Hello, dear members of webmasfb.blogspot.com. Today I will show you how to install mod_security on our Linux server.

First we connect to the server with PuTTY, logging in with our root credentials.

First of all, download the mod_security files from the link below.

1.) wget http://www.modsecurity.org/download/...y-1.8.7.tar.gz

Once the download has finished, extract the compressed archive:

tar zxvf modsecurity-1.8.7.tar.gz

2.) If you use Apache 1.x as your web server, enter the apache1 directory.

cd modsecurity-1.8.7/apache1

3.) If you use Apache 2.x as your web server, enter the apache2 directory.

cd modsecurity-1.8.7/apache2

4.) We compile mod_security as an Apache module.

/etc/httpd/bin/apxs -cia mod_security.c

5.) We back up our httpd.conf file in case anything goes wrong.

cp /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/httpd.conf-yedek

6.) We open the Apache configuration file.

pico -w /usr/local/apache/conf/httpd.conf

7.) For Apache 1.x, find the line reading AddModule mod_security.c in httpd.conf and add the following rule chain below it.

Code:
<IfModule mod_security.c>
# Turn the filtering engine On or Off
SecFilterEngine On
# Change the Server: string
SecServerSignature "Apache"
# This setting should be set to On only if the Web site is
# using the Unicode encoding. Otherwise it may interfere with
# the normal Web site operation.
SecFilterCheckUnicodeEncoding Off
# The audit engine works independently and
# can be turned On or Off on the per-server or
# on the per-directory basis. "On" will log everything,
# "DynamicOrRelevant" will log dynamic requests or violations,
# and "RelevantOnly" will only log policy violations
SecAuditEngine RelevantOnly
# The name of the audit log file
SecAuditLog logs/audit_log
# Should mod_security inspect POST payloads
SecFilterScanPOST On
# Action to take by default
SecFilterDefaultAction "deny,log,status:406"
# Require HTTP_USER_AGENT and HTTP_HOST in all requests
# SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"
# Require Content-Length to be provided with
# every POST request
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"
# Only allow bytes from this range
SecFilterForceByteRange 1 255
# Prevent path traversal (..) attacks
SecFilter "\.\./"
# Weaker XSS protection but allows common HTML tags
SecFilter "<[[:space:]]*script"
# phpMyAdmin gets a 406 when doing an INSERT; if phpMyAdmin is on the server, disable these
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"
# Block access to system directories
SecFilter /boot/
# SecFilter /bin/
SecFilter /dev/
SecFilter /etc/
SecFilter /initrd/
SecFilter /lib/
SecFilter /lost+found/
# SecFilter /misc/ is a vBulletin directory, so this rule would return 406 to every vBulletin user
SecFilter /mnt/
SecFilter /proc/
SecFilter /root/
SecFilter /sbin/
# SecFilter /scripts/
# SecFilter /tmp/
# SecFilter /usr/
SecFilter /usr/local/apache/
SecFilter /usr/local/cpanel/
SecFilter /usr/local/mysql/
SecFilter /var/
SecFilter /bin/cc
SecFilter /bin/gcc
# WEB-ATTACKS ps command attempt
SecFilterSelective THE_REQUEST "/bin/ps"
# WEB-ATTACKS /bin/ps command attempt
SecFilterSelective THE_REQUEST "ps\x20"
# WEB-ATTACKS wget command attempt
SecFilter "wget"
# WEB-ATTACKS uname -a command attempt
SecFilter "uname\x20-a"
# WEB-ATTACKS /usr/bin/id command attempt
SecFilterSelective THE_REQUEST "/usr/bin/id"
# WEB-ATTACKS id command attempt
SecFilter "\;id"
# WEB-ATTACKS kill command attempt
SecFilterSelective THE_REQUEST "/bin/kill"
# WEB-ATTACKS chsh command attempt
SecFilterSelective THE_REQUEST "/usr/bin/chsh"
# WEB-ATTACKS tftp command attempt
SecFilter "tftp\x20"
# WEB-ATTACKS /usr/bin/gcc command attempt
SecFilterSelective THE_REQUEST "/usr/bin/gcc"
# WEB-ATTACKS gcc command attempt
SecFilter "gcc\x20-o"
# WEB-ATTACKS bin/tclsh execution attempt
SecFilter "bin/tclsh"
# WEB-ATTACKS tclsh execution attempt
SecFilter "tclsh8\x20"
# WEB-ATTACKS bin/nasm command attempt
SecFilterSelective THE_REQUEST "bin/nasm"
# WEB-ATTACKS nasm command attempt
SecFilter "nasm\x20"
# WEB-ATTACKS perl execution attempt
SecFilter "perl\x20"
# WEB-ATTACKS traceroute command attempt
SecFilter "traceroute\x20"
# WEB-ATTACKS ping command attempt
SecFilterSelective THE_REQUEST "/bin/ping"
# WEB-ATTACKS netcat command attempt
SecFilter "nc\x20"
# WEB-ATTACKS nmap command attempt
SecFilter "nmap\x20"
# WEB-ATTACKS xterm command attempt
SecFilterSelective THE_REQUEST "/usr/X11R6/bin/xterm"
# WEB-ATTACKS X application to remote host attempt
SecFilter "\x20-display\x20"
# WEB-ATTACKS lsof command attempt
SecFilter "lsof\x20"
# WEB-ATTACKS rm command attempt
SecFilter "rm\x20"
# WEB-ATTACKS /bin/ls command attempt
SecFilterSelective THE_REQUEST "/bin/ls"
# WEB-ATTACKS /etc/shadow access
SecFilter "/etc/shadow"
# WEB-ATTACKS .htgroup access
SecFilterSelective THE_REQUEST "\.htgroup"
# WEB-CGI rksh access
SecFilterSelective THE_REQUEST "/rksh"
# WEB-CGI bash access
SecFilterSelective THE_REQUEST "/bash" log,pass
# WEB-CGI zsh access
SecFilterSelective THE_REQUEST "/zsh"
# WEB-CGI csh access
SecFilterSelective THE_REQUEST "/csh"
# WEB-CGI tcsh access
SecFilterSelective THE_REQUEST "/tcsh"
# WEB-CGI rsh access
SecFilterSelective THE_REQUEST "/rsh"
# WEB-CGI ksh access
SecFilterSelective THE_REQUEST "/ksh"
# WEB-MISC .history access
SecFilterSelective THE_REQUEST "/\.history"
# WEB-MISC .bash_history access
SecFilterSelective THE_REQUEST "/\.bash_history"
# Don't accept transfer encodings we know we don't handle
# (and you don't need it anyway)
SecFilterSelective HTTP_Transfer-Encoding "!^$"
# Protecting from XSS attacks through the PHP session cookie
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
SecFilter "viewtopic\.php\?" chain
SecFilter "chr\(([0-9]{1,3})\)" "deny,log"
# Block various methods of downloading files to a server
SecFilterSelective THE_REQUEST "wget "
SecFilterSelective THE_REQUEST "lynx "
SecFilterSelective THE_REQUEST "scp "
SecFilterSelective THE_REQUEST "ftp "
SecFilterSelective THE_REQUEST "cvs "
SecFilterSelective THE_REQUEST "rcp "
SecFilterSelective THE_REQUEST "curl "
SecFilterSelective THE_REQUEST "telnet "
SecFilterSelective THE_REQUEST "ssh "
SecFilterSelective THE_REQUEST "echo "
SecFilterSelective THE_REQUEST "links -dump "
SecFilterSelective THE_REQUEST "links -dump-charset "
SecFilterSelective THE_REQUEST "links -dump-width "
SecFilterSelective THE_REQUEST "links http:// "
SecFilterSelective THE_REQUEST "links ftp:// "
SecFilterSelective THE_REQUEST "links -source "
SecFilterSelective THE_REQUEST "mkdir "
SecFilterSelective THE_REQUEST "cd /tmp "
SecFilterSelective THE_REQUEST "cd /var/tmp "
SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy "
</IfModule>
7.) For Apache 2.x, find the line reading LoadModule security_module modules/mod_security.so and add the same rule set we added above for Apache 1.x.

8.) We restart the HTTP server. If you run into any problem, go back and check the steps above.

service httpd restart

9.) You can tell whether the rules you added are causing any problems by looking at the audit log file.

cat /etc/httpd/logs/audit_log

10.) If you want to turn mod_security off, for Apache 1.x put a # at the start of the line reading AddModule mod_security.c; for Apache 2.x put a # at the start of the line reading LoadModule security_module modules/mod_security.so.
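Because SecFilterDefaultAction denies with a 406, a rule that matches legitimate traffic (the phpMyAdmin INSERT and vBulletin /misc/ cases noted in the comments above) locks real users out. The following dry-run script is an added example, not part of the original post or of mod_security: it replays a subset of the rules above against constructed sample requests so you can see which ones would fire before restarting Apache. It assumes mod_security 1.x URL-decodes the request once before matching and matches case-insensitively; both are assumptions, marked in the code.

```python
import re
from urllib.parse import unquote_plus

# Subset of the rules from the httpd.conf block above as (pattern, target).
# THE_REQUEST rules see only the request line; plain SecFilter rules see the
# whole request (request line, query string and POST body, SecFilterScanPOST On).
RULES = [
    (r"\.\./", "ANY"),
    (r"<[[:space:]]*script", "ANY"),
    (r"insert[[:space:]]+into", "ANY"),   # the phpMyAdmin false positive
    (r"select.+from", "ANY"),
    (r"/misc/", "ANY"),                   # the vBulletin false positive
    (r"/bin/ps", "THE_REQUEST"),
    (r"wget ", "THE_REQUEST"),
]

def to_python_regex(pattern):
    # Python's re has no POSIX classes; [[:space:]] is the only one used here.
    return pattern.replace("[[:space:]]", r"\s")

def normalise(text):
    # Assumption: one pass of URL decoding ("+" and %XX) before matching.
    return unquote_plus(text)

def matching_rules(request_line, body=""):
    """Return the patterns that would fire (and so trigger the 406 deny)."""
    line = normalise(request_line)
    full = normalise(request_line + " " + body)
    hits = []
    for pattern, where in RULES:
        target = line if where == "THE_REQUEST" else full
        # Assumption: 1.x filters match case-insensitively; drop re.I if not.
        if re.search(to_python_regex(pattern), target, re.I):
            hits.append(pattern)
    return hits

# Constructed sample requests (not taken from the post or from real logs).
SAMPLES = {
    "traversal":  ("GET /index.php?page=..%2F..%2Fetc%2Fpasswd HTTP/1.0", ""),
    "phpmyadmin": ("POST /phpmyadmin/sql.php HTTP/1.1",
                   "sql_query=INSERT+INTO+users+VALUES+(1)"),
    "vbulletin":  ("GET /forum/misc/style.css HTTP/1.1", ""),
    "normal":     ("GET /blog/2009/10/post.html HTTP/1.1", ""),
}

if __name__ == "__main__":
    for name, (line, body) in SAMPLES.items():
        hits = matching_rules(line, body)
        print(f"{name:10s} -> {'406 (deny)' if hits else 'pass'} {hits}")
```

Only the traversal sample is an attack; the phpMyAdmin and vBulletin samples are ordinary application traffic that the rules would still reject, which is exactly what the audit log check in step 9 is meant to surface.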

We have come to the end of another article; hope to see you in the next one.
