mod security

conf/modsecurity.conf

@@ -7,22 +7,18 @@ SecAuditLogParts ABIJ
 SecAuditLogType Serial
 SecAuditLog /var/log/modsecurity/audit.log
 
-# SQL Injection protection
-SecRule ARGS "(?i)(union(\s+all)?\s+select|select\s+.*\s+from|insert\s+into|update\s+.*\s+set|delete\s+from|drop\s+table|or\s+1=1|--|#|/\*|\*/|\bexec\b|\bexecute\b)" \
+# sql injection
+SecRule ARGS "['\";]|--" \
     "id:950001,phase:2,deny,status:403,msg:'SQL Injection Attack Detected',log"
 
-# XSS / HTML Injection protection
-SecRule ARGS "(?i)(<script|javascript:|on\w+=|<img|<svg|<iframe|<object|<embed|<form|<input|%3c|%3e|%22|%27|%60)" \
+# xss / html injection
+SecRule ARGS "<.*>" \
     "id:950003,phase:2,deny,status:403,msg:'XSS/HTML Injection Detected',log"
 
-# Remote File Inclusion protection
-SecRule ARGS "(?i)(https?|ftp)://" \
-    "id:950005,phase:2,deny,status:403,msg:'Remote File Inclusion Attempt',log"
-
-# Command Injection protection
-SecRule ARGS "(?i)(;|&&|\|\||\$\(|\`|\bexec\b|\bcmd\b|\bsystem\b)" \
+# command injection
+SecRule ARGS "exec|cat|more|ls|dir|/etc/passwd" \
     "id:950006,phase:2,deny,status:403,msg:'Command Injection Detected',log"
 
-# Path Traversal protection
-SecRule ARGS "(\./|\.\./)" \
+# path traversal
+SecRule ARGS "(\./|\.\./)|ftp|metrics|api-docs" \
     "id:950007,phase:2,deny,status:403,msg:'Path Traversal Attempt',log"