{"id":9268,"date":"2014-05-18T22:43:50","date_gmt":"2014-05-18T13:43:50","guid":{"rendered":"https:\/\/a-tak.com\/blog\/?p=9268"},"modified":"2020-07-13T12:00:23","modified_gmt":"2020-07-13T03:00:23","slug":"mod-security1","status":"publish","type":"post","link":"https:\/\/a-tak.com\/blog\/2014\/05\/mod-security1\/","title":{"rendered":"\u81ea\u52d5\u3067mod_security\u306e\u30eb\u30fc\u30eb\u4f5c\u3063\u3066\u4e0d\u6b63\u30a2\u30af\u30bb\u30b9\u3092\u9632\u3050\u3088\u3046\u306b\u3057\u3066\u307f\u305f"},"content":{"rendered":"<p><a href=\"https:\/\/i0.wp.com\/a-tak.com\/blog\/wp-content\/uploads\/2014\/05\/mod-security.png?ssl=1\" title=\"Mod security\"><img data-recalc-dims=\"1\" decoding=\"async\" class=\"shadow-img\" src=\"https:\/\/i0.wp.com\/a-tak.com\/blog\/wp-content\/uploads\/2014\/05\/mod-security.png?w=500&#038;ssl=1\" alt=\"Mod security\" title=\"mod-security.png\" ><\/a><\/p>\n<p>\u3000\u306a\u305c\u304b\u6700\u8fd1\u3001\u3044\u307e\u3055\u3089\u300cWindows 
Vista\u300d\u3092\u30cd\u30bf\u306b\u3057\u305f\u8a18\u4e8b\u304c\u305a\u3063\u3068\u30a2\u30af\u30bb\u30b9\u4e0a\u4f4d\u306b\u6765\u308b\u306e\u3067\u8abf\u3079\u305f\u3089\u4e0d\u6b63\u30a2\u30af\u30bb\u30b9\u306e\u5146\u5019\u3067\u3057\u305f\u3002<\/p>\n<p>\u3000\u6700\u65b0\u30d0\u30fc\u30b8\u30e7\u30f3\u306eWordPress\u3092\u4f7f\u3063\u3066\u3044\u308b\u306e\u3067\u5b9f\u5bb3\u306f\u306a\u3044\u3067\u3059\u304c\u3001\u30e9\u30f3\u30ad\u30f3\u30b0\u304c\u304a\u304b\u3057\u304f\u306a\u308b\u306e\u306f\u5acc\u306a\u306e\u3067\u3001mod_security\u3067\u5bfe\u7b56\u3057\u307e\u3057\u305f\u3002<\/p>\n<p>\u3000\u3042\u3068Mac\u306b\u3082\u5165\u3063\u3066\u308bAWK\u3067\u306e\u30eb\u30fc\u30eb\u81ea\u52d5\u751f\u6210\u3082\u3084\u3063\u3066\u307f\u305f(\u3068\u304b\u66f8\u3044\u3066Mac\u30e6\u30fc\u30b6\u30fc\u306e\u8208\u5473\u3092\u60f9\u3044\u3066\u307f\u308b)<\/p>\n<p>\u3000\u3061\u306a\u307f\u306b\u4eca\u56de\u306e\u5185\u5bb9\u306f\u30ec\u30f3\u30bf\u30eb\u30b5\u30fc\u30d0\u30fc\u306a\u3069\u3067root\u6a29\u9650\u304c\u305f\u3076\u3093\u5fc5\u8981\u306b\u306a\u308a\u307e\u3059\u3002\u3042\u3068\u4e00\u6642\u9593\u306b\u4e00\u56deApache\u30b5\u30fc\u30d3\u30b9\u3092\u518d\u8d77\u52d5(\u6b63\u78ba\u306b\u306f\u30b0\u30ec\u30fc\u30b9\u30d5\u30eb\u30ea\u30b9\u30bf\u30fc\u30c8)\u3059\u308b\u3068\u3044\u3046\u8352\u6280\u3082\u4f7f\u3063\u3066\u3044\u308b\u306e\u3067\u81ea\u5df1\u8cac\u4efb\u3067\u304a\u9858\u3044\u3057\u307e\u3059\u3002<\/p>\n<p>mod_security\u306e\u30eb\u30fc\u30eb\u306e\u66f8\u304d\u65b9\u3082(\u7279\u306bID)\u6b63\u3057\u3044\u304b\u308f\u304b\u3089\u306a\u3044\u306e\u3067\u3001\u81ea\u5206\u3067\u3082\u8abf\u3079\u3066\u307f\u3066\u304f\u3060\u3055\u3044\u306d\u3002<br \/>\n<!--more--><\/p>\n<h2>\u8b0e\u306e\u30ed\u30b0\u304c\u591a\u6570<\/h2>\n<p>\u3053\u3093\u306a\u611f\u3058<\/p>\n<blockquote><p>\n  
