Secure your Apache2 with mod-security — page 3

4. mod-security filter examples

Suppose, for instance, that you want to prevent attackers from injecting shell commands through your scripts. You could use this filter to block any request containing /bin/:

SecFilter /bin/

Because a plain SecFilter inspects every enabled field by default, this will also throw a 500 error and block access to files you have deliberately published under a bin/ path, such as http://example.com/my_project/bin/latest-release.tar.gz .

To counter this, we can use SecFilterSelective, which takes a location specification (a |-separated list of request fields) and inspects only those fields, and tell it to look only at GET and POST data:

SecFilterSelective "POST_PAYLOAD|QUERY_STRING" /bin/

Or, looking further down the mod-security documentation, we could use the ARGS location instead:

SecFilterSelective ARGS /bin/

Likewise, if you only want to filter argument values (not their names), use ARGS_VALUES instead.

Finally, if you decide that only the parameter named file must not contain /bin/, you can restrict the filter to that single parameter with:

SecFilterSelective ARGS_file /bin/

Now, let's play with another example. Let's say you want to prevent access to your web server content from outside your local network, which is 192.168.1.0/24:

SecFilterSelective REMOTE_ADDR !^192.168.1.

but this will also block local (loopback) access; with a slightly richer regular expression you can allow both:

SecFilterSelective "REMOTE_ADDR" !(^192.168.1.|^127.0.0.1$)

Finally, suppose you have set up a virtual host, www.my-virtual-server.com, which should be reachable worldwide. The chain action is what you need: a chained rule only lets the following rule be evaluated when it matches itself, so the address check below is only applied when the hostname is not www.my-virtual-server.com:

SecFilterSelective SERVER_NAME !www.my-virtual-server.com chain
SecFilterSelective "REMOTE_ADDR" !(^192.168.1.|^127.0.0.1$)

Or you could redirect the user somewhere else instead of denying the request:

SecFilterSelective SERVER_NAME !www.my-virtual-server.com chain
SecFilterSelective "REMOTE_ADDR" !(^192.168.1.|^127.0.0.1$) "log,redirect:http://www.foo.com/not-authorized.html"

While detecting intrusions or attacks, it is useful to be notified as they happen. Let's use the exec action, which runs a script whenever the rule matches:

SecFilterSelective SERVER_NAME !www.my-virtual-server.com chain
SecFilterSelective "REMOTE_ADDR" !(^192.168.1.|^127.0.0.1$) "exec:/path/to/report-intrusion.pl"
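To see why the location choice and the chain matter, here is a small evaluator, added as an illustration and not part of mod_security or of this tutorial, that approximates how the rules above are applied: which fields a location name covers, the ! negation, and chain linking. The scope of a plain SecFilter (request line, query string, POST body), the negation and chain semantics, and all hostnames, addresses and paths are assumptions or constructed test data. It reproduces the false positive on the public tarball from section 4, shows that ARGS_file only looks at that parameter, and also shows one caveat the page's REMOTE_ADDR patterns do not address: the unescaped dots in ^192.168.1. let addresses such as 192.168.10.7 through, which the escaped form ^192\.168\.1\. does not.

```python
"""Mini evaluator for mod_security 1.x style SecFilter / SecFilterSelective rules.

Added illustration, not mod_security code: it approximates rule application
(location expansion, '!' negation, 'chain') so the page's examples can be
run against constructed requests. Hosts, addresses and paths are made up.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Assumption: a plain SecFilter inspects the request line, query string and
# POST body (with SecFilterScanPOST on), which is why it also hits a URL path.
SECFILTER_SCOPE = ["REQUEST_URI", "QUERY_STRING", "POST_PAYLOAD"]


@dataclass
class Request:
    server_name: str
    remote_addr: str
    request_uri: str
    query_string: str = ""
    post_payload: str = ""

    def args(self) -> dict:
        """name=value pairs from both query string and body (both count as ARGS)."""
        pairs = {}
        for blob in (self.query_string, self.post_payload):
            for part in filter(None, blob.split("&")):
                name, _, value = part.partition("=")
                pairs[name] = value
        return pairs

    def location(self, name: str) -> list:
        """The strings a location name expands to for this request."""
        simple = {
            "REQUEST_URI": self.request_uri, "QUERY_STRING": self.query_string,
            "POST_PAYLOAD": self.post_payload, "REMOTE_ADDR": self.remote_addr,
            "SERVER_NAME": self.server_name,
        }
        if name in simple:
            return [simple[name]]
        if name == "ARGS":
            return [f"{k}={v}" for k, v in self.args().items()]
        if name == "ARGS_VALUES":
            return list(self.args().values())
        if name.startswith("ARGS_"):            # ARGS_<parameter name>
            value = self.args().get(name[len("ARGS_"):])
            return [] if value is None else [value]
        raise ValueError(f"unknown location {name}")


@dataclass
class Rule:
    pattern: str                      # regex; a leading '!' negates, as in the directives
    locations: Optional[list] = None  # None = plain SecFilter, else a SecFilterSelective list
    actions: str = "deny"             # comma-separated actions; 'chain' links to the next rule

    def matches(self, req: Request) -> bool:
        negate = self.pattern.startswith("!")
        regex = re.compile(self.pattern[1:] if negate else self.pattern)
        values = [v for loc in (self.locations or SECFILTER_SCOPE) for v in req.location(loc)]
        hit = any(regex.search(v) for v in values)
        return hit != negate


def evaluate(rules: list, req: Request) -> Optional[str]:
    """Action string of the first rule (or completed chain) that matches, else None."""
    i = 0
    while i < len(rules):
        chained = "chain" in rules[i].actions.split(",")
        if rules[i].matches(req):
            if not chained:
                return rules[i].actions
            i += 1                                  # the next link must match too
        else:
            while chained and i + 1 < len(rules):   # skip the rest of this chain
                i += 1
                chained = "chain" in rules[i].actions.split(",")
            i += 1
    return None


# Constructed requests; 203.0.113.0/24 is documentation address space.
PUBLIC_TARBALL = Request("example.com", "203.0.113.5", "/my_project/bin/latest-release.tar.gz")
INJECTION_TRY = Request("example.com", "203.0.113.5", "/my_project/view.cgi", query_string="file=/bin/ls")

VHOST_CHAIN = [
    Rule("!www.my-virtual-server.com", ["SERVER_NAME"], "chain"),
    Rule(r"!(^192\.168\.1\.|^127\.0\.0\.1$)", ["REMOTE_ADDR"],
         "log,redirect:http://www.foo.com/not-authorized.html"),
]


def plain_filter_blocks_public_download() -> bool:
    """SecFilter /bin/ also matches the URL path of a legitimate download."""
    return evaluate([Rule("/bin/")], PUBLIC_TARBALL) == "deny"


def args_filter_spares_public_download() -> bool:
    """ARGS ignores the path; ARGS_file still catches /bin/ in that parameter."""
    return (evaluate([Rule("/bin/", ["ARGS"])], PUBLIC_TARBALL) is None
            and evaluate([Rule("/bin/", ["ARGS_file"])], INJECTION_TRY) == "deny")


def unescaped_dots_let_neighbour_subnet_in() -> bool:
    """'.' matches any character, so 192.168.10.x passes the page's pattern."""
    page_rule = [Rule("!^192.168.1.", ["REMOTE_ADDR"])]        # as written on the page
    strict_rule = [Rule(r"!^192\.168\.1\.", ["REMOTE_ADDR"])]  # dots escaped
    outsider = Request("example.com", "192.168.10.7", "/")       # not in 192.168.1.0/24
    return evaluate(page_rule, outsider) is None and evaluate(strict_rule, outsider) == "deny"


def chain_outcomes() -> dict:
    """The address check only fires when the first (chained) rule matched."""
    return {
        "public vhost, internet": evaluate(VHOST_CHAIN, Request("www.my-virtual-server.com", "203.0.113.5", "/")),
        "other vhost, internet": evaluate(VHOST_CHAIN, Request("example.com", "203.0.113.5", "/")),
        "other vhost, lan": evaluate(VHOST_CHAIN, Request("example.com", "192.168.1.42", "/")),
        "other vhost, loopback": evaluate(VHOST_CHAIN, Request("example.com", "127.0.0.1", "/")),
    }
```

Note that the evaluator only returns the action string; nothing is executed or redirected, which is all that is needed to check which rule would fire. The same unescaped-dot caveat applies to the SERVER_NAME pattern in the chain, so escape the dots there too if you want an exact hostname match.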