# mod_security (1.x-style directives) rule set.
# NOTE(review): the "Test filter", "test #41" and "our own test utility"
# comments suggest this is a sample/test configuration rather than a
# production policy — confirm before deploying as-is.

# Turn the filtering engine On or Off
SecFilterEngine On

# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On

# Only allow bytes from this range
# (32-126 is printable ASCII: control bytes such as tab/newline and any
# non-ASCII bytes are rejected)
SecFilterForceByteRange 32 126

# The audit engine works independently and
# can be turned On or Off on the per-server or
# on the per-directory basis. "On" will log everything,
# "DynamicOrRelevant" will log dynamic requests or violations,
# and "RelevantOnly" will only log policy violations
SecAuditEngine RelevantOnly

# The name of the audit log file
SecAuditLog logs/audit_log

# Debug log location; level 0 keeps debug output off
SecFilterDebugLog logs/modsec_debug_log
SecFilterDebugLevel 0

# Should mod_security inspect POST payloads
SecFilterScanPOST On

# Action to take by default (applies to every filter below that does
# not supply its own action list)
SecFilterDefaultAction "deny,log,status:500"

# Redirect user on filter match
SecFilter xxx redirect:http://www.webkreator.com

# Execute the external script on filter match
# (an external process is spawned for every matching request)
SecFilter yyy log,exec:/home/users/ivanr/apache/bin/report-attack.pl

# Simple filter
SecFilter 111

# Only check the QUERY_STRING variable
SecFilterSelective QUERY_STRING 222

# Only check the body of the POST request
SecFilterSelective POST_PAYLOAD 333

# Only check arguments (will work for GET and POST)
SecFilterSelective ARGS 444

# Test filter
SecFilter "/cgi-bin/modsec-test.pl/keyword"

# Another test filter, will be denied with 404 but not logged
# action supplied as a parameter overrides the default action
# NOTE(review): the action list below returns status:500, not 404 as the
# comment above says — confirm which is intended
SecFilter 999 "deny,nolog,status:500"

# Prevent OS specific keywords
SecFilter /etc/passwd

# Prevent path traversal (..) attacks
SecFilter "\.\./"

# Weaker XSS protection but allows common HTML tags
SecFilter "<[[:space:]]*script"

# Prevent XSS attacks (HTML/Javascript injection)
# (matches any "<...>" sequence in the request, so expect false
# positives on legitimate input containing angle brackets)
SecFilter "<(.|\n)+>"

# Very crude filters to prevent SQL injection attacks
# (keyword matching only; will also match ordinary prose such as
# "select one from the list")
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"

# Require HTTP_USER_AGENT and HTTP_HOST headers
SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

# Forbid file upload
# (decided on the declared Content-Type header only)
SecFilterSelective "HTTP_CONTENT_TYPE" multipart/form-data

# Only watch argument p1
SecFilterSelective "ARG_p1" 555

# Watch all arguments except p1
# NOTE(review): the directive below excludes ARG_p2, not p1 as the
# comment above says — confirm which is intended
SecFilterSelective "ARGS|!ARG_p2" 666

# Only allow our own test utility to send requests (or Mozilla)
SecFilterSelective HTTP_USER_AGENT "!(mod_security|mozilla)"

# Do not allow variables with this name
SecFilterSelective ARGS_NAMES 777

# Do not allow this variable value (names are ok)
SecFilterSelective ARGS_VALUES 888

# Test for a POST variable parsing bug, see test #41
SecFilterSelective ARG_p2 AAA

# Stop spamming through FormMail
# note the exclamation mark at the beginning
# of the filter - only requests that match this regex will
# be allowed
SecFilterSelective "ARG_recipient" "!@webkreator.com$"

# when allowing upload, only allow images
# note that this is not foolproof, a determined attacker
# could get around this
# (SecFilterInheritance Off stops filters from the parent context being
# inherited here; the check itself only looks for an image MIME string
# in the body, not at the actual file contents)
SecFilterInheritance Off
SecFilterSelective POST_PAYLOAD "!image/(jpeg|bmp|gif)"