如何打造好用的ModSecurity系列 Part 1
如何打造好用的ModSecurity
一、 简介
ModSecurity 是一个 Web 应用程序防火墙 (WAF),并且具有一个强大的持续维护的规则库,其有以下优点。
-
实时监控和攻击检测
实时监控 HTTP 流量以检测攻击,并且提供可自定义的日志记录功能。
-
预防攻击和虚拟补丁
可以拦截利用已知漏洞进行的攻击,并且可以打虚拟补丁,对于一些异常的行为可以对其ip等进行打分行为,从而跟踪行为,最终判定是否拦截。
-
灵活的规则引擎
CRS(coreruleset)是ModSecurity体系的核心,规则体系强大并且灵活,下文也将重点介绍其规则体系。
-
嵌入式模式部署
ModSecurity 是一个嵌入式 Web 应用程序防火墙,这样可以缩小性能开销,并且对于https流量也能直接处理。
-
基于网络的部署
可以部署在反向代理服务器上,用于保护后端服务。
-
可移植性
能够用在各种操作系统上。
二、 安装
安装环境:Ubuntu18.04
1.1 Libmodsecurity
apt-get install g++ flex bison curl doxygen libyajl-dev libgeoip-dev libtool dh-autoreconf libcurl4-gnutls-dev libx ml2 libpcre++-dev libx ml2-dev
cd /opt/
git clone https://github.com/SpiderLabs/ModSecurity
cd ModSecurity/
git checkout -b v3/master origin/v3/master
sh build.sh
git submodule init
git submodule update #[for bindings/python, others/libinjection, test/test-cases/secrules-language-tests]
./configure
make
make install
include/lib文件位置:/usr/local/modsecurity
1.2 Nginx-modsecurity
安装带有modsec模块的Nginx
wget http://nginx.org/download/nginx-1.20.1.tar.gz
git clone https://github.com/SpiderLabs/ModSecurity-nginx.git
tar -zxvf nginx-1.20.1.tar.gz
cd nginx-1.20.1/
./configure --add-module=/root/modsecurity-nginx/ --prefix=/usr/local/nginx
make && make install
/usr/local/nginx/sbin/nginx -t # test
添加规则并配置Nginx
git clone https://github.com/coreruleset/coreruleset/
cd coreruleset/
cp crs-setup.conf.example crs-setup.conf
cp /root/ModSecurity/modsecurity.conf-recommended /usr/local/nginx/conf/modsecurity.conf
修改modsecurity.conf令其加载crs,增加两行
Include /root/coreruleset/crs-setup.conf
Include /root/coreruleset/rules/*.conf
需要直接进行拦截的话,修改SecRuleEngine
SecRuleEngine On
修改/usr/local/nginx/conf/nginx.con,使Nginx加载modsec并指定配置文件
server {
modsecurity on;
listen 1001;
server_name localhost;
#charset koi8-r;
#access_log logs/host.access.log main;
location / {
modsecurity_rules_file /usr/local/nginx/conf/modsecurity.conf;
root html;
index index.html index.htm;
}
}
启动
/usr/local/nginx/sbin/nginx
发现报错
nginx: [emerg] "modsecurity_rules_file" directive Rules error. File: /usr/local/nginx/conf/modsecurity.conf. Line: 236. Column: 17. Failed to locate the unicode map file from: unicode.mapping Looking at: 'unicode.mapping', 'unicode.mapping', '/usr/local/nginx/conf/unicode.mapping', '/usr/local/nginx/conf/unicode.mapping'. in /usr/local/nginx/conf/nginx.conf:45
cp /root/ModSecurity/unicode.mapping /usr/local/nginx/conf/
1.3 Apache2-modsecurity
apt update
apt install apache2
apt-get install libapache2-mod-security2
apache2配置文件
/etc/apache2/mods-enabled/security2.load #加载库
/etc/apache2/mods-enabled/security2.conf
<IfModule security2_module>
# Default Debian dir for modsecurity's persistent data
SecDataDir /var/cache/modsecurity
# Include all the *.conf files in /etc/modsecurity.
# Keeping your local configuration in that directory
# will allow for an easy upgrade of THIS file and
# make your life easier
IncludeOptional /etc/modsecurity/*.conf #加载modsec中配置文件
# Include OWASP ModSecurity CRS rules if installed
IncludeOptional /usr/share/modsecurity-crs/owasp-crs.load #加载规则
</IfModule>
modsec位置
/etc/modsecurity
crs位置
/usr/share/modsecurity-crs
启动apache即可开启modsec
如果安装最新crs,需要按照上面步骤下载,在/etc/apache2/mods-enabled/security2.conf中修改规则位置
IncludeOptional /root/coreruleset/*.conf
IncludeOptional /root/coreruleset/rules/*.conf
重启
systemctl restart apache2
- 测试拦截
测试post_body: a=/bin/bash
2.1 nginx log
/usr/local/nginx/logs/error.log
2021/06/03 15:50:25 [error] 29019#0: *13
[client 1.1.1.1]
ModSecurity: Access denied with code 403 (phase 2).
Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `8' )
[file "/root/coreruleset/rules/REQUEST-949-BLOCKING-E VALUATION.conf"]
[line "138"]
[id "949110"]
[rev ""]
[msg "Inbound Anomaly Score Exceeded (Total Score: 8)"]
[data ""]
[severity "2"]
[ver "OWASP_CRS/3.4.0-dev"]
[maturity "0"]
[accuracy "0"]
[tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "192.168.1.59"]
[uri "/"]
[unique_id "1622706625"]
[ref ""],
client: 1.1.1.1,
server: localhost,
request: "POST / HTTP/1.1",
host: "1.1.1.1:1001"
其他modsec详细分析日志,默认放在/var/log/modsec_audit.log
2.2 apache2 log
使用coreruleset规则
/etc/log/apache2/error.log
[Thu Jun 03 16:02:02.896289 2021] [:error] [pid 32696]
[client 1.1.1.1:37233] [client 1.1.1.1]
ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score.
[file "/root/coreruleset/rules/REQUEST-949-BLOCKING-E VALUATION.conf"]
[line "150"]
[id "949110"]
[msg "Inbound Anomaly Score Exceeded (Total Score: 8)"]
[severity "CRITICAL"]
[ver "OWASP_CRS/3.4.0-dev"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
[hostname "1.1.1.1"]
[uri "/"]
[unique_id "YLiMetbycvfIaMD669H-hwAAAAA"]
三、 参考
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v2.x%29#Introduction
http://www.modsecurity.cn/chm/
- 发表于 2021-07-16 14:11:01
- 阅读 ( 8976 )
- 分类:渗透测试
5 篇文章
