Instalação do ModSecurity 2.6.1-rc1 + CRS (Core Rule Set) 2.2.0

ModSecurity logoO blog Zucco postou um tutorial com o passo-a-passo da instalação e configuração do ModSecurity (módulo de firewall web para Apache), com o Core Rule Set (projeto com conjunto de regras de proteção pré-definidas para o ModSecurity).

Os procedimentos são baseados no sistema operacional CentOS 5.6. Seguem as instruções abaixo:
Instale as dependências necessárias:
# yum install gcc openssl-devel openssl apr-util-devel apr-devel pcre pcre-devel libjpeg-devel gd-devel libpng-devel libjpeg gd libpng gettext gettext-devel libmcrypt-devel libmcrypt libxml2 libxml2-devel bison zlib zlib-devel bzip2 bzip2-devel libtool libtool-ltdl readline readline-devel ncurses ncurses-devel curl curl-devel

Obtenha os códigos-fonte:

– Cheque a integridade dos códigos com md5sum ou sha1sum

– Instale o Apache:

# ./configure –prefix=/var/www –enable-auth-digest –enable-mime-magic –enable-usertrack –enable-ssl –enable-http –disable-cgi –enable-vhost-alias –disable-userdir –enable-so –enable-unique-id –enable-rewrite –with-z –disable-dav –disable-proxy –with-pcre –enable-deflate –enable-expires
# make
# make install

– Compile o Lua:

# tar xvfz lua-5.1.4.tar.gz
# cd lua-5.1.4
# make all linux
# make install INSTALL_TOP=/usr/local/lua-5.1.4
# cd src
# rm -f lua.o luac.o print.o && gcc -shared -Wall -O2 -o liblua5.1.so *.o
# cp liblua5.1.so /usr/local/lua-5.1.4/lib
# ln -s /usr/local/lua-5.1.4 /usr/local/lua
# echo “/usr/local/lua/lib” >> /etc/ld.so.conf
# ldconfig

– Compile o ModSecurity:

# tar xvfz modsecurity-apache_2.6.1-rc1.tar.gz
# cd modsecurity-apache_2.6.1-rc1
# ./configure –with-apxs=/var/www/bin/apxs –with-lua=/usr/local/lua
# make
# make install

– Instale e configure o Core Rule Set:

# mkdir /var/www/conf/modsecurity
# mkdir /var/www/conf/modsecurity/crs
# cp modsecurity-apache_2.6.1-rc1/modsecurity.conf-recommended /var/www/conf/modsecurity/modsecurity.conf
# touch /var/www/conf/modsecurity/whitelist.conf
# tar xvfz modsecurity-crs_2.2.0.tar.gz
# cp -a modsecurity-crs_2.2.0/* /var/www/conf/modsecurity/crs
# cd /var/www/conf/modsecurity/crs
# for f in `ls base_rules/` ; do ln -s ../base_rules/$f activated_rules/$f ; done
# cp modsecurity_crs_10_config.conf.example modsecurity_crs_10_config.conf
# ln -s ../modsecurity_crs_10_config.conf activated_rules/
# ls -l activated_rules/ /* Check simbolic links */

 

– Configure o Apache (httpd.conf):LoadFile /usr/lib/libxml2.so.2
LoadFile /usr/local/lua/lib/liblua5.1.so
LoadModule security2_module modules/mod_security2.so
# CRS
<IfModule security2_module>
Include conf/modsecurity/modsecurity.conf
Include conf/modsecurity/whitelist.conf
Include conf/modsecurity/crs/modsecurity_crs_10_config.conf
Include conf/modsecurity/crs/activated_rules/*.conf
</IfModule>

– Edite o modsecurity.conf:

SecRuleEngine On
SecAuditLog logs/modsec_audit.log

– Inicie o Apache e cheque o error_log:

[warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[notice] ModSecurity for Apache/2.6.1-rc1 (http://www.modsecurity.org/) configured.
[notice] ModSecurity: APR compiled version=”1.2.7″; loaded version=”1.2.7″
[notice] ModSecurity: PCRE compiled version=”6.6″; loaded version=”5.0 13-Sep-2004″
[notice] ModSecurity: LUA compiled version=”Lua 5.1″
[notice] ModSecurity: LIBXML compiled version=”2.6.26″
[notice] Digest: generating secret for digest authentication …
[notice] Digest: done

– Test your ModSecurity:

Access one url with a blocked estension, like: http://server/test.sql
You will see in apache error_log:
[error] [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). String match within “.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/” at TX:extension. [file “/var/www/conf/modsecurity/crs/activated_rules/modsecurity_crs_30_http_policy.conf”] [line “88”] [id “960035”] [msg “URL file extension is restricted by policy”] [data “.alq”] [severity “CRITICAL”] [tag “POLICY/EXT_RESTRICTED”] [tag “WASCTC/WASC-15”] [tag “OWASP_TOP_10/A7”] [tag “PCI/6.5.10”] [hostname “localhost”] [uri “/test.SQL”] [unique_id “Th8c038AAAEAAGugG2kAAAAD”]

A partir daí, você terá que fazer testes para falsos positivos e falsos negativos. Se você usa WordPress, joomla, phpbb, etc., cheque o diretório slr_rules. Ele deve estar ativado no httpd.conf.

Via: Zucco Weblog