'yum'에 해당되는 글 1건

  1. 2009/03/06 yum update를 이용한 최신버전 apm 설치 (1)
for web2.02009/03/06 09:38

yum update를 이용한 최신버전 apm 설치

#########################################################
#
# yum update를 이용해 최신버전 APM 설치하기
#
#########################################################


#########################################################
# 1. repository 파일 생성
# - repository 생성 후 yum을 이용한 apm 최신 버전 설치 가능
#########################################################

# ytterramblings.repo 생성
> cd /etc/yum.repos.d
> vi utterramblings.repo
/*
# Enable Jason's Utter Ramblings Repo
[utterramblings]
name=Jason's Utter Ramblings Repo
baseurl=http://www.jasonlitka.com/media/EL$releasever/$basearch/
enabled=1
gpgcheck=1
gpgkey=http://www.jasonlitka.com/media/RPM-GPG-KEY-jlitka
*/

#########################################################
# 2. apache + php + mod_security 설치
#########################################################

# apache 설치
> yum install httpd

# mod_security 를 모듈로 설치하기 위해 필요한 apxs 설치
> yum install httpd-devel pcre-devel

# php 설치
> yum install php php-devel
> yum install php-gd php-imap php-ldap php-mysql php-odbc php-pear php-xml php-xmlrpc

# ModeSecurity 설치 ( 아파치 확장 모듈 만들기 )
> cd /usr/local/src/
> wget http://www.modsecurity.org/download/modsecurity-apache_2.5.6.tar.gz
> wget http://www.modsecurity.org/download/modsecurity-core-rules_2.5-1.6.1.tar.gz
> tar -xvzf modsecurity-apache_2.5.6.tar.gz
> cd /usr/local/src/modsecurity-apache_2.5.6/apache2
> ./configure --with-apxs=/usr/sbin/apxs
> make
> make test
> make install

# /etc/httpd/conf.d/security.conf 만들기
# http://www.securenet.or.kr/main.jsp?menuSeq=501 에서 security.conf 예제파일 다운로드 가능
# ModSecurity_2x_SMB_080929.conf - 2.1.x 버전 중소기업용
> cd /etc/httpd/conf.d/
> vi security.conf
# 아래의 코드를 붙여 넣는다.
# 아래의 코드를 붙여 넣고, Apache restart 시 에러나는 부분은 주석 처리한다.

#
# security.conf
# Start ~
#

LoadFile /usr/lib/libxml2.so
LoadModule unique_id_module modules/mod_unique_id.so
LoadModule security2_module modules/mod_security2.so

#############################
# < 중소기업용 >
#
# 이 Rule은 1대의 서버에 소수의 웹사이트가 운영되는 중소기업의 웹사이트를 위한 최소공격 차단 Rule입니다.
# 이 Rule을 참고하여 각 웹사이트에 적합한 Rule로 커스트마이징하시기 바랍니다.
# Rule 커스트마이징 후에는 공격탐지시 차단하도록 SecDefaultAction 에서 
# pass를 deny로 수정하시기 바랍니다.
#
#############################


#############################
# 1. ModSecurity 동작 유/무
# SecRuleEngine On | Off | DetectionOnly
# On : ModSecurity 기능 활성화
# Off : ModSecurity 기능 비활성화
# DetectionOnly : ModSecurity 모니터링 모드 (SecDefaultAction 보다 선행)

SecRuleEngine On


#############################
# 2. 기본 설정
# 기본적으로 룰이 매치 될 경우 행위(Action) 지정
# SecDefaultAction "행위"`
# 행위 : deny, pass, allow, status:apache error code, redirect:/error.html
#
# 룰 커스트마이징 완료 후 공격탐지시 차단하도록 SecDefaultAction 에서
# pass를 deny로 수정 필요

SecDefaultAction "deny,log,phase:2,status:406,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
#SecDefaultAction "pass,log,auditlog,phase:2,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"

