11522a4b90
git-svn-id: http://svn.us.apache.org/repos/asf/tuscany@1361915 13f79535-47bb-0310-9956-ffa450edef68
184 lines
8.8 KiB
Bash
Executable file
184 lines
8.8 KiB
Bash
Executable file
#!/bin/sh
|
|
|
|
# Licensed to the Apache Software Foundation (ASF) under one
|
|
# or more contributor license agreements. See the NOTICE file
|
|
# distributed with this work for additional information
|
|
# regarding copyright ownership. The ASF licenses this file
|
|
# to you under the Apache License, Version 2.0 (the
|
|
# "License"); you may not use this file except in compliance
|
|
# with the License. You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing,
|
|
# software distributed under the License is distributed on an
|
|
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
|
# KIND, either express or implied. See the License for the
|
|
# specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
# Generate a minimal mod-security configuration.
|
|
here=`echo "import os; print os.path.realpath('$0')" | python`; here=`dirname $here`
|
|
mkdir -p $1
|
|
root=`echo "import os; print os.path.realpath('$1')" | python`
|
|
|
|
modules_prefix=`cat $here/httpd-modules.prefix`
|
|
modsecurity_prefix=`cat $here/modsecurity.prefix`
|
|
|
|
mkdir -p $root/tmp
|
|
|
|
cat >>$root/conf/modules.conf <<EOF
|
|
# Generated by: mod-security-conf $*
|
|
# Load support for mod-security
|
|
LoadModule unique_id_module ${modules_prefix}/modules/mod_unique_id.so
|
|
LoadModule security2_module $modsecurity_prefix/lib/mod_security2.so
|
|
|
|
EOF
|
|
|
|
cat >>$root/conf/httpd.conf <<EOF
|
|
# Generated by: mod-security-conf $*
|
|
# Enable mod-security
|
|
Include conf/mod-security.conf
|
|
|
|
EOF
|
|
|
|
cat >$root/conf/mod-security.conf <<EOF
|
|
# Generated by: mod-security-conf $*
|
|
# Enable mod-security rules
|
|
SecRuleEngine On
|
|
SecDefaultAction "phase:2,pass,nolog,auditlog"
|
|
|
|
#SecDebugLog $root/logs//modsec_debug_log
|
|
#SecDebugLogLevel 3
|
|
|
|
# Process request bodies
|
|
SecRequestBodyAccess Off
|
|
SecRule REQUEST_HEADERS:Content-Type "text/xml" "phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
|
|
SecRule REQUEST_HEADERS:Content-Type "application/xml" "phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
|
|
SecRequestBodyLimit 13107200
|
|
SecRequestBodyNoFilesLimit 131072
|
|
SecRequestBodyInMemoryLimit 131072
|
|
SecRequestBodyLimitAction Reject
|
|
|
|
# Verify that we've correctly processed the request body
|
|
SecRule REQBODY_ERROR "!@eq 0" "phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
|
|
|
|
# By default be strict with what we accept in multipart/form-data request body
|
|
SecRule MULTIPART_STRICT_ERROR "!@eq 0" "phase:2,t:none,log,deny,status:44,msg:'Multipart request body failed strict validation: \
|
|
PE %{REQBODY_PROCESSOR_ERROR}, \
|
|
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
|
|
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
|
|
DB %{MULTIPART_DATA_BEFORE}, \
|
|
DA %{MULTIPART_DATA_AFTER}, \
|
|
HF %{MULTIPART_HEADER_FOLDING}, \
|
|
LF %{MULTIPART_LF_LINE}, \
|
|
SM %{MULTIPART_SEMICOLON_MISSING}, \
|
|
IQ %{MULTIPART_INVALID_QUOTING}, \
|
|
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
|
|
IH %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
|
|
|
|
# Did we see anything that might be a boundary?
|
|
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" "phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"
|
|
|
|
# Avoid a potential RegEx DoS condition
|
|
SecPcreMatchLimit 50000
|
|
SecPcreMatchLimitRecursion 50000
|
|
SecRule TX:/^MSC_/ "!@streq 0" "phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
|
|
|
|
# Detect slow DoS attacks
|
|
SecRule RESPONSE_STATUS "@streq 408" "phase:5,t:none,nolog,pass, setvar:ip.slow_dos_counter=+1,expirevar:ip.slow_dos_counter=60"
|
|
SecRule IP:SLOW_DOS_COUNTER "@gt 5" "phase:1,t:none,log,drop, msg:'Client Connection Dropped due to high # of slow DoS alerts'"
