ModSecurity Web Application Firewall Installation and Configuration

据说网络攻击有约七成发生在Web Application层面,在系统防火墙如iptables、FirewallD、UFW之外为Web服务器配置一款适用的防火墙来过滤和阻挡各种攻击显得尤为重要。近期在编译Apache服务器过程中,意外得知一款叫ModSecurity的WAF(Web Application Firewall),它可整合进Apache和Nginx中去,本篇博文以Apache为例,介绍一下ModSecurity的安装、配置和部署。

编译的是Apache和ModSecurity的当前版本(分别为2.4.37和2.9.3),试试看这个应用工具层面的防火墙到底怎么样。

编译准备工作

有关Linux系统(仍以CentOS 6 64位版为例)的安装和基本环境搭建就不再赘述,Apache和ModSecurity均编译到默认的路径下,Apache的路径为/usr/local/apache2,ModSecurity的安装路径为/usr/local/modsecurity。一些基本的依赖包如libxml2、pcre、zlib、apr等可自己编译也可使用软件包管理工具安装。

ModSecurity WAF安装及配置

ModSecurity的编译安装命令如下例:

1
2
3
4
5
6
7
wget -qO - https://www.modsecurity.org/tarball/2.9.3/modsecurity-2.9.3.tar.gz | tar xz 
cd modsecurity-2.9.3
./configure --enable-verbose-output \
--with-apxs=/usr/local/apache2/bin/apxs \
--with-apr=/usr/local/apache2/bin/apr-1-config --with-apu=/usr/local/apache2/bin/apu-1-config \
--with-pcre=/usr/local --enable-pcre-jit
make && make install

编辑Apache服务器配置文件httpd.conf,添加如下代码:

1
2
LoadModule unique_id_module modules/mod_unique_id.so
LoadModule security2_module modules/mod_security2.so

启动Apache并查看载入的模块/usr/local/apache2/bin/apachectl -M | grep security2_module得到如下结果

1
security2_module (shared)

这说明ModSecurity模块安装成功并随Apache服务器载入。

随后,添加防火墙规则,在Apache的安装目录下增加modsecurity.d/owasp-modsecurity-crs目录以添加规则文档及配置。使用如下命令:

1
2
3
4
5
6
7
8
9
# 在Apache安装目录下添加ModSecurity的规则储存目录
mkdir -p /usr/local/apache2/modsecurity.d && cd $_
# 从Github下载官方规则预制包
wget -qO - https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/v3.1.0.tar.gz | tar xz
mv owasp-modsecurity-crs-3.1.0 owasp-modsecurity-crs
# 使用官方预制的规则配置文件
mv owasp-modsecurity-crs/crs-setup.conf.example owasp-modsecurity-crs/crs-setup.conf
# 将官方建议的ModSecurity配置文件复制到Apache服务器的配置目录下
cp /usr/local/src/modsecurity-2.9.3/modsecurity.conf-recommended /usr/local/apache2/conf/extra/modsecurity.conf

最后,到Apache的服务器配置文件httpd.conf中增加以下几行,并重新启动Apache服务器。

1
2
3
4
5
<IfModule security2_module>
Include conf/extra/modsecurity.conf
Include modsecurity.d/owasp-modsecurity-crs/crs-setup.conf
Include modsecurity.d/owasp-modsecurity-crs/rules/*.conf
</IfModule>

防火墙测试

防火墙安装配置完成之后,不要马上激活它,而应当在部署到生产环境以前先测试一下它是否能够探测出攻击行为。

假设该服务器IP地址为123.456.789.0,攻击者的IP地址为1.2.3.4,攻击者在浏览器端执行了命令http://123.456.789.0/?param="><script>alert(1);</script>

打开/usr/local/apache2/logs/error_log查看服务器错误日志记录,可发现日志记录下了一系列相关信息,包括攻击者IP地址、ModSecurity应用的拦截规则和模式、攻击者执行的有害指令、危害等级等。对上述指令,ModSecurity的判断结果为XSS using libinjection,但仍然放行了攻击,在浏览器端可正常查看到Web服务器下的网页。

