Installation, activation and configuration of ModSecurity under Apache

ModSecurity is a web application firewall (WAF) that runs as an Apache module. It inspects every HTTP request (and, if enabled, every response) passing through the server, compares it against its rule set, and decides whether to block the transaction or hand it on to the application. It works at the HTTP layer, not on raw network packets.

1. Download

modsecurity-apache: http://sourceforge.net/projects/mod-security/files/modsecurity-apache/
modsecurity-crs: http://sourceforge.net/projects/mod-security/files/modsecurity-crs/0-CURRENT/

2. Installation

1) Enable the mod_unique_id module
2) Verify that libxml2 and its development headers are installed (ModSecurity links against it)
3) Stop Apache httpd

4) Unpack

tar xvzf modsecurity-apache_2.6.3.tar.gz
tar xvzf modsecurity-core-rules_2.6.tar.gz

(tar's z flag gunzips and extracts in one step; running gzip -d first and then tar xvzf on the result fails, because the file is no longer gzip-compressed.)

5) Configure

cd modsecurity-apache_2.6.3
./configure

6) Compile and test ModSecurity

make
make test

7) Installation

make install

Edit httpd.conf to enable ModSecurity by adding the following lines (mod_unique_id from step 1 must be loaded as well):

LoadFile /usr/lib/libxml2.so
LoadModule security2_module modules/mod_security2.so

8) Restart Apache

ModSecurity is now installed. Configuring it is covered by the reference manual: http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual

Install Apache2+ModSecurity and customize WAF rules on Ubuntu

Although the VPS already sits behind a cloud WAF, I am still a little uneasy, so as a second layer I decided to run ModSecurity with custom rules. The following describes how to set up ModSecurity in front of an Apache server (ModSecurity also supports Nginx and IIS).

This time I chose the package manager, because every time I install from the source package I get lost in obscure library dependency errors.

Installation environment:

OS: Ubuntu 14.04.1 LTS
Apache: Apache/2.4.7 (Ubuntu)

Step 1: Install Apache

I recommend installing Apache with apt-get, which pulls in the required libraries for you. If you don't mind the hassle, you can build it from source.

Type apt-get install apache2

If it reports that there is no such package, refresh the package index first with apt-get update and retry.

After this step Apache is serving; open http://127.0.0.1/ in a browser to see the default page.

Step 2: Install modsecurity

This is the same as above, use

apt-get install libxml2 libxml2-dev libxml2-utils libaprutil1 libaprutil1-dev libapache2-modsecurity

After installation, you can check the version number of your modsecurity by using

dpkg -s libapache2-modsecurity | grep Version

Step 3: Configure modsecurity

The Ubuntu package ships its default configuration as /etc/modsecurity/modsecurity.conf-recommended; copy it to /etc/modsecurity/modsecurity.conf and edit that copy. Note that the shipped file sets SecRuleEngine DetectionOnly, which only logs matches: set SecRuleEngine On if you want rules to block, as the tests below expect. Then reload Apache:

service apache2 reload

Once this takes effect, the ModSecurity audit log /var/log/apache2/modsec_audit.log is created.

Using the ModSecurity Core Rule Set

Link the rule files we want to use into the activated rules directory:

cd /usr/share/modsecurity-crs/activated_rules/

To enable the base rule set (link the .data files too, the .conf files load them by relative path):

for f in ../base_rules/*; do ln -s "$f" .; done

Modify the apache module configuration to enable the rule set

Note: the module configuration file name and the include directives differ between modsecurity 2.7 and 2.6

(1) Version 2.7

vim /etc/apache2/mods-available/security2.conf
and make the module block read:

<IfModule security2_module>
# Default Debian dir for modsecurity's persistent data
SecDataDir /var/cache/modsecurity
# Include all the *.conf files in /etc/modsecurity.
# Keeping your local configuration in that directory
# will allow for an easy upgrade of THIS file and
# make your life easier
IncludeOptional /etc/modsecurity/*.conf
IncludeOptional /usr/share/modsecurity-crs/*.conf
IncludeOptional /usr/share/modsecurity-crs/activated_rules/*.conf
</IfModule>

(2) Version 2.6

vim /etc/apache2/mods-available/mod-security.conf
and make it include:

Include /etc/modsecurity/*.conf
Include /usr/share/modsecurity-crs/*.conf
Include /usr/share/modsecurity-crs/activated_rules/*.conf

Step 4: Enable the modsecurity module

a2enmod headers
a2enmod security2 (version 2.6: a2enmod mod-security)
service apache2 restart

(Run apache2ctl configtest before the restart; a syntax error in any linked rule file otherwise takes the whole server down.)

Step 5: Test the real attack payload

See whether the following SQL injection request is intercepted:

http://www.tanjiti.com/?case=archive&act=orders&aid[typeid`%3D1%20and%20ord(mid((select/**/concat(username,0x3a,password)%20from%20cmseasy_user),1,1))%3C49%23]=1
The request is rejected with HTTP 403.

You can view the modsecurity log file to see the specific interception situation

tail /var/log/apache2/modsec_audit.log
Message: Access denied with code 403 (phase 2). Pattern match "(/\\*!?|\\*/|[';]--|--[\\s\\r\\n\\v\\f]|(?:--[^-]*?-)|([^\\-&])#.*?[\\s\\r\\n\\v\\f]|;?\\x00)" at ARGS_NAMES:aid[typeid`=1 and ord(mid((select/**/concat(username,0x3a,password) from cmseasy_user),1,1))<49#]. [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "49"] [id "981231"] [rev "2"] [msg "SQL Comment Sequence Detected."] [data "Matched Data: /* found within ARGS_NAMES:aid[typeid`=1 and ord(mid((select/**/concat(username,0x3a,password) from cmseasy_user),1,1))<49#]: aid[typeid`=1 and ord(mid((select/**/concat(username,0x3a,password) from cmseasy_user),1,1))<49#]"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.8"] [maturity "8"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]

So the request was blocked by rule 981231 in modsecurity_crs_41_sql_injection_attacks.conf of the base rule set, which matched the SQL comment sequence /**/ inside the parameter name.
Webmasters who know their site's structure can go further and write custom rules, whitelist rules in particular, to protect the site.

Step 6: Customize WAF rules

For a quick start on rule syntax, see the ModSecurity SecRule cheat sheets.

WAF rule example 1: Upload file name whitelist, only allow image files to be uploaded

vim /usr/share/modsecurity-crs/activated_rules/MY.conf
Add the rule:

SecRule FILES "!\.(?i:jpe?g|gif|png|bmp)$" "deny,tag:'WEB_ATTACK/FILEUPLOAD',msg:'upload no-picture file',id:0000001,phase:2"

FILES holds the original file names of multipart uploads, so the rule needs SecRequestBodyAccess On (set in modsecurity.conf) and must run in phase 2. Note the single backslash before the dot: a doubled \\. would require a literal backslash in the name, and with the negation in front it would deny every upload, images included.

Test by uploading a .php file (for HTTPie usage see HTTP packet sending tool - HTTPie; the form field name, upload here, is arbitrary because the rule inspects every uploaded file name regardless of field):

http -f www.tanjiti.com upload@test.php
We can see that the request is intercepted; check the modsecurity log

more /var/log/apache2/modsec_audit.log
You can see that rule 0000001 is hit.

Message: Access denied with code 403 (phase 2). Match of "rx \\.(?i:jpe?g|gif|png|bmp)$" against "FILES:filename" required. [file "/usr/share/modsecurity-crs/activated_rules/MY.conf"] [line "1"] [id "0000001"] [msg "upload no-picture file"] [tag "WEB_ATTACK/FILEUPLOAD"]
WAF rule example 2: Block uploaded files containing %00 in the file name

vim /usr/share/modsecurity-crs/activated_rules/MY.conf
Add the rule:

SecRule FILES "@contains %00" "deny,tag:'WEB_ATTACK/FILEUPLOAD',msg:'filename has null character',id:0000002,phase:2"

Test by uploading a file whose name contains %00 (HTTPie sends the local file's base name as the upload file name, so create a file literally named test.php%00.jpeg):

http -f www.tanjiti.com upload@test.php%00.jpeg
We can see that the request packet is intercepted, check the modsecurity log

more /var/log/apache2/modsec_audit.log
You can see that rule 0000002 is hit.

Message: Access denied with code 403 (phase 2). String match "%00" at FILES:filename. [file "/usr/share/modsecurity-crs/activated_rules/MY.conf"] [line "2"] [id "0000002"] [msg "filename has null character"] [tag "WEB_ATTACK/FILEUPLOAD"]
Note what this rule actually matches: the literal three-character sequence %00 in the file name, which is what arrives when a client sends it without decoding. A raw NUL byte in the multipart file name is a different case and slips past @contains; check for it with @validateByteRange 1-255 against FILES instead.

That's all there is to it. Next, I plan to cover protecting an nginx server.

Notice!
Once this modification is made, a 403 error is shown when the site is accessed by IP address. I spent a whole day on this error, searching the Internet for all kinds of 403 errors, to no avail. Why?
By checking error.log, you can find that modsecurity is denying access by IP address. Access via localhost works normally.
So reading the log is a very important thing.
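Reading the log is how both the interception in Step 5 and the IP-address 403 above get diagnosed, so here is a small helper for that. It is an added example written for this article, not code that ships with ModSecurity or the Core Rule Set. It pulls the [file "..."] [id "..."] [msg "..."] tags and the matched variable out of modsec_audit.log "Message:" lines or error.log "ModSecurity:" lines, counts hits per rule id, and prints the exclusion directive you would add to a local .conf if a hit turns out to be a false positive. The sample log text is constructed: the first two lines are the entries shown on this page with their long patterns trimmed, and the third is a made-up error.log entry for a request whose Host header is a bare IP address, blocked by CRS 2.2.x base rule 960017, which is a typical cause of the symptom in the notice above (confirm the id in your own error.log rather than taking it from here).

```python
import re
from collections import Counter

# Constructed sample: two "Message:" lines from this page (patterns trimmed)
# plus one made-up error.log line in the same tag format. IPs are
# documentation addresses; the unique_id is invented.
SAMPLE_LOG = r'''
Message: Access denied with code 403 (phase 2). Pattern match "(/\\*!?|\\*/)" at ARGS_NAMES:aid. [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "49"] [id "981231"] [rev "2"] [msg "SQL Comment Sequence Detected."] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "OWASP_TOP_10/A1"]
Message: Access denied with code 403 (phase 2). Match of "rx \\.(?i:jpe?g|gif|png|bmp)$" against "FILES:filename" required. [file "/usr/share/modsecurity-crs/activated_rules/MY.conf"] [line "1"] [id "0000001"] [msg "upload no-picture file"] [tag "WEB_ATTACK/FILEUPLOAD"]
[Mon Jan 05 10:00:00 2015] [error] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "98"] [id "960017"] [msg "Host header is a numeric IP address"] [severity "WARNING"] [hostname "203.0.113.10"] [uri "/"] [unique_id "VKpx8CoAQEAAB0dE9UAAAAA"]
'''

# ModSecurity appends [key "value"] tags to every rule-match line; a value may
# contain \" escapes, which the regex steps over.
TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# The variable the operator fired on appears either as '... at VAR.' or as
# 'against "VAR" required'. A variable name containing a dot is cut at the dot.
VAR_RE = re.compile(r'(?: at ([A-Z_]+:\S+?)\.| against "([A-Z_]+:[^"]+)")')


def parse_line(line):
    """Return a dict for one ModSecurity rule-match line, or None for any other line."""
    if "ModSecurity:" not in line and not line.lower().startswith("message:"):
        return None
    rec = {"tags": [], "denied": "Access denied" in line}
    for key, val in TAG_RE.findall(line):
        val = val.replace('\\"', '"')
        if key == "tag":
            rec["tags"].append(val)
        else:
            rec[key] = val
    if "id" not in rec:          # a ModSecurity line that is not a rule match
        return None
    m = VAR_RE.search(line)
    rec["var"] = (m.group(1) or m.group(2)) if m else None
    return rec


def summarize(log_text):
    """Count hits per rule id and keep the first full record seen for each id."""
    hits = Counter()
    first = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits[rec["id"]] += 1
        first.setdefault(rec["id"], rec)
    return hits, first


def suggest_exclusion(rec):
    """Directive for a local .conf (placed after the CRS includes) if this hit is a
    false positive: drop only the matched variable from the rule's targets when we
    know it, and fall back to disabling the whole rule otherwise."""
    if rec.get("var"):
        return 'SecRuleUpdateTargetById %s "!%s"' % (rec["id"], rec["var"])
    return "SecRuleRemoveById %s" % rec["id"]


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    hits, first = summarize(text)
    for rule_id, n in hits.most_common():
        r = first[rule_id]
        print("%5d  id=%s  %s  [%s]" % (n, rule_id, r.get("msg", ""),
                                         r.get("file", "").split("/")[-1]))
        print("       matched: %s -> %s" % (r["var"], suggest_exclusion(r)))
```

Run it as python modsec_hits.py /var/log/apache2/error.log (or against modsec_audit.log). SecRuleUpdateTargetById (ModSecurity 2.6 and later) removes one variable from a rule's targets instead of switching the rule off, and it only takes effect if it appears after the Include lines that load the rule. For the notice above, the output points at the rule id to look up; whether to exclude it or simply use the host name, which the author found works, is a judgement call for that server.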
