modsecurity 소스 다운로드
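# Fetch the ModSecurity 2.9.1 source tarball into /usr/src and unpack it.
cd /usr/src/ || exit 1
wget https://www.modsecurity.org/tarball/2.9.1/modsecurity-2.9.1.tar.gz || exit 1
# Check the archive against the digest published with the release before
# unpacking it; a from-source WAF build is only as trustworthy as the download.
# <EXPECTED_SHA256> is a placeholder — take the value from the release page.
printf '%s  %s\n' '<EXPECTED_SHA256>' modsecurity-2.9.1.tar.gz | sha256sum -c - || exit 1
tar zxvf modsecurity-2.9.1.tar.gz || exit 1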
modsecurity 소스 컴파일
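# Build mod_security2 against the Apache/APR tree installed under /apm/server/apache.
# Every step is checked so a failed configure does not silently fall through to make.
cd modsecurity-2.9.1/ || exit 1
./configure \
  --with-apxs=/apm/server/apache/httpd/bin/apxs \
  --with-apr=/apm/server/apache/apr/ \
  --with-apu=/apm/server/apache/apr-util-1.5.4/ || exit 1
make || exit 1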
modsecurity 모듈복사
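# Copy the freshly built module next to the other httpd modules; `--` keeps the
# path from being parsed as an option and the copy failure aborts the walkthrough.
cp -- apache2/.libs/mod_security2.so /apm/server/apache/httpd/modules/ || exit 1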
modsecurity 룰셋 다운로드
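# Fetch the OWASP Core Rule Set. A bare clone tracks whatever the default branch
# is today; for a reproducible, reviewable rule deployment pin a release tag with
# `-b <CRS_RELEASE_TAG>` (placeholder — pick the tag from the CRS releases).
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git || exit 1
cd owasp-modsecurity-crs/ || exit 1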
modsecurity 룰셋 복사
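# Stage the CRS setup file and the rule directory under the httpd config tree.
# mkdir -p makes the step safe when extra/ does not exist yet or on a re-run.
mkdir -p -- /apm/server/config/extra || exit 1
cp -- crs-setup.conf.example /apm/server/config/extra/crs-setup.conf || exit 1
cp -R -- rules /apm/server/config/extra/ || exit 1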
modsecurity httpd 적용
# Open the main httpd config and add the LoadModule line and the
# <IfModule security2_module> block shown below.
vi /apm/server/config/httpd.conf
LoadModule security2_module modules/mod_security2.so
<IfModule security2_module>
# NOTE(review): only crs-setup.conf and the CRS rule files are included here;
# nothing in this v2 section sets SecRuleEngine (modsecurity.conf-recommended is
# only copied in the v3 section further down) — confirm the engine is actually
# enabled, otherwise the rules load but never block.
Include /apm/server/config/extra/crs-setup.conf
Include /apm/server/config/extra/rules/*.conf
</IfModule>
httpd 재시작
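# Validate the configuration before restarting so a typo in httpd.conf or a
# rule file does not take the server down; only restart when the check passes.
/apm/server/apache/httpd/bin/httpd -t || exit 1
systemctl restart apache.service || exit 1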
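# Second part of the page: libmodsecurity (v3) build. Work from /usr/src again
# and bring the system up to date first.
cd /usr/src/ || exit 1
yum update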
CentOS7
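# Build dependencies for libmodsecurity (v3) on CentOS 7 (the original list named
# `curl` twice; it is listed once here).
yum install gcc-c++ flex bison yajl curl curl-devel zlib-devel pcre-devel autoconf automake git make libxml2-devel pkgconfig libtool redhat-rpm-config || exit 1
# Optional operators/backends: yajl (JSON), GeoIP, LMDB, ssdeep (fuzzy hashing), Lua.
yum install yajl-devel GeoIP-data GeoIP-devel lmdb-devel ssdeep-devel lua-devel || exit 1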
CentOS8
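# Build dependencies for libmodsecurity (v3) on CentOS 8 (the original list named
# `curl` twice; it is listed once here).
yum install gcc-c++ flex bison yajl curl curl-devel zlib-devel pcre-devel autoconf automake git make libxml2-devel pkgconfig libtool redhat-rpm-config || exit 1
# GeoIP from the stock repos; presumably this reports "no package available" on
# CentOS 8, which is why the RPMs are fetched by hand below — not aborted on.
yum install GeoIP-data GeoIP-devel
# The original page downloaded the -5.el8 builds from forensics.cert.org but then
# tried to install -4.el8.remi files that were never fetched; install the files
# that were actually downloaded. Check their signatures first (rpm -K) so an
# unsigned or tampered package is rejected before it lands on the system — the
# repository's signing key must be imported beforehand
# (rpm --import <REPO_GPG_KEY_URL>, placeholder).
wget https://forensics.cert.org/centos/cert/8/x86_64//GeoIP-devel-1.6.12-5.el8.x86_64.rpm || exit 1
wget https://forensics.cert.org/centos/cert/8/x86_64//GeoIP-1.6.12-5.el8.x86_64.rpm || exit 1
wget https://forensics.cert.org/centos/cert/8/x86_64//GeoIP-GeoLite-data-2018.06-3.el8.noarch.rpm || exit 1
rpm -K GeoIP-GeoLite-data-2018.06-3.el8.noarch.rpm GeoIP-1.6.12-5.el8.x86_64.rpm GeoIP-devel-1.6.12-5.el8.x86_64.rpm || exit 1
yum install GeoIP-GeoLite-data-2018.06-3.el8.noarch.rpm || exit 1
yum install GeoIP-1.6.12-5.el8.x86_64.rpm || exit 1
yum install GeoIP-devel-1.6.12-5.el8.x86_64.rpm || exit 1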
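# Build libmodsecurity (v3). A --depth 1 clone of a moving branch (v3/master) is
# not reproducible; for a production WAF pin a release tag instead
# (`-b <MODSECURITY_V3_TAG>`, placeholder) so the deployed code can be audited
# and rebuilt later.
git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity || exit 1
cd ModSecurity || exit 1
git submodule init || exit 1
git submodule update || exit 1
./build.sh || exit 1
./configure || exit 1
make || exit 1
# Presumably installs under /usr/local/modsecurity, the prefix the Apache
# connector build below is pointed at — TODO confirm against configure's output.
make install || exit 1
cd .. || exit 1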
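# Build the Apache connector for libmodsecurity. NOTE(review): this connector has
# historically been published as experimental — confirm its current status before
# relying on it in production.
git clone https://github.com/SpiderLabs/ModSecurity-apache || exit 1
cd ModSecurity-apache || exit 1
./autogen.sh || exit 1
./configure \
  --with-libmodsecurity=/usr/local/modsecurity/ \
  --with-apxs=/apm/server/apache/httpd/bin/apxs \
  --with-apache=/apm/server/apache/httpd/bin/httpd || exit 1
make || exit 1
make install || exit 1
# Keep a copy of the connector under the httpd config tree, where httpd.conf
# loads it from; mkdir -p makes a re-run safe.
mkdir -p -- /apm/server/conf/ext || exit 1
cp -- src/.libs/mod_security3.so /apm/server/conf/ext/ || exit 1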
# The commented alternative below is written for a distro-packaged httpd
# (/etc/httpd/conf, /usr/lib64/httpd/modules); this install uses
# /apm/server/conf and /apm/server/conf/ext, so the paths do not apply as written.
#echo "LoadModule security3_module /usr/lib64/httpd/modules/mod_security3.so" | sudo tee -a /etc/httpd/conf/httpd.conf
# Open the main httpd config and add the LoadModule line and the
# <IfModule security3_module> block shown below.
vi /apm/server/conf/httpd.conf
LoadModule security3_module /apm/server/conf/ext/mod_security3.so
<IfModule security3_module>
# Turn the engine on at server scope and load the whole rule chain from one
# file, so the include order (engine config, CRS setup, CRS rules) lives in
# a single place (rules.conf is created below).
modsecurity on
modsecurity_rules_file /apm/server/conf/extra/rules.conf
</IfModule>
# Create the rule-chain file referenced by modsecurity_rules_file in httpd.conf.
vi /apm/server/conf/extra/rules.conf
# Order matters: modsecurity.conf carries the engine-wide directives
# (SecRuleEngine, SecAuditLog — edited below), crs-setup.conf configures the
# CRS, and the individual rule files come last.
Include /apm/server/conf/extra/modsecurity.conf
Include /apm/server/conf/extra/crs-setup.conf
Include /apm/server/conf/extra/rules/*.conf
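# Start from the recommended engine config shipped in the source tree.
# unicode.mapping is copied alongside it — presumably because modsecurity.conf
# refers to it by a relative name; TODO confirm in the copied file.
cp -- ../ModSecurity/modsecurity.conf-recommended /apm/server/conf/extra/modsecurity.conf || exit 1
cp -- ../ModSecurity/unicode.mapping /apm/server/conf/extra/ || exit 1
# Apply the two edits listed below (engine mode and audit log location).
vi /apm/server/conf/extra/modsecurity.conf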
`SecRuleEngine DetectionOnly` -> `SecRuleEngine On` (DetectionOnly logs matches without blocking; switch to On once the audit log shows no false positives for your application, since On rejects every matching request)
`SecAuditLog /var/log/modsec_audit.log` -> `SecAuditLog /apm/server/apache/httpd/logs/modsec_audit.log` (the directory must be writable by the httpd user; the audit log records full request and response data, so keep it readable only by root and the httpd user)
# Non-interactive equivalents of the two edits above, written for a distro-packaged
# layout (/etc/httpd/conf.d/modsecurity.d and /var/log/httpd). On this install the
# file is /apm/server/conf/extra/modsecurity.conf and the log path chosen above is
# /apm/server/apache/httpd/logs/modsec_audit.log — adjust both before using them.
#sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/httpd/conf.d/modsecurity.d/modsecurity.conf
#sed -i 's#/var/log/modsec_audit.log#/var/log/httpd/modsec_audit.log#' /etc/httpd/conf.d/modsecurity.d/modsecurity.conf
# Back to /usr/src for the CRS checkout.
cd ..
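# Fetch the OWASP Core Rule Set and stage it where rules.conf includes it from.
# Pin a release tag (`-b <CRS_RELEASE_TAG>`, placeholder) rather than the moving
# default branch so the deployed rule set is reproducible and reviewable.
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git || exit 1
cd owasp-modsecurity-crs/ || exit 1
mkdir -p -- /apm/server/conf/extra || exit 1
cp -- crs-setup.conf.example /apm/server/conf/extra/crs-setup.conf || exit 1
cp -R -- rules /apm/server/conf/extra/ || exit 1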
httpd 재시작
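# Validate the configuration (including the freshly included rule files) before
# restarting; only restart when the check passes.
/apm/server/apache/httpd/bin/httpd -t || exit 1
systemctl restart apache.service || exit 1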
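# Smoke-test the WAF with a request the CRS RCE rules should flag. The URL is
# quoted so the shell does not treat `?` as a glob character. Expect a 403 when
# SecRuleEngine is On (with DetectionOnly the page is served and only logged).
curl 'localhost/index.html?exec=/bin/bash'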
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /index.html
on this server.</p>
</body></html>
If you see a 403 Forbidden response, it means you have nailed it.
You can also check the ModSecurity logs:
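# Read the audit log from where SecAuditLog points in modsecurity.conf
# (/apm/server/apache/httpd/logs/modsec_audit.log on this install — the
# /var/log/httpd path belongs to a distro-packaged httpd layout).
tail /apm/server/apache/httpd/logs/modsec_audit.log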
ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:exec' (Value: `/bin/bash' ) [file "/etc/httpd/conf.d/modsecurity.d/owasp-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "488"] [id "932160"] [rev ""] [msg "Remote Command Execution: Unix Shell Code Found"] [data "Matched Data: bin/bash found within ARGS:exec: /bin/bash"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION"] [tag "WASCTC/WASC-31"] [tag "OWASP_TOP_10/A1"] [tag "PCI/6.5.2"] [hostname "cent7.example.com"] [uri "/index.html"] [unique_id "156978926276.295922"] [ref "o1,8v21,9t:urlDecodeUni,t:cmdLine,t:normalizePath,t:lowercase"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/httpd/conf.d/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "79"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "cent7.example.com"] [uri "/index.html"] [unique_id "156978926276.295922"] [ref ""]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:INBOUND_ANOMALY_SCORE' (Value: `5' ) [file "/etc/httpd/conf.d/modsecurity.d/owasp-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "76"] [id "980130"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=5,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [tag "event-correlation"] [hostname "cent7.example.com"] [uri "/index.html"] [unique_id "156978926276.295922"] [ref ""]
Well, there you go and that is it on our guide on how to install LibModsecurity with Apache on Fedora 30/29/CentOS 7. Feel free to set up more rules as you wish and protect your web application.
Reference: