株式会社ヴァンデミックシステム


Install Apache and mod_security

dnf -y install httpd
dnf -y install mod_security
systemctl enable httpd
systemctl start httpd

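Append the following to /etc/httpd/modsecurity.d/local_rules/modsecurity_localrules.conf:

# Log settings (default action: deny in phase 2, log, return status 406)
SecDefaultAction "phase:2,deny,log,status:406"

# Block requests whose URI contains etc/passwd
SecRule REQUEST_URI "etc/passwd" "id:'1000001'"

Restart Apache to load the rule:

systemctl restart httpd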

Accessing a URL that contains etc/passwd is now blocked.

The event is written to /var/log/httpd/modsec_audit.log:

--91943e32-A--
[08/Jan/2024:11:15:12.552351 +0000] ZZvZQA-g0g6EGKH2YFFc9QAAAAA 172.16.0.1 57571 10.0.3.114 80
--91943e32-B--
GET /etc/passwd HTTP/1.1
Host: 172.16.1.236
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: ja,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1

--91943e32-F--
HTTP/1.1 406 Not Acceptable
Content-Length: 249
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

--91943e32-E--

--91943e32-H--
Message: Access denied with code 406 (phase 2). Pattern match "etc/passwd" at REQUEST_URI. [file "/etc/httpd/modsecurity.d/local_rules/modsecurity_localrules.conf"] [line "14"] [id "1000001"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 172.16.0.1] ModSecurity: Access denied with code 406 (phase 2). Pattern match "etc/passwd" at REQUEST_URI. [file "/etc/httpd/modsecurity.d/local_rules/modsecurity_localrules.conf"] [line "14"] [id "1000001"] [hostname "172.16.1.236"] [uri "/etc/passwd"] [unique_id "ZZvZQA-g0g6EGKH2YFFc9QAAAAA"]
Action: Intercepted (phase 2)
Stopwatch: 1704712512551904 473 (- - -)
Stopwatch2: 1704712512551904 473; combined=38, p1=12, p2=23, p3=0, p4=0, p5=2, sr=0, sw=1, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.6 (http://www.modsecurity.org/).
Server: Apache/2.4.57 (AlmaLinux)
Engine-Mode: "ENABLED"

--91943e32-Z--
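
As an added example (not part of the original post), the following Python code parses the serial audit log format shown above and reduces each entry to the fields needed for triage. The names parse_audit_log and summarize are assumptions made for illustration, and the sample entry is constructed by trimming the log entry above.

```python
import re

# Constructed sample: the audit log entry shown above, trimmed to the parts used here.
SAMPLE = '''--91943e32-A--
[08/Jan/2024:11:15:12.552351 +0000] ZZvZQA-g0g6EGKH2YFFc9QAAAAA 172.16.0.1 57571 10.0.3.114 80
--91943e32-B--
GET /etc/passwd HTTP/1.1

--91943e32-F--
HTTP/1.1 406 Not Acceptable
--91943e32-H--
Message: Access denied with code 406 (phase 2). Pattern match "etc/passwd" at REQUEST_URI. [line "14"] [id "1000001"]
Action: Intercepted (phase 2)
--91943e32-Z--
'''

BOUNDARY = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")
HEADER = re.compile(r"^\[(.+?)\] (\S+) (\S+) (\d+) (\S+) (\d+)$")

def parse_audit_log(text):
    """Split a serial audit log into entries, each {section letter: [lines]}."""
    entries, current, section = [], None, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m and m.group(2) == "A":          # section A opens a new transaction
            current, section = {"id": m.group(1)}, "A"
        elif m and current is not None and m.group(1) == current["id"]:
            if m.group(2) == "Z":            # Z closes it; unterminated entries are dropped
                entries.append(current)
                current = None
            else:
                section = m.group(2)
        elif current is not None and line:   # blank lines inside sections are skipped
            current.setdefault(section, []).append(line)
    return entries

def summarize(entry):
    """Reduce one parsed entry to the fields needed for triage."""
    head = HEADER.match(entry.get("A", [""])[0])
    hdr = entry.get("H", [])
    return {
        "time": head.group(1) if head else None,
        "unique_id": head.group(2) if head else None,   # also appears in the Apache error log
        "client_ip": head.group(3) if head else None,
        "request": entry.get("B", [None])[0],
        "status": entry.get("F", [None])[0],
        "rule_ids": [i for ln in hdr if ln.startswith("Message:") for i in re.findall(r'\[id "(\d+)"\]', ln)],
        "intercepted": any(ln.startswith("Action: Intercepted") for ln in hdr),
    }
```

To run it against the real log, pass the contents of /var/log/httpd/modsec_audit.log to parse_audit_log and call summarize on each returned entry.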
