# ModSecurity 兼容 WAF 规则骨架 - Edu 平台 # ============================================================ # 说明:本文件为 ModSecurity SecRule 语法骨架, # 生产部署前请配合 OWASP CRS 使用并完成规则调优。 # 参考:https://github.com/SpiderLabs/ModSecurity # https://github.com/coreruleset/coreruleset # ---------- 基础配置 ---------- # 启用规则引擎 SecRuleEngine On # 请求体大小限制(10MB) SecRequestBodyLimit 10485760 # 默认动作:记录日志 + 拒绝(生产前调整) SecDefaultAction "phase:2,log,deny,status:403" # ============================================================ # 规则 1:SQL 注入检测 # 检测常见 SQL 注入关键字与元字符 # ============================================================ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_BODY|XML:/* \ "(?i)(union\s+select|select\s+.*\s+from|insert\s+into|update\s+.*\s+set|delete\s+from|drop\s+table|alter\s+table|create\s+table|exec\s*\(|;\s*drop\s|--\s|/\*.*\*/|or\s+1\s*=\s*1|and\s+1\s*=\s*1|'\s*or\s*'|sleep\s*\(|benchmark\s*\(|load_file\s*\(|into\s+outfile)" \ "id:1001,phase:2,log,deny,status:403,msg:'SQL Injection attempt',tag:'attack-sqli',severity:CRITICAL" # ============================================================ # 规则 2:XSS 检测 # 检测常见 XSS payload 与事件处理器 # ============================================================ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_BODY|XML:/* \ "(?i)(|javascript:|onerror\s*=|onload\s*=|onclick\s*=|onmouseover\s*=|onfocus\s*=|onblur\s*=|]+src\s*=|]+onload|document\.cookie|window\.location|eval\s*\(|alert\s*\(|prompt\s*\(|String\.fromCharCode)" \ "id:1002,phase:2,log,deny,status:403,msg:'XSS attempt',tag:'attack-xss',severity:CRITICAL" # ============================================================ # 规则 3:路径遍历检测 # 检测 ../ 与编码变体,防止读取敏感文件 # ============================================================ SecRule ARGS|ARGS_NAMES|REQUEST_FILENAME|REQUEST_URI|REQUEST_BODY \ "(?i)(\.\./|\.\.\\|\.\.%2f|\.\.%5c|%2e%2e%2f|%2e%2e%5c|/etc/passwd|/etc/shadow|/etc/hosts|/proc/self/environ|c:\\windows\\win\.ini|c:\\boot\.ini|\.\./\.\./\.\./)" \ "id:1003,phase:2,log,deny,status:403,msg:'Path Traversal attempt',tag:'attack-lfi',severity:CRITICAL" # ============================================================ # 规则 4:User-Agent 黑名单 # 拦截已知恶意扫描器与爬虫 # ============================================================ SecRule REQUEST_HEADERS:User-Agent \ "(?i)(sqlmap|nikto|nmap|nessus|acunetix|wpscan|hydra|metasploit|burpcollaborator|masscan|zgrab|dirbuster|gobuster|fuzzer|webinspect|appscan|jaeles|xrkmd)" \ "id:1004,phase:1,log,deny,status:403,msg:'Malicious User-Agent blocked',tag:'attack-scanner',severity:WARNING" # ============================================================ # 规则 5:远程文件包含(RFI)检测 # 检测通过 URL 参数引入远程文件 # ============================================================ SecRule ARGS|ARGS_NAMES \ "(?i)(^(http|https|ftp|php|data)://|(http|https|ftp|php|data)://.*\?(php|http|https|ftp|data)://)" \ "id:1005,phase:2,log,deny,status:403,msg:'Remote File Inclusion attempt',tag:'attack-rfi',severity:CRITICAL" # ============================================================ # 规则 6:命令注入检测 # 检测 shell 元字符与命令执行关键字 # ============================================================ SecRule ARGS|ARGS_NAMES|REQUEST_BODY|REQUEST_COOKIES \ "(?i)(;\s*(ls|cat|id|whoami|uname|pwd|wget|curl|nc|bash|sh|python|perl|ruby)\s|\$\(|`|&&\s*\w+\s|\|\|\s*\w+\s|\|\s*(ls|cat|id|whoami|uname|pwd|wget|curl|nc|bash|sh|python|perl|ruby)\s|/bin/(ba)?sh|/bin/cat|/usr/bin/(wget|curl|python|perl))" \ "id:1006,phase:2,log,deny,status:403,msg:'Command Injection attempt',tag:'attack-rce',severity:CRITICAL"