# 아파치의 기본 로그보다 자세한 공격관련 로그를 기록
SecAuditEngine RelevantOnly

# 로그의 양을 줄이기 위해 필요한 4xx 또는 5xx 관련 에러만 남긴다. 404는 남기지 않는다.
SecAuditLogRelevantStatus "^(?:5|4\d[^4])"

# 로그 파일 구조
SecAuditLogType Serial
SecAuditLog logs/modsec_audit.log

# 로그에 남길 부분
SecAuditLogParts "ABIFHZ"

# 웹서버의 헤더 정보 변경
SecServerSignature "Microsoft-IIS/5.0"

# 아규먼트 구분자
SecArgumentSeparator "&"

# 다음의 메소드는 허용하지 않음
SecRule REQUEST_METHOD "(PUT|DELETE|TRACE)" "deny, log"

SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml 
SecResponseBodyLimit 524288

#############################
# 3. PHP 인젝션 취약 공격 방지(제로보드 대상 공격 포함)
SecRule REQUEST_URI "\.php" "chain, msg:'PHP Injection Attacks'"
SecRule REQUEST_URI "(dir|page|)" chain
SecRule REQUEST_URI "=(http|https|ftp)\:/"
SecRule REQUEST_URI "/include/write\.php\?dir=(ftp|http):" "msg:'PHP Injection Attacks'"
SecRule REQUEST_URI "/include/print_category\.php\?setup=1&dir=(ftp|http):" "msg:'PHP Injection Attacks'"
SecRule REQUEST_URI "/zero_vote/error\.php\?dir=(ftp|http):" "msg:'PHP Injection Attacks'"
SecRule REQUEST_URI "/outlogin\.php\?_zb_path=(ftp|http):" "msg:'PHP Injection Attacks'"
SecRule REQUEST_URI "filename=\|" "msg:'PHP Injection Attacks'"
SecRule REQUEST_URI "check_user_id\.php\?user_id=<script>alert(document\.cookie)" "msg:'PHP Injection Attacks'"
SecRule REQUEST_URI "/zero_vote/login\.php\?dir=(ftp|http):" "msg:'PHP Injection Attacks'"
SecRule REQUEST_URI "/zero_vote/setup\.php\?dir=(ftp|http):" "msg:'PHP Injection Attacks'"
SecRule REQUEST_URI "/zero_vote/ask_password\.php\?dir=(ftp|http):" "msg:'PHP Injection Attacks'"

#############################
# 4. 명령어 실행 방지
SecRule ARGS ";[[:space:]]*(ls|pwd|wget|cd)" "msg:'Command execution attack'"
SecRule REQUEST_URI "(perl|lynx|mkdir|cmd|lwp-(download|request|mirror|rget))" "msg:'Command execution attack'"
SecRule REQUEST_URI "(uname|net(stat|cat)|curl|telnet|gcc|cc|rm\-[a-z|A-Z])" "msg:'Command execution attack'"

#############################
# 5. XSS 공격 방지
SecRule ARGS "alert[[:space:]]*\(" "msg:'XSS attack'"
SecRule ARGS "&#[[0-9a-fA-F]]{2}" "msg:'XSS attack'"
SecRule ARGS "eval[[:space:]]*\(" "msg:'XSS attack'"
SecRule ARGS "onKeyUp" "msg:'XSS attack'"
SecRule ARGS "\x5cx[0-9a-fA-F]{2}" "msg:'XSS attack'"
SecRule ARGS "fromCharCode" "msg:'XSS attack'"
SecRule ARGS "&\{.+\}" "msg:'XSS attack'"
SecRule ARGS "<script" "msg:'XSS attack'"
SecRule ARGS "vbscript:" "msg:'XSS attack'"
SecRule ARGS "expression[[:space:]]*\(" "msg:'XSS attack'"
SecRule ARGS "url[[:space:]]*\(" "msg:'XSS attack'"
SecRule ARGS "innerHTML" "msg:'XSS attack'"
SecRule ARGS "document\.body" "msg:'XSS attack'"
SecRule ARGS "document\.cookie" "msg:'XSS attack'"
SecRule ARGS "document\.location" "msg:'XSS attack'"
SecRule ARGS "document\.write" "msg:'XSS attack'"
SecRule ARGS "style[[:space:]]*=" "msg:'XSS attack'"
SecRule ARGS "dynsrc" "msg:'XSS attack'"
SecRule ARGS "jsessionid" "msg:'XSS attack'"
SecRule ARGS "phpsessid" "msg:'XSS attack'"


