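# OpenRat content management system - mod-security
# ..................................................
#
# This is a configuration file for mod-security users.
# If you do not use mod-security, you do not need this file :)
#
# Status: work in progress.
#
# THIS CONFIGURATION IS IN WORK - DO NOT USE IT
#
# Rule order matters: a rule that matches with the default action ("deny",
# see SecFilterDefaultAction below) rejects the request immediately, and a
# rule that matches with "allow" ends filtering for that request. The rules
# are therefore ordered: request-level checks, parameter checks,
# action/subaction whitelist, catch-all fallback, output filtering.
#
# $Id$

<IfModule mod_security.c>

# Switch the filter engine on - can be (de)activated per VHost
SecFilterEngine On
#SecFilterEngine DynamicOnly
#

# Enable validation of URL encoding
SecFilterCheckURLEncoding On

# Enable Unicode validation
#SecFilterCheckUnicodeEncoding On

# Process HTTP POST data
SecFilterScanPOST On
#SecFilterSelective HTTP_Content-Type "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data;)"
SecFilterSelective HTTP_Content-Type "!(^$|^text/xml.*|^application/x-www-form-urlencoded$|^multipart/form-data;)"

# Require Content-Length to be provided with
# every POST request
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"

# Disable "Chunked Transfer Encoding"
SecFilterSelective HTTP_Transfer-Encoding "!^$"

#SecFilterForceByteRange 32 126
#SecFilterForceByteRange 32 160
# NOTE(review): bytes 9 (TAB) and 13 (CR) fall outside this range, so
# multi-line form fields submitted with CRLF line endings may be rejected
# - confirm against the forms this is meant to protect.
SecFilterForceByteRange 10 255

# Default action for matching filter rules
SecFilterDefaultAction "deny,log,status:403"
#SecFilterDefaultAction "deny,log,status:'Aktuelle sicherheitseinstellungen verbieten einen Zugriff auf diese Seite'"

# Include filter rules from mod-security.d
# Include /etc/mod-security.d/[^.#]*

SecAuditEngine RelevantOnly

# Audit log of relevant (rejected) requests. Keep it in the web server's
# log directory rather than /tmp: /tmp is world-writable, so a log placed
# there can be tampered with by other local users, and it is usually
# cleared on reboot. Adjust the path to your distribution's layout, and
# don't forget to rotate the logfile.
SecAuditLog /var/log/apache2/security-audit.log

# Fake the ServerSignature - requires ServerTokens Full
#SecServerSignature "OpenRat Server"

SecFilter /bin/sh


# Images and other static files
SecFilterSelective REQUEST_FILENAME "^.*\.(png|jpe?g|gif|css|js)$" allow

# Start page
# NOTE(review): "allow" ends filtering for the request, so every URI ending
# in "/" skips all parameter checks below. Consider anchoring this rule on
# the actual start page path instead of a bare trailing slash.
SecFilterSelective REQUEST_URI "^.*/$" allow
#SecFilterSelective SCRIPT_FILENAME "!^do\.php[3-5]?$"



# Parameter whitelist (to be done, need a good way)
#SecFilterSelective ARGS_NAMES "!^(targetSubAction|subaction|action|oi|id)$" chain
#SecFilterSelective ARGS_NAMES "!^(login_name|login_password)$" chain
#SecFilterSelective ARGS_NAMES "!^(elementid|dbid|ok|screenwidth|src|text)$" chain
#SecFilterSelective ARGS_NAMES "!^(obj[0-9]+|type|valueid|release|objectid1|objectid2|commit|ids)$" chain
#SecFilterSelective ARGS_NAMES "!^(groupid|username|name|fullname|desc|description|templateid)$" chain
#SecFilterSelective ARGS_NAMES "!^(tel|ldap_dn|style|is_admin|ok|act_password|password1?|password2|e?mail|random|timeout|code|confirm)$" chain
#SecFilterSelective ARGS_NAMES "!^(addelement|addicon|addifempty|addifnotempty|elementid|iconid|ifemptyid|ifnotemptyid|with_icon|all_languages|writable|wiki|html|default_longtext|subtypes|subtype)$" chain
#SecFilterSelective ARGS_NAMES "!^(target_dir|ftp_url|ftp_passive|cmd_after_publish|content_negotiation|cut_index)$"

# Generic parameter-name check: a lowercase letter followed by lowercase
# letters, digits or underscores. Note that this rejects every parameter
# name containing uppercase letters, e.g. "targetSubAction" from the draft
# whitelist above or "PHPSESSID" from the session rules below.
SecFilterSelective ARGS_NAMES "!^[a-z][a-z0-9_]*[0-9]*$"

# Individual parameters
SecFilterSelective ARG_id "!^[0-9-]*$"

# Session id (adjust if necessary)
SecFilterSelective ARG_oi "!^[a-f0-9]*$"
# NOTE(review): because the ARGS_NAMES rule above denies uppercase parameter
# names, a request carrying PHPSESSID as a parameter appears to be rejected
# before this rule is reached; keep the two rules consistent.
SecFilterSelective ARG_PHPSESSID "!^[a-f0-9]*$"
SecFilterSelective ARG_sessionid "!^[a-f0-9]*$"
SecFilterSelective ARG_sid "!^[a-f0-9]*$"

# Login name and password fields.
# NOTE(review): the password rules reject any password containing characters
# other than letters, digits, "_" and "-", which rules out most special
# characters - confirm this matches the intended password policy.
SecFilterSelective ARG_login_name "!^[A-Za-z0-9_-]*$"
SecFilterSelective ARG_login_password "!^[A-Za-z0-9_-]*$"
SecFilterSelective ARG_password1 "!^[A-Za-z0-9_-]*$"
SecFilterSelective ARG_password2 "!^[A-Za-z0-9_-]*$"
SecFilterSelective ARG_password "!^[A-Za-z0-9_-]*$"

# Action and subaction may only consist of lowercase letters
SecFilterSelective ARG_action "!^[a-z]*$"
SecFilterSelective ARG_subaction "!^[a-z]*$"

# Numeric ids and simple text fields
SecFilterSelective ARG_elementid "!^[0-9]*$"
SecFilterSelective ARG_objectid1 "!^[0-9]*$"
SecFilterSelective ARG_objectid2 "!^[0-9]*$"
SecFilterSelective ARG_dbid "!^[a-zA-Z0-9_-]*$"
SecFilterSelective ARG_tel "!^[a-zA-Z0-9_ -]*$"
SecFilterSelective ARG_desc "!^[a-zA-Z0-9_-]*$"
SecFilterSelective ARG_mail "!^[a-zA-Z0-9_\.@-]*$"

SecFilterSelective ARG_style "!^[a-zA-Z0-9_-]*$"
SecFilterSelective ARG_ldap_dn "!^[a-zA-Z0-9_=;,-]*$"
# Flag parameters: empty or "1" only
SecFilterSelective ARG_is_admin "!^1?$"
SecFilterSelective ARG_email "!^1?$"
SecFilterSelective ARG_random "!^1?$"
SecFilterSelective ARG_timeout "!^1?$"
SecFilterSelective ARG_cut_index "!^1?$"
SecFilterSelective ARG_content_negotiation "!^1?$"
SecFilterSelective ARG_ftp_passive "!^1?$"
#SecFilterSelective ARG_cmd_after_publish "!^[a-zA-Z0-9_\/]+$"



# Actions: for each action, the permitted subactions. A matching pair ends
# filtering ("allow"); a pair that does not match falls through to the
# next rule.
SecFilterSelective ARG_action "^index$" chain
SecFilterSelective ARG_subaction "^(|project|object|projectmenu|administration|changepassword|register|registercode|registercommit|password|showlogin|login|logout|setnewpassword)$" allow

SecFilterSelective ARG_action "^folder$" chain
SecFilterSelective ARG_subaction "^(|show|save|create|pub|prop|saveprop|rights|createfolder|createpage|createlink|createfile|createnewfolder|createnewpage|createnewlink|createnewfile|edit|changesequence|multiple|order|settop|setbottom|select)$" allow

SecFilterSelective ARG_action "^(file|page|link|folder)$" chain
SecFilterSelective ARG_subaction "^(|aclform|addacl|delacl|pubnow)$" allow

SecFilterSelective ARG_action "^page$" chain
SecFilterSelective ARG_subaction "^(|show|save|edit|el|pub|prop|src|rights|saveprop)$" allow

SecFilterSelective ARG_action "^file$" chain
SecFilterSelective ARG_subaction "^(|show|save|pub|prop|rights)$" allow

SecFilterSelective ARG_action "^link$" chain
SecFilterSelective ARG_subaction "^(|show|edit|save|pub|prop|rights)$" allow

SecFilterSelective ARG_action "^pageelement$" chain
SecFilterSelective ARG_subaction "^(|save|editlink|editlist|editdate|savedate|savelist|savelink|editlongtext|archivelink|archivelongtext|diff|savelongtext)$" allow

SecFilterSelective ARG_action "^(main|mainmenu)$" chain
SecFilterSelective ARG_subaction "^(folder|page|pageelement|file|link|template|language|model|search|project|user|group|element)$" allow

SecFilterSelective ARG_action "^template$" chain
SecFilterSelective ARG_subaction "^(|prop|el|listing|show|edit|src|srcaddelement)$" allow

SecFilterSelective ARG_action "^tree$" chain
SecFilterSelective ARG_subaction "^(load|open|close)$" allow

SecFilterSelective ARG_action "^border$" chain
SecFilterSelective ARG_subaction "^(|show)$" allow

SecFilterSelective ARG_action "^background$" chain
SecFilterSelective ARG_subaction "^(|show)$" allow

SecFilterSelective ARG_action "^title$" chain
SecFilterSelective ARG_subaction "^(|show)$" allow

SecFilterSelective ARG_action "^treetitle$" chain
SecFilterSelective ARG_subaction "^(|show)$" allow

SecFilterSelective ARG_action "^model$" chain
SecFilterSelective ARG_subaction "^(|list|setdefault|save|edit|remove)$" allow

SecFilterSelective ARG_action "^language$" chain
SecFilterSelective ARG_subaction "^(|listing|add|edit|remove)$" allow

SecFilterSelective ARG_action "^search$" chain
SecFilterSelective ARG_subaction "^(|prop|content)$" allow

SecFilterSelective ARG_action "^project$" chain
SecFilterSelective ARG_subaction "^(|listing|edit|save|add|remove|maintanance)$" allow

SecFilterSelective ARG_action "^user$" chain
SecFilterSelective ARG_subaction "^(|listing|edit|save|add|remove|groups|pw|rights|pwchange|addgrouptouser|adduser|delete)$" allow

SecFilterSelective ARG_action "^group$" chain
SecFilterSelective ARG_subaction "^(|listing|edit|save|add|remove|users)$" allow

SecFilterSelective ARG_action "^profile$" chain
SecFilterSelective ARG_subaction "^(|edit|saveprofile|savepw|pwchange)$" allow

SecFilterSelective ARG_action "^element$" chain
SecFilterSelective ARG_subaction "^(|properties|saveproperties|name|remove|type|delete)$" allow



# Temporarily log everything and still allow it for now.
# NOTE: while this rule is active the deny fallback below is never reached;
# remove it once the action/subaction whitelist above is complete.
SecFilter ".*" log,allow

# Fallback: reject everything.
SecFilter ".*"



# Output filtering: do not let PHP error output reach the client
SecFilterScanOutput On
SecFilterSelective OUTPUT "Fatal error:" deny,status:500
SecFilterSelective OUTPUT "Parse error:" deny,status:500

</IfModule>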