ModSecurity

ModSecurity is an open-source web application firewall (WAF). It runs as a module of the Apache HTTP Server.

How to read

ModSecurity
mo-do se-kyu-ri-ti (Japanese reading)

Overview

It detects attacks and vulnerability probes by inspecting request headers, parameters, the content being served, and so on. Security filters are provided out of the box, and you can write your own filters in Lua.

Trustwave distributes it under a dual license: GPLv2 and a commercial license.

OWASP provides the ModSecurity rules (signatures) under GPLv2.

Installation

Installing on FreeBSD

Installing from the ports collection

cd /usr/ports/www/mod_security
sudo make install clean

Installing with the pkg command

sudo pkg install mod_security

Installing with the portmaster command

sudo portmaster -y -d /usr/ports/www/mod_security

Installing with the portinstall command

sudo portinstall /usr/ports/www/mod_security

Installing on CentOS

Installing with the yum command on CentOS.

sudo yum -y install mod_security

Installing on Ubuntu/Debian

Installing with the apt-get command.

sudo apt-get install libapache2-mod-security

Installed files

On FreeBSD.

% pkg_info -L ap22-mod_security-2.6.6_1
Information for ap22-mod_security-2.6.6_1:
 
Files:
/usr/local/etc/modsecurity.conf-example
/usr/local/libexec/apache22/mod_security2.so
/usr/local/bin/rules-updater.pl
/usr/local/lib/mod_security2.so
/usr/local/share/licenses/ap22-mod_security-2.6.6_1/catalog.mk
/usr/local/share/licenses/ap22-mod_security-2.6.6_1/LICENSE
/usr/local/share/licenses/ap22-mod_security-2.6.6_1/AL2
/usr/local/share/doc/mod_security2/doc/Reference_Manual.html
/usr/local/share/doc/mod_security2/doc/Reference_Manual_files/index.css
/usr/local/share/doc/mod_security2/doc/Reference_Manual_files/commonPrint.css
/usr/local/share/doc/mod_security2/doc/Reference_Manual_files/index.php
/usr/local/share/doc/mod_security2/doc/Reference_Manual_files/poweredby_mediawiki_88x31.png
/usr/local/share/doc/mod_security2/doc/Reference_Manual_files/600px-Apache_request_cycle-modsecurity.jpg
/usr/local/share/doc/mod_security2/doc/Reference_Manual_files/ajax.js
/usr/local/share/doc/mod_security2/doc/Reference_Manual_files/wikibits.js
/usr/local/share/doc/mod_security2/doc/Reference_Manual_files/index_004.css
/usr/local/share/doc/mod_security2/doc/Reference_Manual_files/index_002.css
/usr/local/share/doc/mod_security2/doc/Reference_Manual_files/index_003.css

Configuration

sudo cp /usr/local/etc/modsecurity.conf-example /usr/local/etc/apache24/Includes/modsecurity.conf

Downloading the rules

Placing the rules

sudo mkdir /usr/local/etc/apache24/Includes/modsecurity-crs
sudo cp ./modsecurity_crs_10_setup.conf.example /usr/local/etc/apache24/Includes/modsecurity-crs/modsecurity_crs_10_setup.conf
sudo cp -r base_rules /usr/local/etc/apache24/Includes/modsecurity-crs/

Apache configuration

LoadModule security2_module libexec/apache24/mod_security2.so
LoadModule unique_id_module libexec/apache24/mod_unique_id.so
<IfModule security2_module>
       Include /usr/local/etc/apache24/Includes/modsecurity-crs/*.conf
       Include /usr/local/etc/apache24/Includes/modsecurity-crs/base_rules/*.conf
</IfModule>

Usage

ModSecurity has two modes: a detection mode (DetectionOnly), which only logs attacks, and a blocking mode, which actually blocks them.

The setting for detection mode is as follows.

SecRuleEngine DetectionOnly

To block requests that are judged to be attacks, use the following setting. Apache then returns HTTP status code 403.

SecRuleEngine On

Verification

Detection mode and blocking mode

In detection mode (SecRuleEngine DetectionOnly), the request is logged but not blocked.

% curl -I "http://localhost/?union+select"
HTTP/1.1 200 OK
Date: Sat, 26 Oct 2013 05:00:29 GMT
Server: Apache/2.4.6 (FreeBSD) PHP/5.4.19
Last-Modified: Mon, 11 Jun 2007 18:53:14 GMT
ETag: "2d-432a5e4a73a80"
Accept-Ranges: bytes
Content-Length: 45
Content-Type: text/html

In blocking mode, HTTP status code 403 is returned.

% curl -I "http://localhost/?union+select"
HTTP/1.1 403 Forbidden
Date: Sat, 26 Oct 2013 05:01:26 GMT
Server: Apache/2.4.6 (FreeBSD) PHP/5.4.19
Content-Type: text/html; charset=iso-8859-1

XSS

This test sends a request containing an XSS payload.

curl 'http://localhost/<script>alert(0)</script>'

These are the warnings written to the Apache error log.