https:\/\/a-tak.com\/blog\/\u500b\u5225\u8a18\u4e8b\u306eURL\/#comment-7326+Result:+chosen+nickname+%22jvsyvgpy25%22;+success+%28from+first+page%29;\n<\/p><\/blockquote>\n<p>\u3000\u3053\u3093\u306a\u306e\u304c\u8907\u6570\u306e\u6240\u304b\u3089\u591a\u6570\u6765\u308b\u306e\u3067\u9806\u4f4d\u304c\u4e0a\u304c\u3063\u3066\u3057\u307e\u3063\u3066\u3044\u307e\u3059\u3002\u306a\u3093\u3067\u3001\u3053\u306e\u8a18\u4e8b\u3060\u3051?\u3068\u3044\u3046\u6c17\u3082\u3057\u307e\u3059\u304c\u3001\u30ea\u30af\u30a8\u30b9\u30c8\u306b\u542b\u307e\u308c\u3066\u3044\u308b\u300cchosen+nickname\u300d\u3067\u8abf\u3079\u305f\u3089\u3001\u6d77\u5916\u306e\u63b2\u793a\u677f\u306b\u3082\u540c\u3058\u4e8b\u4f8b\u304c\u6319\u304c\u3063\u3066\u307e\u3057\u305f\u3002<\/p>\n<p><a href=\"http:\/\/security.stackexchange.com\/questions\/26598\/strange-request-uri-with-lot-of-spaces-and-chosen-nickname\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft\" border=\"0\" src=\"http:\/\/capture.heartrails.com\/150x130\/shadow?http:\/\/security.stackexchange.com\/questions\/26598\/strange-request-uri-with-lot-of-spaces-and-chosen-nickname\" alt=\"\" width=\"150\" height=\"130\" \/><\/a><a style=\"color:#0070C5;\" href=\"http:\/\/security.stackexchange.com\/questions\/26598\/strange-request-uri-with-lot-of-spaces-and-chosen-nickname\" target=\"_blank\" rel=\"noopener noreferrer\">http &#8211; Strange request URI with lot of + (spaces) and &#8220;chosen nickname&#8221; &#8211; Information Security Stack Exchange<\/a><img decoding=\"async\" border=\"0\" src=\"http:\/\/b.hatena.ne.jp\/entry\/image\/http:\/\/security.stackexchange.com\/questions\/26598\/strange-request-uri-with-lot-of-spaces-and-chosen-nickname\" alt=\"\" \/><br \/><span style=\"color: #808080;font-size: 80%;\">2) it targets a specific page on my site. 
&#8230;<\/span><br style=\"clear:both;\" \/><\/p>\n<p>\u3000Chrome\u306e\u7ffb\u8a33\u306b\u3088\u308b\u3068\u3001\u7279\u5b9a\u306e\u30da\u30fc\u30b8\u3092\u5bfe\u8c61\u306b\u3057\u3066\u3044\u308b\u3068\u306e\u3053\u3068\u3002\u4ed6\u306b\u30821\u65e5\u308f\u305a\u304b40-60\u56de\u7a0b\u5ea6\u306e\u30a2\u30af\u30bb\u30b9\u3067DoS\u653b\u6483\u3067\u3082\u306a\u3044\u3068\u8a00\u3063\u3066\u3044\u307e\u3059\u3002\u3046\u3061\u3082\u307e\u3063\u305f\u304f\u540c\u3058\u73fe\u8c61\u3067\u3059\u3002<\/p>\n<p>\u3000\u8aad\u307f\u9032\u3081\u3066\u3044\u304f\u3068Exploit(\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u3002\u8106\u5f31\u6027\u3092\u72d9\u3046\u30d7\u30ed\u30b0\u30e9\u30e0\u3002)\u306e\u75d5\u8de1\u3068\u304b\u3001\u3044\u3084XRumer\u3068\u3044\u3046\u30b9\u30d1\u30e0\u30bd\u30d5\u30c8\u30a6\u30a7\u30a2\u306e\u75d5\u8de1\u3068\u304b\u51fa\u3066\u3044\u307e\u3059\u3002\u4e00\u756a\u3057\u3064\u3053\u3044\u5974\u306eIP\u3092\u8abf\u3079\u305f\u3089\u3001\u305f\u3057\u304b\u306bProject Honey Pot\u306b\u8a72\u5f53\u306eIP\u304c\u63b2\u8f09\u3055\u308c\u3066\u3044\u307e\u3057\u305f\u3002\u30d1\u30ad\u30b9\u30bf\u30f3\u304b\u3002<\/p>\n<p>\u3000\u90aa\u9b54\u306a\u306e\u3067\u3001\u3053\u3044\u3064\u306e\u30a2\u30af\u30bb\u30b9\u81ea\u4f53\u3092WordPress\u304c\u51e6\u7406\u3059\u308b\u524d\u306b\u62d2\u5426\u3057\u3066\u3057\u307e\u304a\u3046\u3068WAF\u306e\u4e00\u3064\u3067\u3042\u308bmod security\u3092\u5165\u308c\u3066\u307f\u308b\u3053\u3068\u306b\u3057\u307e\u3057\u305f\u3002<\/p>\n<h2>WAF\u3063\u3066?<\/h2>\n<p>\u3000Web Application 
