O blog Zucco postou um tutorial com o passo-a-passo da instalação e configuração do ModSecurity (módulo de firewall web para Apache), com o Core Rule Set (projeto com conjunto de regras de proteção pré-definidas para o ModSecurity).
Os procedimentos são baseados no sistema operacional CentOS 5.6. Seguem as instruções abaixo:
– Instale as dependências necessárias:
# yum install gcc openssl-devel openssl apr-util-devel apr-devel pcre pcre-devel libjpeg-devel gd-devel libpng-devel libjpeg gd libpng gettext gettext-devel libmcrypt-devel libmcrypt libxml2 libxml2-devel bison zlib zlib-devel bzip2 bzip2-devel libtool libtool-ltdl readline readline-devel ncurses ncurses-devel curl curl-devel
– Obtenha os códigos-fonte:
Apache: http://httpd.apache.org/download.cgi
Lua: http://www.lua.org/ftp/lua-5.1.4.tar.gz
ModSecurity: http://www.modsecurity.org/download/modsecurity-apache_2.6.1-rc1.tar.gz
Core Rule Set: http://sourceforge.net/projects/mod-security/files/modsecurity-crs/0-CURRENT
Lua: http://www.lua.org/ftp/lua-5.1.4.tar.gz
ModSecurity: http://www.modsecurity.org/download/modsecurity-apache_2.6.1-rc1.tar.gz
Core Rule Set: http://sourceforge.net/projects/mod-security/files/modsecurity-crs/0-CURRENT
– Cheque a integridade dos códigos com md5sum ou sha1sum
– Instale o Apache:
# ./configure –prefix=/var/www –enable-auth-digest –enable-mime-magic –enable-usertrack –enable-ssl –enable-http –disable-cgi –enable-vhost-alias –disable-userdir –enable-so –enable-unique-id –enable-rewrite –with-z –disable-dav –disable-proxy –with-pcre –enable-deflate –enable-expires
# make
# make install
– Compile o Lua:
# tar xvfz lua-5.1.4.tar.gz
# cd lua-5.1.4
# make all linux
# make install INSTALL_TOP=/usr/local/lua-5.1.4
# cd src
# rm -f lua.o luac.o print.o && gcc -shared -Wall -O2 -o liblua5.1.so *.o
# cp liblua5.1.so /usr/local/lua-5.1.4/lib
# ln -s /usr/local/lua-5.1.4 /usr/local/lua
# echo “/usr/local/lua/lib” >> /etc/ld.so.conf
# ldconfig
# cd lua-5.1.4
# make all linux
# make install INSTALL_TOP=/usr/local/lua-5.1.4
# cd src
# rm -f lua.o luac.o print.o && gcc -shared -Wall -O2 -o liblua5.1.so *.o
# cp liblua5.1.so /usr/local/lua-5.1.4/lib
# ln -s /usr/local/lua-5.1.4 /usr/local/lua
# echo “/usr/local/lua/lib” >> /etc/ld.so.conf
# ldconfig
– Compile o ModSecurity:
# tar xvfz modsecurity-apache_2.6.1-rc1.tar.gz
# cd modsecurity-apache_2.6.1-rc1
# ./configure –with-apxs=/var/www/bin/apxs –with-lua=/usr/local/lua
# make
# make install
# cd modsecurity-apache_2.6.1-rc1
# ./configure –with-apxs=/var/www/bin/apxs –with-lua=/usr/local/lua
# make
# make install
– Instale e configure o Core Rule Set:
# mkdir /var/www/conf/modsecurity
# mkdir /var/www/conf/modsecurity/crs
# cp modsecurity-apache_2.6.1-rc1/modsecurity.conf-recommended /var/www/conf/modsecurity/modsecurity.conf
# touch /var/www/conf/modsecurity/whitelist.conf
# mkdir /var/www/conf/modsecurity/crs
# cp modsecurity-apache_2.6.1-rc1/modsecurity.conf-recommended /var/www/conf/modsecurity/modsecurity.conf
# touch /var/www/conf/modsecurity/whitelist.conf
# tar xvfz modsecurity-crs_2.2.0.tar.gz
# cp -a modsecurity-crs_2.2.0/* /var/www/conf/modsecurity/crs
# cd /var/www/conf/modsecurity/crs
# for f in `ls base_rules/` ; do ln -s ../base_rules/$f activated_rules/$f ; done
# cp modsecurity_crs_10_config.conf.example modsecurity_crs_10_config.conf
# ln -s ../modsecurity_crs_10_config.conf activated_rules/
# ls -l activated_rules/ /* Check simbolic links */
– Configure o Apache (httpd.conf):LoadFile /usr/lib/libxml2.so.2
