data:image/s3,"s3://crabby-images/73a6f/73a6f5250d476be6c049ee8f4e98a1b06d632e51" alt=""
data:image/s3,"s3://crabby-images/d0f42/d0f42ffb9db270694321803dbd68815964055724" alt=""
This post shows how to install and configure the ModSecurity Web Application Firewall on your system, together with Core Rule Set 2.2.0. The base operating system is CentOS 5.6.
- Install dependencies:
# yum install gcc openssl-devel openssl apr-util-devel apr-devel pcre pcre-devel libjpeg-devel gd-devel libpng-devel libjpeg gd libpng gettext gettext-devel libmcrypt-devel libmcrypt libxml2 libxml2-devel bison zlib zlib-devel bzip2 bzip2-devel libtool libtool-ltdl readline readline-devel ncurses ncurses-devel curl curl-devel
- Get the source codes:
- Apache: http://httpd.apache.org/download.cgi
- Lua: http://www.lua.org/ftp/lua-5.1.4.tar.gz
- ModSecurity: http://www.modsecurity.org/download/modsecurity-apache_2.6.1-rc1.tar.gz
- Core Rule Set: http://sourceforge.net/projects/mod-security/files/modsecurity-crs/0-CURRENT/
- Check the integrity of sources with md5sum or sha1sum
- Install Apache from source:
# ./configure --prefix=/var/www --enable-auth-digest --enable-mime-magic --enable-usertrack --enable-ssl --enable-http --disable-cgi --enable-vhost-alias --disable-userdir --enable-so --enable-unique-id --enable-rewrite --with-z --disable-dav --disable-proxy --enable-deflate --enable-expires --with-pcre=/usr/bin/pcre-config
# make
# make install
- Compile Lua:
# tar xvfz lua-5.1.4.tar.gz
# cd lua-5.1.4
# make all linux
# make install INSTALL_TOP=/usr/local/lua-5.1.4
# cd src
# rm -f lua.o luac.o print.o && gcc -shared -Wall -O2 -o liblua5.1.so *.o
# cp liblua5.1.so /usr/local/lua-5.1.4/lib
# ln -s /usr/local/lua-5.1.4 /usr/local/lua
# echo "/usr/local/lua/lib" >> /etc/ld.so.conf
# ldconfig
- Compile ModSecurity:
# tar xvfz modsecurity-apache_2.6.1-rc1.tar.gz
# cd modsecurity-apache_2.6.1-rc1
# ./configure --with-apxs=/var/www/bin/apxs --with-lua=/usr/local/lua
# make
# make install
- Install and configure Core Rule Set:
# mkdir /var/www/conf/modsecurity
# mkdir /var/www/conf/modsecurity/crs
# cp modsecurity-apache_2.6.1-rc1/modsecurity.conf-recommended /var/www/conf/modsecurity/modsecurity.conf
# touch /var/www/conf/modsecurity/whitelist.conf
# tar xvfz modsecurity-crs_2.2.0.tar.gz
# cp -a modsecurity-crs_2.2.0/* /var/www/conf/modsecurity/crs
# cd /var/www/conf/modsecurity/crs
# for f in base_rules/* ; do ln -s ../$f activated_rules/ ; done
# cp modsecurity_crs_10_config.conf.example modsecurity_crs_10_config.conf
# ln -s ../modsecurity_crs_10_config.conf activated_rules/
# ls -l activated_rules/   # check the symbolic links
- Configure Apache (httpd.conf):
LoadFile /usr/lib/libxml2.so.2
LoadFile /usr/local/lua/lib/liblua5.1.so
LoadModule security2_module modules/mod_security2.so
# CRS
<IfModule security2_module>
Include conf/modsecurity/modsecurity.conf
Include conf/modsecurity/whitelist.conf
Include conf/modsecurity/crs/modsecurity_crs_10_config.conf
Include conf/modsecurity/crs/activated_rules/*.conf
</IfModule>
- Edit modsecurity.conf:
SecRuleEngine On
SecAuditLog logs/modsec_audit.log
- Start Apache and check error_log:
[warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[notice] ModSecurity for Apache/2.6.1-rc1 (http://www.modsecurity.org/) configured.
[notice] ModSecurity: APR compiled version="1.2.7"; loaded version="1.2.7"
[notice] ModSecurity: PCRE compiled version="6.6"; loaded version="5.0 13-Sep-2004"
[notice] ModSecurity: LUA compiled version="Lua 5.1"
[notice] ModSecurity: LIBXML compiled version="2.6.26"
[notice] Digest: generating secret for digest authentication ...
[notice] Digest: done
- Test your ModSecurity:
Access a URL with a blocked extension, for example: http://server/test.sql
You will see this in the Apache error_log:
[error] [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). String match within ".asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/" at TX:extension. [file "/var/www/conf/modsecurity/crs/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "88"] [id "960035"] [msg "URL file extension is restricted by policy"] [data ".alq"] [severity "CRITICAL"] [tag "POLICY/EXT_RESTRICTED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "localhost"] [uri "/test.SQL"] [unique_id "Th8c038AAAEAAGugG2kAAAAD"]
Now your work is only just beginning: you have to test your application for false positives and false negatives.
If you use WordPress, Joomla, phpBB, etc., check the slr_rules directory. You have to enable those rules in httpd.conf.
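An added example (not from the original post) for the false-positive review the author asks for: a few POSIX shell helpers that summarise ModSecurity events in Apache's error_log by rule id and list the URIs each rule hit, run here against constructed log lines in the CRS 2.2.0 format shown above. Rule id 999001, the client addresses and the sample URIs are made up for this example; 960035 is the extension-policy rule from the post.

```shell
#!/bin/sh
# Constructed sample of Apache error_log lines in the ModSecurity/CRS 2.2.0
# format shown in the post. 960035 is the real extension-policy rule; 999001
# is a made-up id used only so the summary shows more than one rule.
MODSEC_SAMPLE='[Fri Jul 15 10:00:01 2011] [error] [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). String match within ".sql/ .bak/" at TX:extension. [file "/var/www/conf/modsecurity/crs/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "88"] [id "960035"] [msg "URL file extension is restricted by policy"] [severity "CRITICAL"] [hostname "localhost"] [uri "/test.sql"] [unique_id "constructed01"]
[Fri Jul 15 10:00:02 2011] [error] [client 10.0.0.5] ModSecurity: Access denied with code 403 (phase 2). String match within ".sql/ .bak/" at TX:extension. [file "/var/www/conf/modsecurity/crs/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "88"] [id "960035"] [msg "URL file extension is restricted by policy"] [severity "CRITICAL"] [hostname "localhost"] [uri "/backup.bak"] [unique_id "constructed02"]
[Fri Jul 15 10:00:03 2011] [error] [client 10.0.0.6] ModSecurity: Warning. Pattern match "example" at ARGS:q. [file "/var/www/conf/modsecurity/whitelist.conf"] [line "3"] [id "999001"] [msg "Constructed rule for this example"] [severity "WARNING"] [hostname "localhost"] [uri "/search.php"] [unique_id "constructed03"]
[Fri Jul 15 10:00:04 2011] [notice] Digest: done'

# Count how many ModSecurity events a given rule id produced (log text on stdin).
modsec_hits_for_rule() {
    grep -c "ModSecurity: .*\[id \"$1\"\]"
}

# List the distinct URIs that triggered a rule id, one per line. These are the
# requests to review by hand: a legitimate application path here points to a
# false positive, an unexpected one is what the rule exists to catch.
modsec_uris_for_rule() {
    grep "ModSecurity: .*\[id \"$1\"\]" |
        sed -n 's/.*\[uri "\([^"]*\)"\].*/\1/p' | sort -u
}

# Summarise all ModSecurity events as "<count> <id> | <msg>", most frequent
# rule first, so the noisiest rules get reviewed before the rest.
modsec_rule_summary() {
    grep 'ModSecurity: ' |
        sed -n 's/.*\[id "\([0-9]*\)"\].*\[msg "\([^"]*\)"\].*/\1 | \2/p' |
        sort | uniq -c | sort -rn
}

# Stand-alone run against the constructed sample; a real run would read
# /var/www/logs/error_log instead of the sample string.
printf '%s\n' "$MODSEC_SAMPLE" | modsec_rule_summary
printf '%s\n' "$MODSEC_SAMPLE" | modsec_uris_for_rule 960035
```

Once a rule is confirmed as a false positive for a specific path, the exclusion belongs in the whitelist.conf the post creates, not in the CRS files themselves, so that CRS upgrades do not overwrite it.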
2 comments:
Dude.. thank you very much for this post, it worked perfectly. Congratulations...
thanks for your solution