1
2
3
4
5
6
[Wed Jan 02 02:34:51.959351 2019] [:error] [pid 23103:tid 139744922363648] [client 1.2.3.4:9416] [client 1.2.3.4] ModSecurity: Warning. Pattern match "^[\\\\d.:]+$" at REQUEST_HEADERS:Host. [file "/usr/local/apache2/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "792"] [id "920350"] [msg "Host header is a numeric IP address"] [data "123.456.789.0"] [severity "WARNING"] [ver "OWASP_CRS/3.1.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "123.456.789.0"] [uri "/"] [unique_id "[email protected]"]
[Wed Jan 02 02:34:51.960347 2019] [:error] [pid 23103:tid 139744922363648] [client 1.2.3.4:9416] [client 1.2.3.4] ModSecurity: Warning. detected XSS using libinjection. [file "/usr/local/apache2/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "60"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:param: \\x22><script>alert(1);</script>"] [severity "CRITICAL"] [ver "OWASP_CRS/3.1.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "123.456.789.0"] [uri "/"] [unique_id "[email protected]"]
[Wed Jan 02 02:34:51.960475 2019] [:error] [pid 23103:tid 139744922363648] [client 1.2.3.4:9416] [client 1.2.3.4] ModSecurity: Warning. Pattern match "(?i)[<\\xef\\xbc\\x9c]script[^>\\xef\\xbc\\x9e]*[>\\xef\\xbc\\x9e][\\\\s\\\\S]*?" at ARGS:param. [file "/usr/local/apache2/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "92"] [id "941110"] [msg "XSS Filter - Category 1: Script Tag Vector"] [data "Matched Data: <script> found within ARGS:param: \\x22><script>alert(1);</script>"] [severity "CRITICAL"] [ver "OWASP_CRS/3.1.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "123.456.789.0"] [uri "/"] [unique_id "[email protected]"]
[Wed Jan 02 02:34:51.960676 2019] [:error] [pid 23103:tid 139744922363648] [client 1.2.3.4:9416] [client 1.2.3.4] ModSecurity: Warning. Pattern match "(?i)<[^\\\\w<>]*(?:[^<>\\"'\\\\s]*:)?[^\\\\w<>]*(?:\\\\W*?s\\\\W*?c\\\\W*?r\\\\W*?i\\\\W*?p\\\\W*?t|\\\\W*?f\\\\W*?o\\\\W*?r\\\\W*?m|\\\\W*?s\\\\W*?t\\\\W*?y\\\\W*?l\\\\W*?e|\\\\W*?s\\\\W*?v\\\\W*?g|\\\\W*?m\\\\W*?a\\\\W*?r\\\\W*?q\\\\W*?u\\\\W*?e\\\\W*?e|(?:\\\\W*?l\\\\W*?i\\\\W*?n\\\\W*?k|\\\\W*?o\\\\W*?b\\\\W*?j\\\\W*?e\\ ..." at ARGS:param. [file "/usr/local/apache2/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "217"] [id "941160"] [msg "NoScript XSS InjectionChecker: HTML Injection"] [data "Matched Data: <script found within ARGS:param: \\x22><script>alert(1);</script>"] [severity "CRITICAL"] [ver "OWASP_CRS/3.1.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "123.456.789.0"] [uri "/"] [unique_id "[email protected]"]
[Wed Jan 02 02:34:51.961382 2019] [:error] [pid 23103:tid 139744922363648] [client 1.2.3.4:9416] [client 1.2.3.4] ModSecurity: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/usr/local/apache2/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 18)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "123.456.789.0"] [uri "/"] [unique_id "[email protected]"]
[Wed Jan 02 02:34:51.962446 2019] [:error] [pid 23103:tid 139744922363648] [client 1.2.3.4:9416] [client 1.2.3.4] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/local/apache2/modsecurity.d/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "86"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 18 - SQLI=0,XSS=15,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): NoScript XSS InjectionChecker: HTML Injection; individual paranoia level scores: 18, 0, 0, 0"] [tag "event-correlation"] [hostname "123.456.789.0"] [uri "/index.html"] [unique_id "[email protected]"]

至此,可将/usr/local/apache2/conf/extra/modsecurity.conf中的SecRuleEngine DetectionOnly修改为SecRuleEngine On,即激活ModSecurity Web Application Firewall,保护网站安全。

重新启动Apache服务器,再次从浏览器端输入攻击代码,此时提示信息变为

1
2
Forbidden
You don't have permission to access / on this server.

即禁止访问,将攻击者阻拦掉。