Apache模块mod_security 和 Nginx过滤配置

1.安装mod_security
yum install mod_security

2.安装mod_security_crs
yum install mod_security_crs

3.在/etc/httpd/modsecurity.d建立exclude.conf文件用来排除无需检查的文件
<IfModule mod_security2.c>
  <Location /PATH/>
    SecRuleEngine off
  </Location>
</IfModule>

白名单:

编辑modsecurity.conf 
 #vi /etc/modsecurity/modsecurity.conf
增加一行 
SecRule REMOTE_ADDR "@ipMatch 192.168.30.0/24" "phase:1,nolog,allow"

忽略某个站的安全检测:

在VirtualHost 段内加入

SecRuleInheritance Off

SecRule通常规则的格式如下：

SecRule VARIABLES OPERATOR [ACTIONS]

第一部分，VARIABLES描述哪个变量被检查,取值通常有
REQUEST_COOKIES,REQUEST_COOKIES_NAMES,REQUEST_FILENAME,ARGS_NAMES,ARGS,XML,REQUEST_URI

第二部分，OPERATOR描述如何进行检查

第三部分可选的，ACTIONS，描述当操作进行成功的匹配一,个变量时具体怎么做。

// 示例
#如果cookie名称中有sg,通过
SecRule REQUEST_COOKIES_NAMES sg "phase:1,nolog,allow"
#匹配ip,直接通过
SecRule REQUEST_URI "@ipMatch 192.168.30.0/24" "phase:1,nolog,allow"
#可以使用rx来使用正则表达式,参数中含有dirty的通过
SecRule ARGS "@rx dirty" "phase:1,nolog,allow"

mod_security中文手册

httpd-guardian.pl脚本

配置

# http guardian
SecGuardianLog |/etc/httpd/httpd-guardian

=======================================================================

Nginx的防注入配置:

建立drop_sql.conf文件,复制以下内容:

## Block SQL injections

set $block_sql_injections 0;

if ($query_string ~ "union.*select.*\(") {

set $block_sql_injections 1;

}

if ($query_string ~ "union.*all.*select.*") {

set $block_sql_injections 1;

}

if ($query_string ~ "concat.*\(") {

set $block_sql_injections 1;

}

if ($block_sql_injections = 1) {

return 403;

}

## Block file injections

set $block_file_injections 0;

if ($query_string ~ "[a-zA-Z0-9_]=http://") {

set $block_file_injections 1;

}

if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") {

set $block_file_injections 1;

}

if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {

set $block_file_injections 1;

}

if ($block_file_injections = 1) {

return 403;

}

## Block common exploits

set $block_common_exploits 0;

if ($query_string ~ "(<|<).*script.*(>|>)") {

set $block_common_exploits 1;

}

if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {

set $block_common_exploits 1;

}

if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {

set $block_common_exploits 1;

}

if ($query_string ~ "proc/self/environ") {

set $block_common_exploits 1;

}

if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\=)") {

set $block_common_exploits 1;

}

if ($query_string ~ "base64_(en|de)code\(.*\)") {

set $block_common_exploits 1;

}

if ($block_common_exploits = 1) {

return 403;

}

## Block spam

set $block_spam 0;

if ($query_string ~ "\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b") {

set $block_spam 1;

}

if ($query_string ~ "\b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b") {

set $block_spam 1;

}

if ($query_string ~ "\b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b") {

set $block_spam 1;

}

if ($query_string ~ "\b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b") {

set $block_spam 1;

}

if ($block_spam = 1) {

return 403;

}

## Block user agents

set $block_user_agents 0;

# Don't disable wget if you need it to run cron jobs!

#if ($http_user_agent ~ "Wget") {

# set $block_user_agents 1;

#}

# Disable Akeeba Remote Control 2.5 and earlier

if ($http_user_agent ~ "Indy Library") {

set $block_user_agents 1;

}

# Common bandwidth hoggers and hacking tools.

if ($http_user_agent ~ "libwww-perl") {

set $block_user_agents 1;

}

if ($http_user_agent ~ "GetRight") {

set $block_user_agents 1;

}

if ($http_user_agent ~ "GetWeb!") {

set $block_user_agents 1;

}

if ($http_user_agent ~ "Go!Zilla") {

set $block_user_agents 1;

}

if ($http_user_agent ~ "Download Demon") {

set $block_user_agents 1;

}

if ($http_user_agent ~ "Go-Ahead-Got-It") {

set $block_user_agents 1;

}

if ($http_user_agent ~ "TurnitinBot") {

set $block_user_agents 1;

}

if ($http_user_agent ~ "GrabNet") {

set $block_user_agents 1;

}

if ($block_user_agents = 1) {

return 403;

}

***********

在server段中包含该配置,

include drop_sql.conf;