本文展示了如何安装和配置mod_security。mod_security是一个Apache模块（适用于Apache 1和2），为web应用程序提供入侵检测和防御。它旨在保护web应用程序免受已知和未知的攻击，如SQL注入攻击、跨站脚本攻击、路径遍历攻击等。

在第一章中，我将展示如何在Debian Sarge、Ubuntu 6.06 LTS（Dapper Drake）和Fedora Core 5上安装mod_security，在第二章中，我们将描述如何为独立于您使用的发行版的mod_securities配置Apache。

首先，我想说，这不是建立这样一个系统的唯一途径。实现这一目标的方法有很多，但这是我采取的方式。我不能保证这对你有用！

1安装

1.1 Debian Sarge
mod_security在默认的Debian存储库中作为Debian软件包提供，因此安装就这么简单：

apt-get install libapache2-mod-security
a2enmod mod-security
/etc/init.d/apache2 force-reload

1.2 Ubuntu 6.06 LTS（Dapper Drake）
安装与Debian Sarge完全相同：

apt-get install libapache2-mod-security
a2enmod mod-security
/etc/init.d/apache2 force-reload

1.3 Fedora Core 5
在Fedora上，您可以按如下方式安装和激活mod_security：

yum install mod_security
/etc/init.d/httpd restart

现在，您应该找到/etc/httpd/conf.d/mod_security.conf文件，其中已经包含基本的mod_security配置：

vi /etc/httpd/conf.d/mod_security.conf

# Example configuration file for the mod_security Apache module

LoadModule security_module modules/mod_security.so

# Turn the filtering engine On or Off
SecFilterEngine On

# The audit engine works independently and
# can be turned On of Off on the per-server or
# on the per-directory basis
SecAuditEngine RelevantOnly

# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On

# Unicode encoding check
SecFilterCheckUnicodeEncoding On

# Only allow bytes from this range
SecFilterForceByteRange 1 255

# Cookie format checks.
SecFilterCheckCookieFormat On

# The name of the audit log file
SecAuditLog logs/audit_log

# Should mod_security inspect POST payloads
SecFilterScanPOST On

# Default action set
SecFilterDefaultAction “deny,log,status:406”

# Simple example filter
# SecFilter 111

# Prevent path traversal (..) attacks
# SecFilter “\.\./”

# Weaker XSS protection but allows common HTML tags
# SecFilter “<( |\n)*script" # Prevent XSS atacks (HTML/Javascript injection) # SecFilter "<(.|\n)+>“

# Very crude filters to prevent SQL injection attacks
# SecFilter “delete[[:space:]]+from”
# SecFilter “insert[[:space:]]+into”
# SecFilter “select.+from”

# Require HTTP_USER_AGENT and HTTP_HOST headers
SecFilterSelective “HTTP_USER_AGENT|HTTP_HOST” “^$”

# Only accept request encodings we know how to handle
# we exclude GET requests from this because some (automated)
# clients supply “text/html” as Content-Type
SecFilterSelective REQUEST_METHOD “!^GET$” chain
SecFilterSelective HTTP_Content-Type “!(^$|^application/x-www-form-urlencoded$|^multipart/form-data)”

# Require Content-Length to be provided with
# every POST request
SecFilterSelective REQUEST_METHOD “^POST$” chain
SecFilterSelective HTTP_Content-Length “^$”

# Don’t accept transfer encodings we know we don’t handle
# (and you don’t need it anyway)
SecFilterSelective HTTP_Transfer-Encoding “!^$”

# Some common application-related rules from
# http://modsecrules.monkeydev.org/rules.php?safety=safe

#Nuke Bookmarks XSS
SecFilterSelective THE_REQUEST “/modules\.php\?name=Bookmarks\&file=(del_cat\&catname|del_mark\&markname|edit_cat\&catname|edit_cat\&catcomment|marks\&catname|uploadbookmarks\&category)=(<[[:space:]]*script|(http|https|ftp)\:/)" #Nuke Bookmarks Marks.php SQL Injection Vulnerability SecFilterSelective THE_REQUEST "modules\.php\?name=Bookmarks\&file=marks\&catname=.*\&category=.*/\*\*/(union|select|delete|insert)" #PHPNuke general XSS attempt #/modules.php?name=News&file=article&sid=1&optionbox= SecFilterSelective THE_REQUEST "/modules\.php\?*name=<[[:space:]]*script" # PHPNuke SQL injection attempt SecFilterSelective THE_REQUEST "/modules\.php\?*name=Search*instory=" #phpnuke sql insertion SecFilterSelective THE_REQUEST "/modules\.php*name=Forums.*file=viewtopic*/forum=.*\'/" # WEB-PHP phpbb quick-reply.php arbitrary command attempt SecFilterSelective THE_REQUEST "/quick-reply\.php" chain SecFilter "phpbb_root_path=" #Topic Calendar Mod for phpBB Cross-Site Scripting Attack SecFilterSelective THE_REQUEST "/calendar_scheduler\.php\?start=(<[[:space:]]*script|(http|https|ftp)\:/)" # phpMyAdmin: Safe #phpMyAdmin Export.PHP File Disclosure Vulnerability SecFilterSelective SCRIPT_FILENAME "export\.php$" chain SecFilterSelective ARG_what "\.\." #phpMyAdmin path vln SecFilterSelective REQUEST_URI "/css/phpmyadmin\.css\.php\?GLOBALS\[cfg\]\[ThemePath\]=/etc"

您可以保留此配置，但为了更好地了解mod_security可以做什么，您应该注释掉部分，重新启动Apache，并按照第2章进行操作。之后，您可以创建自己的mod_security规则集，或者切换回这个规则集。