|
|
SecWriteStateLimit 50
|
|
|
|
# Process response bodies
|
|
SecResponseBodyAccess Off
|
|
SecResponseBodyMimeType text/plain text/html text/xml application/xml
|
|
SecResponseBodyLimit 524288
|
|
SecResponseBodyLimitAction ProcessPartial
|
|
|
|
# The location where mod-security stores temporary files
|
|
SecTmpDir $root/tmp/
|
|
SecDataDir $root/tmp/
|
|
|
|
# Use & as application/x-www-form-urlencoded parameter separator
|
|
SecArgumentSeparator &
|
|
|
|
# Settle on version 0 (zero) cookies.
|
|
SecCookieFormat 0
|
|
|
|
# Enable anomaly scoring
|
|
SecAction "phase:1,id:'981206',t:none,nolog,pass,setvar:tx.anomaly_score_blocking=on"
|
|
SecAction "phase:1,id:'981207',t:none,nolog,pass, \
|
|
setvar:tx.critical_anomaly_score=5, \
|
|
setvar:tx.error_anomaly_score=4, \
|
|
setvar:tx.warning_anomaly_score=3, \
|
|
setvar:tx.notice_anomaly_score=2"
|
|
SecAction "phase:1,id:'981208',t:none,nolog,pass,setvar:tx.inbound_anomaly_score_level=10"
|
|
SecAction "phase:1,id:'981209',t:none,nolog,pass,setvar:tx.outbound_anomaly_score_level=8"
|
|
|
|
# Paranoid mode
|
|
SecAction "phase:1,id:'981210',t:none,nolog,pass,setvar:tx.paranoid_mode=0"
|
|
|
|
# HTTP policy settings
|
|
SecAction "phase:1,id:'981211',t:none,nolog,pass,setvar:tx.max_num_args=255"
|
|
SecAction "phase:1,t:none,nolog,pass,setvar:tx.arg_name_length=100"
|
|
SecAction "phase:1,t:none,nolog,pass,setvar:tx.arg_length=400"
|
|
SecAction "phase:1,t:none,nolog,pass,setvar:tx.total_arg_length=64000"
|
|
SecAction "phase:1,t:none,nolog,pass,setvar:tx.max_file_size=1048576"
|
|
SecAction "phase:1,t:none,nolog,pass,setvar:tx.combined_file_sizes=1048576"
|
|
SecAction "phase:1,id:'981212',t:none,nolog,pass, \
|
|
setvar:'tx.allowed_methods=GET HEAD POST PUT OPTIONS DELETE CONNECT', \
|
|
setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded multipart/form-data text/xml application/xml application/json application/json-rpc application/atom+xml', \
|
|
setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1', \
|
|
setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/', \
|
|
setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/'"
|
|
|
|
# Brute force protection
|
|
SecAction "phase:1,id:'981214',t:none,nolog,pass, \
|
|
setvar:'tx.brute_force_protected_urls=/login', \
|
|
setvar:'tx.brute_force_burst_time_slice=60', \
|
|
setvar:'tx.brute_force_counter_threshold=10', \
|
|
setvar:'tx.brute_force_block_timeout=300'"
|
|
|
|
# DoS protection
|
|
SecAction "phase:1,id:'981215',t:none,nolog,pass, \
|
|
setvar:'tx.dos_burst_time_slice=60', \
|
|
setvar:'tx.dos_counter_threshold=100', \
|
|
setvar:'tx.dos_block_timeout=600'"
|
|
|
|
# Check UTF-8 encoding
|
|
SecAction "phase:1,id:'981216',t:none,nolog,pass,setvar:tx.crs_validate_utf8_encoding=1"
|
|
|
|
# Global and IP collections
|
|
SecRule REQUEST_HEADERS:User-Agent "^(.*)$" "phase:1,id:'981217',t:none,pass,nolog,t:sha1,t:hexEncode,setvar:tx.ua_hash=%{matched_var}"
|
|
SecRule REQUEST_HEADERS:x-forwarded-for "^\b(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\b" "phase:1,id:'981225',t:none,pass,nolog,capture,setvar:tx.real_ip=%{tx.1}"
|
|
SecRule &TX:REAL_IP "!@eq 0" "phase:1,id:'981226',t:none,pass,nolog,initcol:global=global,initcol:ip=%{tx.real_ip}_%{tx.ua_hash}"
|
|
SecRule &TX:REAL_IP "@eq 0" "phase:1,id:'981218',t:none,pass,nolog,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash}"
|
|
|
|
# Include all base mod-security CRS rules
|
|
Include ${modsecurity_prefix}/base_rules/modsecurity_crs_20_protocol_violations.conf
|
|
#Include ${modsecurity_prefix}/base_rules/modsecurity_crs_41_xss_attacks.conf
|
|
#Include ${modsecurity_prefix}/base_rules/modsecurity_crs_50_outbound.conf
|
|
Include ${modsecurity_prefix}/base_rules/modsecurity_crs_35_bad_robots.conf
|
|
Include ${modsecurity_prefix}/base_rules/modsecurity_crs_47_common_exceptions.conf
|
|
Include ${modsecurity_prefix}/base_rules/modsecurity_crs_60_correlation.conf
|
|
#Include ${modsecurity_prefix}/base_rules/modsecurity_crs_40_generic_attacks.conf
|
|
Include ${modsecurity_prefix}/base_rules/modsecurity_crs_21_protocol_anomalies.conf
|
|
Include ${modsecurity_prefix}/base_rules/modsecurity_crs_30_http_policy.conf
|
|
Include ${modsecurity_prefix}/base_rules/modsecurity_crs_49_inbound_blocking.conf
|
|
Include ${modsecurity_prefix}/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
|
|
#Include ${modsecurity_prefix}/base_rules/modsecurity_crs_45_trojans.conf
|
|
Include ${modsecurity_prefix}/base_rules/modsecurity_crs_59_outbound_blocking.conf
|
|
Include ${modsecurity_prefix}/base_rules/modsecurity_crs_23_request_limits.conf
|
|
Include ${modsecurity_prefix}/base_rules/modsecurity_crs_42_tight_security.conf
|
|
|
|
# Include some optional mod-security CRS rules
|
|
#Include ${modsecurity_prefix}/optional_rules/modsecurity_crs_10_ignore_static.conf
|
|
#Include ${modsecurity_prefix}/optional_rules/modsecurity_crs_13_xml_enabler.conf
|
|
#Include ${modsecurity_prefix}/optional_rules/modsecurity_crs_25_cc_known.conf
|
|
#Include ${modsecurity_prefix}/optional_rules/modsecurity_crs_42_comment_spam.conf
|
|
#Include ${modsecurity_prefix}/optional_rules/modsecurity_crs_47_skip_outbound_checks.conf
|
|
#Include ${modsecurity_prefix}/optional_rules/modsecurity_crs_55_application_defects.conf
|
|
|
|
EOF
|
|
|