#############################
# 6. SSI 인젝션 관련 공격 차단
SecRule ARGS "<!--[[:space:]]*#[[:space:]]*(exec|cmd|echo|include|printenv)" "msg:'SSI injection attack'"


#############################
# 7. 스패머 프로그램 봇
SecRule REQUEST_HEADERS:User-agent "[Ww]eb[Bb]andit" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "WEBMOLE" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Telesoft*" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "WebEMailExtractor" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "CherryPicker*" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "NICErsPRO" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Advanced Email Extractor*" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "EmailSiphon" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Extractorpro" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "EmailCollector" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "WebEMailExtrac*" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "EmailWolf" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Microsoft URL Control" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "^Microsoft URL" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "SmartDownload" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Offline Explorer" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Ninja" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "NetZIP" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "HTTrack" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Googlebot-Image" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Download" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Downloader" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "BackDoorBot" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "ah-ha" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Alexibot" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Atomz" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Microsoft-WebDAV-MiniRedir" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Microsoft-WebDAV-MiniRedir/5\.1\.2600" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Googlebot/2\.1" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "PlantyNet_WebRobot_V1\.9" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "LWP::" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "lwp-trivial" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Mozilla/2\.0" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "WebZIP" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Teleport" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "GetRight" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "FlashGet" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "JetCar" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Go!Zilla" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "NamoWebEditor" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Namo" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "MSFrontPage" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "WebTrack-HTTPP" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "WebSymmetrix" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "AD2000" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "WebSpy" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "WebStripper" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "WebSnatcher" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "WebGet" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "HSlide" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "WebCopier" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Website eXtractor" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Internet Ninja" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "fortuna" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "SuperHTTP" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "WISEbot/1\.0" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "NaverBot-1\.0" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Talkro Web-Shot/1\.0" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Talkro" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Web-Shot/1\.0" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Arachmo" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "WinHTTrack Website Copier" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "BlackWidow" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "SuperBot" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "MM3-WebAssistant" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Offline Explorer Pro" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "GetBot" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "SBWcc Website Capture" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Leech" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "HTTP Weazel" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "WebGainer" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Offline Explorer Enterprise" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "PageSucker" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "QuadSucker/Web" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "BackStreet Browser" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Offline Navigator" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Aaron's WebVacuum" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "JOC Web Spider" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Grab-a-Site" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "PicScour" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "RafaBot" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Cli-Mate" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "eNotebook" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "WebSlinky" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Pictures Grabber" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Web Dumper" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "WebCatcher" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "SurfOffline" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "NetGrabber" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Power Siphon" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Rip Clip" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "WebWhacker" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Offline CHM" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "webpictureboss" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Visual Web Task" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Web Shutter" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "NavRoad" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "7 Download Services" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "WebCloner Standard" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "EZ Save MHT" "msg:'Robot attack'"
SecRule REQUEST_HEADERS:User-agent "Yahoo! Slurp" "msg:'Robot attack'"


