ModSecurity is powerful and CyberPanel is rock solid; together they are an unbeatable combination. The only weak spot is that the default "ModSecurity Rules" are far too thin, just this one line:
SecRule ARGS "\.\./" "t:normalisePathWin,id:99999,severity:4,msg:'Drive Access' ,log,auditlog,deny"
Let's improve the "ModSecurity Rules" so they are more reliable:
Note: CyberPanel may report an error when you paste this in. That is a character-encoding problem caused by non-ASCII text (the comments were originally written in Chinese); the quickest fix is to strip the comment lines from the block below.
# ========================
# Custom ModSecurity Rules for CyberPanel on Ubuntu 20.04
# Created by Assistant for User
# ========================
# --- 1. Core settings ---
# Rule engine mode: On (block), DetectionOnly (log only) or Off.
# Run a new rule set in DetectionOnly first and review the audit log: several
# of the keyword lists below (select, update, cat, id, http://) also occur in
# ordinary form input.
SecRuleEngine On
# Request and response body inspection
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType text/plain text/html text/xml application/json
# Default action inherited by rules that use "block": log, write an audit log
# entry and answer 403 (one directive per phase the rules below use)
SecDefaultAction "phase:1,log,auditlog,deny,status:403"
SecDefaultAction "phase:2,log,auditlog,deny,status:403"
# --- 2. Generic attack protection ---
# 2.1 SQL injection (SQLi)
# Common SQL keywords and operators. Expect false positives: words such as
# "select", "update" or "and 1" appear in normal text, so tune or exclude
# noisy parameters.
SecRule ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:User-Agent "@rx (?i)(?:\b(?:union|select|insert|update|delete|drop|alter|create|rename|truncate|load_file|outfile|sleep|benchmark)\b|\d\s*'|'\s*\d|\b(?:or|xor|and)\b\s*[\d'\"])" \
    "id:1000,\
    phase:2,\
    block,\
    t:none,t:lowercase,\
    msg:'SQL Injection Attack Detected',\
    logdata:'Matched Data: %{MATCHED_VAR}',\
    severity:'CRITICAL',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-sqli'"
# 2.2 Cross-site scripting (XSS)
# HTML/JS tags and event handlers
SecRule ARGS|REQUEST_HEADERS|REQUEST_BODY "@rx (?i)(?:<script|javascript:|onload\s*=|onerror\s*=|onmouseover\s*=|eval\(|alert\(|document\.cookie)" \
    "id:1001,\
    phase:2,\
    block,\
    t:none,t:lowercase,\
    msg:'XSS Attack Attempt Detected',\
    logdata:'Matched Data: %{MATCHED_VAR}',\
    severity:'CRITICAL',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-xss'"
# 2.3 Remote command/code execution (RCE)
# Shell metacharacters and common command names. The bare command words
# (id, cat, dir, echo, ...) are noisy on free-text fields.
SecRule ARGS|REQUEST_HEADERS|REQUEST_BODY "@rx (?i)(?:\b(?:bash|sh|cmd|powershell|python|perl|php)\s*-c|\b(?:whoami|id|ifconfig|ipconfig|ls|dir|cat|echo|curl|wget|ftp)\b|\|\s*\||&\s*&|;\s*;|`|\$(?:\(|\{))" \
    "id:1002,\
    phase:2,\
    block,\
    t:none,t:lowercase,\
    msg:'Remote Command Execution Attempt',\
    logdata:'Matched Data: %{MATCHED_VAR}',\
    severity:'CRITICAL',\
    tag:'attack-rce'"
# 2.4 Local/remote file inclusion (LFI/RFI)
# Traversal sequences, PHP/remote stream wrappers and sensitive path prefixes.
# Only ARGS is inspected: in request headers this pattern would hit the
# Referer/Origin URL of every navigation and the word "Windows" in User-Agent.
# The path words must be bounded by slashes (/etc/, /proc/, ...) so that plain
# English such as "home" or "root" does not match. Any field that legitimately
# carries a URL (a "website" field, post content with links) still matches the
# https?:// branch; exclude such parameters with ctl:ruleRemoveTargetById.
SecRule ARGS "@rx (?i)(?:\.\./|\.\.\\|file://|php://input|php://filter|expect://|https?://|ftp://|/(?:etc|proc|usr|home|root|windows|winnt)/)" \
    "id:1003,\
    phase:2,\
    block,\
    t:none,t:lowercase,\
    msg:'File Inclusion Attack Attempt',\
    logdata:'Matched Data: %{MATCHED_VAR}',\
    severity:'CRITICAL',\
    tag:'attack-lfi',\
    tag:'attack-rfi'"
# 2.5 Session fixation
# Disabled: the comparison needs a SESSION collection initialised with setsid
# from the application's session cookie. Without one %{SESSION.ID} expands to
# an empty string and the rule rejects every request that carries a cookie.
# SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/ "!@streq %{SESSION.ID}" \
#     "id:1004,\
#     phase:2,\
#     block,\
#     msg:'Session Fixation Attack Attempt',\
#     tag:'attack-session-fixation'"
# --- 3. Scanner and bot protection ---
# 3.1 Block well-known vulnerability scanners by User-Agent.
# The list file must exist (one User-Agent fragment per line) or the engine
# refuses to load the rule set.
SecRule REQUEST_HEADERS:User-Agent "@pmf /usr/local/lsws/conf/modsec/scanner-user-agents.list" \
    "id:2000,\
    phase:1,\
    deny,\
    msg:'Scanner Detected via User-Agent',\
    logdata:'Scanner User-Agent: %{MATCHED_VAR}',\
    severity:'WARNING',\
    tag:'hostile-scanner'"
# 3.2 Block specific hostile IPs (you need to create this list file first).
# @ipMatchFromFile compares addresses and CIDR ranges; @pmf would be a
# substring match, so 10.0.0.1 in the list would also block 10.0.0.10.
# SecRule REMOTE_ADDR "@ipMatchFromFile /usr/local/lsws/conf/modsec/blocked-ips.list" \
#     "id:2001,\
#     phase:1,\
#     deny,\
#     msg:'Access from Blocked IP',\
#     severity:'CRITICAL'"
# --- 4. Upload restrictions ---
# 4.1 Block uploads by extension (deny-list, adjust to your needs).
# FILES holds the original file names from the multipart form; FILES_TMPNAMES
# would be the random temporary names on disk and never ends in .php.
SecRule FILES "@rx (?i)\.(?:php|pl|py|jsp|asp|sh|exe|dll|bat|cmd)$" \
    "id:3000,\
    phase:2,\
    deny,\
    msg:'Potentially Malicious File Upload Attempt',\
    logdata:'File Name: %{MATCHED_VAR}',\
    severity:'CRITICAL',\
    tag:'attack-malicious-file'"
# --- 5. Information leakage ---
# 5.1 PHP source in the response (e.g. when the PHP handler fails).
# Pages that intentionally display PHP code, such as tutorials, trigger this too.
SecRule RESPONSE_BODY "@rx (?i)<\?php.*\?>" \
    "id:4000,\
    phase:4,\
    deny,\
    msg:'PHP Source Code Leakage Detected',\
    severity:'ERROR'"
# 5.2 Sensitive hidden files and directories (.git, .env, .DS_Store)
SecRule REQUEST_FILENAME "@rx /(?:\.git|\.env|\.DS_Store)(?:/|$)" \
    "id:4001,\
    phase:1,\
    deny,\
    msg:'Access to Sensitive Hidden File or Directory',\
    logdata:'Matched File: %{MATCHED_VAR}',\
    severity:'CRITICAL'"
# --- 6. Rate-limiting example (brute-force protection) ---
# Limit login attempts on /wp-login.php to 5 per minute; change the path to
# your actual login page. The counter lives in the per-IP persistent
# collection, which must be initialised with initcol before setvar can touch
# it (ModSecurity 2.x also needs SecDataDir pointing at a writable directory).
SecRule REQUEST_FILENAME "@streq /wp-login.php" \
    "id:5000,\
    phase:1,\
    pass,\
    nolog,\
    initcol:ip=%{REMOTE_ADDR},\
    setvar:ip.brute_force_counter=+1,\
    expirevar:ip.brute_force_counter=60"
SecRule IP:brute_force_counter "@gt 5" \
    "id:5001,\
    phase:1,\
    deny,\
    msg:'Brute Force Attack Attempt from IP: %{REMOTE_ADDR}',\
    logdata:'Requests in last 60 seconds: %{ip.brute_force_counter}',\
    severity:'WARNING'"
# --- 7. Your existing rule ---
# Your original path-traversal rule is already good and stays as is.
SecRule ARGS "\.\./" "t:normalisePathWin,id:99999,severity:4,msg:'Drive Access',log,auditlog,deny"
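Before switching SecRuleEngine from DetectionOnly to On, it helps to see how noisy the keyword lists are. The Python dry run below is an added example, not code from this post or from ModSecurity: it pulls the @rx patterns out of a constructed, cleaned-up excerpt of the rules above (ids 1000, 1002 and 1003 with their actions trimmed) and reports which rule would block each of a few constructed, benign form values. Python's re is not PCRE and no t: transformations are applied, so treat the result as an estimate rather than the engine's verdict.

```python
import re

# Constructed excerpt of the rules from this post; the parser works on the full file too.
RULES_EXCERPT = r'''
SecRule ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:User-Agent "@rx (?i)(?:\b(?:union|select|insert|update|delete|drop|alter|create|rename|truncate|load_file|outfile|sleep|benchmark)\b|\d\s*'|'\s*\d|\b(?:or|xor|and)\b\s*[\d'\"])" \
    "id:1000,phase:2,block,msg:'SQL Injection Attack Detected'"
SecRule ARGS|REQUEST_HEADERS|REQUEST_BODY "@rx (?i)(?:\b(?:bash|sh|cmd|powershell|python|perl|php)\s*-c|\b(?:whoami|id|ifconfig|ipconfig|ls|dir|cat|echo|curl|wget|ftp)\b|\|\s*\||&\s*&|;\s*;|`|\$(?:\(|\{))" \
    "id:1002,phase:2,block,msg:'Remote Command Execution Attempt'"
SecRule ARGS "@rx (?i)(?:\.\./|\.\.\\|file://|php://input|php://filter|expect://|https?://|ftp://|/(?:etc|proc|usr|home|root|windows|winnt)/)" \
    "id:1003,phase:2,block,msg:'File Inclusion Attack Attempt'"
'''

QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')   # double-quoted token, honouring \" escapes

def parse_rx_rules(text):
    """Map rule id -> compiled pattern for every SecRule that uses the @rx operator."""
    folded = re.sub(r"\\\n\s*", " ", text)       # join backslash-continued lines
    rules = {}
    for line in folded.splitlines():
        line = line.strip()
        if not line.startswith("SecRule"):
            continue
        parts = QUOTED.findall(line)             # [operator, actions]
        if len(parts) < 2 or not parts[0].startswith("@rx "):
            continue
        rule_id = re.search(r"\bid:(\d+)", parts[1])
        if rule_id is None:
            continue
        # Undo the config-file quote escape. Python re is not PCRE and no t:
        # transformations run here, so this is a dry run, not the engine itself.
        pattern = parts[0][4:].replace('\\"', '"')
        rules[int(rule_id.group(1))] = re.compile(pattern)
    return rules

def rules_hit(rules, value):
    """Sorted ids of the rules whose pattern fires on a single parameter value."""
    return sorted(rid for rid, rx in rules.items() if rx.search(value))

# Constructed form values an ordinary visitor might submit.
BENIGN_SAMPLES = {
    "comment": "Please select an option and update your profile",
    "website": "https://example.com/blog",
    "bio": "I have a cat and a dog; ask me anything",
    "search": "linux kernel",
}

def false_positive_report(text=RULES_EXCERPT, samples=BENIGN_SAMPLES):
    """Which rules would block each benign sample: a rough false-positive estimate."""
    rules = parse_rx_rules(text)
    return {name: rules_hit(rules, value) for name, value in samples.items()}
```

Three of the four harmless samples are blocked (by 1000, 1002 and 1003 respectively), which is the tuning work DetectionOnly mode exists to surface.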