Firewall\u306e\u7565\u3067WAF\u3067\u3059\u3002\u3056\u3063\u304f\u308a\u8a00\u3046\u3068\u901a\u5e38\u306e\u30d5\u30a1\u30a4\u30a2\u30a6\u30a9\u30fc\u30eb\u3060\u3068\u63a5\u7d9a\u5143\u306eIP\u3084\u30dd\u30fc\u30c8\u306a\u3069\u306eTCP\/IP\u30ec\u30d9\u30eb\u306e\u60c5\u5831\u3057\u304b\u30a2\u30af\u30bb\u30b9\u62d2\u5426\u306e\u6761\u4ef6\u306b\u4f7f\u3048\u307e\u305b\u3093\u304c\u3001WAF\u306e\u5834\u5408\u306fTCP\/IP\u3088\u308a\u4e0a\u4f4d\u306e\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u5c64\u306e\u60c5\u5831\u3092\u4f7f\u3063\u3066\u30d5\u30a3\u30eb\u30bf\u304c\u51fa\u6765\u307e\u3059\u3002Web\u306eHTTP\u30d7\u30ed\u30c8\u30b3\u30eb\u3082\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u5c64\u3067\u3059\u3002<\/p>\n<p>\u3000\u3053\u308c\u304c\u3067\u304d\u308b\u3068\u4f8b\u3048\u3070URL\u306b\u7279\u5b9a\u306e\u6587\u5b57\u304c\u5165\u3063\u3066\u3044\u305f\u308a\u3001POST\u3067\u7279\u5b9a\u306e\u60c5\u5831\u304c\u9001\u3089\u308c\u3066\u304d\u305f\u5834\u5408\u306b\u62d2\u5426\u3059\u308b\u306a\u3093\u3066\u3053\u3068\u304c\u3067\u304d\u307e\u3059\u3002<\/p>\n<p>\u3000\u3068\u3044\u3046\u304b\u3001\u500b\u4eba\u30b5\u30a4\u30c8\u306bWAF\u307e\u3067\u666e\u901a\u5165\u308c\u308b\u304b?\u3068\u601d\u3063\u305f\u3093\u3067\u3059\u304c\u3001\u6700\u8fd1\u306f\u3042\u3061\u3053\u3061\u306e\u30ec\u30f3\u30bf\u30eb\u30b5\u30fc\u30d0\u30fc\u3067WAF\u5165\u3063\u3066\u308b\u3093\u3067\u3059\u306d\u3002\u3057\u3089\u3093\u304b\u3063\u305f\u3002<\/p>\n<h2>mod_security\u3092\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb<\/h2>\n<pre><code>yum install mod_security -y\n<\/code><\/pre>\n<p>\u3000\u3053\u308c\u3067\u3044\u3051\u305f\u3002<\/p>\n<pre><code>rpm -ql mod_security\n<\/code><\/pre>\n<p>\u3067\u3001\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u5148\u3092\u78ba\u8a8d\u3002<br \/>\n\/etc\/httpd\/modsecurity.d\/activated_rules 
\u306b\u30eb\u30fc\u30eb\u3092\u5165\u308c\u308b\u307f\u305f\u3044\u3067\u3059\u3002\u65e5\u672c\u8a9e\u306e\u60c5\u5831\u304c\u306a\u304b\u306a\u304b\u30d2\u30c3\u30c8\u3057\u306a\u3044\u306e\u3067\u624b\u63a2\u308a&amp;\u82f1\u8a9e\u3068\u5927\u683c\u95d8\u3067\u3059(\u7b11)<\/p>\n<h2>\u30c7\u30d5\u30a9\u30eb\u30c8\u306e\u30eb\u30fc\u30eb\u3092\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb<\/h2>\n<pre><code>yum install mod_security_crs -y\n<\/code><\/pre>\n<p>\u3000\u3053\u308c\u3067\u30c7\u30d5\u30a9\u30eb\u30c8\u306e\u30eb\u30fc\u30eb\u304c\u5165\u308a\u307e\u3059\u3002<\/p>\n<pre><code>service httpd graceful\n<\/code><\/pre>\n<p>\u3067\u8a2d\u5b9a\u304c\u53cd\u6620\u3055\u308c\u307e\u3059\u304c\u3001WordPress\u52d5\u304d\u307e\u305b\u3093(\u7b11)<\/p>\n<p>\u3000\u7d50\u69cb\u3001\u5143\u3005\u306e\u30eb\u30fc\u30eb\u304c\u53b3\u3057\u3081\u306e\u3088\u3046\u306a\u306e\u3067\u3001\u3057\u3087\u3046\u304c\u7121\u3044\u3067\u3059\u304c\u3001\u539f\u56e0\u306b\u306a\u3063\u3066\u3044\u308b\u30eb\u30fc\u30eb\u3092\u53d6\u308a\u9664\u3044\u3066\u52d5\u304f\u3088\u3046\u306b\u3057\u307e\u3059\u3002<\/p>\n<p>\/var\/log\/httpd\/modsec_audit.log \u3042\u305f\u308a\u306b\u30ed\u30b0\u304c\u51fa\u3066\u3044\u308b\u306f\u305a\u3067\u3059\u3002\u3053\u3093\u306a\u611f\u3058\u3067\u2193<\/p>\n<blockquote><p>\n  Message: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. 
