Category Archives: Hacking/Security

mod_security example provided by KrCERT

This is an example mod_security rule set published by KrCERT. It is written to block most injection and XSS attack techniques.

[CODE]##### Configuration #####
SecFilterEngine On
SecFilterScanPost On
SecFilterScanOutput Off
SecFilterOutputMimeTypes "(null) text/html text/plain"

##### Validation #####
SecFilterCheckURLEncoding On
SecUploadDir /tmp
SecUploadKeepFiles Off
SecFilterCheckUnicodeEncoding Off
SecFilterForceByteRange 1 255
SecFilterDefaultAction "log,deny,status:403"

##### Logging #####
SecFilterDebugLog logs/modsec_debug.log
SecFilterDebugLevel 1
SecAuditEngine RelevantOnly
SecAuditLog logs/modsec_audit.log

##### Hardening #####
# Block GET or HEAD requests that carry a body (very likely an attack)
SecFilterSelective REQUEST_METHOD "^(GET|HEAD)$" chain
SecFilterSelective HTTP_Content-Length "!^$"
SecFilterSelective SERVER_PROTOCOL "!^HTTP/(0\.9|1\.0|1\.1)$"
# Block POST requests that have no Content-Length header
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"
SecFilterSelective HTTP_Transfer-Encoding "!^$"

##### General #####
SecFilterSelective HTTP_Host|HTTP_User-Agent|HTTP_Accept "^$"
SecFilterSelective HTTP_User-Agent "(libwhisker|paros|wget|libwww|perl|curl|java)"

##### SQL Injection Attacks #####
SecFilterSignatureAction "log,deny,msg:'SQL Injection attack'"
SecFilterSelective ARGS "delete[[:space:]]+from"
SecFilterSelective ARGS "drop[[:space:]]+database"
SecFilterSelective ARGS "drop[[:space:]]+table"
SecFilterSelective ARGS "drop[[:space:]]+column"
SecFilterSelective ARGS "drop[[:space:]]+procedure"
SecFilterSelective ARGS "create[[:space:]]+table"
SecFilterSelective ARGS "update.+set.+="
SecFilterSelective ARGS "insert[[:space:]]+into.+values"
SecFilterSelective ARGS "select.+from"
SecFilterSelective ARGS "bulk[[:space:]]+insert"
SecFilterSelective ARGS "union.+select"
SecFilterSelective ARGS "or.+1[[:space:]]*=[[:space:]]1"
SecFilterSelective ARGS "alter[[:space:]]+table"
SecFilterSelective ARGS "or 1=1--'"
SecFilterSelective ARGS "'.+--"
SecFilterSelective ARGS "into[[:space:]]+outfile"
SecFilterSelective ARGS "load[[:space:]]+data"
SecFilterSelective ARGS "/\*.+\*/"

##### XSS Attacks #####
SecFilterSignatureAction "log,deny,msg:'XSS attack'"
SecFilterSelective ARGS "<script"
# The pattern of the following rule is missing from the source; it is left
# commented out because an empty pattern would match every request.
# SecFilterSelective ARGS ""
SecFilterSelective ARGS "vbscript:"
SecFilterSelective ARGS "document\.cookie"
SecFilterSelective ARGS "document\.location"
SecFilterSelective ARGS "document\.write"

##### Command Execution #####
SecFilterSignatureAction "log,deny,msg:'Command execution attack'"
SecFilterSelective ARGS_VALUES ";[[:space:]]*(ls|id|pwd|wget)"

##### PHP Attacks #####
SecFilterSignatureAction "log,deny,msg:'PHP Injection Attacks'"
SecFilterSelective ARGS_VALUES "^http:/"
SecFilterSelective ARGS_NAMES "(^globals\[|^globals$)"[/CODE]

The related document follows:
1035310335.pdf
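To see what the ARGS signatures above actually catch, here is an added example (it is not part of the KrCERT rule set or of this post) that emulates a subset of the SQL injection, XSS and command execution patterns in Python and runs them over constructed request parameters. Two assumptions are made: the POSIX `[[:space:]]` class, which Python's `re` module does not support, is translated to `\s`, and matching is done case-insensitively. The sample requests, the `inspect_args`/`decide` helper names and the 403/200 outcome are all constructed for illustration; check the matching semantics of your own ModSecurity version before relying on the emulation.

```python
import re

# Subset of the SecFilterSelective ARGS signatures from the KrCERT example.
# [[:space:]] has been translated to \s (assumption: Python re has no POSIX
# classes), and the drop/document rules are folded into one alternation each.
SIGNATURES = {
    "SQL Injection attack": [
        r"delete\s+from",
        r"drop\s+(database|table|column|procedure)",
        r"create\s+table",
        r"update.+set.+=",
        r"insert\s+into.+values",
        r"select.+from",
        r"union.+select",
        r"into\s+outfile",
        r"/\*.+\*/",
    ],
    "XSS attack": [
        r"<script",
        r"vbscript:",
        r"document\.(cookie|location|write)",
    ],
    "Command execution attack": [
        r";\s*(ls|id|pwd|wget)",
    ],
}

# Assumption: signatures are applied case-insensitively.
COMPILED = {
    msg: [re.compile(p, re.IGNORECASE) for p in patterns]
    for msg, patterns in SIGNATURES.items()
}


def inspect_args(args):
    """Return (param, msg, pattern) for every signature hit.

    `args` is a dict of parameter name -> value standing in for the ARGS
    collection the rules inspect. An empty list means the request passes.
    """
    hits = []
    for name, value in args.items():
        for msg, regexes in COMPILED.items():
            for rx in regexes:
                if rx.search(value):
                    hits.append((name, msg, rx.pattern))
    return hits


def decide(args):
    """Emulate SecFilterDefaultAction "log,deny,status:403": 403 on any hit."""
    return 403 if inspect_args(args) else 200


if __name__ == "__main__":
    # Constructed sample requests (not captured traffic).
    samples = {
        "benign search": {"q": "hello world", "page": "2"},
        # Ordinary text that trips the broad 'select.+from' signature:
        # a false positive a defender should expect from this rule.
        "false positive": {"comment": "Please select a book from the list"},
        "sqli-like": {"id": "1 UNION SELECT username FROM users"},
        "xss-like": {"name": "<script>document.cookie</script>"},
        "cmd-like": {"cmd": "; ls"},
    }
    for label, args in samples.items():
        print(f"{label:15} -> {decide(args)} {inspect_args(args)}")
```

The "false positive" sample is the point worth noting: `select.+from` and `update.+set.+=` are broad enough to fire on ordinary prose in a comment field, so a rule set like this needs per-application tuning (or restricting such signatures to specific parameters) before `SecFilterDefaultAction` is set to deny.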

Recommended PHP security settings

This is something I came across while browsing overseas sites.
For security, try configuring PHP as follows.

[CODE]
disable_functions = php_uname, putenv, getmyuid, getmypid, passthru, leak, listen, diskfreespace, tmpfile, link, ignore_user_abort, shell_exec, popen, dl, set_time_limit, exec, system, highlight_file, source, show_source, fpassthru, virtual, posix_ctermid, posix_getcwd, posix_getegid, posix_geteuid, posix_getgid, posix_getgrgid, posix_getgrnam, posix_getgroups, posix_getlogin, posix_getpgid, posix_getpgrp, posix_getpid, posix_getppid, posix_getpwnam, posix_getpwuid, posix_getrlimit, posix_getsid, posix_getuid, posix_isatty, posix_kill, posix_mkfifo, posix_setegid, posix_seteuid, posix_setgid, posix_setpgid, posix_setsid, posix_setuid, posix_times, posix_ttyname, posix_uname

register_globals = Off
; The setting above can break an unpatched Zeroboard 4.

register_long_arrays = Off
; The setting above breaks every Zeroboard 4 installation.

register_argc_argv = Off

enable_dl = Off

mysql.allow_persistent = Off
; This concerns MySQL persistent connections; if you have no use for pconnect, you do not need them.

mysql.max_persistent = 0[/CODE]

Personally I also wanted to block fread and fgets, but I found that Tattertools would then fail to install.
In my opinion those two functions should be blocked as well.
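As an added example (not from the post or from any PHP project), the following Python script audits a php.ini against the recommendations above: it parses `key = value` lines, checks that the listed directives are off, and reports which of a chosen subset of dangerous functions are absent from `disable_functions`. The `SAMPLE_INI` text is constructed for the demonstration and deliberately leaves `register_globals` on and the function list incomplete; the `REQUIRED_DISABLED` subset and the `audit`/`parse_ini` names are this example's own choices.

```python
# Constructed php.ini fragment for the demonstration (not a real server's file).
# register_globals is left On and disable_functions is incomplete on purpose.
SAMPLE_INI = """
; comment line
register_globals = On
register_long_arrays = Off
register_argc_argv = Off
enable_dl = Off
mysql.allow_persistent = Off
mysql.max_persistent = 0
disable_functions = shell_exec, exec, popen, dl, passthru
"""

# Directives the post recommends switching off.
EXPECTED_OFF = [
    "register_globals",
    "register_long_arrays",
    "register_argc_argv",
    "enable_dl",
    "mysql.allow_persistent",
]

# Subset of the post's disable_functions list that this audit insists on
# (assumption: a site may trim the full list, but these should always stay).
REQUIRED_DISABLED = {"exec", "system", "shell_exec", "passthru", "popen", "dl", "putenv"}


def parse_ini(text):
    """Minimal php.ini parser: 'key = value' lines, ';' starts a comment.

    Section headers are ignored; keys are lower-cased; surrounding quotes on
    values are stripped. Good enough for the directives checked here.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def is_off(value):
    # php.ini accepts several spellings of a false boolean.
    return value.lower() in {"off", "0", "false", "no", ""}


def audit(text):
    """Return a list of human-readable findings; an empty list means compliant."""
    settings = parse_ini(text)
    findings = []
    for key in EXPECTED_OFF:
        if key not in settings or not is_off(settings[key]):
            findings.append(f"{key} should be Off (got {settings.get(key, 'unset')!r})")
    disabled = {
        f.strip().lower()
        for f in settings.get("disable_functions", "").split(",")
        if f.strip()
    }
    missing = sorted(REQUIRED_DISABLED - disabled)
    if missing:
        findings.append("disable_functions is missing: " + ", ".join(missing))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_INI) or ["no findings"]:
        print(finding)
```

Run it against a real file with `audit(open("/path/to/php.ini").read())`; the parser deliberately ignores `[section]` headers, so `php.ini` files that use them for per-extension settings are still read correctly for the directives above.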