LoadFile /usr/local/lua/lib/liblua5.1.so
LoadModule security2_module modules/mod_security2.so
# CRS
<IfModule security2_module>
Include conf/modsecurity/modsecurity.conf
Include conf/modsecurity/whitelist.conf
Include conf/modsecurity/crs/modsecurity_crs_10_config.conf
Include conf/modsecurity/crs/activated_rules/*.conf
</IfModule>
LoadFile /usr/local/lua/lib/liblua5.1.so
LoadModule security2_module modules/mod_security2.so
# CRS
<IfModule security2_module>
Include conf/modsecurity/modsecurity.conf
Include conf/modsecurity/whitelist.conf
Include conf/modsecurity/crs/modsecurity_crs_10_config.conf
Include conf/modsecurity/crs/activated_rules/*.conf
</IfModule>
– Edite o modsecurity.conf:
SecRuleEngine On
SecAuditLog logs/modsec_audit.log
SecAuditLog logs/modsec_audit.log
– Inicie o Apache e cheque o error_log:
[warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[notice] ModSecurity for Apache/2.6.1-rc1 (http://www.modsecurity.org/) configured.
[notice] ModSecurity: APR compiled version=”1.2.7″; loaded version=”1.2.7″
[notice] ModSecurity: PCRE compiled version=”6.6″; loaded version=”5.0 13-Sep-2004″
[notice] ModSecurity: LUA compiled version=”Lua 5.1″
[notice] ModSecurity: LIBXML compiled version=”2.6.26″
[notice] Digest: generating secret for digest authentication …
[notice] Digest: done
[notice] ModSecurity for Apache/2.6.1-rc1 (http://www.modsecurity.org/) configured.
[notice] ModSecurity: APR compiled version=”1.2.7″; loaded version=”1.2.7″
[notice] ModSecurity: PCRE compiled version=”6.6″; loaded version=”5.0 13-Sep-2004″
[notice] ModSecurity: LUA compiled version=”Lua 5.1″
[notice] ModSecurity: LIBXML compiled version=”2.6.26″
[notice] Digest: generating secret for digest authentication …
[notice] Digest: done
– Test your ModSecurity:
Access one url with a blocked estension, like: http://server/test.sql
You will see in apache error_log:
[error] [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). String match within “.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/” at TX:extension. [file “/var/www/conf/modsecurity/crs/activated_rules/modsecurity_crs_30_http_policy.conf”] [line “88”] [id “960035”] [msg “URL file extension is restricted by policy”] [data “.alq”] [severity “CRITICAL”] [tag “POLICY/EXT_RESTRICTED”] [tag “WASCTC/WASC-15”] [tag “OWASP_TOP_10/A7”] [tag “PCI/6.5.10”] [hostname “localhost”] [uri “/test.SQL”] [unique_id “Th8c038AAAEAAGugG2kAAAAD”]
You will see in apache error_log:
[error] [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). String match within “.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/” at TX:extension. [file “/var/www/conf/modsecurity/crs/activated_rules/modsecurity_crs_30_http_policy.conf”] [line “88”] [id “960035”] [msg “URL file extension is restricted by policy”] [data “.alq”] [severity “CRITICAL”] [tag “POLICY/EXT_RESTRICTED”] [tag “WASCTC/WASC-15”] [tag “OWASP_TOP_10/A7”] [tag “PCI/6.5.10”] [hostname “localhost”] [uri “/test.SQL”] [unique_id “Th8c038AAAEAAGugG2kAAAAD”]
A partir daí, você terá que fazer testes para falsos positivos e falsos negativos. Se você usa WordPress, joomla, phpbb, etc., cheque o diretório slr_rules. Ele deve estar ativado no httpd.conf.
Via: Zucco Weblog