[file &#8220;\/etc\/httpd\/modsecurity.d\/activated_rules\/modsecurity_crs_40_generic_attacks.conf&#8221;] [line &#8220;182&#8221;] [id &#8220;950000&#8221;] [rev &#8220;1&#8221;] [msg &#8220;Session Fixation&#8221;] [data &#8220;Matched Data: phpsessid found within REQUEST_HEADERS: 0&#8221;] [severity &#8220;CRITICAL&#8221;] [ver &#8220;OWASP_CRS\/2.2.6&#8221;] [maturity &#8220;1&#8221;] [accuracy &#8220;7&#8221;] [tag &#8220;OWASP_CRS\/WEB_ATTACK\/SESSION_FIXATION&#8221;] [tag &#8220;WASCTC\/WASC-37&#8221;] [tag &#8220;OWASP_TOP_10\/A3&#8221;] [tag &#8220;PCI\/6.5.7&#8221;]\n<\/p><\/blockquote>\n<p>\u300cfile \u300d\u3067\u59cb\u307e\u3063\u3066\u3044\u308b\u3068\u3053\u308d\u306e\u300c\/etc\/httpd\/modsecurity.d\/activated_rules\/modsecurity_crs_40_generic_attacks.conf\u300d\u304c\u5f15\u3063\u304b\u304b\u3063\u305f\u30eb\u30fc\u30eb\u3067\u3059\u3002\u3053\u3044\u3064\u3092\u6d88\u3057\u3066Apache\u518d\u8d77\u52d5\u3059\u308b\u3068\u3001\u3053\u306e\u30eb\u30fc\u30eb\u306f\u7121\u52b9\u306b\u306a\u308a\u307e\u3059\u3002\u307e\u3041\u3001\u4ed5\u65b9\u306a\u3044\u3067\u3057\u3087\u3046\u3002<\/p>\n<p>　ただし、このファイルごと消すと、同じファイルに入っている他の汎用攻撃(generic attacks)検知ルールもまとめて無効になります。誤検知したルールだけを外したいなら、ログの [id &#8220;950000&#8221;] を使って、CRSより後に読み込まれる自前のconf(Includeはファイル名順に読まれるので、activated_rulesの中で名前順が後ろになるファイルなど)に <code>SecRuleRemoveById 950000<\/code> と書くほうが、残りのルールを生かしたまま回避できて安全です。<\/p>\n<p>\u3000\u3046\u3061\u306e\u5834\u5408\u3001\u30c8\u30c3\u30d7\u30da\u30fc\u30b8\u304c\u305d\u3082\u305d\u3082\u51fa\u306a\u304f\u3066\u3001\u6295\u7a3f\u306e\u6642\u306b\u3082\u5225\u306e\u30eb\u30fc\u30eb\u3067\u30a8\u30e9\u30fc\u306b\u306a\u3063\u3066\u307e\u3057\u305f\u3002<\/p>\n<p>\u3000\u30ed\u30b0\u3092\u3088\u304f\u898b\u308b\u3068PCI\/6.5.7\u3063\u3066\u51fa\u3066\u308b\u3051\u3069\u3001PCI-DSS\u8981\u4ef6\u306e\u9805\u756a\u306a\u306e\u304b\u306a?(そのとおりで、CRSは各ルールに対応するPCI DSSの要件番号をtagとして付けています)<\/p>\n<h2>\u3057\u304b\u3057chosen+nickname\u306e\u6587\u5b57\u5217\u3067\u306e\u62d2\u5426\u306f\u3067\u304d\u305a<\/h2>\n<p>\u3000\u3055\u3063\u305d\u304f\u3055\u3063\u304d\u306echosen+nickname\u304cURL\u306b\u3042\u308c\u3070\u63a5\u7d9a\u62d2\u5426\u3057\u3088\u3046\u3068\u601d\u3063\u305f\u306e\u3067\u3059\u304c\u3001\u7d50\u5c40\u3053\u308c\u4f7f\u
3048\u307e\u305b\u3093\u3067\u3057\u305f\u3002\u3068\u3044\u3046\u306e\u3082\u3001\u3053\u306e\u6587\u5b57\u304c\u300c#\u300d\u306e\u5f8c\u308d\u306b\u3042\u308b\u304b\u3089\u3060\u3068\u601d\u3046\u306e\u3067\u3059\u304c\u3001mod_security\u306eREQUEST_URI\u306b\u5165\u3063\u3066\u3053\u306a\u3044\u3093\u3067\u3059\u306d\u3002\u305f\u3057\u304b\u306b\u3001#\u306f\u540c\u3058\u30da\u30fc\u30b8\u5185\u306e\u79fb\u52d5\u306a\u306e\u3067\u3001\u30b5\u30fc\u30d0\u30fc\u306e\u52d5\u304d\u306b\u95a2\u4fc2\u306a\u3044\u3068\u3044\u3048\u3070\u306a\u3044\u3093\u3067\u3059\u304c\u2026\u3002<\/p>\n<p>　補足すると、普通のブラウザは「#」以降(フラグメント)をサーバーに送りません。