Configuring the OWASP ModSecurity rules (CRS) for Apache

Source: Internet
Uploader: User


1. Download the OWASP ModSecurity rules

cd /etc/httpd
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
mv owasp-modsecurity-crs modsecurity-crs
cd modsecurity-crs
mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

 

2. Enable the rules in Apache

vi /etc/httpd/conf/httpd.conf

Append the following at the end of the file:

<IfModule security2_module>
    Include modsecurity-crs/modsecurity_crs_10_setup.conf
    Include modsecurity-crs/base_rules/*.conf
    Include modsecurity-crs/activated_rules/*.conf
</IfModule>

 

3. Create a whitelist file

vi /etc/httpd/modsecurity.d/whitelist.conf

# Whitelist file to control ModSec
<IfModule mod_security2.c>
    SecRuleEngine On
    SecRequestBodyAccess On
    SecResponseBodyAccess On
    SecDataDir /tmp
</IfModule>

 

4. Custom rules

vi /etc/httpd/modsecurity-crs/activated_rules/custom.conf

In this file you can write rules of your own or remove rules from the CRS.

 

IP whitelist (the regex is anchored at both ends so that, for example, 192.168.1.110 does not match as well):

SecRule REMOTE_ADDR "^192\.168\.1\.11$" "phase:1,log,allow,ctl:ruleEngine=off,id:100001"

Rule whitelist (disable a single rule by id everywhere):

<LocationMatch .*>
    SecRuleRemoveById 960020
</LocationMatch>

Directory rule whitelist (disable rules for one location only):

<LocationMatch "/home/www/test/">
    SecRuleRemoveById 300015 300016 300017
</LocationMatch>

Or turn the rule engine off entirely for a directory:

<Directory /path/to/dir>
    SecRuleEngine Off
</Directory>

5. Common problems

When testing locally with the full rule set enabled, requesting the web directory returns:

Forbidden

You don't have permission to access /bWAPP/ on this server.

Check the ModSecurity audit log:

Message: Access denied with code 403 (phase 2). Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "98"] [id "960017"] [rev "2"] [msg "Host header is a numeric IP address"] [data "192.168.14.21"] [severity "WARNING"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [tag "http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx"]
Action: Intercepted (phase 2)
Apache-Handler: php5-script
Stopwatch: 1478141159604281 1340 (- - -)
Stopwatch2: 1478141159604281 1340; combined=316, p1=207, p2=82, p3=0, p4=0, p5=27, sr=23, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.3.1
Engine-Mode: "ENABLED"

The rule that id 960017 corresponds to:

# Check that the host header is not an IP address
#
# This is not an HTTP RFC violation but it is indicative of automated client access.
# Many web-based worms propagate by scanning IP address blocks.
#
# -=[ Rule Logic ]=-
# This rule triggers if the Host header contains all digits (and possible port)
#
# -=[ References ]=-
# http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx
#
SecRule REQUEST_HEADERS:Host "^[\d.:]+$" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'9',t:none,block,msg:'Host header is a numeric IP address',logdata:'%{matched_var}',severity:'4',id:'960017',tag:'OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',tag:'http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/IP_HOST-%{matched_var_name}=%{matched_var}"

 

Add the following rule to /etc/httpd/modsecurity-crs/activated_rules/custom.conf:

<LocationMatch .*>
    SecRuleRemoveById 960017
</LocationMatch>

This removes the check on whether the HTTP Host header is a numeric IP address. By default, a request whose Host header is an IP address is blocked.
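As an added example (not code from the original post), a small Python parser for the "Message:" lines of a ModSecurity 2.x audit log in the format shown above: it extracts the rule id, msg, file and tags of each hit and lists the ids that actually denied the request, so the SecRuleRemoveById line for custom.conf can be derived from the log instead of read off by hand. The log text is a constructed sample; the function names are this example's own.

```python
import re

# Constructed sample in the format of ModSecurity 2.x audit-log section H.
# The first line mirrors the 960017 hit shown above (shortened).
SAMPLE_LOG = r'''
Message: Access denied with code 403 (phase 2). Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "98"] [id "960017"] [rev "2"] [msg "Host header is a numeric IP address"] [data "192.168.14.21"] [severity "WARNING"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"]
Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5, SQLi=0, XSS=0): Last Matched Message: Host header is a numeric IP address"] [severity "WARNING"]
Action: Intercepted (phase 2)
'''

# One bracketed field: [key "value"]. CRS field values do not contain quotes.
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')


def parse_message_line(line):
    """Split one 'Message:' line into its free-text prefix and bracketed fields.

    Returns None for any other audit-log line (Action:, Stopwatch:, ...).
    Repeated [tag "..."] fields are collected into a list under "tags".
    """
    if not line.startswith("Message: "):
        return None
    prefix_end = line.find(" [")
    text = line[9:prefix_end] if prefix_end != -1 else line[9:]
    fields = {"text": text.strip(), "tags": []}
    for key, value in FIELD_RE.findall(line):
        if key == "tag":
            fields["tags"].append(value)
        else:
            fields[key] = value
    return fields


def parse_audit_messages(log_text):
    """All parsed 'Message:' entries of an audit-log fragment, in order."""
    parsed = (parse_message_line(line) for line in log_text.splitlines())
    return [entry for entry in parsed if entry is not None]


def denying_rule_ids(messages):
    """Ids of the rules whose message records an actual denial, not just a warning."""
    ids = {m["id"] for m in messages if m["text"].startswith("Access denied") and "id" in m}
    return sorted(ids)


def suggest_remove_by_id(messages):
    """Render the global SecRuleRemoveById block used above for the denying rule ids."""
    ids = denying_rule_ids(messages)
    if not ids:
        return ""
    return "<LocationMatch .*>\n    SecRuleRemoveById %s\n</LocationMatch>" % " ".join(ids)


if __name__ == "__main__":
    for m in parse_audit_messages(SAMPLE_LOG):
        print(m.get("id"), m.get("msg"), m.get("file"))
    print(suggest_remove_by_id(parse_audit_messages(SAMPLE_LOG)))
```

Decide per id whether the rule is a false positive for your application before removing it; in CRS anomaly-scoring mode the denial is often recorded by the scoring rule rather than the rule that matched.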

 
