# /www/bin/apxs -cia mod_security.c
gcc -DLINUX=22 -DHAVE_SET_DUMPABLE -I/usr/include/gdbm -DUSE_HSREGEX -fpic
-DSHARED_MODULE -I/www/include -c mod_security.c
gcc -shared -o mod_security.so mod_security.o
[activating module `security' in /www/conf/httpd.conf]
cp mod_security.so /www/libexec/mod_security.so
chmod 755 /www/libexec/mod_security.so
cp /www/conf/httpd.conf /www/conf/httpd.conf.bak
cp /www/conf/httpd.conf.new /www/conf/httpd.conf
rm /www/conf/httpd.conf.new
複製modsecurity規則文件到apache的conf目錄
#cd /usr/local/src/webserver
#cp mod_security.conf /www/conf/
創建日誌目錄
#mkdir - /var/log/httpd
修改apache配置文件
#vi /www/conf/httpd.conf
在文件末尾添加
Include conf/mod_security.conf
注: 到此為止, httpd.conf文件已包含下面三行代碼(1,2條為自動, 3條手動添加)
LoadModule security_module libexec/mod_security.so
AddModule mod_security.c
Include conf/mod_security.conf
然後重啟你的Apache Web Server..
# apachectl restart
/usr/sbin/apachectl restart: httpd not running, trying to start
/usr/sbin/apachectl restart: httpd started
檢查一下是否生成日誌文件
# ls -al
total 8
drwxr-xr-x 2 root root 4096 May 22 21:29 .
drwxr-xr-x 10 root root 4096 May 22 21:02 ..
-rw------- 1 root root 0 May 22 21:18 audit_log
-rw------- 1 root root 0 May 22 21:18 modsec_debug_log modsecurity的配置文件mod_security.conf位於apache的配置目錄conf中, 日誌文件
是/var/log/httpd/audit_log.
modsecurity配置文件包含了一些非常基礎的規則設置, 這對於一般的站點而言是足夠了.
如果你有什麼特殊的需求, 更多可以參考下面的網址:
http://www.modsecurity.org/documentation/index.html
下面將介紹mod_security.conf配置文件.

四. Modsecurity配置文件
<IfModule mod_security.c>
# Turn the filtering engine On or Off
SecFilterEngine On
分析每一個http請求
# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On
URL編碼確認
# Only allow bytes from this range
SecFilterForceByteRange 32 126
字節範圍檢查, 以有效防止stack overflow attacks(棧溢出攻擊).
# The audit engine works independently and
# can be turned On of Off on the per-server or
# on the per-directory basis
SecAuditEngine RelevantOnly
有效解決apache日誌對某個用戶或攻擊者信息記錄的不足. 如果要
對某一個用戶或攻擊者發出的一個請求的詳細記錄, 可以訪問
/var/log/httpd/audit_log文件.
# The name of the audit log file
SecAuditLog /var/log/httpd/audit_log
SecFilterDebugLog /var/log/httpd/modsec_debug_log
SecFilterDebugLevel 0
設置調試模式下的輸出文件.
# Should mod_security inspect POST payloads
#SecFilterScanPOST On
# Action to take by default
SecFilterDefaultAction "deny,log,status:406"
設置特別的行動, 406為行動名稱, 前面的三個為行動參數.
# Redirect user on filter match
#SecFilter xxx redirect:http://www.webkreator.com
# Execute the external script on filter match
#SecFilter yyy log,exec:/home/ivanr/apache/bin/report-attack.pl
# Simple filter
#SecFilter 111
# Only check the QUERY_STRING variable
#SecFilterSelective QUERY_STRING 222
# Only check the body of the POST request
#SecFilterSelective POST_PAYLOAD 333
# Only check arguments (will work for GET and POST)
#SecFilterSelective ARGS 444
# Test filter
#SecFilter "/cgi-bin/keyword"
# Another test filter, will be denied with 404 but not logged
# action supplied as a parameter overrides the default action
#SecFilter 999 "deny,nolog,status:404"
# Prevent OS specific keywords
#SecFilter /etc/password
# Prevent path traversal (..) attacks
SecFilter "\.\./"
阻止目錄週遊攻擊.
# Weaker XSS protection but allows common HTML tags
SecFilter "<( |\n)*script"
對不安全的(跨站點腳本)XSS進行保護, 但允許普通的HTML標識.
# Prevent XSS atacks (HTML/Javascript injection)
SecFilter "<(.|\n)+>"
防止XSS攻擊 (HTML/Javascript注射)
# Very crude filters to prevent SQL injection attacks
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"
防止SQL注射攻擊
# Require HTTP_USER_AGENT and HTTP_HOST headers
SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"
需要 HTTP_USER_AGENT和HTTP_HOST頭.
# Forbid file upload
#SecFilterSelective "HTTP_CONTENT_TYPE" multipart/form-data
# Only watch argument p1
#SecFilterSelective "ARG_p1" 555
# Watch all arguments except p1
#SecFilterSelective "ARGS|!ARG_p2" 666
# Only allow our own test utility to send requests (or Mozilla)
#SecFilterSelective HTTP_USER_AGENT "!(mod_security|mozilla)"
# Do not allow variables with this name
#SecFilterSelective ARGS_NAMES 777
# Do now allow this variable value (names are ok)
#SecFilterSelective ARGS_VALUES 888
# Stop spamming through FormMail
# note the exclamation mark at the beginning
# of the filter - only requests that match this regex will
# be allowed
#<Location /cgi-bin/FormMail>
#SecFilterSelective "ARG_recipient" "!@webkreator.com$"
#</Location>
# when allowing upload, only allow images
# note that this is not foolproof, a determined attacker
# could get around this
#<Location /fileupload.php>
#SecFilterInheritance Off
#SecFilterSelective POST_PAYLOAD "!image/(jpeg|bmp|gif)"
#</Location>
</IfModule>