使用Maldetect进行实时Malaware扫描:被批准者脚本

时间:2017-03-05 18:50:25

标签: apache cpanel mod-security2 clam

我有一个带有apache 2.4和Maldetect,ClamAV的cPanel服务器。我想在服务器上安装实时恶意软件扫描程序,以阻止黑客在服务器上上传恶意文件。我的意思是当有人上传文件时,apache将使用mod-security 2.9调用扫描程序并扫描上传的文件。

如果发现它是恶意软件 - 应该被拒绝。 如果找到好的文件 - 应该上传到正确的目的地。

我尝试使用https://www.rfxn.com/appdocs/README.maldetect

中所述的以下设置执行此操作 
To enable upload scanning with mod_security2 you must set enable the public_scan option
in conf.maldet (public_scan=1) then add the following rules to your mod_security2 
configuration. These rules are best placed in your modsec2.user.conf file on cpanel servers
or at the top of the appropraite rules file for your setup.

/usr/local/apache/conf/modsec2.user.conf (or similar mod_security2 rules file):
SecRequestBodyAccess On
SecRule FILES_TMPNAMES "@inspectFile /usr/local/maldetect/hookscan.sh" \
                "id:'999999',log,auditlog,deny,severity:2,phase:2,t:none"

If using ModSecurity >=2.9, you should set 'SecTmpSaveUploadedFiles On' before the
'SecRule FILES_TMPNAMES' line.

A restart of the Apache service is required following these changes.

问题是这样做的所有文件都被拒绝了,即使是好的文件也是如此。上述设置有什么问题吗?

# cat /usr/local/apache/conf/modsec2.user.conf
### UPLOAD PARAMETERS BEGIN ####
SecUploadDir /tmp
SecTmpDir /tmp/
SecDataDir /tmp/
SecUploadKeepFiles RelevantOnly
### UPLOAD PARAMETERS END  ####

SecRequestBodyAccess On
SecTmpSaveUploadedFiles On
SecRule FILES_TMPNAMES "@inspectFile /usr/local/maldetect/hookscan.sh" \
                "id:'999999',log,auditlog,deny,severity:2,phase:2,t:none"

以下是日志中的错误

[Sun Mar 05 21:11:35.936553 2017] [:error] [pid 9800] [client x.x.x.x] ModSecurity: Access denied with code 406 (phase 2). File "/tmp/20170305-211135-WLxNz@kP@rKcABIc7ZF3lAAAAAM-file-SfujtQ" rejected by the approver script "/usr/local/maldetect/hookscan.sh": Linux Malware Detect v1.5 [file "/usr/local/apache/conf/modsec2.user.conf"] [line "13"] [id "999999"] [severity "CRITICAL"] [hostname "x.x.x.x"] [uri "/test.php"] [unique_id "WLxNz@kP@rKcABIc7ZF3lAAAAAM"]
[Sun Mar 05 21:11:44.511418 2017] [:error] [pid 9526] [client x.x.x.x] ModSecurity: Access denied with code 406 (phase 2). File "/tmp/20170305-211144-WLxN2EJsvK1FL3paCDmxrgAAAAE-file-iQx2zR" rejected by the approver script "/usr/local/maldetect/hookscan.sh": Linux Malware Detect v1.5 [file "/usr/local/apache/conf/modsec2.user.conf"] [line "13"] [id "999999"] [severity "CRITICAL"] [hostname "x.x.x.x"] [uri "/test.php"] [unique_id "WLxN2EJsvK1FL3paCDmxrgAAAAE"]

1 个答案:

答案 0 :(得分:0)

我也遇到了这个问题。问题是这一行:

  

打开SecTmpSaveUploadedFiles

尝试将其从规则中删除。

相关问题
最新问题