Example of modsecurity rule syntax
Secrule is a modsecurity the primary directive, which is used to create security rules. The basic syntax is as follows:
Secrule VARIABLES OPERATOR [ACTIONS]
Representative HTTP The identity item in the package that specifies the object that the security rule targets. Common variables include:ARGS(all request parameters),files(all file names), and so on.
represents an operator that is typically used to define the matching criteria for a security rule. Common operators include:@rx ( Regular expression),@streq ( the same string),@ipmatch (IP Same) and so on.
represents a response action, which is typically used to define the response action of a packet after it has been hit by a rule. Common actions include:deny(packet denied),Pass ( allow packet pass),ID(number of the defined rule) , Severity ( define the severity of the event).
It is worth noting that for more in-depth syntax, please refer to the official manual. Since this experiment involves a custom security rule, the three rules that are involved in it are described in detail, as follows:
rules 1 : Anti- XSS Attack
Secrule args| Request_headers "@rx <script>" "id:001,msg: ' XSS Attack ', severity:error,deny,status:404"
ARGS : All request parameters; request_headers : Request data header.
@rx <script> : If the regular match string "<script>" succeeds, the rule executes.
id:001 001 msg: ' XSS Attack ' XSS Attack severity:error error deny status:404 indicates that the server response status number is 404
Description: Severity is divided into 8 level: emergency (0) , alert (1) , critical (2) , error (3) , warning (4) , notice (5) , info (6) , debug (7)
This rule indicates that all request parameters contain a string "<script>" of the HTTP packets are intercepted and logged by the server.
rules 2 : Set White list
Secrule remote_addr "@ipmatch 192.168.1.9" "Id:002,phase:1,t:none,
REMOTE_ADDR : Remote host IP
@ipmatch 192.168.1.9 : If the request host IP address is 192.168.1.9 , the rule executes.
id:002specify that the rule number is002;phase:1indicates the scope of the rule execution is the request header;T:nonerepresentsVARIABLESthe value does not need to be converted (TRepresentativeTransform);NologThe representative does not record the log;PassThe representative continues the next rule;Ctl:ruleengine=offrepresents off blocking mode and all rules are invalidated.
Description: Phase The numbering provisions are as follows: request Headers (1), Request body (2), Response Headers (3), Response Body (4) and Logging (5).
This rule indicates that: for host 192.168.1.9 sent by HTTP package, the server shuts down interception mode, allowing all packets to pass.
rules 3 : chain rules
secrule args:username "@streq admin" Chain,deny , id:003
Secrule remote_addr "!streq 192.168.1.9"
Args:username all the user name information that represents the request parameter.
@streq admin indicates user name equals string " admin " actions
id:003 003 Chain admin IP not 192.168.1.9 Span style= "font-family: Song Body") to perform the next action; deny
This rule indicates that all host names are Admin , but the corresponding host IP address is not 192.168.1.9 request packets are rejected by the server. It means that only one host can log in with the admin User (typically the system administrator's host), greatly improving the security of the system.
two or one-button installation LAMP Environment
- Execute Command apt-get Update .
- Execute Command apt-get Install lamp-server^ .
- During the installation process, you will jump Mysql Database root user Password Setup window, enter the password as required:123, press tab to select "OK", press ENTER to enter the next step, as shown in:
- repeat Password:123, press the tab key to select "OK" and press ENTER to continue the installation as shown:
- Open the browser, enter in the Address bar:http://localhost, you can verify that the Apache2 installation was successful, as:
5. Enter the command mysql-u root-p, successfully enter the MySQL window,mysql installation is successful.
Third, installation modsecurity
- installation libapache2-modsecurity module and its dependent packages, enter:
$ apt-get Install libxml2 libxml2-dev libxml2-utils libapache2-modsecurity
- Enquiry modsecurity version number, verify that the installation was successful, enter:
$ dpkg-s libapache2-modsecurity | grep Version
Note: See Version is case-sensitive.
- Restart Apache Service, enter:
$ service Apache2 Reload
- config modsecurity , enable interception mode, enter:
Span style= "Font-family:times New Roman" >$ cd/etc/modsecurity
$ mv modsecurity.conf-recommended modsecurity.conf
$ vim modsecurity.conf
This action renames the recommended profile in the installation package to the standard profile name and enables the vim Edit the configuration file.
- Edit modsecurity.conf and Will "Secruleengine detectiononly" instead "Secruleengine on" , save and exit. As shown in the following:
the above operation will turn on the security rule engine, that is, enable blocking mode, filter HTTP traffic.
Iv. Configuring Custom Rules
- go to folder Activated_rules , Associate the startup file to this folder, using a soft link, type:
$ cd/usr/share/modsecurity-crs/ Activated_rules
$ ln-s. /modsecurity_crs_10_setup.conf./modsecurity_crs_10_setup.conf
< Span style= "Font-family:times New Roman" > $ tree
- Execute command Vim my.conf XSS rules (numbering 001 ) as follows:
secrule args| Request_headers "@rx <script>" "id:003,msg: ' XSS Attack ', severity:error,deny,status:404" P style= "margin-left:2pt" >
- setting up the configuration file security2.conf , enter:
- in the file, add the following: includeoptional/usr/share/modsecurity-crs/activated_rules/*.conf as shown in the following:
- Restart Apache Service, enter:
$ Service Apache2 Reload
Five, verify the protection effect
- Log in to the host "hacker" to enter the attacker mode. In the browser address bar, enter: http://localhost/?q=<script> alert (1) </script>. The experimental results are as follows:
- To execute the command vim/var/log/apache2/modsec_audit.log, view the WAF interception log as shown in:
from the local host. GET request to be a rule file my.conf in the 001 the malicious code contained in the message is intercepted.
Installing apache2+modsecurity and customizing WAF rules in ubuntu16.04