Commit 5b42bcc9 authored by Lionel Ferrafiat's avatar Lionel Ferrafiat
Browse files

correction conflit Merge branch 'Modifications-Mohamed'

parents b81b39e7 763fd46d
<IfModule mod_headers.c>
######### Content Security Policy (CSP)
Header always set Content-Security-Policy " default-src 'self' data: 'unsafe-inline' ; script-src 'self' https://trueack.ovh/assets/js/vendor/popper.min.js https://trueack.ovh/dist/js/bootstrap.min.js https://code.jquery.com/jquery-3.3.1.slim.min.js https://ajax.googleapis.com www.google-analytics.com 'unsafe-inline' ; object-src 'self' ; form-action 'self' ; frame-ancestors 'self' ; base-uri 'self' ; "
<FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|webmanifest|woff2?|xloc|xml|xpi)$">
Header unset Content-Security-Policy
</FilesMatch>
######## Reducing MIME type security risks
Header set X-Content-Type-Options "nosniff"
######## Clickjacking
Header set X-Frame-Options "SAMEORIGIN"
<FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|webmanifest|woff2?|xloc|xml|xpi)$">
Header unset X-Frame-Options
</FilesMatch>
####### Reflected Cross-Site Scripting (XSS) attacks
Header set X-XSS-Protection "1; mode=block"
<FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|webmanifest|woff2?|xloc|xml|xpi)$">
Header unset X-XSS-Protection
</FilesMatch>
####### Server software information Limitez donc au maximum les informations fournies par Apache
ServerTokens Prod
ServerSignature Off
Header unset X-Powered-By
</IfModule>
#
# This is the main Apache HTTP server configuration file. It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs/2.4/> for detailed information.
......@@ -56,7 +56,11 @@ Group apache
<VirtualHost *:80>
ServerName trueack.ovh
Redirect / https://trueack.ovh
DocumentRoot "/var/www/html"
Redirect / https://trueack.ovh/
ErrorLog /var/log/httpd/modsec_audit.log
CustomLog /var/log/httpd/modsec_audit.log combined
</VirtualHost>
......@@ -67,43 +71,34 @@ ServerName www.trueack.ovh:80
DocumentRoot "/var/www/html"
<Directory "/">
##### Empecher -FollowSymLinks à suivre les liens symboliques et Server Side Includes avec -Indexes
#<Directory />
# Options All -Indexes
# AllowOverride none
# Require all denied
#</Directory>
Options -Indexes -FollowSymLinks
AllowOverride None
Require all denied
</Directory>
#<Directory "/var/www">
# Options Indexes FollowSymLinks MultiViews
# AllowOverride all
# Allow open access:
# Order allow,deny
# allow from all
# Require all granted
#</Directory>
<Directory "/var/www/html">
Options Indexes FollowSymLinks
Options -Indexes -FollowSymLinks
AllowOverride All
######### Avec cette règle on accepte que les dérectives suivantes GET POST HEAD
<LimitExcept GET POST HEAD>
deny from all
</LimitExcept>
Require all granted
</Directory>
<IfModule dir_module>
DirectoryIndex index.html index.php login.php formulaire.php connection.php
DirectoryIndex index.html index.php
</IfModule>
#<FilesMatch "/var/www/html/Upload">
# Order allow,deny
# Deny from all
#</FilesMatch>
<Files ".ht*">
Require all denied
</Files>
......@@ -124,6 +119,7 @@ LogLevel warn
#CustomLog "logs/access_log" common
CustomLog "logs/access_log" combined
</IfModule>
<IfModule alias_module>
......@@ -131,6 +127,7 @@ LogLevel warn
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
</IfModule>
<Directory "/var/www/cgi-bin">
AllowOverride None
Options None
......@@ -161,16 +158,49 @@ AddDefaultCharset UTF-8
</IfModule>
#ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402 http://www.example.com/subscription_info.html
#
ErrorDocument 500 "The server made a boo boo."
