ModSecurity
Home Projects Documentation Download Contact

Quick examples

These quick examples are actually the contents of the example httpd.conf addition distributed with mod_security:

<IfModule mod_security.c>

    # Turn the filtering engine On or Off
    SecFilterEngine On

    # Make sure that URL encoding is valid
    SecFilterCheckURLEncoding On

    # Only allow bytes from this range
    SecFilterForceByteRange 32 126

    # The audit engine works independently and
    # can be turned On of Off on the per-server or
    # on the per-directory basis
    SecAuditEngine RelevantOnly

    # The name of the audit log file
    SecAuditLog logs/audit_log

    SecFilterDebugLog logs/modsec_debug_log
    SecFilterDebugLevel 0

    # Should mod_security inspect POST payloads
    SecFilterScanPOST On

    # Action to take by default
    SecFilterDefaultAction "deny,log,status:406"

    # Redirect user on filter match
    SecFilter xxx redirect:http://www.webkreator.com

    # Execute the external script on filter match
    SecFilter yyy log,exec:/home/ivanr/apache/bin/report-attack.pl

    # Simple filter
    SecFilter 111
    
    # Only check the QUERY_STRING variable
    SecFilterSelective QUERY_STRING 222

    # Only check the body of the POST request
    SecFilterSelective POST_PAYLOAD 333

    # Only check arguments (will work for GET and POST)
    SecFilterSelective ARGS 444

    # Test filter
    SecFilter "/cgi-bin/keyword"

    # Another test filter, will be denied with 404 but not logged
    # action supplied as a parameter overrides the default action
    SecFilter 999 "deny,nolog,status:404"

    # Prevent OS specific keywords
    SecFilter /etc/password

    # Prevent path traversal (..) attacks
    SecFilter "\.\./"

    # Weaker XSS protection but allows common HTML tags
    SecFilter "<( |\n)*script"

    # Prevent XSS atacks (HTML/Javascript injection)
    SecFilter "<(.|\n)+>"

    # Very crude filters to prevent SQL injection attacks
    SecFilter "delete[[:space:]]+from"
    SecFilter "insert[[:space:]]+into"
    SecFilter "select.+from"

    # Require HTTP_USER_AGENT and HTTP_HOST headers
    SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

    # Forbid file upload
    SecFilterSelective "HTTP_CONTENT_TYPE" multipart/form-data

    # Only watch argument p1
    SecFilterSelective "ARG_p1" 555

    # Watch all arguments except p1
    SecFilterSelective "ARGS|!ARG_p2" 666

    # Only allow our own test utility to send requests (or Mozilla)
    SecFilterSelective HTTP_USER_AGENT "!(mod_security|mozilla)"

    # Do not allow variables with this name
    SecFilterSelective ARGS_NAMES 777

    # Do now allow this variable value (names are ok)
    SecFilterSelective ARGS_VALUES 888

    # Stop spamming through FormMail
    # note the exclamation mark at the beginning
    # of the filter - only requests that match this regex will
    # be allowed
    <Location /cgi-bin/FormMail>
        SecFilterSelective "ARG_recipient" "!@webkreator.com$"
    </Location>

    # when allowing upload, only allow images
    # note that this is not foolproof, a determined attacker
    # could get around this 
    <Location /fileupload.php>
        SecFilterInheritance Off
        SecFilterSelective POST_PAYLOAD "!image/(jpeg|bmp|gif)"
    </Location>

</IfModule>

 
Copyright 2002-2005 Ivan Ristic
Thinking Stone