LoadModule security_module extramodules/mod_security.so
# Examples below are taken from the online documentation
# Refer to:
# http://www.modsecurity.org/documentation/quick-examples.html
# Turn the filtering engine On or Off
SecFilterEngine On
# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On
# Only allow bytes from this range
SecFilterForceByteRange 32 126
# The audit engine works independently and
# can be turned On of Off on the per-server or
# on the per-directory basis. "On" will log everything,
# "DynamicOrRelevant" will log dynamic requests or violations,
# and "RelevantOnly" will only log policy violations
SecAuditEngine RelevantOnly
# The name of the audit log file
SecAuditLog logs/audit_log
SecFilterDebugLog logs/modsec_debug_log
SecFilterDebugLevel 0
# Should mod_security inspect POST payloads
SecFilterScanPOST On
# Action to take by default
SecFilterDefaultAction "deny,log,status:500"
# Redirect user on filter match
SecFilter xxx redirect:http://www.webkreator.com
# Execute the external script on filter match
SecFilter yyy log,exec:/home/users/ivanr/apache/bin/report-attack.pl
# Simple filter
SecFilter 111
# Only check the QUERY_STRING variable
SecFilterSelective QUERY_STRING 222
# Only check the body of the POST request
SecFilterSelective POST_PAYLOAD 333
# Only check arguments (will work for GET and POST)
SecFilterSelective ARGS 444
# Test filter
SecFilter "/cgi-bin/modsec-test.pl/keyword"
# Another test filter, will be denied with 404 but not logged
# action supplied as a parameter overrides the default action
SecFilter 999 "deny,nolog,status:500"
# Prevent OS specific keywords
SecFilter /etc/passwd
# Prevent path traversal (..) attacks
SecFilter "\.\./"
# Weaker XSS protection but allows common HTML tags
SecFilter "<[[:space:]]*script"
# Prevent XSS atacks (HTML/Javascript injection)
SecFilter "<(.|\n)+>"
# Very crude filters to prevent SQL injection attacks
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"
# Require HTTP_USER_AGENT and HTTP_HOST headers
SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"
# Forbid file upload
SecFilterSelective "HTTP_CONTENT_TYPE" multipart/form-data
# Only watch argument p1
SecFilterSelective "ARG_p1" 555
# Watch all arguments except p1
SecFilterSelective "ARGS|!ARG_p2" 666
# Only allow our own test utility to send requests (or Mozilla)
SecFilterSelective HTTP_USER_AGENT "!(mod_security|mozilla)"
# Do not allow variables with this name
SecFilterSelective ARGS_NAMES 777
# Do now allow this variable value (names are ok)
SecFilterSelective ARGS_VALUES 888
# Test for a POST variable parsing bug, see test #41
SecFilterSelective ARG_p2 AAA
# Stop spamming through FormMail
# note the exclamation mark at the beginning
# of the filter - only requests that match this regex will
# be allowed
SecFilterSelective "ARG_recipient" "!@webkreator.com$"
# when allowing upload, only allow images
# note that this is not foolproof, a determined attacker
# could get around this
SecFilterInheritance Off
SecFilterSelective POST_PAYLOAD "!image/(jpeg|bmp|gif)"