ErrorDocument 404 /erreur.html
ErrorDocument 404 "/cgi-bin/missing_handler.pl"
ErrorDocument 402 http://www.example.com/subscription_info.html
#EnableMMAP off
EnableSendfile on
# Chargement des Modules security2 & evasive20
LoadModule security2_module modules/mod_security2.so
LoadModule evasive20_module modules/mod_evasive24.so
# Include des fichiers modsecurity et les regles
<IfModule security2_module>
Include /etc/httpd/conf/modsecurity.d/crs-setup.conf
Include /etc/httpd/conf/modsecurity.d/rules/*.conf
</IfModule>
<IfModule mod_security2.c>
SecRuleRemoveById 200000
</IfModule>
# Chargement des session_module pour les cookie
LoadModule session_module modules/mod_session.so
LoadModule session_cookie_module modules/mod_session_cookie.so
# Derective Header HTTP
LoadModule headers_module /usr/lib/httpd/modules/mod_headers.so
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=Lax
# Load config files in the "/etc/httpd/conf.d" directory, if any.
IncludeOptional conf.d/*.conf
LoadModule evasive20_module modules/mod_evasive24.so
<IfModule mod_evasive24.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
</IfModule>
<IfModule mod_security2.c>
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess On
SecDebugLog /var/log/httpd/modsec_debug.log
SecDebugLogLevel 1
SecResponseBodyMimeType text/plain text/html text/xml application/octet-stream
SecDataDir /tmp
</IfModule>
This diff is collapsed.
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.0.0
# Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# The purpose of this file is to hold LOCAL exceptions for your site. The
# types of rules that would go into this file are one where you want to
# short-circuit inspection and allow certain transactions to pass through
# inspection or if you want to alter rules that are applied.
#
# This file is named REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example for a
# very specific reason. Files affixed with the .example extension are designed
# to contain user created/modified data. The '.example'. extension should be
# renamed to end in .conf. The advantage of this is that when OWASP CRS is
# updated, the updates will not overwrite a user generated configuration file.
#
# As a result of this design paradigm users are encouraged NOT to directly
# modify rules. Instead they should use this
# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS and the
# RESPONSE-999-EXCLUSION-RULES-AFTER-CRS file to modify OWASP rules using
# methods similar to the examples specified below.
#
# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS and
# RESPONSE-999-EXCLUSION-RULES-AFTER-CRS serve different purposes. ModSecurity
# effectively maintains two different context: startup, and per transaction.
# As a rule, directives are processed within the startup context. While they
# can affect the per transaction context they generally remain fixed during the
# execution of ModSecurity.
#
# As a result if one wanted to disable a rule at bootup the SecRuleRemoveById
# directive or one of its siblings would have to be placed AFTER the rule is
# listed, otherwise it will not have knowledge of the rules existence (since
# these rules are read in at the same time). This means that when using
# directives that effect SecRules, these exceptions should be placed AFTER all
# the existing rules. This is why RESPONSE-999-EXCLUSION-RULES-AFTER-CRS is
# designed such that it loads LAST.
#
# Conversely, ModSecurity supports several actions that can change the state of
# the underlying configuration during the per transaction context, this is when
# rules are being processed. Generally, these are accomplished by using the
# 'ctl' action. As these are part of a rule, they will be evaluated in the
# order rules are applied (by physical location, considering phases). As a
# result of this ordering a 'ctl' action should be placed with consideration to
# when it will be executed. This is particularly relevant for the 'ctl' options
# that involve modifying ID's (such as ruleRemoveById). In these cases it is
# important that such rules are placed BEFORE the rule ID they will affect.
# Unlike the setup context, by the time we process rules in the per-transaction
# context, we are already aware of all the rule ID's. It is by this logic that
# we include rules such as this BEFORE all the remaining rules. As a result
# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS is designed to load FIRST.