###########################################
# 8. 검색엔진 Recon/Google 이용한 해킹 방지
SecRule REQUEST_HEADERS:Referer  "Powered by Gravity Board" "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer  "Powered by SilverNews"  "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer  "Powered.*PHPBB.*2\.0\.\ inurl\:"  "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer  "PHPFreeNews inurl\:Admin\.php"  "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer  "inurl.*/cgi-bin/query"  "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer  "inurl.*tiki-edit_submission\.php"  "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer  "inurl.*wps_shop\.cgi"  "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer  "inurl.*edit_blog\.php.*filetype\:php"  "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer  "inurl.*passwd.txt.*wwwboard.*webadmin"  "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer  "inurl.*admin\.mdb"  "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer  "filetype:sql \x28\x22passwd values.*password values.*pass values" "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer  "filetype.*blt.*buddylist" "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer  "File Upload Manager v1\.3.*rename to" "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer  "filetype\x3Aphp HAXPLORER .*Server Files Browser" "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer  "inurl.*passlist\.txt" "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer  "wwwboard WebAdmininurl\x3Apasswd\.txt wwwboard\x7Cwebadmin" "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer  "Enter ip.*inurl\x3A\x22php-ping\.php\x22" "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer  "intitle\.*PHP Shell.*Enable stderr.*filetype\.php" "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer  "inurl\.*install.*install\.php" "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer  "Powered by PHPFM.*filetype\.php -username" "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer  "inurl\.*phpSysInfo.*created by phpsysinfo" "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer  "SquirrelMail version 1\.4\.4.*inurl:src ext\.php" "msg:'Recon/Google attack'"
SecRule REQUEST_HEADERS:Referer  "inurl\.*webutil\.pl" "msg:'Recon/Google attack'"

#############################
# 9. PHPMyAdmin 관련 공격 취약점 적용
# "subform" 로컬 파일 포함 취약점
SecRule REQUEST_URI "/libraries/grab_globals\.lib\.php" chain
SecRule REQUEST_URI "(/|\.\.|(http|https|ftp)\:/)"
SecRule REQUEST_URI "/libraries/grab_globals\.lib\.php" chain
SecRule REQUEST_URI "usesubform.*=.*&usesubform.*=.*&subform.*(/|\.\.|(http|https|ftp)\:/)"

# 경로 취약점
SecRule REQUEST_URI "/css/phpmyadmin\.css\.php\?GLOBALS\[cfg\]\[ThemePath\]=/etc"
SecRule REQUEST_URI "/phpMyAdmin/css/phpmyadmin\.css\.php\?GLOBALS\[cfg\]\[ThemePath\]=(/|.*\.\./)"

# 문자열변환 파라미터 크로스사이트 스크립팅 취약점
SecRule REQUEST_URI "/phpmyadmin/index\.php\?pma_username=*&pma_password=*&server=.*&lang=.*&convcharset=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"

# Export.PHP 파일 공개 취약점
SecRule SCRIPT_FILENAME "export\.php$" chain
SecRule REQUEST_URI "\.\."    

# XSS 취약점
SecRule REQUEST_URI "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=|javascript\:)"
SecRule REQUEST_URI "libraries/auth/cookie\.auth\.lib\.php" chain
SecRule REQUEST_URI "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>
SecRule REQUEST_URI "/error\.php" chain
SecRule REQUEST_URI "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>

# register_globals Emulation "import_blacklist" 조작 취약점
SecRule REQUEST_URI "/grab_globals\.php" chain
SecRule REQUEST_URI "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|(http|https|ftp)\:/)"

#############################
# 10. 기타 공격 방지
# 허용하는 HTTP 리퀘스트 타입 (HTTP 0.9, 1.0 혹은 1.1) 이외 차단
#SecRule REQUEST_PROTOCOL "!^HTTP/(0\.9|1\.0|1\.1)$" "msg:'Not allowed HTTP Protocol'" 

# /etc/passwd 파일 접근 차단
SecRule REQUEST_URI "/etc/passwd"

# 웹을 이용한 SMTP redirect 금지
SecRule REQUEST_URI ^(http|https)\:/.+:25 

# Directory Traversal 공격 차단
SecRule REQUEST_URI "\.\./"   


#############################
# 11. SQL Injection 공격 차단
# PHPMyAdmin을 사용할 경우 예외처리
SecRule REQUEST_HEADERS:Host "(127.0.0.1|localhost)" "chain,skip:40"
SecRule REQUEST_URI "(/phpmyadmin|/myadmin)"

