A colleague at work, Eduardo, had a small task this past week: install ModSecurity 2.6.7 on a Red Hat Linux 5.7 server, but without all the prerequisites in place. The nice part is that he produced a very good how-to, which is presented below. Here it is:
Red Hat EL 5.7 x64: the server must be registered with RHN so that you can use the package manager. But of course there are alternatives 🙂
Apache 2.2.22
modsecurity-2.6.7
modsecurity-crs_2.2.5 -> free rules that can be downloaded from OWASP
The key detail: packages that must be installed using YUM:
curl
curl-devel
libxml
libxml-devel
expat
expat-devel
pcre
pcre-devel
lua
lua-devel
lua-static
How-to:
1) Installing Apache.
# tar xzvf httpd-2.2.22.tar.gz
# cd httpd-2.2.22
# ./configure --prefix=/app/apache/oif/httpd-2.2.22 --with-mpm=worker --enable-so --enable-proxy --enable-proxy-connect --enable-proxy-ftp --enable-proxy-http --enable-headers --enable-rewrite --enable-status --enable-info --enable-deflate --enable-mem-cache --enable-cache --enable-ssl --with-ssl=/app/ssl/openssl/bin/ --with-pcre=/usr/bin/pcre-config --enable-unique-id --enable-mods-shared=all
# make
# make install
2) Compiling ModSecurity
# tar xzvf modsecurity-apache_2.6.7.tar.gz
# cd modsecurity-apache_2.6.7
# ./configure --prefix=/app/modsecurity-2.6.7 --with-apxs=/app/apache/oif/httpd-2.2.22/bin/apxs --with-apr=/app/apache/oif/httpd-2.2.22/bin/apr-1-config --with-apu=/app/apache/oif/httpd-2.2.22/bin/apu-1-config --with-lua --with-pcre=/usr/bin/pcre-config --with-curl=/usr/bin/curl-config
# make
# make install
Copying the module into Apache:
# cp -prf /app/modsecurity-2.6.7/lib/mod_security2.so /app/apache/oif/httpd-2.2.22/modules/
3) Configuring modsecurity-crs:
Creating the modsecurity-crs directory structure:
# tar xzvf modsecurity-crs_2.2.5.tar.gz
# mkdir -p /app/apache/oif/httpd-2.2.22/conf/modsecurity/crs
# cp -prf /app/packages/modsecurity-crs_2.2.5/* /app/apache/oif/httpd-2.2.22/conf/modsecurity/crs/
Creating the ACL whitelist:
# touch /app/apache/oif/httpd-2.2.22/conf/modsecurity/whitelist.conf
4) Configuring ModSecurity:
# cp -prf /app/packages/modsecurity-apache_2.6.7/modsecurity.conf-recommended /app/apache/oif/httpd-2.2.22/conf/modsecurity/modsecurity.conf
# cp -prf /app/apache/oif/httpd-2.2.22/conf/modsecurity/crs/modsecurity_crs_10_setup.conf.example /app/apache/oif/httpd-2.2.22/conf/modsecurity/crs/modsecurity_crs_10_setup.conf
Configuring the ACLs (activating the CRS base rules via symlinks):
# cd /app/apache/oif/httpd-2.2.22/conf/modsecurity/crs/
# for f in base_rules/* ; do ln -s ../base_rules/"$(basename "$f")" activated_rules/ ; done
Creating the file that will be loaded by Apache:
# touch /app/apache/oif/httpd-2.2.22/conf/modsecurity/modsecurity.load
Insert the following content:
# Loading the modules and libraries ModSecurity needs;
LoadFile /usr/lib64/libxml2.so
LoadFile /usr/lib64/liblua-5.1.so
LoadModule security2_module modules/mod_security2.so
<IfModule security2_module>
Include conf/modsecurity/modsecurity.conf
Include conf/modsecurity/whitelist.conf
Include conf/modsecurity/crs/modsecurity_crs_10_setup.conf
Include conf/modsecurity/crs/activated_rules/*.conf
</IfModule>
Insert these entries into httpd.conf:
# Include modsecurity
Include conf/modsecurity/modsecurity.load
Configuring the file /app/apache/oif/httpd-2.2.22/conf/modsecurity/modsecurity.conf
Change the parameter below. Important: this is what makes ModSecurity do its job, blocking the attacks detected by its rules.
FROM:
SecRuleEngine DetectionOnly
TO:
SecRuleEngine On
Change the parameter below to gain more control over the logs
FROM:
SecAuditLog /var/log/modsec_audit.log
TO:
SecAuditLog /logs/apache/oif/modsecurity/modsec_audit.log
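As an added example (not part of Eduardo's how-to), the shell functions below script the two edits from step 4 against a copy of modsecurity.conf, read back the effective value of a directive, and check the Include order in modsecurity.load, because SecRuleRemoveById exceptions placed in whitelist.conf only take effect when that file is included after the rules they reference. The function names and the sample file contents are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): script and verify the step 4 edits.

# Effective value of a directive: the last non-comment occurrence wins.
modsec_directive() {   # usage: modsec_directive SecRuleEngine /path/modsecurity.conf
    grep -v '^[[:space:]]*#' "$2" | awk -v d="$1" '$1 == d { v = $2 } END { print v }'
}

# Apply the how-to's two changes to $1 and write the result to $2 (original untouched).
modsec_harden() {
    sed -e 's|^SecRuleEngine DetectionOnly|SecRuleEngine On|' \
        -e 's|^SecAuditLog /var/log/modsec_audit.log|SecAuditLog /logs/apache/oif/modsecurity/modsec_audit.log|' \
        "$1" > "$2"
}

# Report whether whitelist.conf is included "before" or "after" the activated CRS
# rules in modsecurity.load; SecRuleRemoveById must follow the rule it removes.
modsec_whitelist_order() {
    awk '/^Include .*whitelist\.conf/ { w = NR } /^Include .*activated_rules/ { r = NR }
         END { if (w && r && w > r) print "after"; else print "before" }' "$1"
}

# Constructed samples, mirroring the recommended defaults and the load file above.
MODSEC_CONF_SAMPLE='# constructed sample of modsecurity.conf-recommended
SecRuleEngine DetectionOnly
SecRequestBodyAccess On
SecAuditLog /var/log/modsec_audit.log'

MODSEC_LOAD_SAMPLE='LoadModule security2_module modules/mod_security2.so
<IfModule security2_module>
Include conf/modsecurity/modsecurity.conf
Include conf/modsecurity/whitelist.conf
Include conf/modsecurity/crs/modsecurity_crs_10_setup.conf
Include conf/modsecurity/crs/activated_rules/*.conf
</IfModule>'

# Example run on the constructed samples (real use: point at the files in conf/modsecurity/).
TMPD=$(mktemp -d)
printf '%s\n' "$MODSEC_CONF_SAMPLE" > "$TMPD/modsecurity.conf"
printf '%s\n' "$MODSEC_LOAD_SAMPLE" > "$TMPD/modsecurity.load"
modsec_harden "$TMPD/modsecurity.conf" "$TMPD/modsecurity.conf.new"
echo "engine before: $(modsec_directive SecRuleEngine "$TMPD/modsecurity.conf")"
echo "engine after:  $(modsec_directive SecRuleEngine "$TMPD/modsecurity.conf.new")"
echo "whitelist is included $(modsec_whitelist_order "$TMPD/modsecurity.load") the CRS rules"
rm -rf "$TMPD"
```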
5) Testing / Starting Apache
# apachectl -t
# apachectl start
Logs: checking whether everything is working as planned and configured.
[Fri Aug 24 15:49:03 2012] [notice] ModSecurity for Apache/2.6.7 (http://www.modsecurity.org/) configured.
[Fri Aug 24 15:49:03 2012] [notice] ModSecurity: APR compiled version="1.4.5"; loaded version="1.4.5"
[Fri Aug 24 15:49:03 2012] [notice] ModSecurity: PCRE compiled version="6.6 "; loaded version="6.6 06-Feb-2006"
[Fri Aug 24 15:49:03 2012] [notice] ModSecurity: LUA compiled version="Lua 5.1"
[Fri Aug 24 15:49:03 2012] [notice] ModSecurity: LIBXML compiled version="2.6.26"
6) How to run a test:
Create a file called teste.cfg in the vhost's htdocs:
Contents of teste.cfg:
<p>TESTE</p>
Open http://site/teste.cfg in a browser; something like this should appear:
Forbidden
You don't have permission to access /teste.cfg on this server.
Looking at the logs:
less /logs/apache/oif/modsecurity/modsec_audit.log
Message: Access denied with code 403 (phase 2). String match within ".asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/" at TX:extension. [file "/app/apache/oif/httpd-2.2.22/conf/modsecurity/crs/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "88"] [id "960035"] [msg "URL file extension is restricted by policy"] [data ".cfg"] [severity "CRITICAL"] [tag "POLICY/EXT_RESTRICTED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
Action: Intercepted (phase 2)
Stopwatch: 1345833422962130 1764 (- - -)
Stopwatch2: 1345833422962130 1764; combined=832, p1=412, p2=365, p3=0, p4=0, p5=55, sr=106, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.6.7 (http://www.modsecurity.org/); OWASP_CRS/2.2.5.
Server: Apache
It worked. 🙂 The *.cfg extension is blocked according to the ACL described above.
What about PHP, Gustavo?
Hang on.. looking into it.. 🙂
It is a good idea to enable only the rules that are actually necessary for your environment, to optimise things a bit and also because mod_sec uses a considerable amount of memory....
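As an added example, not from the original post, here is a small shell summariser for the audit log shown above: it pulls the id, severity and msg fields out of each Message: line, counts how often each rule fired, and counts how many events were actually intercepted. That per-rule count is the first thing to look at before deciding which CRS rules to keep active. The function names are assumptions of the example; the sample entries are constructed, the first mirroring the entry logged above and the last using placeholder rule id 999001.

```shell
#!/bin/sh
# Added example (not from the original post): summarise ModSecurity 2.x audit-log
# "Message:" lines by rule id, severity and message, and count intercepts.

# Constructed sample: first two entries mirror the one logged above; the third uses
# placeholder id 999001 and a made-up message, and was only logged, not blocked.
MODSEC_AUDIT_SAMPLE='Message: Access denied with code 403 (phase 2). String match within ".cfg/ .conf/" at TX:extension. [file "/app/apache/oif/httpd-2.2.22/conf/modsecurity/crs/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "88"] [id "960035"] [msg "URL file extension is restricted by policy"] [data ".cfg"] [severity "CRITICAL"] [tag "POLICY/EXT_RESTRICTED"]
Action: Intercepted (phase 2)
Message: Access denied with code 403 (phase 2). String match within ".cfg/ .conf/" at TX:extension. [file "/app/apache/oif/httpd-2.2.22/conf/modsecurity/crs/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "88"] [id "960035"] [msg "URL file extension is restricted by policy"] [data ".cfg"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Message: Warning. Pattern match "constructed" at ARGS:q. [file "/app/apache/oif/httpd-2.2.22/conf/modsecurity/whitelist.conf"] [line "1"] [id "999001"] [msg "Constructed sample rule"] [severity "WARNING"]'

# Extract one bracketed field ([id "..."], [msg "..."], ...) from a Message line.
modsec_field() {   # usage: modsec_field id "$line"
    printf '%s\n' "$2" | sed -n "s/.*\[$1 \"\([^\"]*\)\"\].*/\1/p"
}

# One line per distinct rule: "<count> <id>|<severity>|<msg>", most frequent first.
modsec_summary() {
    printf '%s\n' "$1" | grep '^Message: ' | while IFS= read -r line; do
        printf '%s|%s|%s\n' "$(modsec_field id "$line")" \
            "$(modsec_field severity "$line")" "$(modsec_field msg "$line")"
    done | sort | uniq -c | sort -rn
}

# Number of events that were blocked rather than only logged: a rule that only
# warns produces a Message: line but no "Action: Intercepted" line.
modsec_intercepted() {
    printf '%s\n' "$1" | grep -c '^Action: Intercepted' || true
}

modsec_summary "$MODSEC_AUDIT_SAMPLE"
echo "intercepted: $(modsec_intercepted "$MODSEC_AUDIT_SAMPLE")"
```

For a real run, replace the sample with `$(cat /logs/apache/oif/modsecurity/modsec_audit.log)` or feed the file through the same pipeline.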