42 lines
1.8 KiB
Plaintext
42 lines
1.8 KiB
Plaintext
SecRuleEngine On
|
|
SecRequestBodyAccess On
|
|
SecResponseBodyAccess On
|
|
SecDebugLog /var/log/modsecurity/debug.log
|
|
SecDebugLogLevel 0
|
|
SecAuditLogParts ABIJ
|
|
SecAuditLogType Serial
|
|
SecAuditLog /var/log/modsecurity/audit.log
|
|
|
|
# sql injection
|
|
SecRule REQUEST_URI|ARGS "(?i:(?:select|insert|update|delete|drop|union|create|alter|truncate)\s+.+\s+from|'[^']*'|--|;|\b(or|and)\b\s+\d+\s*=\s*\d+)" \
|
|
"id:950001,phase:1,deny,status:403,msg:'SQL INJECTION ATTACK DETECTED!!!',log,t:urlDecode,t:sqlHexDecode,t:lowercase"
|
|
|
|
# sql injection parte 2
|
|
SecRule REQUEST_URI|ARGS "['\"](?:\s+or\s+\d+\s*=\s*\d+\s*--|\s+or\s+'.+?'\s*=\s*'.+?'\s*--|.*?--)" \
|
|
"id:950002,phase:1,deny,status:403,msg:'SQL INJECTION ATTACK DETECTED!1!',log,t:urlDecode,t:lowercase,t:compressWhitespace"
|
|
|
|
# xss / html injection
|
|
SecRule REQUEST_URI|ARGS "(<.*>)|(%3C.*%3E)" \
|
|
"id:950003,phase:1,deny,status:403,msg:'XSS/HTML INJECTION DETECTED!!!',log"
|
|
|
|
# command injection
|
|
SecRule ARGS "(\"role\".*:.*\"admin\")|exec|cat|more|ls|dir|/etc/passwd" \
|
|
"id:950006,phase:2,deny,status:403,msg:'COMMAND INJECTION DETECTED!!!',log"
|
|
|
|
# path traversal
|
|
SecRule REQUEST_URI|ARGS "\%00|\%2500|\.\./|ftp|metrics|api-docs" \
|
|
"id:950007,phase:2,deny,status:403,msg:'PATH TRAVERSAL ATTEMPT!!!',log"
|
|
|
|
# exposed stuff (redundante ?)
|
|
SecRule REQUEST_URI|ARGS "\%00|\%2500|ftp|metrics|api-docs" \
|
|
"id:950008,phase:2,deny,status:500,msg:'ATTEMPT TO ACCESS FTP, METRICS, API-DOCS!!!',log"
|
|
|
|
# rate limiting on login endpoint
|
|
# (max 5 requests per 30s per IP)
|
|
SecAction \
|
|
"id:950009,phase:1,initcol:ip=%{REMOTE_ADDR},pass,nolog"
|
|
SecRule REQUEST_URI "@streq /rest/user/login" \
|
|
"id:950010,phase:2,pass,nolog,setvar:ip.login_count=+1,expirevar:ip.login_count=30"
|
|
SecRule IP:LOGIN_COUNT "@gt 5" \
|
|
"id:950011,phase:2,deny,status:429,msg:'Rate Limit Exceeded on Login',log"
|