A colleague at work, Eduardo, had a small task this past week: install ModSecurity 2.6.7 on a Red Hat Linux 5.7 server that did not have all the prerequisites. The nice part is that he produced a very good how-to, which is reproduced below. Here it is:

Red Hat EL 5.7 x64: the machine must be registered with RHN so that you can use the package manager. Of course there are alternatives. 🙂

Apache 2.2.22
modsecurity-2.6.7
modsecurity-crs_2.2.5 -> free rule set, downloadable from OWASP

The trick: packages that need to be installed with YUM:

curl
curl-devel
libxml
libxml-devel
expat
expat-devel
pcre
pcre-devel
lua
lua-devel
lua-static

How-to:

 1) Installing Apache.

# tar xzvf httpd-2.2.22.tar.gz

# ./configure --prefix=/app/apache/oif/httpd-2.2.22 --with-mpm=worker --enable-so --enable-proxy --enable-proxy-connect --enable-proxy-ftp --enable-proxy-http --enable-headers --enable-rewrite --enable-status --enable-info --enable-deflate --enable-mem-cache --enable-cache --enable-ssl --with-ssl=/app/ssl/openssl/bin/ --with-pcre=/usr/bin/pcre-config --enable-unique-id --enable-mods-shared=all
# make
# make install

 2) Compiling mod_security

# tar xzvf modsecurity-apache_2.6.7.tar.gz

# ./configure --prefix=/app/modsecurity-2.6.7 --with-apxs=/app/apache/oif/httpd-2.2.22/bin/apxs --with-apr=/app/apache/oif/httpd-2.2.22/bin/apr-1-config --with-apu=/app/apache/oif/httpd-2.2.22/bin/apu-1-config --with-lua --with-pcre=/usr/bin/pcre-config --with-curl=/usr/bin/curl-config
# make
# make install

Copying the module into Apache:

# cp -prf /app/modsecurity-2.6.7/lib/mod_security2.so /app/apache/oif/httpd-2.2.22/modules/

3) Configuring modsecurity-crs:

Creating the modsecurity-crs directory structure:

# tar xzvf modsecurity-crs_2.2.5.tar.gz

# mkdir -p /app/apache/oif/httpd-2.2.22/conf/modsecurity/crs

# cp -prf /app/packages/modsecurity-crs_2.2.5/* /app/apache/oif/httpd-2.2.22/conf/modsecurity/crs/

Creating the ACL whitelist:

# touch /app/apache/oif/httpd-2.2.22/conf/modsecurity/whitelist.conf

4) Configuring mod_security:

# cp -prf /app/packages/modsecurity-apache_2.6.7/modsecurity.conf-recommended /app/apache/oif/httpd-2.2.22/conf/modsecurity/modsecurity.conf

# cp -prf /app/apache/oif/httpd-2.2.22/conf/modsecurity/crs/modsecurity_crs_10_setup.conf.example /app/apache/oif/httpd-2.2.22/conf/modsecurity/crs/modsecurity_crs_10_setup.conf

Configuring the ACLs (every file in base_rules/, .conf and .data alike, gets a symlink in activated_rules/):

# cd /app/apache/oif/httpd-2.2.22/conf/modsecurity/crs/
# for f in base_rules/*; do ln -s "../base_rules/${f##*/}" "activated_rules/${f##*/}"; done

Creating the file that Apache will load:

# touch /app/apache/oif/httpd-2.2.22/conf/modsecurity/modsecurity.load

Insert the following content:

# Load the modules and libraries ModSecurity needs in order to work
LoadFile /usr/lib64/libxml2.so
LoadFile /usr/lib64/liblua-5.1.so
LoadModule security2_module modules/mod_security2.so

<IfModule security2_module>
    Include conf/modsecurity/modsecurity.conf
    Include conf/modsecurity/whitelist.conf
    Include conf/modsecurity/crs/modsecurity_crs_10_setup.conf
    Include conf/modsecurity/crs/activated_rules/*.conf
</IfModule>

Insert these entries in httpd.conf:

# Include modsecurity
Include conf/modsecurity/modsecurity.load

Configuring the file /app/apache/oif/httpd-2.2.22/conf/modsecurity/modsecurity.conf

 

Change the parameter below. This is important: it is what makes ModSecurity do its job, blocking the attacks its rules detect.

FROM:

SecRuleEngine DetectionOnly

TO:

SecRuleEngine On

Change the parameter below to have more control over the logs.

FROM:

SecAuditLog /var/log/modsec_audit.log

TO:

SecAuditLog /logs/apache/oif/modsecurity/modsec_audit.log

 
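Before moving on to step 5, this is the sanity check I would run after a manual build like this one. It is an added example, not part of the original how-to. It assumes the directory layout built above (the Apache ServerRoot is passed as the first argument, with conf/modsecurity/ beneath it) and reports the things that most often go wrong: the module not copied into modules/, a missing include file, SecRuleEngine left at DetectionOnly (which only logs and never blocks), dangling symlinks in activated_rules/, and a SecAuditLog directory that does not exist or is not writable.

```shell
#!/bin/sh
# Post-install sanity check for the ModSecurity layout used in this how-to.
# Added example, not part of the original how-to. The layout under $1 is
# assumed to match the one built above: modules/, conf/modsecurity/, crs/.

# Print the effective SecRuleEngine value from a modsecurity.conf
# (the last occurrence wins, as in Apache), or "missing" if it is not set.
engine_mode() {
    sed -n 's/^[[:space:]]*SecRuleEngine[[:space:]][[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" \
        | tail -n 1 | grep . || echo missing
}

# Count symlinks in a directory whose target no longer exists.
dangling_links() {
    n=0
    for f in "$1"/*; do
        [ -L "$f" ] && [ ! -e "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Count the *.conf files (links or regular files) Apache will include.
active_rule_count() {
    ls "$1"/*.conf 2>/dev/null | wc -l | tr -d ' '
}

# The SecAuditLog directory must exist and be writable, or Apache fails to start.
audit_log_dir_ok() {
    logfile=$(sed -n 's/^[[:space:]]*SecAuditLog[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | tail -n 1)
    [ -n "$logfile" ] && [ -d "$(dirname "$logfile")" ] && [ -w "$(dirname "$logfile")" ]
}

# Run every check against an Apache ServerRoot; return 0 only if all pass.
verify_install() {
    root=$1; modsec=$root/conf/modsecurity; rc=0
    [ -f "$root/modules/mod_security2.so" ] || { echo "FAIL: mod_security2.so not in $root/modules"; rc=1; }
    for f in modsecurity.load modsecurity.conf whitelist.conf crs/modsecurity_crs_10_setup.conf; do
        [ -f "$modsec/$f" ] || { echo "FAIL: missing $modsec/$f"; rc=1; }
    done
    mode=$(engine_mode "$modsec/modsecurity.conf")
    [ "$mode" = On ] || { echo "FAIL: SecRuleEngine is '$mode', expected On (DetectionOnly logs but does not block)"; rc=1; }
    n=$(dangling_links "$modsec/crs/activated_rules")
    [ "$n" -eq 0 ] || { echo "FAIL: $n dangling symlinks in activated_rules"; rc=1; }
    [ "$(active_rule_count "$modsec/crs/activated_rules")" -gt 0 ] || { echo "FAIL: no rules activated"; rc=1; }
    audit_log_dir_ok "$modsec/modsecurity.conf" || { echo "FAIL: SecAuditLog directory missing or not writable"; rc=1; }
    [ $rc -eq 0 ] && echo "OK: all checks passed"
    return $rc
}

# Usage: sh check_modsec.sh /app/apache/oif/httpd-2.2.22
if [ $# -gt 0 ]; then verify_install "$1"; fi
```

Run it as the user Apache is started by, so the writability test on the audit log directory reflects what httpd will actually see.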

 5) Testing / starting Apache

# apachectl -t
# apachectl start

 

Logs: checking that everything is working as planned and configured.

[Fri Aug 24 15:49:03 2012] [notice] ModSecurity for Apache/2.6.7 (http://www.modsecurity.org/) configured.
[Fri Aug 24 15:49:03 2012] [notice] ModSecurity: APR compiled version="1.4.5"; loaded version="1.4.5"
[Fri Aug 24 15:49:03 2012] [notice] ModSecurity: PCRE compiled version="6.6 "; loaded version="6.6 06-Feb-2006"
[Fri Aug 24 15:49:03 2012] [notice] ModSecurity: LUA compiled version="Lua 5.1"
[Fri Aug 24 15:49:03 2012] [notice] ModSecurity: LIBXML compiled version="2.6.26"

 

 6) How to perform a test:

Create a file named teste.cfg in the vhost's htdocs.

Contents of teste.cfg:

<p>TESTE</p>

Open http://site/teste.cfg in the browser; something like this should appear:

Forbidden

You don't have permission to access /teste.cfg on this server.

 

Analyzing the logs:

# less /logs/apache/oif/modsecurity/modsec_audit.log

Message: Access denied with code 403 (phase 2). String match within ".asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/" at TX:extension. [file "/app/apache/oif/httpd-2.2.22/conf/modsecurity/crs/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "88"] [id "960035"] [msg "URL file extension is restricted by policy"] [data ".cfg"] [severity "CRITICAL"] [tag "POLICY/EXT_RESTRICTED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
Action: Intercepted (phase 2)
Stopwatch: 1345833422962130 1764 (- - -)
Stopwatch2: 1345833422962130 1764; combined=832, p1=412, p2=365, p3=0, p4=0, p5=55, sr=106, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.6.7 (http://www.modsecurity.org/); OWASP_CRS/2.2.5.
Server: Apache

 

It worked. 🙂 The *.cfg extension is blocked by the ACL described above.
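Paging through modsec_audit.log with less is fine for one test request, but once the rule set is live you want a summary. The script below is an added example, not from the original post: it uses awk to summarise the native audit log format shown above (the --boundary-A-- section carries the client address, the -H- section carries the Message lines), giving blocked requests per rule id, blocked requests per client address, and hits that only logged a Warning, which is what every hit looks like while SecRuleEngine is still DetectionOnly. The sample log it ships with is constructed for the demo (documentation address ranges, made-up transaction ids); point it at the real file by passing the log path as the first argument.

```shell
#!/bin/sh
# Summarise a ModSecurity 2.x native audit log (the format shown above).
# Added example, not part of the original how-to. The sample log written by
# write_sample is constructed for this demo; the rule ids and messages mirror
# CRS 2.2.5 but the requests, clients and transaction ids are made up.

# Write a small constructed audit log with three transactions to $1.
write_sample() {
    cat > "$1" <<'EOF'
--aaaa0001-A--
[24/Aug/2012:15:57:02 --0300] TXID0001 192.0.2.10 52134 198.51.100.1 80
--aaaa0001-B--
GET /teste.cfg HTTP/1.1
Host: site
--aaaa0001-H--
Message: Access denied with code 403 (phase 2). String match within ".cfg/ .conf/" at TX:extension. [file "/app/apache/oif/httpd-2.2.22/conf/modsecurity/crs/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "88"] [id "960035"] [msg "URL file extension is restricted by policy"] [data ".cfg"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
--aaaa0001-Z--
--aaaa0002-A--
[24/Aug/2012:15:58:11 --0300] TXID0002 192.0.2.11 52140 198.51.100.1 80
--aaaa0002-B--
GET /config/app.cfg HTTP/1.1
Host: site
--aaaa0002-H--
Message: Access denied with code 403 (phase 2). String match within ".cfg/ .conf/" at TX:extension. [file "/app/apache/oif/httpd-2.2.22/conf/modsecurity/crs/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "88"] [id "960035"] [msg "URL file extension is restricted by policy"] [data ".cfg"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
--aaaa0002-Z--
--aaaa0003-A--
[24/Aug/2012:15:59:40 --0300] TXID0003 192.0.2.12 52150 198.51.100.1 80
--aaaa0003-B--
GET /index.html HTTP/1.1
Host: site
--aaaa0003-H--
Message: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/app/apache/oif/httpd-2.2.22/conf/modsecurity/crs/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "NOTICE"]
--aaaa0003-Z--
EOF
}

# Print "count id msg" for every rule that blocked a request, most frequent first.
denials_by_rule() {
    awk '
    /^Message: Access denied/ {
        id = "?"; msg = "?"
        if (match($0, /\[id "[^"]*"\]/))  id  = substr($0, RSTART + 5, RLENGTH - 7)
        if (match($0, /\[msg "[^"]*"\]/)) msg = substr($0, RSTART + 6, RLENGTH - 8)
        n[id " " msg]++
    }
    END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# Print "count client" for every client address that had a request blocked.
denied_clients() {
    awk '
    /^--[A-Za-z0-9]+-A--$/    { want = 1; next }       # the next line carries the client address
    want && /^\[/             { client = $4; want = 0 }
    /^Message: Access denied/ { n[client]++ }
    END { for (c in n) print n[c], c }' "$1" | sort -rn
}

# Number of rule hits that only logged (Warning) instead of blocking.
warning_count() {
    grep -c '^Message: Warning' "$1" || true
}

# Usage: sh audit_summary.sh /logs/apache/oif/modsecurity/modsec_audit.log
# With no argument the constructed sample is analysed instead.
if [ $# -gt 0 ]; then log=$1; else log=$(mktemp); write_sample "$log"; fi
echo "Blocked requests by rule:";   denials_by_rule "$log"
echo "Blocked requests by client:"; denied_clients "$log"
echo "Non-blocking warnings: $(warning_count "$log")"
```

A rule id that shows up at the top of the first list for legitimate traffic is the candidate for an exception in whitelist.conf; the second list is what you hand to whoever manages the perimeter.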