
This post walks through integrating ModSecurity with Apache.
$ sudo apt -y install libapache2-mod-security2
$ cd /etc/modsecurity/
$ sudo cp modsecurity.conf-recommended modsecurity.conf
The settings are changed in the modsecurity.conf file.
$ sudo vi modsecurity.conf
...
# Enable ModSecurity, attaching it to every transaction. Use detection
# only to start with, because that minimises the chances of post-installation
# disruption.
#
SecRuleEngine On
| Directive | Description |
|---|---|
| SecRuleEngine | On: enables ModSecurity. Off: disables ModSecurity. DetectionOnly: only detects, without blocking. |
| SecAuditEngine | On: enables audit logging. Off: disables audit logging. RelevantOnly: logs only transactions that produced an error or warning, or whose status code matches SecAuditLogRelevantStatus. |
| SecAuditLog | Path of the audit log file. |
| SecRequestBodyAccess | On: enables inspection of the request body. Off: disables inspection of the request body. |
| SecResponseBodyAccess | On: enables inspection of the response body. Off: disables inspection of the response body. |
Restart the Apache service and confirm that the module is loaded.
$ sudo systemctl restart apache2
$ sudo apache2ctl -M | grep -i security
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
security2_module (shared)
Looking at the contents of /etc/apache2/mods-enabled/security2.conf, it includes the .load files under /usr/share/modsecurity-crs.
$ cat /etc/apache2/mods-enabled/security2.conf
<IfModule security2_module>
# Default Debian dir for modsecurity's persistent data
SecDataDir /var/cache/modsecurity
# Include all the *.conf files in /etc/modsecurity.
# Keeping your local configuration in that directory
# will allow for an easy upgrade of THIS file and
# make your life easier
IncludeOptional /etc/modsecurity/*.conf
# Include OWASP ModSecurity CRS rules if installed
IncludeOptional /usr/share/modsecurity-crs/*.load
</IfModule>
That directory contains owasp-crs.load, which in turn includes the rule sets listed in the file.
$ cat /usr/share/modsecurity-crs/owasp-crs.load
##
## This file loads OWASP CRS's rules when the package is installed
## It is Included by libapache2-mod-security2
##
Include /etc/modsecurity/crs/crs-setup.conf
IncludeOptional /etc/modsecurity/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
Include /usr/share/modsecurity-crs/rules/*.conf
IncludeOptional /etc/modsecurity/crs/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
To check whether the rules are applied, write the following form in /var/www/html/index.html.
<body>
<form action="index.html" method="post">
<input type="text" name="userid">
<input type="password" name="userpw">
<input type="submit" value="ok">
</form>
</body>
While monitoring the log, submit a SQL injection string (' or 1=1 #) in the input field and then inspect the log.
The H section reports that SQLi was detected.
Because the request was blocked, a 403 is returned.
$ sudo tail -f /var/log/apache2/modsec_audit.log
...
--8738f62b-H--
Message: Warning. Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/usr/share/modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "696"] [id "920350"] [msg "Host header is a numeric IP address"] [data "192.168.0.23"] [severity "WARNING"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
Message: Warning. detected SQLi using libinjection with fingerprint 's&1c' [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "67"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: s&1c found within ARGS:userid: ' or 1=1 #"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
...
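The H section is easier to review in bulk when the bracketed fields are pulled out of each Message: line. The following parser is an added example, not code from the original post; its sample input is constructed from the two Message: lines above (with the tag list shortened), not the real /var/log/apache2/modsec_audit.log.

```python
import re

# Constructed sample: the H section shown above, with the tag list shortened.
# It is not the real /var/log/apache2/modsec_audit.log.
SAMPLE_AUDIT_LOG = r'''--8738f62b-H--
Message: Warning. Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/usr/share/modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "696"] [id "920350"] [msg "Host header is a numeric IP address"] [data "192.168.0.23"] [severity "WARNING"] [ver "OWASP_CRS/3.2.0"] [tag "attack-protocol"] [tag "OWASP_CRS"]
Message: Warning. detected SQLi using libinjection with fingerprint 's&1c' [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "67"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: s&1c found within ARGS:userid: ' or 1=1 #"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "attack-sqli"] [tag "OWASP_CRS"]
'''

# Part boundary written by the serial audit log: --<transaction id>-<part letter>--
_PART_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")
# One bracketed field inside a Message line: [key "value"]; quotes may be escaped
_FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def parse_h_messages(text):
    """Return one dict per 'Message:' line found in an H (audit trailer) part.

    Each dict carries the transaction id, the bracketed fields (file, line, id,
    msg, data, severity, ver) and a list with every tag value.
    """
    events = []
    txid, part = None, None
    for line in text.splitlines():
        boundary = _PART_RE.match(line)
        if boundary:
            txid, part = boundary.groups()
            continue
        if part != "H" or not line.startswith("Message: "):
            continue
        fields = {"txid": txid, "tags": []}
        for key, value in _FIELD_RE.findall(line):
            if key == "tag":
                fields["tags"].append(value)
            else:
                fields[key] = value
        events.append(fields)
    return events


def rule_hits(text, severity=None):
    """Map rule id -> msg, optionally keeping only one severity (e.g. CRITICAL)."""
    hits = {}
    for event in parse_h_messages(text):
        if severity is None or event.get("severity") == severity:
            hits[event["id"]] = event["msg"]
    return hits
```

Run against the live file with `parse_h_messages(open("/var/log/apache2/modsec_audit.log").read())` to list which CRS rule ids fired per transaction, which is the quickest way to tell a real hit (942100 here) from protocol noise such as 920350.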