#
# As a general rule:
# ctl:ruleEngine -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
# ctl:ruleRemoveById -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
# ctl:ruleRemoveByMsg -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
# ctl:ruleRemoveByTag -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
# ctl:ruleRemoveTargetById -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
# ctl:ruleRemoveTargetByMsg -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
# ctl:ruleRemoveTargetByTag -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
#
# SecRuleRemoveById -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
# SecRuleRemoveByMsg -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
# SecRuleRemoveByTag -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
# SecRuleUpdateActionById -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
# SecRuleUpdateTargetById -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
# SecRuleUpdateTargetByMsg -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
# SecRuleUpdateTargetByTag -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
#
#
# What follows are a group of examples that show you how to perform rule
# exclusions.
#
#
# Example Exclusion Rule: Disable inspection for an authorized client
#
# This ruleset allows you to control how ModSecurity will handle traffic
# originating from Authorized Vulnerability Scanning (AVS) sources. See
# related blog post -
# http://blog.spiderlabs.com/2010/12/advanced-topic-of-the-week-handling-authorized-scanning-traffic.html
#
# White-list ASV network block (no blocking or logging of AVS traffic) Update
# IP network block as appropriate for your AVS traffic
#
# ModSec Rule Exclusion: Disable Rule Engine for known ASV IP
# SecRule REMOTE_ADDR "@ipMatch 192.168.1.100" \
# "phase:1,id:1000,pass,nolog,ctl:ruleEngine=Off"
#
#
# Example Exclusion Rule: Removing a specific ARGS parameter from inspection
# for an individual rule
#
# This rule shows how to conditionally exclude the "password"
# parameter for rule 942100 when the REQUEST_URI is /index.php
# ModSecurity Rule Exclusion: 942100 SQL Injection Detected via libinjection
#
# SecRule REQUEST_URI "@beginsWith /index.php" \
# "id:1001,phase:1,pass,nolog, \
# ctl:ruleRemoveTargetById=942100;ARGS:password"
#
#
# Example Exclusion Rule: Removing a specific ARGS parameter from inspection
# for only certain attacks
#
# Attack rules within the CRS are tagged, with tags such as 'attack-lfi',
# 'attack-sqli', 'attack-xss', 'attack-injection-php', et cetera.
#
# ModSecurity Rule Exclusion: Disable inspection of ARGS:pwd
# for all rules tagged attack-sqli
# SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
# "id:1002,phase:request,pass,nolog,\
# ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:pwd"
#
# Example Exclusion Rule: Removing a specific ARGS parameter from inspection
# for all CRS rules
#
# This rule illustrates that we can use tagging very effectively to whitelist a
# common false positive across an entire ModSecurity instance. This can be done
# because every rule in OWASP_CRS is tagged with OWASP_CRS. This will NOT
# affect custom rules.
#
# ModSecurity Rule Exclusion: Disable inspection of ARGS:pwd
# for all CRS rules
# SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
# "id:1003,phase:request,pass,nolog,\
# ctl:ruleRemoveTargetByTag=CRS;ARGS:pwd"
#
# Example Exclusion Rule: Removing a range of rules
#
# This rule illustrates that we can remove a rule range via a ctl action.
# This uses the fact, that rules are grouped by topic in rule files covering
# a certain id range.
#
# ModSecurity Rule Exclusion: Disable all SQLi and XSS rules
# SecRule REQUEST_FILENAME "@beginsWith /admin" \
# "id:1004,phase:request,pass,nolog,\
# ctl:ruleRemoveById=941000-942999"
#
#
# The application specific rule exclusion files
# REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
# REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
# bring additional examples which can be useful then tuning a service.
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.0.0
# Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# This file REQUEST-901-INITIALIZATION.conf initializes the Core Rules
# and performs preparatory actions. It also fixes errors and omissions
# of variable definitions in the file crs-setup.conf.
# The setup.conf can and should be edited by the user, this file
# is part of the CRS installation and should not be altered.
#
#
# -=[ Rules Version ]=-
#
# Rule version data is added to the "Producer" line of Section H of the Audit log:
#
# - Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); OWASP_CRS/3.0.0.
#
# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecComponentSignature
#
SecComponentSignature "OWASP_CRS/3.0.0"
#
# -=[ Default setup values ]=-
#
# The CRS checks the tx.crs_setup_version variable to ensure that the setup
# file is included at the correct time. This detects situations where
# necessary settings are not defined, for instance if the file
# inclusion order is incorrect, or if the user has forgotten to
# include the crs-setup.conf file.
#
# If you are upgrading from an earlier version of the CRS and you are
# getting this error, please make a new copy of the setup template
# crs-setup.conf.example to crs-setup.conf, and re-apply your policy
# changes. There have been many changes in settings syntax from CRS2
# to CRS3, so an old setup file may cause unwanted behavior.
#
# If you are not planning to use the crs-setup.conf template, you must
# manually set the tx.crs_setup_version variable before including
# the CRS rules/* files.
#
# The variable is a numerical representation of the CRS version number.
# E.g., v3.0.0 is represented as 300.
#
SecRule &TX:crs_setup_version "@eq 0" \
"id:901001,\
phase:1,\
auditlog,\
log,\
deny,\
status:500,\
severity:CRITICAL,\
msg:'ModSecurity Core Rule Set is deployed without configuration! Please copy the crs-setup.conf.example template to crs-setup.conf, and include the crs-setup.conf file in your webserver configuration before including the CRS rules. See the INSTALL file in the CRS directory for detailed instructions.'"