## Generic
SecRule ARGS "(create|drop|delete)" "chain,msg:'SQL injection attack'"
SecRule ARGS "(database|table|column|procedure|from|where)"
SecRule ARGS "(select|alter|update|insert|declare)" "chain,msg:'SQL injection attack'"
SecRule ARGS "(database|table|procedure|from|where|into)"
SecRule ARGS "update.+set.+=" "msg:'SQL injection attack'"
SecRule ARGS "insert[[:space:]]+into.+values" "msg:'SQL injection attack'"
SecRule ARGS "bulk[[:space:]]+insert" "msg:'SQL injection attack'"
SecRule ARGS "union.+select" "msg:'SQL injection attack'"
SecRule ARGS "into[[:space:]]+outfile" "msg:'SQL injection attack'"
SecRule ARGS "load[[:space:]]+data" "msg:'SQL injection attack'"
SecRule ARGS "((order[[:space:]]|group[[:space:]])by|having)" "msg:'SQL injection attack'"
SecRule ARGS "';.+(like|and|or)" "chain,msg:'SQL injection attack'"
SecRule ARGS "'.+--"
SecRule ARGS "/\*.+\*/"  "msg:'SQL injection attack'"
SecRule ARGS "or.+1[[:space:]]*=[[:space:]]1" "msg:'SQL injection attack'"
SecRule ARGS "or 1=1--'" "msg:'SQL injection attack'"
 
## MS-SQL
SecRule ARGS "exec.+[xs]p_" "msg:'SQL injection attack'"
SecRule ARGS "exec[[:space:]]*\(" "msg:'SQL injection attack'"
SecRule ARGS "master(\.\.|\.dbo\.)" "msg:'SQL injection attack'"
#SecRule ARGS "@@[[:alnum:]]+" "msg:'SQL injection attack'"
SecRule ARGS "open(query|rowset)" "msg:'SQL injection attack'"
SecRule ARGS "(msdasql|sqloledb)" "msg:'SQL injection attack'"
SecRule ARGS "(sys(objects|columns|logins|xlogins)|xtype)" "msg:'SQL injection attack'"
SecRule ARGS "sp_(oa(create|method|setproperty)|add(extendedproc|srvrolemember)|login|password|droplogin|configure)" "msg:'SQL injection attack'"
#SecRule ARGS "xp_(cmdshell|servicecontrol|reg(read|write|enumvalues|delete(value|key)|msver|logininfo)" "msg:'SQL injection attack'"

# MySQL
SecRule ARGS "mysqladmin.+(create|drop|delete)" "msg:'SQL injection attack'"
SecRule ARGS "drop.+index" "msg:'SQL injection attack'"
SecRule ARGS "alter[[:space:]]table" "chain,msg:'SQL injection attack'"
#SecRule ARGS "(change|modify|column|)(bigint|integer|not[[:space:]]null)" "msg:'SQL injection attack'"
#SecRule ARGS "if[[:space:]]not[[:space:]]exist" "msg:'SQL injection attack'"

#
# security.conf
# ~ Start
#


#########################################################
# 3. mysql 설치
#########################################################
> cd /usr/local/src
> wget http://dev.mysql.com/get/Downloads/MySQL-5.1/mysql-5.1.32-linux-i686-icc-glibc23.tar.gz/from/http://mirror.khlug.org/mysql/
> tar xvf  mysql-5.1.32-linux-i686-icc-glibc23.tar.gz
> cd mysql-5.1.32-linux-i686-icc-glibc23
> vi INSTALL-BINARY
# vi INSTALL-BINARY 파일의 순서대로 mysql Install, 필요한 모듈은 yum install 모듈

#########################################################
# 4. cronlog 설치
#########################################################
> cd /usr/local/src
> wget http://dag.wieers.com/rpm/packages/cronolog/cronolog-1.6.2-1.el5.rf.i386.rpm
> rpm -ivh cronolog-1.6.2-1.el5.rf.i386.rpm

Posted by maketalk.net
TAG , ,
Trackback 0 Comment 1