You cannot see this page without javascript.

Apache httpd mod_security2 적용

APM 조회 수 1020 추천 수 0 2017.02.09 09:45:12

modsecurity 소스 다운로드

cd /usr/src/
wget https://www.modsecurity.org/tarball/2.9.1/modsecurity-2.9.1.tar.gz
tar zxvf modsecurity-2.9.1.tar.gz

 

modsecurity 소스 컴파일
cd modsecurity-2.9.1/
./configure --with-apxs=/apm/server/apache/httpd/bin/apxs --with-apr=/apm/server/apache/apr/ --with-apu=/apm/server/apache/apr-util-1.5.4/

make

 

modsecurity 모듈복사

cp apache2/.libs/mod_security2.so /apm/server/apache/httpd/modules/

 

modsecurity 룰셋 다운로드
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
cd owasp-modsecurity-crs/

 

modsecurity 룰셋 복사
cp crs-setup.conf.example /apm/server/config/extra/crs-setup.conf
cp -R rules /apm/server/config/extra/

 

modsecurity httpd 적용

vi /apm/server/config/httpd.conf

LoadModule security2_module modules/mod_security2.so
<IfModule security2_module>
Include /apm/server/config/extra/crs-setup.conf
Include /apm/server/config/extra/rules/*.conf
</IfModule>

 

httpd 재시작

systemctl restart apache.service

 

mod-se.png

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

cd /usr/src/

 

yum update

 

CentOS7

yum install gcc-c++ flex bison yajl curl-devel curl zlib-devel pcre-devel autoconf automake git curl make libxml2-devel pkgconfig libtool redhat-rpm-config

yum install yajl-devel GeoIP-data GeoIP-devel lmdb-devel ssdeep-devel lua-devel

 

CentOS8

yum install gcc-c++ flex bison yajl curl-devel curl zlib-devel pcre-devel autoconf automake git curl make libxml2-devel pkgconfig libtool redhat-rpm-config

 
dnf --enablerepo=PowerTools install yajl-devel doxygen lmdb-devel ssdeep-devel lua-devel

 

yum install GeoIP-data GeoIP-devel

 

wget https://forensics.cert.org/centos/cert/8/x86_64//GeoIP-devel-1.6.12-5.el8.x86_64.rpm

wget https://forensics.cert.org/centos/cert/8/x86_64//GeoIP-1.6.12-5.el8.x86_64.rpm

wget https://forensics.cert.org/centos/cert/8/x86_64//GeoIP-GeoLite-data-2018.06-3.el8.noarch.rpm

 

yum install GeoIP-GeoLite-data-2018.06-2.el8.remi.noarch.rpm

yum install GeoIP-1.6.12-4.el8.remi.x86_64.rpm

yum install GeoIP-devel-1.6.12-4.el8.remi.x86_64.rpm

 

 

git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity

 

cd ModSecurity

 

git submodule init

git submodule update

 

./build.sh

./configure

 

make

make install

 

cd ..

git clone https://github.com/SpiderLabs/ModSecurity-apache

 

cd ModSecurity-apache

./autogen.sh

./configure --with-libmodsecurity=/usr/local/modsecurity/ --with-apxs=/apm/server/apache/httpd/bin/apxs --with-apache=/apm/server/apache/httpd/bin/httpd

 

make

make install

 

mkdir /apm/server/conf/ext

cp src/.libs/mod_security3.so /apm/server/conf/ext/

 

#echo "LoadModule security3_module /usr/lib64/httpd/modules/mod_security3.so" | sudo tee -a /etc/httpd/conf/httpd.conf

 

vi /apm/server/conf/httpd.conf

LoadModule security3_module /apm/server/conf/ext/mod_security3.so

 

<IfModule security3_module>

        modsecurity on

        modsecurity_rules_file /apm/server/conf/extra/rules.conf

</IfModule>

 

 

vi /apm/server/conf/extra/rules.conf

Include /apm/server/conf/extra/modsecurity.conf

Include /apm/server/conf/extra/crs-setup.conf

Include /apm/server/conf/extra/rules/*.conf

 

cp ../ModSecurity/modsecurity.conf-recommended /apm/server/conf/extra/modsecurity.conf

cp ../ModSecurity/unicode.mapping /apm/server/conf/extra/

 

vi /apm/server/conf/extra/modsecurity.conf

 

SecRuleEngine DetectionOnly -> SecRuleEngine On

SecAuditLog /var/log/modsec_audit.log -> SecAuditLog /apm/server/apache/httpd/logs/modsec_audit.log

 

 

 

 

#sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/httpd/conf.d/modsecurity.d/modsecurity.conf

#sed -i 's#/var/log/modsec_audit.log#/var/log/httpd/modsec_audit.log#' /etc/httpd/conf.d/modsecurity.d/modsecurity.conf

 

 

 

 

cd ..

