LoadModule security2_module modules/mod_security2.so

<IfModule security2_module>
# Some rules have nolog, remove it if you want to see it in the log.

# As always with mod_security: look for false postives :)

SecRuleEngine On

SecAuditEngine RelevantOnly
SecAuditLog logs/audit/audit.log
SecAuditLogParts ABCFHZ
SecAuditLogType concurrent
SecAuditLogStorageDir logs/audit
SecAuditLogRelevantStatus ^(?:5|4(?!04))

# Default: 600 (10 minutes)
SecCollectionTimeout 600

#### RULES ####
SecDefaultAction "deny,phase:1,status:403,nolog,auditlog"
SecDefaultAction "deny,phase:2,status:403,nolog,auditlog"


# We skip inspection GET & HEAD requests that have no parameters
# and that end with static content file extension


SecRule REQUEST_METHOD "^(?:GET|HEAD)$" "chain,phase:2,t:none,skip:1,pass,nolog,id:'900040',severity:'6'"
SecRule &ARGS "@eq 0" "t:none,setvar:tx.no_parameters=1"
SecAction "phase:2,id:'900041',t:none,nolog,pass,skipAfter:END_STATIC_CONTENT_CHECK"



# Determine actions based on static file extensions
# Images
SecRule REQUEST_FILENAME "\.(?:(?:jpe?|pn)g|zip|gif|ico)$" "phase:2,t:none,t:lowercase,allow,nolog,id:'900042',severity:'6'"
# Documents
SecRule REQUEST_FILENAME "\.(?:doc|pdf|txt)$" "phase:2,t:none,t:lowercase,allow,nolog,id:'900043',severity:'6'"
# HTML
SecRule REQUEST_FILENAME "\.(?:(?:cs|j)s|html?)$" "phase:2,t:none,t:lowercase,allow,nolog,id:'999005',severity:'6'"
SecMarker END_STATIC_CONTENT_CHECK


SecRule REQUEST_URI ^http:/ "id:60014,severity:2,msg:'http Proxy access attempt'"

# Do not accept GET or HEAD requests with bodies
SecRule REQUEST_METHOD "^(GET|HEAD)$" "chain,id:60011,severity:2,msg:'GET or HEAD requests with bodies'"
SecRule REQUEST_HEADERS:Content-Length "!^0?$"

# Restrict which request methods can be used
SecRule REQUEST_METHOD "!^((?:(?:POS|GE)T|HEAD|DELETE|PATCH|PUT))$" "phase:1,id:60032,severity:2,msg:'Method is not allowed by policy'"

# Restrict protocol versions.
SecRule REQUEST_PROTOCOL "!^HTTP/(0\.9|1\.0|1\.1|2\.0)$" "id:60034,severity:2,msg:'HTTP protocol version is not allowed by policy'"


SecRule ARGS:page "^http" "id:90000,severity:4,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,msg:'Arg_page with http'"
SecRule ARGS_NAMES "configdir" "id:90001,severity:4,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,msg:'Awstats attack'"
SecRule ARGS_NAMES "^php:/" "id:90002,severity:4,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,msg:'php attack'"
SecRule ARGS:highlight "(\x27|%27|\x2527|%2527)" "id:90043,severity:4,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,msg:'phpBB attack'"
SecRule ARGS:phpbb_root_path "http" "id:90044,severity:4,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,msg:'phpBB rootpath attack'"
SecRule ARGS:agreed "true" "id:90045,severity:4,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,msg:'phpBB register attack'"
SecRule ARGS:t "http" "id:90006,severity:4,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,nolog,msg:'http in viewtopic'"
SecRule ARGS:p "http" "id:90007,severity:4,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,nolog,msg:'http in viewtopic'"
SecRule ARGS:info "http" "id:90008,severity:4,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,nolog,msg:'http in viewtopic'"

SecRule ARGS "\.\./" "t:normalizePathWin,id:50904,severity:4,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,msg:'Drive Access'"


## -- SQL Injection Attacks --------------------------------------------------

# Generic
SecRule ARGS "delete[[:space:]]+from" "id:90054,severity:4,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,msg:'SQL Inject'"
SecRule ARGS "drop[[:space:]]+database" "id:90055,severity:4,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,msg:'SQL Inject'"
SecRule ARGS "drop[[:space:]]+table" "id:90056,severity:4,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,msg:'SQL Inject'"
SecRule ARGS "drop[[:space:]]+column" "id:90057,severity:4,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,msg:'SQL Inject'"
SecRule ARGS "truncate[[:space:]]+table" "id:90058,severity:4,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,msg:'SQL Inject'"
SecRule ARGS "create[[:space:]]+table" "id:90059,severity:4,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,msg:'SQL Inject'"
SecRule ARGS "update.+set.+=" "id:90060,severity:4,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,msg:'SQL Inject'"
SecRule ARGS "insert[[:space:]]+into.+values" "id:900061,severity:4,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,msg:'SQL Inject'"


# RFI Attack
#
# -=[ Rule Logic ]=-
# These rules look for common types of Remote File Inclusion (RFI) attack methods.
#       - URL Contains an IP Address
#       - The PHP "include()" Function
#       - RFI Data Ends with Question Mark(s) (?)
#       - RFI Host Doesn't Match Local Host

SecRule ARGS "^(?:ht|f)tps?:\/\/(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" "id:950117,severity:4,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,msg:'Remote File Inclusion Attack'"
SecRule ARGS "(?:\binclude\s*\([^)]*(ht|f)tps?:\/\/)" "id:950118,severity:4,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,msg:'Remote File Inclusion Attack'"
SecRule ARGS "(?:ft|htt)ps?(.*?)\?+$" "id:950119,severity:4,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,msg:'Remote File Inclusion Attack'"
SecRule ARGS "^(?:ht|f)tps?://(.*)\?$" "chain,id:950120,severity:4,t:none,capture,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,msg:'Remote File Inclusion Attack'"
SecRule TX:1 "!@beginsWith %{request_headers.host}"

</IfModule>