# # $Id: modsecurity-2.5.12.conf,v 1.3 2010/04/16 14:57:39 raptor Exp $ # # modsecurity-2.5.12.conf - ModSecurity configuration file # Copyright (c) 2010 Marco Ivaldi # # ModSecurity is an open source web application firewall. Working embedded in # the web server, or standalone as a network appliance, it detects and prevents # attacks against web applications. # # This sample configuration file has been tested on Red Hat Enterprise and SUSE # Linux with ModSecurity v2.5.12 and Core Ruleset v2.0.5. Modify it to fit your # needs. # # See also http://www.modsecurity.org/documentation/. # ########## Base Configuration ########## # Basic configuration options SecRuleEngine DetectionOnly #SecRuleEngine On SecRequestBodyAccess On #SecResponseBodyAccess Off SecResponseBodyAccess On SecResponseBodyMimeType (null) text/html text/plain text/xml # Handling of file uploads SecUploadDir /srv/www/modsec #SecUploadKeepFiles Off SecUploadKeepFiles RelevantOnly SecUploadFileLimit 10 # Private temporary directory SecTmpDir /srv/www/modsec SecDataDir /srv/www/modsec # Debug log #SecDebugLog /var/log/apache2/modsec_debug.log #SecDebugLogLevel 0 # Audit log SecAuditEngine RelevantOnly #SecAuditLogRelevantStatus "^(?:5|4\d[^4])" SecAuditLogRelevantStatus ^5 #SecAuditLogParts ABIFHZ SecAuditLogParts ABIDEFGHZ #SecAuditLogType Serial SecAuditLog /var/log/apache2/modsec_audit.log SecAuditLogType Concurrent SecAuditLog "|/usr/bin/mlogc /etc/mlogc.conf" SecAuditLog2 /var/log/apache2/modsec_audit.log SecAuditLogStorageDir /srv/www/modsec/audit # Maximum request body size we will # accept for buffering #SecRequestBodyLimit 131072 SecRequestBodyLimit 33554432 # Store up to 128 KB in memory SecRequestBodyInMemoryLimit 131072 # Buffer response bodies of up to # 512 KB in length SecResponseBodyLimit 524288 SecResponseBodyLimitAction ProcessPartial # PCRE SecPcreMatchLimit 5000 SecPcreMatchLimitRecursion 5000 ########## Ruleset Configuration ########## # Create collections SecAction "phase:1,t:none,pass,nolog,initcol:global=global,initcol:ip=%{remote_addr}" # Paranoid mode SecAction "phase:1,t:none,nolog,pass,setvar:tx.paranoid_mode=0" # Anomaly scoring threshold levels SecAction "phase:1,t:none,nolog,pass,setvar:tx.inbound_anomaly_score_level=20" SecAction "phase:1,t:none,nolog,pass,setvar:tx.outbound_anomaly_score_level=15" # Anomaly scoring severity levels SecAction "phase:1,t:none,nolog,pass, \ setvar:tx.critical_anomaly_score=20, \ setvar:tx.error_anomaly_score=15, \ setvar:tx.warning_anomaly_score=10, \ setvar:tx.notice_anomaly_score=5" # HTTP policy settings SecAction "phase:1,t:none,nolog,pass,setvar:tx.max_num_args=255" #SecAction "phase:1,t:none,nolog,pass,setvar:tx.arg_name_length=100" #SecAction "phase:1,t:none,nolog,pass,setvar:tx.arg_length=400" #SecAction "phase:1,t:none,nolog,pass,setvar:tx.total_arg_length=64000" #SecAction "phase:1,t:none,nolog,pass,setvar:tx.max_file_size=1048576" #SecAction "phase:1,t:none,nolog,pass,setvar:tx.combined_file_sizes=1048576" SecAction "phase:1,t:none,nolog,pass, \ setvar:'tx.allowed_methods=GET HEAD POST OPTIONS', \ setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded multipart/form-data text/xml application/xml', \ setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1', \ setvar:'tx.restricted_extensions=.asa .asax .ascx .axd .backup .bak .bat .cdx .cer .cfg .cmd .com .config .conf .cs .csproj .csr .dat .db .dbf .dll .dos .htr .htw .ida .idc .idq .inc .ini .key .licx .lnk .log .mdb .old .pass .pdb .pol .printer .pwd .resources .resx .sql .sys .vb .vbs .vbproj .vsdisco .webinfo .xsd .xsx', \ setvar:'tx.restricted_headers=Proxy-Connection Lock-Token Content-Range Translate via if'" # Default action SecDefaultAction "phase:2,pass" # Core ruleset SecComponentSignature "core ruleset/2.0.5" Include /etc/apache2/modsecurity/base_rules/*.conf #Include /etc/apache2/modsecurity/optional_rules/*.conf ########## Global Exceptions ########## # 21_protocol_anomalies # Request Missing a Host Header SecRuleRemoveById 960008 # Request Missing a User Agent Header SecRuleRemoveById 960009 # Request Missing an Accept Header SecRuleRemoveById 960015 # Host header is a numeric IP address SecRuleRemoveById 960017 # 30_http_policy # Request content type is not allowed by policy SecRuleRemoveById 960010 # HTTP header is restricted by policy SecRuleRemoveById 960038 # 35_bad_robots # Rogue web site crawler SecRuleRemoveById 990012 ########## Application Exceptions ########## # Admin SecRuleEngine Off # WordPress Admin SecRuleEngine Off ########## Virtual Hosts Exceptions ########## SecRuleEngine Off # URL file extension is restricted by policy SecRuleRemoveById 960035 ########## Tests ##########