Author  Topic: Some questions about mod_security  (Read 7273 times)

fz150n
Some questions about mod_security
« on: 2006-05-27 19:28 »
I'd like to ask something.

A while ago I posted about my web server's files being hotlinked. Even with the rewrite engine it had no effect, so I've now switched to
mod_security, and I get records like these:


access_log
Code:
70.35.23.196 - - [27/May/2006:19:11:14 +0800] "GET /somewhere/c/somepict.JPG HTTP/1.1" 200 73498 "http://profile.myspace.com/index.cfm?fuseaction=user.viewprofile&friendid=2348777" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/312.8 (KHTML, like Gecko) Safari/312.6"

error_log
Code:
70.35.23.196 - - [27/May/2006:19:11:14 +0800] "GET /somewhere/c/somepict.JPG HTTP/1.1" 200 73498 "http://profile.myspace.com/index.cfm?fuseaction=user.viewprofile&friendid=2348777" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/312.8 (KHTML, like Gecko) Safari/312.6"

modsec_audit.log
Code:
Request: www.example.com.tw 70.35.23.196 - - [27/May/2006:19:11:16 +0800] "GET /somewhere/c/somepict.JPG HTTP/1.1" 200 73498 "http://profile.myspace.com/index.cfm?fuseaction=user.viewprofile&friendid=2348777" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/312.8 (KHTML, like Gecko) Safari/312.6" - "-"

Judging by the HTTP status code, 200, doesn't that mean this access actually
still succeeded?

This is my mod_security configuration:
Code:
SecFilterSelective HTTP_Referer|ARGS "\.myspace\.com"

What should I do to block this hotlinking effectively?  profile.myspace.com

Thanks!

fz150n
Some questions about mod_security
« Reply #1 on: 2006-05-27 23:06 »
After reading the documentation more carefully, I think the cause was that no ACTION was specified.
So I built my own hotlink blacklist
and added one option:

SecFilterDefaultAction "deny,status:404"

Code:
SecFilterDefaultAction "deny,status:404"
SecFilterSelective HTTP_Referer|ARGS "\.myspace\.com"
SecFilterSelective HTTP_Referer|ARGS "\.dvd4arab\.com"
SecFilterSelective HTTP_Referer|ARGS "\.thaidvd\.net"
SecFilterSelective HTTP_Referer|ARGS "\.invisionfree\.com"
SecFilterSelective HTTP_Referer|ARGS "\.midnightthailand\.com"
SecFilterSelective HTTP_Referer|ARGS "\.alsayra\.com"
SecFilterSelective HTTP_Referer|ARGS "\.blogtw\.com"
SecFilterSelective HTTP_Referer|ARGS "\.oxxk\.com"
SecFilterSelective HTTP_Referer|ARGS "\.ccmove\.com"
SecFilterSelective HTTP_Referer|ARGS "\.blogspot\.com"
SecFilterSelective HTTP_Referer|ARGS "\.nexopia\.com"
SecFilterSelective HTTP_Referer|ARGS "\.toplog\.nl"
SecFilterSelective HTTP_Referer|ARGS "\.splinder\.com"
SecFilterSelective HTTP_Referer|ARGS "\.the-internationals\.com"
SecFilterSelective HTTP_Referer|ARGS "\.ath\.cx"
SecFilterSelective HTTP_Referer|ARGS "\.btuga\.info"
SecFilterSelective HTTP_Referer|ARGS "\.movie-family\.de"
SecFilterSelective HTTP_Referer|ARGS "\.lide\.cz"
SecFilterSelective HTTP_Referer|ARGS "\.blogcn\.com"
SecFilterSelective HTTP_Referer|ARGS "\.warez4ever\.net"
SecFilterSelective HTTP_Referer|ARGS "\.tracker\.traasje\.nl"


The result is finally what I wanted:

Quote:
82.52.67.188 - - [27/May/2006:22:52:54 +0800] "GET /somewhere/somepict.JPG HTTP/1.1" 404 1229 "http://profile.myspace.com/index.cfm?fuseaction=user.viewprofile&friendid=24065413" "Mozilla/5.0 (Windows; U; Windows NT 5.1; it-IT; rv:1.7.6) Gecko/20050226 Firefox/1.0.1"
24.98.140.78 - - [27/May/2006:22:53:01 +0800] "GET /somewhere/somepict.JPG HTTP/1.1" 404 1227 "http://profile.myspace.com/index.cfm?fuseaction=user.viewprofile&friendid=7429408" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/418 (KHTML, like Gecko) Safari/417.9.3"
216.43.46.3 - - [27/May/2006:22:53:21 +0800] "GET /somewhere/somepict.JPG HTTP/1.1" 404 1319 "http://profile.myspace.com/index.cfm?fuseaction=user.viewprofile&friendid=33780113&MyToken=6e5934b6-e93b-4c81-8eae-2c5092399c9f" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FunWebProducts; .NET CLR 1.1.4322; HbTools 4.7.7)"
71.247.230.34 - - [27/May/2006:22:53:51 +0800] "GET /somewhere/somepict.JPG HTTP/1.1" 404 1229 "http://profile.myspace.com/index.cfm?fuseaction=user.viewprofile&friendid=18218859" "Mozilla/4.0 (compatible; MSIE 6.0; America Online Browser 1.1; rev1.2; Windows NT 5.1; SV1; FunWebProducts; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"


Without status:404, I was worried the blocked sites would be unhappy,
because by default an access-forbidden error is shown, so I changed the default to 404 Not Found.

As for why I want to block them: it's not that my site holds any confidential data, it's just that letting people hotlink for fun,
with limited bandwidth, gets a bit $@#$!@#:

These are the awstats statistics:
Quote:
http://profile.myspace.com/index.cfm   64733
http://www.dvd4arab.com/forums/showthread.php   3569
http://www.thaidvd.net/forum/upload/index.php   1150
http://s14.invisionfree.com/Da_DC_Board/index.php   1087
http://82.192.81.14   854
http://www.midnightthailand.com   790
http://www.alsayra.com/vb/showthread.php   750
http://www.blogtw.com/blog.php   540
http://www.oxxk.com/vod/mlist.asp   525
http://blog.ccmove.com/joebow/   525
http://sharingmania.blogspot.com/2005_12_01_sharingmania_archive...   497
http://www.nexopia.com/profile.php   494
http://kiara15.toplog.nl   432
http://interzoneblog.splinder.com   378
http://torrent.the-internationals.com/details.php   369
http://tnt-torrents.ath.cx/index.php   354
http://www.btuga.info/viewthread.php   343
http://www.movie-family.de   336
http://82.192.81.14/details.php   332
http://blog.lide.cz/Michelle8/   324
http://www.blogcn.com/User13/crow119/index.html   317
http://warez4ever.net/modules.php   249
http://tracker.traasje.nl   214
http://www.bloghk.com/blog.php   202
http://dir.yam.com/ent/movies/mov%5Fpos/   197
http://www.hi5.com/friend/profile/displayProfile.do   196
http://nest.munihei.de/index.php   180
http://comments.myspace.com/index.cfm   179
http://www.newsgarden.net/modules.php   158
http://www.sharezade.net/index.php   158
http://www.blog.central.is/fannyfrikka   150
http://movie.eooeo.com/yule/movie/oumei/   135
http://blog.myspace.com/index.cfm   125
http://mazecontroller.livejournal.com   111
http://partyflock.nl/user/193355.html   108



Look, myspace.com alone accounts for a pile of links, and I have no partnership with them,
so blocking it is only fair, right~   :D  :D


Note:

mod_security is not installed with apache by default; the latest version is currently 1.9.4. Those interested can refer to:

Official homepage:
http://www.modsecurity.org/index.php

Introduction:
http://www.onlamp.com/pub/a/apache/2003/11/26/mod_security.html

Rules written by experts:
http://www.gotroot.com/tiki-index.php?page=mod_security+rules

Installing mod_security requires the httpd-devel package and other related packages; when something is missing, just fetch and install it.

Code:
apxs -cia mod_security.c

After installation the module is placed in the specified directory automatically, but don't restart httpd yet: first unpack the rules you may need and put them in the relevant location, e.g. /etc/httpd/conf.d on Fedora.
Then edit whatever needs changing, and finally restart or reload the service.

I'd recommend that everyone make more use of this module. Never mind hotlinking: many intrusions plant malicious programs through web pages. Patching and updating are of course necessary, but if some ready-made packages can add a bit more protection to your own site, I think security can still be improved somewhat.
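As an added example (not code from the thread or from mod_security), the following Python script re-applies the Referer blacklist from the rules above to combined-format access_log lines and flags "leaked" requests, i.e. hotlinks that matched a pattern but were still served with 200 (the situation in the first post), as opposed to "blocked" ones answered with the configured 404. The sample log and the 192.0.2.x addresses are constructed; only three of the blacklist patterns are included.

```python
import re
# Apache "combined" log format, the format of the access_log lines in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Three of the Referer patterns from the SecFilterSelective blacklist above. mod_security
# applies them as unanchored regex searches, so re.search() is the right analogue.
BLACKLIST = [r"\.myspace\.com", r"\.dvd4arab\.com", r"\.thaidvd\.net"]

# Constructed sample log (User-Agent strings shortened): line 1 mirrors the first post
# (still served), line 2 the second post (denied with 404); lines 3 and 4 are legitimate.
SAMPLE_LOG = """\
70.35.23.196 - - [27/May/2006:19:11:14 +0800] "GET /somewhere/c/somepict.JPG HTTP/1.1" 200 73498 "http://profile.myspace.com/index.cfm?fuseaction=user.viewprofile&friendid=2348777" "Mozilla/5.0"
82.52.67.188 - - [27/May/2006:22:52:54 +0800] "GET /somewhere/somepict.JPG HTTP/1.1" 404 1229 "http://profile.myspace.com/index.cfm?fuseaction=user.viewprofile&friendid=24065413" "Mozilla/5.0"
192.0.2.10 - - [27/May/2006:22:55:00 +0800] "GET /somewhere/somepict.JPG HTTP/1.1" 200 73498 "http://www.example.com.tw/gallery.html" "Mozilla/5.0"
192.0.2.11 - - [27/May/2006:22:56:00 +0800] "GET /somewhere/somepict.JPG HTTP/1.1" 200 73498 "-" "Mozilla/5.0"
"""

def parse_combined(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def blacklisted(referer, patterns=BLACKLIST):
    """Return the first blacklist pattern matching the Referer, or None."""
    for pat in patterns:
        if re.search(pat, referer):
            return pat
    return None

def audit(log_text, patterns=BLACKLIST, deny_status="404"):
    """Classify each request: 'blocked' (blacklisted Referer answered with deny_status),
    'leaked' (blacklisted Referer but still served: filter not enforced) or 'allowed'."""
    rows = []
    for line in log_text.splitlines():
        rec = parse_combined(line)
        if rec is None:
            continue  # skip lines that are not in combined format
        pat = blacklisted(rec["referer"], patterns)
        if pat is None:
            verdict = "allowed"
        elif rec["status"] == deny_status:
            verdict = "blocked"
        else:
            verdict = "leaked"
        rows.append((rec["ip"], rec["status"], pat, verdict))
    return rows
```

Run `audit(open("access_log").read())` after reloading httpd: any "leaked" row means the filter matched on paper but the request was still served, which is what the 200 in the first post showed.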