今回はボットがリクエスト行にそのまま書いてくるのでaccess_logには残りますが、mod_securityがパースした後のREQUEST_URIには載らないようです。パース前のリクエスト行そのものを見るREQUEST_LINEや、加工前のREQUEST_URI_RAWなら引っかかる可能性があるので、バージョンアップの前にそちらを試す価値はあります。<\/p>\n<p>\u3000\u30d0\u30fc\u30b8\u30e7\u30f32.8\u4ee5\u4e0a\u3060\u3068FULL_REQUEST\u3068\u3044\u3046\u306e\u304c\u4f7f\u3048\u308b\u307f\u305f\u3044\u306a\u306e\u3067\u3001\u3053\u308c\u3060\u3063\u305f\u3089\u3067\u304d\u308b\u304b\u3082\u3057\u308c\u307e\u305b\u3093\u3002<\/p>\n<h2>\u7d50\u5c40IP\u3067\u62d2\u5426<\/h2>\n<p>\u3000\u7d50\u5c40\u3001\u666e\u901a\u306bIP\u3067\u62d2\u5426\u3059\u308b\u3053\u3068\u306b\u3057\u307e\u3057\u305f\u3002\u3060\u3063\u305f\u3089\u666e\u901a\u306e\u30d5\u30a1\u30a4\u30a2\u30a6\u30a9\u30fc\u30eb\u306e\u8a2d\u5b9a\u3067\u3044\u3044\u3058\u3083\u3093\u3068\u3044\u3046\u6c17\u3082\u3057\u305f\u306e\u3067\u3059\u304c\u3001\u305b\u3063\u304b\u304f\u5165\u308c\u305f\u306e\u3067mod_security\u3067\u8a2d\u5b9a\u3002<\/p>\n<p>\u3000\u3055\u304d\u307b\u3069\u306eactivated_rules\u306e\u4e2d\u306b\u30d5\u30a1\u30a4\u30eb\u3092\u4f5c\u3063\u3066\u3001<\/p>\n<pre><code>SecRule REMOTE_ADDR \"@ipMatch  192.187.xxx.xxx\" \"block,msg:'Wordpress Exploit access',id:150013,severity:'2'\"\n<\/code><\/pre>\n<p>\u3053\u3093\u306a\u611f\u3058\u3067IP\u6307\u5b9a\u3057\u307e\u3057\u305f\u3002\u8907\u6570\u3042\u308b\u5834\u5408\u306f\u8907\u6570\u884c\u6307\u5b9a\u304c\u5fc5\u8981\u3067\u3059\u304c\u3001id:\u306e\u5f8c\u308d\u306e\u6570\u5024\u306f\u88ab\u3089\u306a\u3044\u3088\u3046\u306b\u3059\u308b\u5fc5\u8981\u304c\u3042\u308a\u307e\u3059\u3002service httpd 
graceful\u3057\u305f\u3068\u304d\u306b\u30a8\u30e9\u30fc\u304c\u51fa\u307e\u3059\u3002<\/p>\n<p>　このルールの書き方について補足。<code>block<\/code> は SecDefaultAction で決めた動作を実行するだけなので、SecDefaultAction が pass(検知のみ)になっている設定では素通りします。確実に止めたいなら <code>deny,status:403,log<\/code> を明示し、接続元IPだけで判定するルールなので <code>phase:1<\/code> も付けておくとリクエストボディを読む前に拒否できます。id については、mod_securityのリファレンスでは 1〜99,999 がローカル用に予約されていて、150013 のような 100,000〜199,999 は modsecurity.org で配布されるルール用とされているので、自前ルールは 1〜99,999 の範囲に収めておくとCRSなどと衝突しません。例: <code>SecRule REMOTE_ADDR \"@ipMatch 192.187.xxx.xxx\" \"phase:1,deny,status:403,log,msg:'Wordpress Exploit access',id:15013,severity:'2'\"<\/code><\/p>\n<h2>\u3081\u3093\u3069\u3046\u306a\u306e\u3067\u81ea\u52d5\u5316\u3059\u308b<\/h2>\n<p>\u3000\u304b\u306a\u308a\u8352\u6280\u306a\u306e\u3067\u304a\u52e7\u3081\u306f\u3057\u307e\u305b\u3093\u304cIP\u8ffd\u52a0\u3057\u3066\u3044\u304f\u306e\u304c\u9762\u5012\u306a\u306e\u3067\u81ea\u52d5\u5316\u3057\u307e\u3057\u305f\u3002\u4e0b\u624b\u3059\u308b\u3068\u81ea\u5206\u3082\u30c8\u30e9\u30c3\u30d7\u306b\u5f15\u3063\u304b\u304b\u308b\u304b\u3082\u3057\u308c\u306a\u3044\u3057\u3001\u6b63\u5e38\u306a\u30a2\u30af\u30bb\u30b9\u3082\u30c8\u30e9\u30c3\u30d7\u3059\u308b\u304b\u3082\u3057\u308c\u306a\u3044\u306e\u3067\u8981\u6ce8\u610f\u3002<\/p>\n<p>　注意点をもう少し具体的に書いておきます。