# Turn the filtering engine On or Off SecFilterEngine On # Change Server: string SecServerSignature "MiServidorWeb" # This setting should be set to On only if the Web site is # using the Unicode encoding. Otherwise it may interfere with # the normal Web site operation. SecFilterCheckUnicodeEncoding Off # The audit engine works independently and # can be turned On of Off on the per-server or # on the per-directory basis. "On" will log everything, # "DynamicOrRelevant" will log dynamic requests or violations, # and "RelevantOnly" will only log policy violations SecAuditEngine RelevantOnly # The name of the audit log file SecAuditLog logs/audit_log # Should mod_security inspect POST payloads SecFilterScanPOST On # Action to take by default SecFilterDefaultAction "deny,log,status:403" ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## # Require HTTP_USER_AGENT and HTTP_HOST in all requests # SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$" # Require Content-Length to be provided with # every POST request SecFilterSelective REQUEST_METHOD "^POST$" chain SecFilterSelective HTTP_Content-Length "^$" # Don't accept transfer encodings we know we don't handle # (and you don't need it anyway) SecFilterSelective HTTP_Transfer-Encoding "!^$" # Protecting from XSS attacks through the PHP session cookie SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$" SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$" SecFilter "viewtopic\.php\?" chain SecFilter "chr\(([0-9]{1,3})\)" "deny,log" # Block various methods of downloading files to a server SecFilterSelective THE_REQUEST "wget " SecFilterSelective THE_REQUEST "lynx " SecFilterSelective THE_REQUEST "scp " SecFilterSelective THE_REQUEST "ftp " SecFilterSelective THE_REQUEST "cvs " SecFilterSelective THE_REQUEST "rcp " SecFilterSelective THE_REQUEST "curl " SecFilterSelective THE_REQUEST "telnet " SecFilterSelective THE_REQUEST "ssh " SecFilterSelective THE_REQUEST "echo " SecFilterSelective THE_REQUEST "links -dump " SecFilterSelective THE_REQUEST "links -dump-charset " SecFilterSelective THE_REQUEST "links -dump-width " SecFilterSelective THE_REQUEST "links http:// " SecFilterSelective THE_REQUEST "links ftp:// " SecFilterSelective THE_REQUEST "links -source " SecFilterSelective THE_REQUEST "mkdir " SecFilterSelective THE_REQUEST "cd /tmp " SecFilterSelective THE_REQUEST "cd /var/tmp " SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy " SecFilterSelective THE_REQUEST "/config.php?v=1&DIR " SecFilterSelective THE_REQUEST "&highlight=%2527%252E " SecFilterSelective THE_REQUEST "changedir=%2Ftmp%2F.php " SecFilterSelective THE_REQUEST "arta\.zip " SecFilterSelective THE_REQUEST "cmd=cd\x20/var " SecFilterSelective THE_REQUEST "HCL_path=http " SecFilterSelective THE_REQUEST "clamav-partial " SecFilterSelective THE_REQUEST "vi\.recover " SecFilterSelective THE_REQUEST "netenberg " SecFilterSelective THE_REQUEST "psybnc " SecFilterSelective THE_REQUEST "fantastico_de_luxe " SecFilter "bcc:" SecFilter "bcc\x3a" SecFilter "cc:" SecFilter "cc\x3a" SecFilter "bcc:|Bcc:|BCC:" chain SecFilter "[A-Z0-9._%-]+@[A-Z0-9._%-]+\.[A-Z]{2,4}\,\x20[A-Z0-9._%-]+@[A-Z0-9._%-]+\.[A-Z]{2,4}" SecFilterSelective POST_PAYLOAD "Bcc:" SecFilterSelective POST_PAYLOAD "Bcc:\x20" SecFilterSelective POST_PAYLOAD "cc:" SecFilterSelective POST_PAYLOAD "cc:\x20" SecFilterSelective POST_PAYLOAD "bcc:" SecFilterSelective POST_PAYLOAD "bcc:\x20" SecFilterSelective POST_PAYLOAD "bcc: " SecFilterSelective THE_REQUEST "Bcc:" SecFilterSelective THE_REQUEST "Bcc:\x20" SecFilterSelective THE_REQUEST "cc:" SecFilterSelective THE_REQUEST "cc:\x20" SecFilterSelective THE_REQUEST "bcc:" SecFilterSelective THE_REQUEST "bcc:\x20" SecFilterSelective THE_REQUEST "bcc: " # WEB-PHP phpbb quick-reply.php arbitrary command attempt SecFilterSelective THE_REQUEST "/quick-reply\.php" chain SecFilter "phpbb_root_path=" ##phpBB Calendar Pro catergory Parameter SQL Injection SecFilterSelective THE_REQUEST "/cal_view_month\.php\?month=.*&year=.*&category=.*(UNION|SELECT|DELETE|INSERT)" #PHPBB LinksLinks Pro Module SQL Injection Vulnerability SecFilterSelective THE_REQUEST "/links\.php\?func=show&id=\'" #PHPNuke general XSS attempt #/modules.php?name=News&file=article&sid=1&optionbox= SecFilterSelective THE_REQUEST "/modules\.php\?*name=*\<*(script|about|applet|activex|chrome)*\>" # PHPNuke SQL injection attempt SecFilterSelective THE_REQUEST "/modules\.php\?*name=Search*instory=" SecFilterSelective THE_REQUEST "/modules\.php\?*name=(Search|Web_Links).*\'" #PHP-Nuke remote file include attempt SecFilterSelective THE_REQUEST "/index\.php*file=*(http|https|ftp)" #phpnuke sql insertion SecFilterSelective THE_REQUEST "/modules\.php*name=Forums.*file=viewtopic*/forum=.*\'/" #OSCommerce XSS SecFilterSelective THE_REQUEST "/default\.php\?(error_message|info_message)=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"