#
# -=[ Default setup values ]=-
#
# Some constructs or individual rules will fail if certain parameters
# are not set in the setup.conf file. The following rules will catch
# these cases and assign sane default values.
#
# Default Inbound Anomaly Threshold Level (rule 900110 in setup.conf)
SecRule &TX:inbound_anomaly_score_threshold "@eq 0" \
"id:901100,\
phase:1,\
pass,\
nolog,\
setvar:tx.inbound_anomaly_score_threshold=5"
# Default Outbound Anomaly Threshold Level (rule 900110 in setup.conf)
SecRule &TX:outbound_anomaly_score_threshold "@eq 0" \
"id:901110,\
phase:1,\
pass,\
nolog,\
setvar:tx.outbound_anomaly_score_threshold=4"
# Default Paranoia Level (rule 900000 in setup.conf)
SecRule &TX:paranoia_level "@eq 0" \
"id:901120,\
phase:1,\
pass,\
nolog,\
setvar:tx.paranoia_level=1"
# Default Sampling Percentage (rule 900400 in setup.conf)
SecRule &TX:sampling_percentage "@eq 0" \
"id:901130,\
phase:1,\
pass,\
nolog,\
setvar:tx.sampling_percentage=100"
# Default Anomaly Scores (rule 900100 in setup.conf)
SecRule &TX:critical_anomaly_score "@eq 0" \
"id:901140,\
phase:1,\
pass,\
nolog,\
setvar:tx.critical_anomaly_score=5"
SecRule &TX:error_anomaly_score "@eq 0" \
"id:901141,\
phase:1,\
pass,\
nolog,\
setvar:tx.error_anomaly_score=4"
SecRule &TX:warning_anomaly_score "@eq 0" \
"id:901142,\
phase:1,\
pass,\
nolog,\
setvar:tx.warning_anomaly_score=3"
SecRule &TX:notice_anomaly_score "@eq 0" \
"id:901143,\
phase:1,\
pass,\
nolog,\
setvar:tx.notice_anomaly_score=2"
# Default do_reput_block
SecRule &TX:do_reput_block "@eq 0" \
"id:901150,\
phase:1,\
pass,\
nolog,\
setvar:tx.do_reput_block=0"
# Default block duration
SecRule &TX:reput_block_duration "@eq 0" \
"id:901152,\
phase:1,\
pass,\
nolog,\
setvar:tx.reput_block_duration=300"
# Default HTTP policy: allowed_methods (rule 900200)
SecRule &TX:allowed_methods "@eq 0" \
"id:901160,\
phase:1,\
pass,\
nolog,\
setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
# Default HTTP policy: allowed_request_content_type (rule 900220)
SecRule &TX:allowed_request_content_type "@eq 0" \
"id:901162,\
phase:1,\
pass,\
nolog,\
setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json|text/plain'"
# Default HTTP policy: allowed_http_versions (rule 900230)
SecRule &TX:allowed_http_versions "@eq 0" \
"id:901163,\
phase:1,\
pass,\
nolog,\
setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0'"
# Default HTTP policy: restricted_extensions (rule 900240)
SecRule &TX:restricted_extensions "@eq 0" \
"id:901164,\
phase:1,\
pass,\
nolog,\
setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
# Default HTTP policy: restricted_headers (rule 900250)
SecRule &TX:restricted_headers "@eq 0" \
"id:901165,\
phase:1,\
pass,\
nolog,\
setvar:'tx.restricted_headers=/proxy/ /lock-token/ /content-range/ /translate/ /if/'"
# Default HTTP policy: static_extensions (rule 900260)
SecRule &TX:static_extensions "@eq 0" \
"id:901166,\
phase:1,\
pass,\
nolog,\
setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/'"
#
# -=[ Initialize internal variables ]=-
#
# Initialize anomaly scoring variables.
# All _score variables start at 0, and are incremented by the various rules
# upon detection of a possible attack.
# sql_error_match is used for shortcutting rules for performance reasons.
SecAction \
"id:901200,\
phase:1,\
nolog,\
pass,\
t:none,\
setvar:tx.anomaly_score=0,\
setvar:tx.sql_injection_score=0,\
setvar:tx.xss_score=0,\
setvar:tx.rfi_score=0,\
setvar:tx.lfi_score=0,\
setvar:tx.rce_score=0,\
setvar:tx.php_injection_score=0,\
setvar:tx.http_violation_score=0,\
setvar:tx.session_fixation_score=0,\
setvar:tx.inbound_anomaly_score=0,\
setvar:tx.outbound_anomaly_score=0,\
setvar:tx.sql_error_match=0"
#
# -=[ Initialize collections ]=-
#
# Create both Global and IP collections for rules to use.
# There are some CRS rules that assume that these two collections
# have already been initiated.
#
SecRule REQUEST_HEADERS:User-Agent "^(.*)$" \
"id:901318, \
phase:1, \
t:none,t:sha1,t:hexEncode, \
setvar:tx.ua_hash=%{matched_var}, \