(1) スクリプトが拾っている $1 が接続元IPなのは、Apache標準の common/combined 形式(先頭が %h)で HostnameLookups が Off のときだけです。リバースプロキシやCDNの後ろにいる場合は先頭がプロキシのIPになるので全員を遮断してしまいますし、X-Forwarded-For のような外から来た値を先頭に出す LogFormat だと、攻撃者が送ってきた文字列がそのまま Apache の設定ファイルに書き込まれます。(2) 生成した conf が壊れていると graceful で Apache が上がらなくなりうるので、末尾を <code>&amp;&amp; httpd -t &amp;&amp; service httpd graceful<\/code> のように設定チェックを通してから反映するほうが安全です。<\/p>\n<p>\u3044\u304d\u306a\u308a\u3067\u3059\u304c\u3053\u3093\u306a\u30b9\u30af\u30ea\u30d7\u30c8\u3092\u7d44\u3093\u3067\/etc\/cron.hourly\u306b\u7a81\u3063\u8fbc\u3093\u3067chmod +x\u3057\u307e\u3057\u305f\u3002<\/p>\n<pre><code>#!\/bin\/bash\ncat \/var\/log\/httpd\/access_log | grep -E \"chosen\\+nickname\" | awk -F \" \" '{print $1}' | sort | uniq -c | awk -F \" \" '{if ($1&gt;1) print \"SecRule REMOTE_ADDR \\\"@ipMatch \"$2\"\\\" \\\"block,msg:\\047Wordpress Exploit access\\047,id:\"15000+NR\",severity:\\0472\\047\\\"\"}' &gt; \/etc\/httpd\/modsecurity.d\/activated_rules\/modsecurity_chosen_nickname.conf;service httpd graceful\n<\/code><\/pre>\n<p>[\u8ffd\u8a18]<br \/>\nTwitter\u3067awk\u306e\u6b63\u5f0f\u306a\u4f7f\u3044\u65b9\u6559\u3048\u3066\u9802\u304d\u307e\u3057\u305f!<\/p>\n<pre><code>#!\/bin\/bash\nawk -F \" \" '\/chosen\\+nickname\/ {print $1}' \/var\/log\/httpd\/access_log | sort | uniq -c | awk -F \" \" '{if ($1&gt;1) print \"SecRule REMOTE_ADDR \\\"@ipMatch \"$2\"\\\" \\\"block,msg:\\047Wordpress Exploit access\\047,id:\"15000+NR\",severity:\\0472\\047\\\"\"}' &gt; \/etc\/httpd\/modsecurity.d\/activated_rules\/modsecurity_chosen_nickname.conf;service httpd 
graceful\n<\/code><\/pre>\n<p>AWK\u306f\u30d1\u30bf\u30fc\u30f3\u3068\u51e6\u7406\u3092\u30bb\u30c3\u30c8\u3067\u66f8\u304f\u306e\u304c\u57fa\u672c\u3068\u306e\u3053\u3068\u3067\u3001\u3053\u3093\u306a\u611f\u3058\u3067\u5225\u3067grep\u3057\u3066\u30d1\u30a4\u30d7\u3067\u6e21\u3057\u3066\u3044\u305f\u6761\u4ef6\u3092awk\u306e\u4e2d\u306b\u5165\u308c\u8fbc\u307f\u307e\u3057\u305f\u3002\u3046\u3080\u3001\u30b7\u30f3\u30d7\u30eb\u306b\u306a\u3063\u305f\u3002<\/p>\n<p>\u3053\u308c\u304c\u5b9f\u884c\u3055\u308c\u308b\u3068\u3053\u3093\u306a\u5185\u5bb9\u306e\u30d5\u30a1\u30a4\u30eb\u304c\u81ea\u52d5\u3067\u3067\u304d\u3042\u304c\u308a\u307e\u3059\u3002<\/p>\n<pre><code>SecRule REMOTE_ADDR \"@ipMatch 66.117.9.90\" \"block,msg:'Wordpress Exploit access',id:15037,severity:'2'\"\nSecRule REMOTE_ADDR \"@ipMatch 66.117.9.99\" \"block,msg:'Wordpress Exploit access',id:15038,severity:'2'\"\nSecRule REMOTE_ADDR \"@ipMatch 68.64.166.2\" \"block,msg:'Wordpress Exploit access',id:15039,severity:'2'\"\nSecRule REMOTE_ADDR \"@ipMatch 74.91.23.100\" \"block,msg:'Wordpress Exploit access',id:15041,severity:'2'\"\n<\/code><\/pre>\n<p>\u7c21\u5358\u306b\u3084\u3063\u3066\u308b\u3053\u3068\u3092\u66f8\u304f\u3068\u2026<\/p>\n<ol>\n<li>Apach\u306e\u30ed\u30b0\u304b\u3089chosen+nickname\u306e\u884c\u3092\u629c\u304d\u51fa\u3057<\/li>\n<li>awk\u3067\u30b9\u30da\u30fc\u30b9\u3067\u4e00\u884c\u3092\u5206\u5272\u3057\u3066\u4e00\u756a\u76ee($1)\u306b\u3042\u308bIP\u3092\u62bd\u51fa<\/li>\n<li>sort \u3068 