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git

cd owasp-modsecurity-crs/

 

cp crs-setup.conf.example /apm/server/conf/extra/crs-setup.conf

cp -R rules /apm/server/conf/extra/

 

 

 

 

httpd 재시작

 

systemctl restart apache.service

 

 

 

 

 

 

 

 

 

curl localhost/index.html?exec=/bin/bash

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

<html><head>

<title>403 Forbidden</title>

</head><body>

<h1>Forbidden</h1>

<p>You don't have permission to access /index.html

on this server.</p>

</body></html>

If you see, 403 Forbidden then it means you have nailed it.

 

You can as well check Modsecurity logs;

 

tail /var/log/httpd/modsec_audit.log

ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:exec' (Value: `/bin/bash' ) [file "/etc/httpd/conf.d/modsecurity.d/owasp-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "488"] [id "932160"] [rev ""] [msg "Remote Command Execution: Unix Shell Code Found"] [data "Matched Data: bin/bash found within ARGS:exec: /bin/bash"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION"] [tag "WASCTC/WASC-31"] [tag "OWASP_TOP_10/A1"] [tag "PCI/6.5.2"] [hostname "cent7.example.com"] [uri "/index.html"] [unique_id "156978926276.295922"] [ref "o1,8v21,9t:urlDecodeUni,t:cmdLine,t:normalizePath,t:lowercase"]

ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/httpd/conf.d/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "79"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "cent7.example.com"] [uri "/index.html"] [unique_id "156978926276.295922"] [ref ""]

ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:INBOUND_ANOMALY_SCORE' (Value: `5' ) [file "/etc/httpd/conf.d/modsecurity.d/owasp-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "76"] [id "980130"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=5,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [tag "event-correlation"] [hostname "cent7.example.com"] [uri "/index.html"] [unique_id "156978926276.295922"] [ref ""]

Well, there you go and that is it on our guide on how to install LibModsecurity with Apache on Fedora 30/29/CentOS 7. Feel free to set up more rules as you wish and protect your web application.

 

Reference:

첨부
엮인글 :
List of Articles
번호 제목 글쓴이 날짜sort 조회 수
369 Windows7 OEM을 활용하여 클린설치 file [11] LynX 2010-11-06 765
368 Windows7 에서 시스템을 백업/복원하는 가장 쉬운 방법!! file LynX 2010-11-07 334
367 탐색기 메뉴에 '명령 프롬프트 열기'와 '메모장으로 열기' 추가하기 file [14] LynX 2010-11-08 591
366 인터넷 익스플로러 리플레쉬 file LynX 2011-05-02 286
365 활성 네트워크 중복으로 인한 인터넷 연결 안되는 문제 file [12] LynX 2011-05-26 971
364 32bit Driver을 64bi로 설치하기 [8] LynX 2011-06-21 325
363 설치파일(inf)에 대한 이해 [7] LynX 2011-06-22 598
362 inf 설치시 경고창 안뜨게 하기 file [10] LynX 2011-06-22 430
361 로우 포맷(Low level format, 저수준 포맷) 하기 file [11] LynX 2011-07-06 722
360 Win XP Crack file [8] LynX 2011-10-31 269
359 윈도우7 메모리 인식 문재 file [13] LynX 2011-11-30 530
358 RoundCube 첨부 용량 변경 / 한글 수정 [10] LynX 2012-01-31 836
357 윈도우7 알수없는장치 file [8] LynX 2012-03-13 270
356 디지털 서명 file [1] LynX 2012-03-15 445
355 아레한글 사용시 출력물에 음영이 나타나는 현상. file [11] LynX 2012-03-29 1154
354 Xyview DVR서버 연결 [8] LynX 2012-04-19 295
353 HP Officejet 6500A (Plus) 호환 드라이버 [8] LynX 2012-05-16 294
352 IIS에 FastCgi모듈 활성화 시키기 file [12] LynX 2012-11-21 1283
351 윈도우 2008서버에 XE 설치 절차 [9] LynX 2012-11-22 230
350 Windows Server 2012 설치 file LynX 2012-11-23 477

XE Login