
Applying mod_security2 to Apache httpd

Board: APM | Views: 972 | Likes: 0 | Posted 2017.02.09 09:45:12

Download the modsecurity source (2.9.1 was the current 2.x release when this was written; later 2.9.x tarballs follow the same URL pattern)

cd /usr/src/
wget https://www.modsecurity.org/tarball/2.9.1/modsecurity-2.9.1.tar.gz
tar zxvf modsecurity-2.9.1.tar.gz

 

Compile the modsecurity source (the apxs, apr and apr-util paths point at this site's own Apache build under /apm/server/apache; adjust them if your layout differs)
cd modsecurity-2.9.1/
./configure --with-apxs=/apm/server/apache/httpd/bin/apxs --with-apr=/apm/server/apache/apr/ --with-apu=/apm/server/apache/apr-util-1.5.4/

make

 

Copy the module into the httpd modules directory

cp apache2/.libs/mod_security2.so /apm/server/apache/httpd/modules/

 

Download the OWASP Core Rule Set (CRS)
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
cd owasp-modsecurity-crs/

 

Copy the ruleset into the httpd config tree. Note that rules/ also contains REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example and RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example; the *.conf include below skips them until they are renamed to .conf, and they are the intended place for local rule exclusions.
cp crs-setup.conf.example /apm/server/config/extra/crs-setup.conf
cp -R rules /apm/server/config/extra/

 

Enable the module in httpd.conf (the modules/ path is relative to ServerRoot)

vi /apm/server/config/httpd.conf

LoadModule security2_module modules/mod_security2.so
<IfModule security2_module>
Include /apm/server/config/extra/crs-setup.conf
Include /apm/server/config/extra/rules/*.conf
</IfModule>

Caveat: this only loads the CRS. The built-in default of mod_security2 is SecRuleEngine Off, and the engine settings (SecRuleEngine, SecRequestBodyAccess, SecAuditLog, the unicode.mapping reference, ...) live in modsecurity.conf-recommended, which ships in the 2.9.1 tarball next to unicode.mapping. Copy it to /apm/server/config/extra/modsecurity.conf, set SecRuleEngine On, and Include it before crs-setup.conf, as the v3 procedure further down this page does; otherwise httpd starts, the rules load, and no request is inspected.

 

Restart httpd

systemctl restart apache.service

apache.service is this site's own unit for the /apm build; a stock CentOS httpd is httpd.service. Run a configuration syntax check (httpd -t with the /apm/server/apache/httpd/bin/httpd binary) before restarting, because a typo in any included rule file keeps httpd from starting at all.
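As an added check for the procedure above (example code written for this edit, not part of the original post or of ModSecurity): a small POSIX shell script that follows the Include directives of an httpd.conf and reports which SecRuleEngine value is actually in effect. It reproduces this page's layout with constructed one-line stand-ins for each file in a temporary directory, so it runs offline, touches nothing under /apm and does not need httpd. The rule it encodes, last directive wins and the module default is Off, is ModSecurity's own behaviour; the file names and contents are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not code from the original post or from ModSecurity): report
# which SecRuleEngine value an httpd configuration actually ends up with.
#
# mod_security2's built-in default is "SecRuleEngine Off". A httpd.conf that
# includes crs-setup.conf and rules/*.conf but never modsecurity.conf loads the
# CRS and starts cleanly while inspecting nothing. This script follows Include
# directives (absolute paths, shell globs, as on this page) from a top-level
# file, collects every SecRuleEngine directive in load order and reports the
# last one, which is the one httpd applies. All files are written to a temp dir.

# Print every SecRuleEngine value reachable from config file $1, in load order.
# $2 is a recursion depth guard. Relative Include paths would be resolved
# against the current directory here (httpd uses ServerRoot).
modsec_engine_values() {
    [ -r "$1" ] || return 0
    [ "${2:-0}" -lt 8 ] || return 0
    grep -iE '^[[:space:]]*(SecRuleEngine|Include|IncludeOptional)[[:space:]]' "$1" |
    while read -r directive arg; do
        case "$(printf '%s' "$directive" | tr '[:upper:]' '[:lower:]')" in
            secruleengine) printf '%s\n' "$arg" ;;
            include|includeoptional)
                for f in $arg; do   # unquoted on purpose: expand the glob
                    modsec_engine_values "$f" $(( ${2:-0} + 1 ))
                done ;;
        esac
    done
}

# Effective mode: the last directive wins; with none at all, the module
# default (Off) applies.
modsec_effective_engine() {
    last=$(modsec_engine_values "$1" | tail -n 1)
    if [ -n "$last" ]; then
        printf '%s\n' "$last"
    else
        printf 'Off (built-in default: no SecRuleEngine directive found)\n'
    fi
}

# Write a minimal httpd.conf to $1 with the given lines inside <IfModule>.
modsec_write_httpd_conf() {
    out=$1; shift
    {
        printf 'LoadModule security2_module modules/mod_security2.so\n'
        printf '<IfModule security2_module>\n'
        for line in "$@"; do printf '%s\n' "$line"; done
        printf '</IfModule>\n'
    } > "$out"
}

# Three variants of this page's layout under scratch dir $1 (constructed
# contents, a one-line stand-in for each real file):
#   httpd-a.conf  the post's block as written: no modsecurity.conf at all
#   httpd-b.conf  modsecurity.conf-recommended included but left unchanged
#   httpd-c.conf  as b, plus an explicit "SecRuleEngine On" after the includes
modsec_write_demo_layouts() {
    d=$1
    mkdir -p "$d/extra/rules"
    printf 'SecRuleEngine DetectionOnly\nSecRequestBodyAccess On\n' > "$d/extra/modsecurity.conf"
    printf 'SecDefaultAction "phase:1,log,auditlog,pass"\n' > "$d/extra/crs-setup.conf"
    printf 'SecMarker BEGIN-DEMO-RULES\n' > "$d/extra/rules/REQUEST-901-INITIALIZATION.conf"
    modsec_write_httpd_conf "$d/httpd-a.conf" \
        "Include $d/extra/crs-setup.conf" "Include $d/extra/rules/*.conf"
    modsec_write_httpd_conf "$d/httpd-b.conf" \
        "Include $d/extra/modsecurity.conf" "Include $d/extra/crs-setup.conf" \
        "Include $d/extra/rules/*.conf"
    modsec_write_httpd_conf "$d/httpd-c.conf" \
        "Include $d/extra/modsecurity.conf" "Include $d/extra/crs-setup.conf" \
        "Include $d/extra/rules/*.conf" "SecRuleEngine On"
}

modsec_demo() {
    tmp=$(mktemp -d)
    modsec_write_demo_layouts "$tmp"
    for v in a b c; do
        printf 'httpd-%s.conf -> %s\n' "$v" "$(modsec_effective_engine "$tmp/httpd-$v.conf")"
    done
    rm -rf "$tmp"
}
modsec_demo
```

Point modsec_effective_engine at the real /apm/server/config/httpd.conf to check the live configuration; variant a is exactly what the block above produces and comes out as Off, variant b shows that copying modsecurity.conf-recommended without editing it leaves you in DetectionOnly, and variant c shows the ordering rule.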

 

[Screenshot: mod-se.png]
ModSecurity v3 (libmodsecurity) with the ModSecurity-apache connector

The second procedure on this page builds libmodsecurity 3 and the mod_security3 connector instead of mod_security2, for the same /apm layout (note that the config directory is /apm/server/conf here rather than /apm/server/config).

Build dependencies

cd /usr/src/

yum update

 

CentOS 7

yum install gcc-c++ flex bison yajl curl-devel curl zlib-devel pcre-devel autoconf automake git curl make libxml2-devel pkgconfig libtool redhat-rpm-config

yum install yajl-devel GeoIP-data GeoIP-devel lmdb-devel ssdeep-devel lua-devel

 

CentOS 8

yum install gcc-c++ flex bison yajl curl-devel curl zlib-devel pcre-devel autoconf automake git curl make libxml2-devel pkgconfig libtool redhat-rpm-config

 
dnf --enablerepo=PowerTools install yajl-devel doxygen lmdb-devel ssdeep-devel lua-devel

(On CentOS 8.3 and later the repository id is lowercase: --enablerepo=powertools.)

 

GeoIP is optional for libmodsecurity; only the @geoLookup operator and the CRS geo rules need it. If the enabled repositories have no GeoIP-devel, the legacy GeoIP packages can be fetched from the CERT forensics repository:

yum install GeoIP-data GeoIP-devel

wget https://forensics.cert.org/centos/cert/8/x86_64//GeoIP-devel-1.6.12-5.el8.x86_64.rpm

wget https://forensics.cert.org/centos/cert/8/x86_64//GeoIP-1.6.12-5.el8.x86_64.rpm

wget https://forensics.cert.org/centos/cert/8/x86_64//GeoIP-GeoLite-data-2018.06-3.el8.noarch.rpm

The install lines below name the remi builds (1.6.12-4.el8.remi) rather than the CERT builds just downloaded (1.6.12-5.el8); install whichever set is actually on disk, and the file names must match exactly (yum accepts all three on one command line, so ordering is not an issue). Note also that the bundled GeoLite data is a 2018 snapshot of MaxMind's discontinued legacy database and will never be refreshed.

yum install GeoIP-GeoLite-data-2018.06-2.el8.remi.noarch.rpm

yum install GeoIP-1.6.12-4.el8.remi.x86_64.rpm

yum install GeoIP-devel-1.6.12-4.el8.remi.x86_64.rpm

 

 

Build libmodsecurity

git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity

 

cd ModSecurity

 

git submodule init

git submodule update

 

./build.sh

./configure

build.sh only generates the configure script. The default --prefix is /usr/local/modsecurity, which is the path handed to the connector's --with-libmodsecurity below, so leave it unless you change both.

 

make

make install

 

cd ..

Build the Apache connector (mod_security3)

git clone https://github.com/SpiderLabs/ModSecurity-apache

 

cd ModSecurity-apache

./autogen.sh

./configure --with-libmodsecurity=/usr/local/modsecurity/ --with-apxs=/apm/server/apache/httpd/bin/apxs --with-apache=/apm/server/apache/httpd/bin/httpd

 

make

make install

 

Install the module

mkdir /apm/server/conf/ext

cp src/.libs/mod_security3.so /apm/server/conf/ext/

(For a packaged httpd the equivalent of the LoadModule edit below, kept here for reference, would be:)
#echo "LoadModule security3_module /usr/lib64/httpd/modules/mod_security3.so" | sudo tee -a /etc/httpd/conf/httpd.conf

 

Enable the module in httpd.conf

vi /apm/server/conf/httpd.conf

LoadModule security3_module /apm/server/conf/ext/mod_security3.so

<IfModule security3_module>
        modsecurity on
        modsecurity_rules_file /apm/server/conf/extra/rules.conf
</IfModule>

With v3 the Sec* directives are no longer Apache directives: modsecurity on and modsecurity_rules_file belong to the connector, and a SecRule placed directly in httpd.conf is rejected as an unknown command. Everything ModSecurity-specific goes into the file modsecurity_rules_file points at.

 

 

Create the rules file the connector loads (order matters: engine settings first, then CRS setup, then the rules)

vi /apm/server/conf/extra/rules.conf

Include /apm/server/conf/extra/modsecurity.conf
Include /apm/server/conf/extra/crs-setup.conf
Include /apm/server/conf/extra/rules/*.conf

 

Install the recommended engine configuration and the unicode map (paths are relative to the ModSecurity-apache checkout, with the ModSecurity checkout beside it in /usr/src)

cp ../ModSecurity/modsecurity.conf-recommended /apm/server/conf/extra/modsecurity.conf

cp ../ModSecurity/unicode.mapping /apm/server/conf/extra/

vi /apm/server/conf/extra/modsecurity.conf

Change two lines:

SecRuleEngine DetectionOnly -> SecRuleEngine On

SecAuditLog /var/log/modsec_audit.log -> SecAuditLog /apm/server/apache/httpd/logs/modsec_audit.log

DetectionOnly logs what would have been blocked without blocking it, so on a production site run with it first against real traffic and switch to On only once the audit log shows no false positives you care about.

 

 

 

 

The same two edits as non-interactive sed one-liners, written for a packaged-httpd layout (/etc/httpd/conf.d/modsecurity.d); substitute the /apm paths above before using them here:

#sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/httpd/conf.d/modsecurity.d/modsecurity.conf

#sed -i 's#/var/log/modsec_audit.log#/var/log/httpd/modsec_audit.log#' /etc/httpd/conf.d/modsecurity.d/modsecurity.conf

 

 

 

 

Download and copy the OWASP Core Rule Set

cd ..

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git

cd owasp-modsecurity-crs/

cp crs-setup.conf.example /apm/server/conf/extra/crs-setup.conf

cp -R rules /apm/server/conf/extra/

 

 

 

 

Restart httpd (after a syntax check, as before)

systemctl restart apache.service

 

 

 

 

 

 

 

 

 

Test that blocking works by sending a request with an obvious command-injection payload (the ? is quoted so the shell does not try to expand it as a glob):

curl 'localhost/index.html?exec=/bin/bash'

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /index.html
on this server.</p>
</body></html>

A 403 Forbidden means the CRS is loaded and the engine is blocking. Check that a plain request for the same page still returns 200; if it does not, the 403 is coming from somewhere else.

 

You can also check the ModSecurity audit log at the SecAuditLog path set above. The sample below was captured on a packaged-httpd layout, which is why the file paths in it are under /etc/httpd/conf.d/modsecurity.d; on the /apm layout they appear under /apm/server/conf/extra/rules/ instead.

tail /apm/server/apache/httpd/logs/modsec_audit.log

ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:exec' (Value: `/bin/bash' ) [file "/etc/httpd/conf.d/modsecurity.d/owasp-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "488"] [id "932160"] [rev ""] [msg "Remote Command Execution: Unix Shell Code Found"] [data "Matched Data: bin/bash found within ARGS:exec: /bin/bash"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION"] [tag "WASCTC/WASC-31"] [tag "OWASP_TOP_10/A1"] [tag "PCI/6.5.2"] [hostname "cent7.example.com"] [uri "/index.html"] [unique_id "156978926276.295922"] [ref "o1,8v21,9t:urlDecodeUni,t:cmdLine,t:normalizePath,t:lowercase"]

ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/httpd/conf.d/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "79"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "cent7.example.com"] [uri "/index.html"] [unique_id "156978926276.295922"] [ref ""]

ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:INBOUND_ANOMALY_SCORE' (Value: `5' ) [file "/etc/httpd/conf.d/modsecurity.d/owasp-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "76"] [id "980130"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=5,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [tag "event-correlation"] [hostname "cent7.example.com"] [uri "/index.html"] [unique_id "156978926276.295922"] [ref ""]

Reading the three lines: 932160 (the unix-shell.data match on ARGS:exec) is the detection rule; its severity 2 (CRITICAL) adds 5 to the inbound anomaly score. 949110 then compares that score with the inbound threshold, 5 by default in crs-setup.conf, and issues the 403, and 980130 is the correlation rule that records the per-category breakdown (RCE=5). That completes the libmodsecurity + Apache setup on CentOS 7/8. Tune the CRS through crs-setup.conf (paranoia level, thresholds) and the 900/999 exclusion files rather than by editing the rule files, so that a CRS update does not overwrite local changes.
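The following is an added example (written for this edit, not code from the original post or from the ModSecurity or CRS projects) showing how to triage lines like the three above before tuning. It works on a constructed three-line sample log in the same format as the page's output; the hostname, file paths and the local rule id 10001 in it are assumptions, and the ctl:ruleRemoveTargetById exclusion it emits is the standard CRS pattern for a confirmed false positive, not something to apply to the /bin/bash hit above, which is a true positive.

```shell
#!/bin/sh
# Added example (not code from the original post or from the ModSecurity/CRS
# projects): triage helpers for "ModSecurity: ..." lines like the three above.
# Given one request's unique_id they report which detection rules fired, the
# total anomaly score that tripped the 403, and the variable each rule matched,
# which is what decides between "true positive" and "write a narrow exclusion".
# The sample log is constructed from the format shown on this page (one
# request, three lines); its hostname and file paths are made up.

MODSEC_SAMPLE_LOG=$(mktemp)
trap 'rm -f "$MODSEC_SAMPLE_LOG"' EXIT
cat > "$MODSEC_SAMPLE_LOG" <<'EOF'
ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:exec' (Value: `/bin/bash' ) [file "/apm/server/conf/extra/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "488"] [id "932160"] [msg "Remote Command Execution: Unix Shell Code Found"] [data "Matched Data: bin/bash found within ARGS:exec: /bin/bash"] [severity "2"] [hostname "www.example.com"] [uri "/index.html"] [unique_id "156978926276.295922"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/apm/server/conf/extra/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "79"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "2"] [hostname "www.example.com"] [uri "/index.html"] [unique_id "156978926276.295922"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:INBOUND_ANOMALY_SCORE' (Value: `5' ) [file "/apm/server/conf/extra/rules/RESPONSE-980-CORRELATION.conf"] [line "76"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=5,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [severity "0"] [hostname "www.example.com"] [uri "/index.html"] [unique_id "156978926276.295922"]
EOF

# Every line ModSecurity wrote for one request: all of them carry its unique_id.
modsec_lines_for() {   # $1 = log file, $2 = unique_id
    grep -F "[unique_id \"$2\"]" "$1"
}

# unique_ids of every request that was actually denied, one per line.
modsec_denied_requests() {   # $1 = log file
    grep 'ModSecurity: Access denied' "$1" |
    sed -n 's/.*\[unique_id "\([^"]*\)"\].*/\1/p' | sort -u
}

# Ids of the detection rules that fired, without the CRS bookkeeping rules:
# 949xxx (inbound blocking evaluation), 959xxx (outbound evaluation) and 980xxx
# (correlation) only report the score; excluding them would disable blocking.
modsec_detection_ids() {   # $1 = log file, $2 = unique_id
    modsec_lines_for "$1" "$2" |
    sed -n 's/.*\[id "\([0-9]*\)"\].*/\1/p' |
    grep -Ev '^(949|959|980)[0-9]{3}$'
}

# "Total Score: N" from rule 949110, i.e. the inbound anomaly score that was
# compared against the threshold (the parameter of the Ge operator).
modsec_total_score() {   # $1 = log file, $2 = unique_id
    modsec_lines_for "$1" "$2" |
    sed -n 's/.*\[id "949110"\].*Total Score: \([0-9]*\).*/\1/p'
}

# The variable one rule matched (ARGS:exec here): a false-positive exclusion
# should name exactly this target instead of removing the whole rule.
modsec_matched_variable() {   # $1 = log file, $2 = unique_id, $3 = rule id
    modsec_lines_for "$1" "$2" | grep -F "[id \"$3\"]" |
    sed -n "s/.*against variable \`\([^']*\)'.*/\1/p"
}

# Emit a CRS-style exclusion for a confirmed false positive: the rule stays
# active everywhere except for one variable under one URI prefix. Ids 1-99999
# are reserved for local rules. Save the output in
# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf so it runs before the CRS rules.
modsec_exclusion_snippet() {   # $1 = rule id, $2 = variable, $3 = URI prefix, $4 = local id
    printf 'SecRule REQUEST_URI "@beginsWith %s" \\\n' "$3"
    printf '    "id:%s,phase:1,pass,nolog,ctl:ruleRemoveTargetById=%s;%s"\n' "$4" "$1" "$2"
}

# Walk the sample: which requests were blocked, and why.
for req in $(modsec_denied_requests "$MODSEC_SAMPLE_LOG"); do
    printf 'request %s: score %s, detection rules: %s\n' "$req" \
        "$(modsec_total_score "$MODSEC_SAMPLE_LOG" "$req")" \
        "$(modsec_detection_ids "$MODSEC_SAMPLE_LOG" "$req" | tr '\n' ' ')"
    for id in $(modsec_detection_ids "$MODSEC_SAMPLE_LOG" "$req"); do
        printf '  rule %s matched %s\n' "$id" \
            "$(modsec_matched_variable "$MODSEC_SAMPLE_LOG" "$req" "$id")"
    done
done
# Only if triage decides a hit was a false positive (not the case for /bin/bash):
modsec_exclusion_snippet 932160 ARGS:exec /index.html 10001
```

Against the real log, replace MODSEC_SAMPLE_LOG with the SecAuditLog path from modsecurity.conf and run the functions on the unique_id of a blocked request; the detection ids and matched variables are what you review, while 949110 and 980130 only tell you the score crossed the threshold. The exclusion narrows a single rule to a single variable on a single path, which is the least privilege you can grant a false positive; removing the rule globally with SecRuleRemoveById would blind the whole site to that attack class.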

 
