#############################
# < For web-hosting providers >
#
# This rule set is a minimal attack-blocking rule set that can be used on a
# web-hosting server running many websites.
# Use it as a reference and customize it into rules suited to each website.
# After customizing the rules, change pass to deny in SecDefaultAction so that
# detected attacks are blocked.
# NOTE(review): the SecDefaultAction below already uses deny; the "pass"
# wording presumably dates from an earlier revision of this file.
#
# Update : '09. 03. 11
# - Fixed errors in the sample rules for the 2.x version
# - Added Mass SQL Injection signatures
# - Added WebShell signatures
# - Added new vulnerabilities in public bulletin-board solutions
# - Added Tomcat, Oracle, MySQL, MSSQL signatures
#
#############################

#############################
# 1. ModSecurity enabled / disabled
# SecRuleEngine On | Off | DetectionOnly
# On            : enable ModSecurity
# Off           : disable ModSecurity
# DetectionOnly : ModSecurity monitoring mode (takes precedence over SecDefaultAction)
SecRuleEngine On

#############################
# 2. Basic settings
# Specifies the default action taken when a rule matches.
# SecDefaultAction "action"
# action : deny, pass, allow, status:apache error code, redirect:/error.html
#
# After rule customization is complete, change pass to deny in
# SecDefaultAction so that detected attacks are blocked.
# SecDefaultAction "deny,log,phase:2,status:406,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
#
# NOTE(review): no status: action is given, so deny uses the engine's default
# response status (403 in ModSecurity 2.x) rather than the 406 of the
# commented-out variant above.
# NOTE(review): the transformation list declared here (urlDecodeUni,
# htmlEntityDecode, lowercase) is inherited by every later SecRule that does
# not declare its own t: list. Rules whose pattern relies on upper-case
# letters are affected (see the REQUEST_METHOD rule further down).
SecDefaultAction "deny,log,auditlog,phase:2,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"

# Record attack-related logs in more detail than Apache's default log.
SecAuditEngine RelevantOnly

# To reduce log volume, keep only the needed 4xx or 5xx errors; 404 is not kept.
# NOTE(review): [^4] rejects any third digit of 4, so this excludes every 4x4
# status (404, 414, 424, ...), not only 404.
SecAuditLogRelevantStatus "^(?:5|4\d[^4])"

# Log file structure
SecAuditLogType Serial
SecAuditLog /home/apache_log/modsec_audit_log

# Parts to record in the log
# (A audit header, B request headers, I request body, F response headers,
#  H audit trailer, Z end). With SecRequestBodyAccess Off (set further down)
#  part I presumably has no body content to record - confirm.
SecAuditLogParts "ABIFHZ"

# Change the web server's Server header.
# ServerTokens in the Apache configuration must be set to Full for this to work.
# NOTE(review): this only disguises the banner; the software behind it is
# unchanged, so it complements, rather than replaces, patching.
SecServerSignature "Microsoft-IIS/7.0"

# Argument separator
SecArgumentSeparator "&"

# Methods other than the following are not allowed.
# NOTE(review): this describes an allow-list, but the rule that follows
# (SecRule REQUEST_METHOD "(PUT|DELETE|TRACE)") denies only the listed
# methods; every other method remains allowed.
# Deny PUT, DELETE and TRACE requests.
# NOTE(review): SecDefaultAction supplies t:lowercase and this rule declares no
# t: list of its own, so REQUEST_METHOD is lower-cased before this
# case-sensitive upper-case pattern is applied; as written the rule likely
# never matches - confirm, and if so give it an explicit t:none (or a
# case-insensitive pattern). The action list is also written "deny, log"
# with a space after the comma; confirm the parser accepts that spelling.
SecRule REQUEST_METHOD "(PUT|DELETE|TRACE)" "deny, log"

# NOTE(review): with request-body access off, POST bodies are never inspected.
# Every rule in section 3 below examines only REQUEST_URI, so the same
# payloads delivered in a request body are not seen by this rule set.
SecRequestBodyAccess Off
SecResponseBodyAccess Off
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 524288

#############################
# 3. Prevention of PHP injection attacks (including attacks on public
#    bulletin-board solutions)
# NOTE(review): none of these rules carries an id: action; ModSecurity 2.7 and
# later refuse to load rules without one, so ids must be added before this
# file is used on a current engine.

# Chain: a .php URI that also contains (dir|page|) and a "=http|https|ftp:/"
# remote-include style argument.
# NOTE(review): the trailing empty alternative in "(dir|page|)" matches the
# empty string, so this link of the chain matches every URI and adds no
# constraint; "(dir|page)" is presumably what was intended.
SecRule REQUEST_URI "\.php" "chain, msg:'PHP Injection Attacks'"
SecRule REQUEST_URI "(dir|page|)" chain
SecRule REQUEST_URI "=(http|https|ftp)\:/"

SecRule REQUEST_URI "shell_exec\(" "msg:'PHP Injection Attacks'"

# Known remote-include parameters of specific bulletin-board scripts.
SecRule REQUEST_URI "/include/write\.php\?dir=(ftp|http):" "msg:'PHP Injection Attacks'"
SecRule REQUEST_URI "/include/print_category\.php\?setup=1&dir=(ftp|http):" "msg:'PHP Injection Attacks'"
SecRule REQUEST_URI "/zero_vote/error\.php\?dir=(ftp|http):" "msg:'PHP Injection Attacks'"
SecRule REQUEST_URI "/outlogin\.php\?_zb_path=(ftp|http):" "msg:'PHP Injection Attacks'"
SecRule REQUEST_URI "filename=\|" "msg:'PHP Injection Attacks'"

# NOTE(review): the directive below is cut off in this copy of the file (the
# pattern is never closed); the remainder of the rule is not visible here.
SecRule REQUEST_URI "check_user_id\.php\?user_id=