# ModSecurity rule set using the legacy SecFilter* directive family.
# Directive order matters here: "chain" ties a rule to the one that follows it,
# and SecFilterDefaultAction supplies the action for every rule that gives none.

# Only inspect dynamic requests
# (YOU MUST TEST TO MAKE SURE IT WORKS AS EXPECTED)
# NOTE(review): with DynamicOnly, requests that Apache serves as static content
# get no inspection at all -- confirm every script/handler path counts as "dynamic".
SecFilterEngine DynamicOnly

# Reject requests with status 403
# This is the action for every SecFilterSelective below that has no explicit
# action of its own (the phpbb2 rules and the encoding/length/transfer rules).
SecFilterDefaultAction "deny,log,status:403"

# Some sane defaults
SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilterCheckCookieFormat On
# Unicode (%u) encoding validation is deliberately off; malformed %u sequences
# are therefore not rejected by this check.
SecFilterCheckUnicodeEncoding Off

# Accept almost all byte values
# Bytes 1-255 are allowed, so only a NUL byte (0) is rejected by this check.
SecFilterForceByteRange 1 255

# Keyword tripwires for "wget" in the query string. These patterns have no
# anchors or metacharacters, so they behave as plain substring matches, and they
# look at QUERY_STRING only (not POST bodies, headers or cookies). They catch the
# literal token rather than the intent -- treat them as a detection signal, not a
# control, and review the audit log for what they actually hit.
#SecFilterSelective "QUERY_STRING" "wget" "deny,log,status:403"
SecFilterSelective "QUERY_STRING" "cmd=wget" "deny,log,status:403"
SecFilterSelective "QUERY_STRING" ";wget" "deny,log,status:403"
SecFilterSelective "QUERY_STRING" "wget " "deny,log,status:403"
SecFilterSelective "QUERY_STRING" " wget" "deny,log,status:403"

# phpbb2 (and friends?) remote code exec
# First rule: a single quote (raw, URL-encoded or double-encoded) in the
# "highlight" argument. Uses the default action above (deny, 403).
SecFilterSelective ARG_highlight "(\x27|%27|\x2527|%2527)"
# Second rule is much broader: it denies ANY request whose request line carries
# a single quote in one of those encodings, in any parameter or path, not just
# "highlight". Expect false positives on legitimate URLs containing apostrophes;
# check the audit log before keeping it enabled.
SecFilterSelective THE_REQUEST "\x27|%27|\x2527|%2527"

# Server masking is optional
# SecServerSignature "Apache"

#SecUploadDir /tmp
#SecUploadKeepFiles Off

# Only record the interesting stuff
# Log paths are relative (presumably to ServerRoot -- confirm); the audit log is
# the main evidence source for the rules above, so make sure it is retained.
SecAuditEngine RelevantOnly
SecAuditLog logs/audit_log

# You normally won't need debug logging
# Debug level 0 writes nothing; raise it only temporarily when tuning rules.
SecFilterDebugLevel 0
SecFilterDebugLog logs/modsec_debug_log

# Only accept request encodings we know how to handle
# we exclude GET requests from this because some (automated)
# clients supply "text/html" as Content-Type
# Chained pair: both halves must match. A non-GET request whose Content-Type is
# neither empty, form-urlencoded nor multipart/form-data is rejected.
SecFilterSelective REQUEST_METHOD "!^GET$" chain
SecFilterSelective HTTP_Content-Type "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data)"

# Require Content-Length to be provided with
# every POST request
# Chained pair: a POST with an empty/absent Content-Length header is rejected.
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"

# Don't accept transfer encodings we know we don't handle
# (and you don't need it anyway)
# Any non-empty Transfer-Encoding value (including "chunked") is rejected, which
# pairs with the Content-Length requirement above: bodies must be length-delimited.
SecFilterSelective HTTP_Transfer-Encoding "!^$"