uniq\u3067IP\u6bce\u306e\u30a2\u30af\u30bb\u30b9\u56de\u6570\u3092\u51fa\u3059<\/li>\n<li>\u518d\u5ea6awk\u3067\u56de\u6570($1)\u304c1\u3088\u308a\u5927\u304d\u3044(\u3064\u307e\u308a2\u56de\u6765\u3084\u304c\u3063\u305f\u5834\u5408\u3084\u3063\u3064\u3051\u308b)IP($2)\u3060\u3051\u629c\u304d\u51fa\u3057<\/li>\n<li>awk\u306eprint\u3067mod_security\u306e\u30eb\u30fc\u30eb\u6587\u5b57\u5217\u3092\u751f\u6210<\/li>\n<li>activated_rules\u306e\u4e2d\u306b\u30eb\u30fc\u30eb\u30d5\u30a1\u30a4\u30eb\u3092\u4e0a\u66f8\u304d<\/li>\n<li>service httpd graceful\u3067\u8a2d\u5b9a\u53cd\u6620(\u5272\u3068\u4e71\u66b4)<\/li>\n<\/ol>\n<p>\u3053\u3093\u306a\u611f\u3058\u3067\u3059\u3002awk\u4fbf\u5229!<\/p>\n<p>awk\u306e\u4e2d\u3067\u4f7f\u3063\u3066\u3044\u308bNR\u306f\u884c\u756a\u53f7\u3067\u3001\u3053\u308c\u3092\u4f7f\u3063\u3066\u88ab\u3089\u306a\u3044ID\u3092\u63a1\u756a\u3057\u3066\u3044\u307e\u3059\u3002\u300c\\047\u300d\u306f\u30b7\u30f3\u30b0\u30eb\u30af\u30a9\u30fc\u30c6\u30fc\u30b7\u30e7\u30f3\u3067\u3059\u3002<\/p>\n<p>\u3061\u306a\u307f\u306bawk\u3068\u304bMac\u306e\u30bf\u30fc\u30df\u30ca\u30eb\u3067\u666e\u901a\u306b\u4f7f\u3048\u308b\u306e\u3067\u3001\u4f7f\u3044\u3053\u306a\u305b\u308b\u3068\u30c6\u30ad\u30b9\u30c8\u51e6\u7406\u3068\u304b\u4fbf\u5229\u3067\u3059\u3088\u3002<\/p>\n<p>\u3000cron.hourly\u306b\u7a81\u3063\u8fbc\u3093\u3067\u5b9f\u884c\u6a29\u9650\u3092\u4e0e\u3048\u308b\u3053\u3068\u3067\u3001\u3053\u308c\u304c\u4e00\u6642\u9593\u306b\u4e00\u56de\u5b9f\u884c\u3055\u308c\u3066\u3069\u3093\u3069\u3093\u30b9\u30d1\u30e0\u696d\u8005\u304c\u30d5\u30a3\u30eb\u30bf\u3055\u308c\u3066\u3044\u304d\u307e\u3059\u3002\u4eca\u306e\u6240\u3001\u3046\u307e\u304f\u52d5\u3044\u3066\u7d9a\u3005\u3068\u30d5\u30a3\u30eb\u30bf\u306b\u8ffd\u52a0\u3055\u308c\u3066\u3044\u3063\u3066\u307e\u3059\u3002\u3057\u3081\u3057\u3081(\u7b11)<\/p>\n<p>\u3000Apache\u306e\u30ed\u30b0\u30d5\u30a1\u30a4\u30eb\u306f1\u65e5\u3067\u30ed\u30fc\u30c6\u30b7\u30e7\u30f3\u3055\u308c\u3066\u3001\u307
e\u3063\u3055\u3089\u306b\u306a\u308b\u306e\u3067\u3001\u4e00\u65e5\u3054\u3068\u306b\u3053\u306e\u30eb\u30fc\u30eb\u306f\u307e\u3063\u3055\u3089\u306b\u306a\u308a\u307e\u3059\u3002\u3068\u308a\u3042\u3048\u305a\u3053\u308c\u3067\u904b\u7528\u3057\u3066\u3001\u30a4\u30de\u30a4\u30c1\u3060\u3063\u305f\u3089\u3001\u4e00\u9031\u9593\u6bce\u306e\u30af\u30ea\u30a2\u3059\u308b\u306a\u3069\u306b\u5909\u3048\u3088\u3046\u3068\u601d\u3044\u307e\u3059\u3002<\/p>\n<h2>\u3053\u306e\u8a18\u4e8b\u3092\u30a2\u30c3\u30d7\u3059\u308b\u3068\u304d\u306b\u30a8\u30e9\u30fc(\u7b11)<\/h2>\n<p>\u3000\u4eca\u56de\u306e\u8a18\u4e8b\u3092MarsEdit\u304b\u3089\u30a2\u30c3\u30d7\u30ed\u30fc\u30c9\u3057\u3088\u3046\u3068\u3057\u305f\u3089<\/p>\n<blockquote><p>\n  