O blog Zucco postou um tutorial com o passo-a-passo da instalação e configuração do ModSecurity (módulo de firewall web para Apache), com o Core Rule Set (projeto com conjunto de regras de proteção pré-definidas para o ModSecurity).
– Obtenha os códigos-fonte:
Lua: http://www.lua.org/ftp/lua-5.1.4.tar.gz
ModSecurity: http://www.modsecurity.org/download/modsecurity-apache_2.6.1-rc1.tar.gz
Core Rule Set: http://sourceforge.net/projects/mod-security/files/modsecurity-crs/0-CURRENT
– Cheque a integridade dos códigos com md5sum ou sha1sum
– Instale o Apache:
– Compile o Lua:
# cd lua-5.1.4
# make all linux
# make install INSTALL_TOP=/usr/local/lua-5.1.4
# cd src
# rm -f lua.o luac.o print.o && gcc -shared -Wall -O2 -o liblua5.1.so *.o
# cp liblua5.1.so /usr/local/lua-5.1.4/lib
# ln -s /usr/local/lua-5.1.4 /usr/local/lua
# echo “/usr/local/lua/lib” >> /etc/ld.so.conf
# ldconfig
– Compile o ModSecurity:
# cd modsecurity-apache_2.6.1-rc1
# ./configure –with-apxs=/var/www/bin/apxs –with-lua=/usr/local/lua
# make
# make install
– Instale e configure o Core Rule Set:
# mkdir /var/www/conf/modsecurity/crs
# cp modsecurity-apache_2.6.1-rc1/modsecurity.conf-recommended /var/www/conf/modsecurity/modsecurity.conf
# touch /var/www/conf/modsecurity/whitelist.conf
LoadFile /usr/local/lua/lib/liblua5.1.so
LoadModule security2_module modules/mod_security2.so
# CRS
<IfModule security2_module>
Include conf/modsecurity/modsecurity.conf
Include conf/modsecurity/whitelist.conf
Include conf/modsecurity/crs/modsecurity_crs_10_config.conf
Include conf/modsecurity/crs/activated_rules/*.conf
</IfModule>
– Edite o modsecurity.conf:
SecAuditLog logs/modsec_audit.log
– Inicie o Apache e cheque o error_log:
[notice] ModSecurity for Apache/2.6.1-rc1 (http://www.modsecurity.org/) configured.
[notice] ModSecurity: APR compiled version=”1.2.7″; loaded version=”1.2.7″
[notice] ModSecurity: PCRE compiled version=”6.6″; loaded version=”5.0 13-Sep-2004″
[notice] ModSecurity: LUA compiled version=”Lua 5.1″
[notice] ModSecurity: LIBXML compiled version=”2.6.26″
[notice] Digest: generating secret for digest authentication …
[notice] Digest: done
– Test your ModSecurity:
You will see in apache error_log:
[error] [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). String match within “.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/” at TX:extension. [file “/var/www/conf/modsecurity/crs/activated_rules/modsecurity_crs_30_http_policy.conf”] [line “88”] [id “960035”] [msg “URL file extension is restricted by policy”] [data “.alq”] [severity “CRITICAL”] [tag “POLICY/EXT_RESTRICTED”] [tag “WASCTC/WASC-15”] [tag “OWASP_TOP_10/A7”] [tag “PCI/6.5.10”] [hostname “localhost”] [uri “/test.SQL”] [unique_id “Th8c038AAAEAAGugG2kAAAAD”]
A partir daí, você terá que fazer testes para falsos positivos e falsos negativos. Se você usa WordPress, joomla, phpbb, etc., cheque o diretório slr_rules. Ele deve estar ativado no httpd.conf.
Via: Zucco Weblog