Use mod_security
2015/10/27
|
Use mod_security module to configure Web Application Firewall (WAF).
| |
[1] | Install mod_security. |
[root@www ~]#
yum -y install mod_security
|
[2] | After installing, config file is placed in the directory below and the setting is enabled. Some settings are already set in it and also you can add your own rules. |
[root@www ~]#
cat /etc/httpd/conf.d/mod_security.conf
<IfModule mod_security2.c> # ModSecurity Core Rules Set configuration IncludeOptional modsecurity.d/*.conf IncludeOptional modsecurity.d/activated_rules/*.conf # Default recommended configuration SecRuleEngine On SecRequestBodyAccess On SecRule REQUEST_HEADERS:Content-Type "text/xml" \ "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML" ..... .....
# iy you'd not like to block requests if matchs rules,
# specify change to the parameter "SecRuleEngine DetectionOnly" |
[3] |
It's possible to write a rule like follows.
⇒ SecRule VARIABLES OPERATOR [ACTIONS]
Each parameter has many kind of values, refer to official documents below.
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual |
[4] | For Exmaple, set some rules and verify it works normally. |
[root@www ~]#
vi /etc/httpd/modsecurity.d/activated_rules/rules-01.conf
# default action when matching rules
SecDefaultAction "phase:2,deny,log,status:406"
# "etc/passwd" is included in request URI
SecRule REQUEST_URI "etc/passwd" "id:'500001'"
# "../" is included in request URI
SecRule REQUEST_URI "\.\./" "id:'500002'"
# "<SCRIPT" is included in arguments
SecRule ARGS "<[Ss][Cc][Rr][Ii][Pp][Tt]" "id:'500003'"
# "SELECT FROM" is included in arguments
SecRule ARGS "[Ss][Ee][Ll][Ee][Cc][Tt][[:space:]]+[Ff][Rr][Oo][Mm]" "id:'500004'"
systemctl restart httpd
|
[5] | Access to the URI which includes words you set and verify it works normally. |
[6] | The logs for mod_security is placed in the directory like follows. |
[root@www ~]#
cat /var/log/httpd/modsec_audit.log
--75d36531-A-- [28/Oct/2015:13:52:52 +0900] VjBUpAKZ9yAFgyhKj8zyyAAAAAE 10.0.0.108 53545 10.0.0.31 80 --75d36531-B-- GET /?../../etc/passwd HTTP/1.1 Host: www.server.world User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive --75d36531-F-- HTTP/1.1 406 Not Acceptable Content-Length: 251 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 --75d36531-E-- --75d36531-H-- Message: Access denied with code 406 (phase 2). Pattern match "etc/passwd" at REQUEST_URI. [file "/etc/httpd/modsecurity.d/activated_rules/rules-01.conf"] [line "3"] [id "500001"] Action: Intercepted (phase 2) Stopwatch: 1446007972909468 1333 (- - -) Stopwatch2: 1446007972909468 1333; combined=418, p1=395, p2=17, p3=0, p4=0, p5=6, sr=116, sw=0, l=0, gc=0 Response-Body-Transformed: Dechunked Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/); OWASP_CRS/2.2.6. Server: Apache/2.4.6 (CentOS) Engine-Mode: "ENABLED" --75d36531-Z-- |
[7] | General rules are provided from official repository and it's easy to apply them like follows. But maybe you need to customize them for your own web sites not to block necessary requests. |
[root@www ~]#
yum -y install mod_security_crs
# rules are placed like follows
# they are linked into the directory /etc/httpd/modsecurity.d/activated_rules
[root@www ~]#
ll /usr/lib/modsecurity.d/base_rules
total 332 -rw-r--r-- 1 root root 1980 Jun 10 2014 modsecurity_35_bad_robots.data -rw-r--r-- 1 root root 386 Jun 10 2014 modsecurity_35_scanners.data -rw-r--r-- 1 root root 3928 Jun 10 2014 modsecurity_40_generic_attacks.data -rw-r--r-- 1 root root 2610 Jun 10 2014 modsecurity_41_sql_injection_attacks.data -rw-r--r-- 1 root root 2224 Jun 10 2014 modsecurity_50_outbound.data -rw-r--r-- 1 root root 56714 Jun 10 2014 modsecurity_50_outbound_malware.data -rw-r--r-- 1 root root 22861 Jun 10 2014 modsecurity_crs_20_protocol_violations.conf -rw-r--r-- 1 root root 6915 Jun 10 2014 modsecurity_crs_21_protocol_anomalies.conf -rw-r--r-- 1 root root 3792 Jun 10 2014 modsecurity_crs_23_request_limits.conf -rw-r--r-- 1 root root 6933 Jun 10 2014 modsecurity_crs_30_http_policy.conf -rw-r--r-- 1 root root 5394 Jun 10 2014 modsecurity_crs_35_bad_robots.conf -rw-r--r-- 1 root root 19157 Jun 10 2014 modsecurity_crs_40_generic_attacks.conf -rw-r--r-- 1 root root 43961 Jun 10 2014 modsecurity_crs_41_sql_injection_attacks.conf -rw-r--r-- 1 root root 87470 Jun 10 2014 modsecurity_crs_41_xss_attacks.conf -rw-r--r-- 1 root root 1795 Jun 10 2014 modsecurity_crs_42_tight_security.conf -rw-r--r-- 1 root root 3660 Jun 10 2014 modsecurity_crs_45_trojans.conf -rw-r--r-- 1 root root 2253 Jun 10 2014 modsecurity_crs_47_common_exceptions.conf -rw-r--r-- 1 root root 2787 Jun 10 2014 modsecurity_crs_48_local_exceptions.conf.example -rw-r--r-- 1 root root 1835 Jun 10 2014 modsecurity_crs_49_inbound_blocking.conf -rw-r--r-- 1 root root 22314 Jun 10 2014 modsecurity_crs_50_outbound.conf -rw-r--r-- 1 root root 1448 Jun 10 2014 modsecurity_crs_59_outbound_blocking.conf -rw-r--r-- 1 root root 2674 Jun 10 2014 modsecurity_crs_60_correlation.conf |
Nenhum comentário:
Postar um comentário