Request body no files data length is larger than the configured limit 131072).. Deny with code (413)\n<\/p><\/blockquote>\n<p>\u3000\u3063\u3066\u6b62\u3081\u3089\u308c\u305f(\u7b11)<\/p>\n<p>\u3000\u30d5\u30a1\u30a4\u30eb\u3092\u9664\u3044\u305f\u30c7\u30fc\u30bf\u304c131072\u30d0\u30a4\u30c8\u3092\u8d85\u3048\u305f\u304b\u3089\u3089\u3057\u3044\u3002\u53b3\u3057\u3044\u306a\u3041(\u7b11)<\/p>\n<pre><code>\/etc\/httpd\/conf.d\/mod_security.conf\n<\/code><\/pre>\n<p>\u306e<\/p>\n<pre><code>RequestBodyNoFilesLimit 131072\n<\/code><\/pre>\n<p>\u3000\u3053\u3053\u3092\u5909\u66f4\u3057\u305f\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u3000\u306a\u305c\u304b\u6700\u8fd1\u3001\u3044\u307e\u3055\u3089\u300cWindows Vista\u300d\u3092\u30cd\u30bf\u306b\u3057\u305f\u8a18\u4e8b\u304c\u305a\u3063\u3068\u30a2\u30af\u30bb\u30b9\u4e0a\u4f4d\u306b\u6765\u308b\u306e\u3067\u8abf\u3079\u305f\u3089\u4e0d\u6b63\u30a2\u30af\u30bb\u30b9\u306e\u5146\u5019\u3067\u3057\u305f\u3002 \u3000\u6700\u65b0\u30d0\u30fc\u30b8\u30e7\u30f3\u306eWordPress\u3092\u4f7f\u3063\u3066\u3044\u308b\u306e\u3067\u5b9f\u5bb3\u306f\u306a\u3044\u3067\u3059\u304c\u3001\u30e9\u30f3\u30ad\u30f3\u30b0\u304c\u304a\u304b 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":9269,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_crdt_document":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[8,59,28],"tags":[532,513,341,533,131],"class_list":["post-9268","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","category-mac-2","category-website","tag-awk","tag-linux","tag-mod-security","tag-533","tag-131"],"aioseo_notices":[],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/a-tak.com\/blog\/wp-content\/uploads\/2014\/05\/mod-security1.png?fit=1140%2C902&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/a-tak.com\/blog\/wp-json\/wp\/v2\/posts\/9268","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/a-tak.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/a-tak.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/a-tak.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/a-tak.com\/blog\/wp-json\/wp\/v2\/comments?post=9268"}],"version-history":[{"count":0,"href":"https:\/\/a-tak.com\/blog\/wp-json\/wp\/v2\/posts\/9268\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/a-tak.com\/blog\/wp-json\/wp\/v2\/media\/9269"}],"wp:attachment":[{"href":"https:\/\/a-tak.com\/blog\/wp-json\/wp\/v2\/media?parent=9268"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/a-tak.com\/blog\/wp-json\/wp\/v2\/categories?post=9268"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/a-tak.com\/blog\/wp-json\/wp\/v2\/tags?post=9268"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}