Install Apache2 + ModSecurity and customize WAF rules on ubuntu

Source: Internet
Author: User

Although the VPS already sits behind a cloud WAF, relying on that alone still felt a little thin. As a second layer we decided to run ModSecurity with our own rules. The following describes how to configure ModSecurity protection for an Apache server (ModSecurity also supports Nginx and IIS).
The package manager is used for the installation, because building from the source package tends to fail on library dependency errors.
Installation environment:
OS: Ubuntu 14.04.1 LTS
Apache: Apache/2.4.7 (Ubuntu)
Step 1: Install the libapache2-modsecurity module and its dependencies
apt-get install libxml2 libxml2-dev libxml2-utils libaprutil1 libaprutil1-dev libapache2-modsecurity
Run the following command to check the current version of modsecurity:
dpkg -s libapache2-modsecurity | grep Version
Version 2.7.7-2 is installed on my VPS.
Step 2: Configure ModSecurity and enable blocking (interception) mode
service apache2 reload
Once the reload has taken effect, the ModSecurity audit log modsec_audit.log appears in /var/log/apache2/.
Next, activate the recommended configuration and edit it:
cd /etc/modsecurity/
mv modsecurity.conf-recommended modsecurity.conf
vim /etc/modsecurity/modsecurity.conf
The shipped file sets SecRuleEngine DetectionOnly, which only logs. Change that line to:
SecRuleEngine On
Step 3: Use the modsecurity core rule set
For details about the core rule set, see:
ModSecurity CRS notes, WAF defense checklist, and WAF architecture ideas
The rule sets are installed under /usr/share/modsecurity-crs/; a rule set is enabled by linking its files into the activated_rules/ directory:
cd /usr/share/modsecurity-crs/activated_rules/
To enable the base rule set:
for f in ../base_rules/*; do ln -s "$f"; done
Other rule sets are enabled the same way. Note that some of them need specific Apache modules to be loaded.
Modify the configuration of the apache module and enable the rule set.
Note: configuration files of modsecurity 2.7 and 2.6 are different.
(1) version 2.7
vim /etc/apache2/mods-available/security2.conf
Make sure the block reads:
<IfModule security2_module>
    # Default Debian dir for modsecurity's persistent data
    SecDataDir /var/cache/modsecurity
    # Include all the *.conf files in /etc/modsecurity.
    # Keeping your local configuration in that directory
    # will allow for an easy upgrade of THIS file and
    # make your life easier
    IncludeOptional /etc/modsecurity/*.conf
    IncludeOptional /usr/share/modsecurity-crs/*.conf
    IncludeOptional /usr/share/modsecurity-crs/activated_rules/*.conf
</IfModule>
(2) version 2.6
vim /etc/apache2/mods-available/mod-security.conf
Add:
Include /etc/modsecurity/*.conf
Include /usr/share/modsecurity-crs/*.conf
Include /usr/share/modsecurity-crs/activated_rules/*.conf
Step 4: Enable the ModSecurity module
a2enmod headers
a2enmod security2      (version 2.6: a2enmod mod-security)
service apache2 restart
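Steps 2 to 4 as one script, added here as an example; it is not part of the original article. It assumes the Debian/Ubuntu package layout used above (CRS under /usr/share/modsecurity-crs, configuration in /etc/modsecurity); the two variables at the top exist only so the functions can be pointed at a scratch directory. Unlike the one-line loop above it does not parse ls output, it can be re-run safely, and it defaults to DetectionOnly so a new rule set can be watched in the audit log for false positives before it is allowed to block.

```shell
#!/bin/sh
# Added example (not from the original article): Steps 2-4 scripted.
# Paths follow the Debian/Ubuntu libapache2-modsecurity layout; CRS_DIR and
# MODSEC_CONF can be overridden to exercise the functions on a scratch tree.
set -eu

CRS_DIR="${CRS_DIR:-/usr/share/modsecurity-crs}"
MODSEC_CONF="${MODSEC_CONF:-/etc/modsecurity/modsecurity.conf}"

# Link every file of one rule set (e.g. base_rules) into activated_rules/.
# A glob instead of `ls` keeps odd file names intact, `ln -sf` makes the
# step idempotent, and .data files are linked too because several CRS rules
# load word lists from them. Prints the number of files linked.
activate_ruleset() {
    set_name="$1"
    src="$CRS_DIR/$set_name"
    dst="$CRS_DIR/activated_rules"
    [ -d "$src" ] || { echo "no such rule set: $src" >&2; return 1; }
    mkdir -p "$dst"
    count=0
    for f in "$src"/*; do
        [ -e "$f" ] || continue
        ln -sf "../$set_name/$(basename "$f")" "$dst/$(basename "$f")"
        count=$((count + 1))
    done
    echo "$count"
}

# Set SecRuleEngine to On, Off or DetectionOnly. Copies the -recommended
# file into place if the real one does not exist yet. Run a fresh rule set
# in DetectionOnly first and read modsec_audit.log before switching to On,
# otherwise legitimate requests may start getting 403s.
set_rule_engine() {
    mode="$1"
    case "$mode" in
        On|Off|DetectionOnly) ;;
        *) echo "bad mode: $mode" >&2; return 1 ;;
    esac
    [ -f "$MODSEC_CONF" ] || cp "$MODSEC_CONF-recommended" "$MODSEC_CONF"
    if grep -q '^SecRuleEngine ' "$MODSEC_CONF"; then
        sed -i "s/^SecRuleEngine .*/SecRuleEngine $mode/" "$MODSEC_CONF"
    else
        echo "SecRuleEngine $mode" >> "$MODSEC_CONF"
    fi
    grep '^SecRuleEngine ' "$MODSEC_CONF"
}

# Whole procedure for a live host (needs root). apache2ctl configtest
# catches a broken or duplicate-id rule before the restart takes the site down.
deploy() {
    activate_ruleset base_rules >/dev/null
    set_rule_engine "${1:-DetectionOnly}"
    a2enmod headers security2
    apache2ctl configtest
    service apache2 restart
}

# Uncomment on a real host:
# deploy DetectionOnly
```

Once the audit log has been quiet for a while, `deploy On` switches to blocking; `set_rule_engine DetectionOnly` is the quick way back if a rule misfires.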
Step 5: Test with a real attack payload
Send a SQL injection request and check whether it is intercepted:
http://www.tanjiti.com/?case=archive&act=orders&aid[typeid'%3D1%20and%20ord(mid((select/**/concat(username,0x3a,password)%20from%20cmseasy_user),1,1))%3C49%23]=1
The request is rejected with a 403.
The ModSecurity audit log shows the details of the interception:
tail /var/log/apache2/modsec_audit.log
Message: Access denied with code 403 (phase 2). Pattern match "(/\\*!?|\\*/|[';]--|--[\\s\\r\\n\\v\\f]|(?:--[^-]*?-)|([^\\-&])#.*?[\\s\\r\\n\\v\\f]|;?\\x00)" at ARGS_NAMES:aid[typeid'=1 and ord(mid((select/**/concat(username,0x3a,password) from cmseasy_user),1,1))<49#]. [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "49"] [id "981231"] [rev "2"] [msg "SQL Comment Sequence Detected."] [data "Matched Data: /* found within ARGS_NAMES:aid[typeid'=1 and ord(mid((select/**/concat(username,0x3a,password) from cmseasy_user),1,1))<49#]: aid[typeid'=1 and ord(mid((select/**/concat(username,0x3a,password) from cmseasy_user),1,1))<49#]"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.8"] [maturity "8"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
So the request was blocked by rule 981231 in modsecurity_crs_41_sql_injection_attacks.conf from the base rule set, which matched the SQL comment sequence /* in the parameter name.

A webmaster who knows the site's structure can add custom rules, in particular whitelist rules, to protect the site.
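Reading modsec_audit.log by hand stops scaling after the first few hits. The script below is an added example, not from the article: it walks the serial audit-log format (the --id-A-- ... --id-Z-- sections that SecAuditLogType Serial writes, the setting in modsecurity.conf-recommended) and prints one line per blocked request with the client address, rule id, rule message and request line, plus a hit count per rule id, which is what you need when deciding which rules deserve a whitelist. The log entries embedded in it are constructed to resemble the entry above (same rule ids, shortened messages); addresses and host names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): summarise blocked requests
# from a ModSecurity 2.x serial audit log such as
# /var/log/apache2/modsec_audit.log.
set -eu

# Constructed sample log: four transactions, three blocked (two by CRS
# 981231, one by the local upload rule 0000001) and one allowed.
# Addresses and host names are placeholders.
sample_log() {
    cat <<'EOF'
--a1b2c3d4-A--
[12/Nov/2014:10:12:31 +0800] VGLiZcCoAQsAAApXBJMAAAAA 203.0.113.5 54321 192.0.2.10 80
--a1b2c3d4-B--
GET /?case=archive&act=orders&aid[typeid'%3D1%20and%201%3D1%23]=1 HTTP/1.1
Host: www.example.com

--a1b2c3d4-H--
Message: Access denied with code 403 (phase 2). Pattern match "(/\\*!?|\\*/|[';]--|--[\\s\\r\\n\\v\\f]|(?:--[^-]*?-)|([^\\-&])#.*?[\\s\\r\\n\\v\\f]|;?\\x00)" at ARGS_NAMES:aid[typeid'=1 and 1=1#]. [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "49"] [id "981231"] [rev "2"] [msg "SQL Comment Sequence Detected."] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Engine-Mode: "ENABLED"

--a1b2c3d4-Z--

--b2c3d4e5-A--
[12/Nov/2014:10:13:02 +0800] VGLiZsCoAQsAAApXBJQAAAAB 198.51.100.7 40112 192.0.2.10 80
--b2c3d4e5-B--
POST / HTTP/1.1
Host: www.example.com
Content-Type: multipart/form-data; boundary=x

--b2c3d4e5-H--
Message: Access denied with code 403 (phase 2). Match of "rx \\.(?i:jpe?g|gif|png|bmp)$" against "FILES:filename" required. [file "/usr/share/modsecurity-crs/activated_rules/MY.conf"] [line "1"] [id "0000001"] [msg "upload no-picture file"] [tag "WEB_ATTACK/FILEUPLOAD"]
Action: Intercepted (phase 2)

--b2c3d4e5-Z--

--c3d4e5f6-A--
[12/Nov/2014:10:14:40 +0800] VGLjCMCoAQsAAApXBJUAAAAC 203.0.113.9 50001 192.0.2.10 80
--c3d4e5f6-B--
GET /index.php?id=1 HTTP/1.1
Host: www.example.com

--c3d4e5f6-H--
Stopwatch: 1415758480000000 1200 (- - -)
Engine-Mode: "ENABLED"

--c3d4e5f6-Z--

--d4e5f607-A--
[12/Nov/2014:10:15:05 +0800] VGLjIcCoAQsAAApXBJYAAAAD 203.0.113.5 54380 192.0.2.10 80
--d4e5f607-B--
GET /?id=1%20or%201%3D1--%20 HTTP/1.1
Host: www.example.com

--d4e5f607-H--
Message: Access denied with code 403 (phase 2). Pattern match "(/\\*!?|\\*/|[';]--|...)" at ARGS:id. [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "49"] [id "981231"] [rev "2"] [msg "SQL Comment Sequence Detected."] [severity "CRITICAL"]
Action: Intercepted (phase 2)

--d4e5f607-Z--
EOF
}

# One tab-separated line per blocked transaction: client ip, rule id,
# rule message, request line. Part A carries "[time] txid client_ip port
# server_ip port", part B starts with the request line, part H holds the
# "Message: Access denied ..." line with the [id "..."] and [msg "..."] fields.
summarize_audit_log() {
    awk '
    /^--[A-Za-z0-9@]+-[A-Z]--$/ {
        sect = substr($0, length($0) - 2, 1)
        if (sect == "A") { ip = ""; req = ""; id = ""; msg = "" }
        if (sect == "Z" && id != "") printf "%s\t%s\t%s\t%s\n", ip, id, msg, req
        next
    }
    sect == "A" && ip == "" && NF >= 4 { ip = $4 }
    sect == "B" && req == "" { req = $0 }
    sect == "H" && /^Message: Access denied/ {
        if (match($0, /\[id "[0-9]+"\]/)) id = substr($0, RSTART + 5, RLENGTH - 7)
        if (match($0, /\[msg "[^"]*"\]/)) msg = substr($0, RSTART + 6, RLENGTH - 8)
    }
    ' "$1"
}

# Hit count per rule id, most frequent first: the tuning worklist.
rule_hits() {
    summarize_audit_log "$1" | cut -f2 | sort | uniq -c | sort -rn
}

# On a host: rule_hits /var/log/apache2/modsec_audit.log
```

A rule that sits at the top of rule_hits with requests that look legitimate is a candidate for a targeted whitelist rather than for deletion; the request-line column tells you which path and parameter to scope that whitelist to.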
Step 6: Customize WAF rules
For more information about Rule syntax, see ModSecurity SecRule cheatsheets.
WAF rule example 1: a whitelist of upload file names; only image files may be uploaded. (This checks only the file name the client sends, not the file content.)
vim /usr/share/modsecurity-crs/activated_rules/MY.conf
Add the rule:
SecRule FILES "!\.(?i:jpe?g|gif|png|bmp)$" "deny,tag:'WEB_ATTACK/FILEUPLOAD',msg:'upload no-picture file',id:0000001,phase:2"
Test by uploading a PHP file
(for usage of the http command, see HTTP packet sending tool: HTTPie; -f selects form mode, which the file-field syntax requires):
http -f www.tanjiti.com filename@a.php
The request is intercepted; the ModSecurity log confirms it:
more /var/log/apache2/modsec_audit.log
Rule 0000001 is hit:
Message: Access denied with code 403 (phase 2). Match of "rx \\.(?i:jpe?g|gif|png|bmp)$" against "FILES:filename" required. [file "/usr/share/modsecurity-crs/activated_rules/MY.conf"] [line "1"] [id "0000001"] [msg "upload no-picture file"] [tag "WEB_ATTACK/FILEUPLOAD"]
WAF rule example 2: block upload file names containing %00

vim /usr/share/modsecurity-crs/activated_rules/MY.conf
Add the rule:
SecRule FILES "@contains %00" "deny,tag:'WEB_ATTACK/FILEUPLOAD',msg:'filename has null character',id:0000002,phase:2"
Test: upload a file whose name contains %00 (create a local file literally named a.php%00.jpeg first):
http -f www.tanjiti.com filename@a.php%00.jpeg
The request is intercepted; the ModSecurity log confirms it:
more /var/log/apache2/modsec_audit.log
Rule 0000002 is hit:
Message: Access denied with code 403 (phase 2). String match "%00" at FILES:filename. [file "/usr/share/modsecurity-crs/activated_rules/MY.conf"] [line "2"] [id "0000002"] [msg "filename has null character"] [tag "WEB_ATTACK/FILEUPLOAD"]
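A fuller MY.conf, added here as an example and not taken from the article. It carries the two rules above with explicit log and t:none actions, adds a @validateByteRange rule because "@contains %00" only sees the literal three characters %00 and never a real NUL byte in the name, and shows the whitelist form the author mentions: ctl:ruleRemoveTargetById scoped to one path and one argument rather than a disabled CRS file. The admin path /admin/editor.php and the field name body are assumptions made for the example. The check_rule_ids helper catches the duplicate-id mistake that makes Apache refuse to start; run apache2ctl configtest as well before restarting.

```shell
#!/bin/sh
# Added example (not from the original article): a local rule file for
# activated_rules/ plus a duplicate-id check to run before restarting Apache.
# The admin path and field name in the whitelist rule are assumptions.
set -eu

write_custom_rules() {
    cat > "$1" <<'EOF'
# Local rules. ModSecurity reserves ids 1-99,999 for local use; an id that
# also appears in another loaded file makes Apache fail to start.
# FILES is only populated when SecRequestBodyAccess is On (the default in
# modsecurity.conf-recommended).

# Rule 1 from the article: only image file names may be uploaded. This
# checks the client-supplied name only, so shell.php.jpg passes; content
# and storage-path checks still belong in the application.
SecRule FILES "!\.(?i:jpe?g|gif|png|bmp)$" \
    "id:0000001,phase:2,deny,log,t:none,tag:'WEB_ATTACK/FILEUPLOAD',msg:'upload non-image file'"

# Rule 2 from the article matches the literal characters %00, which is what
# a client sends if it URL-encodes the name itself.
SecRule FILES "@contains %00" \
    "id:0000002,phase:2,deny,log,t:none,tag:'WEB_ATTACK/FILEUPLOAD',msg:'filename has encoded null'"

# A raw NUL byte in the name does not contain the text %00. validateByteRange
# matches, and so denies, when any byte falls outside 1-255.
SecRule FILES "@validateByteRange 1-255" \
    "id:0000003,phase:2,deny,log,t:none,tag:'WEB_ATTACK/FILEUPLOAD',msg:'filename has NUL byte'"

# Whitelist: the CMS editor (assumed path and field) legitimately posts SQL
# comment sequences, which would trip CRS 981231. Lift that one rule for
# that one argument on that one path, in phase 1 so it applies before the
# phase-2 CRS rule runs, instead of disabling the whole CRS file.
SecRule REQUEST_URI "@beginsWith /admin/editor.php" \
    "id:0000004,phase:1,pass,nolog,t:none,ctl:ruleRemoveTargetById=981231;ARGS:body"
EOF
}

# Print "rule ids ok", or list ids that occur more than once across the
# given files and return 1. Comment lines are skipped and ids are compared
# numerically, so id:2 and id:0000002 count as the same id.
check_rule_ids() {
    dups=$(cat "$@" | awk '
        !/^[ \t]*#/ && match($0, /id:[0-9]+/) {
            print substr($0, RSTART + 3, RLENGTH - 3) + 0
        }
    ' | sort -n | uniq -d)
    if [ -n "$dups" ]; then
        echo "duplicate rule ids: $dups" >&2
        return 1
    fi
    echo "rule ids ok"
}

# On a host:
# write_custom_rules /usr/share/modsecurity-crs/activated_rules/MY.conf
# check_rule_ids /usr/share/modsecurity-crs/activated_rules/*.conf && apache2ctl configtest
```

Test the whitelist the same way the rules above were tested: a request to the assumed path with a SQL comment in body should pass, the same payload in any other parameter or on any other path should still be met with a 403 from 981231.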
A follow-up article covers the same protection for nginx servers.
[Reference source: http://ubuntuforums.org/showthread.php?t=2219109]