 [Sat Oct 26 13:35:59.082899 2013] [:error] [pid
5955] [client 127.0.0.1] ModSecurity: Warning. Pattern match
"(?i:([\\\\s'\\"`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\(\\\\)]*)?
([\\\\d\\\\w]+)([\\\\s'\\"`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\(\\\\)]*)?
(?:=|<=>|r?like|sounds\\\\s+like|regexp)
([\\\\s'\\"`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\(\\\\)]*)?\\\\2|
([\\\\s'\\"`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\
..." at REQUEST_FILENAME. [file
"/usr/local/etc/apache24/Includes/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
[line "77"] [id "950901"] [rev "2.2.5"] [msg "SQL Injection Attack"] [data
"script>alert"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [tag
"WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag
"PCI/6.5.2"] [hostname "localhost"] [uri "/<script>alert(0)</script>"]
[unique_id "UmtGr8CoAMoAABdDeHoAAAAE"] [Sat Oct 26 13:35:59.083765 2013]
[:error] [pid 5955] [client 127.0.0.1] ModSecurity: Warning. Pattern match
"\\\\balert\\\\b\\\\W*?\\\\(" at REQUEST_FILENAME. [file
"/usr/local/etc/apache24/Includes/modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"]
[line "148"] [id "958052"] [rev "2.2.5"] [msg "Cross-site Scripting (XSS)
Attack"] [data "alert("] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag
"WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag
"OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "localhost"] [uri
"/<script>alert(0)</script>"] [unique_id "UmtGr8CoAMoAABdDeHoAAAAE"] [Sat Oct
26 13:35:59.084020 2013] [:error] [pid 5955] [client 127.0.0.1] ModSecurity:
Warning. Pattern match "\\\\< ?script\\\\b" at REQUEST_FILENAME. [file
"/usr/local/etc/apache24/Includes/modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"]
[line "196"] [id "958051"] [rev "2.2.5"] [msg "Cross-site Scripting (XSS)
Attack"] [data "<script"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag
"WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag
"OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "localhost"] [uri
"/<script>alert(0)</script>"] [unique_id "UmtGr8CoAMoAABdDeHoAAAAE"] [Sat Oct
26 13:35:59.085223 2013] [:error] [pid 5955] [client 127.0.0.1] ModSecurity:
Warning. Pattern match "\\\\balert\\\\b\\\\W*?\\\\(" at REQUEST_URI. [file
"/usr/local/etc/apache24/Includes/modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"]
[line "393"] [id "958120"] [rev "2.2.5"] [msg "Cross-site Scripting (XSS)
Attack"] [data "alert("] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag
"WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag
"OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "localhost"] [uri
"/<script>alert(0)</script>"] [unique_id "UmtGr8CoAMoAABdDeHoAAAAE"] [Sat Oct
26 13:35:59.086008 2013] [:error] [pid 5955] [client 127.0.0.1] ModSecurity:
Warning. Pattern match "\\\\< ?script\\\\b" at REQUEST_URI. [file
"/usr/local/etc/apache24/Includes/modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"]
[line "457"] [id "958119"] [rev "2.2.5"] [msg "Cross-site Scripting (XSS)
Attack"] [data "<script"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag
"WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag
"OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "localhost"] [uri
"/<script>alert(0)</script>"] [unique_id "UmtGr8CoAMoAABdDeHoAAAAE"] [Sat Oct
26 13:35:59.086399 2013] [:error] [pid 5955] [client 127.0.0.1] ModSecurity:
Warning. Pattern match
"<(a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|
blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|
comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|h..."
at REQUEST_FILENAME. [file
"/usr/local/etc/apache24/Includes/modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"]
[line "556"] [id "973300"] [rev "2.2.5"] [msg "Possible XSS Attack Detected -
HTML Tag Handler"] [data "<script>"] [hostname "localhost"] [uri
"/<script>alert(0)</script>"] [unique_id "UmtGr8CoAMoAABdDeHoAAAAE"] [Sat Oct
26 13:35:59.086563 2013] [:error] [pid 5955] [client 127.0.0.1] ModSecurity:
Warning. Pattern match "(fromcharcode|alert|eval)\\\\s*\\\\(" at
REQUEST_FILENAME. [file
"/usr/local/etc/apache24/Includes/modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"]
[line "646"] [id "973307"] [rev "2.2.5"] [msg "XSS Attack Detected"] [data
"alert("] [hostname "localhost"] [uri "/<script>alert(0)</script>"] [unique_id
"UmtGr8CoAMoAABdDeHoAAAAE"] [Sat Oct 26 13:35:59.086782 2013] [:error] [pid
5955] [client 127.0.0.1] ModSecurity: Warning. Pattern match "(?i:<script.*?>)"
at REQUEST_FILENAME. [file
"/usr/local/etc/apache24/Includes/modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"]
[line "757"] [id "973331"] [rev "2.2.5"] [msg "IE XSS Filters - Attack
Detected"] [data "<script>"] [hostname "localhost"] [uri
"/<script>alert(0)</script>"] [unique_id "UmtGr8CoAMoAABdDeHoAAAAE"] [Sat Oct
26 13:35:59.087833 2013] [:error] [pid 5955] [client 127.0.0.1] ModSecurity:
Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file
"/usr/local/etc/apache24/Includes/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.conf"]
[line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound
Score: 40, SQLi=5, XSS=35): IE XSS Filters - Attack Detected"] [hostname
"localhost"] [uri "/<script>alert(0)</script>"] [unique_id
"UmtGr8CoAMoAABdDeHoAAAAE"]

The request was recognized as an XSS attack.

Inbound Anomaly Score Exceeded (Total Inbound Score: 40, SQLi=5, XSS=35): IE XSS Filters - Attack Detected

SQL Injection

This test sends the kind of request commonly seen when someone probes for SQL injection.

curl "http://localhost/?id=' or 1=1"

These are the warnings written to the Apache error log.

[Sat Oct 26 13:46:34.340644 2013] [:error] [pid 5954] [client 127.0.0.1]
ModSecurity: Warning. Match of "rx
^(?:(?:[a-z]{3,10}\\\\s+(?:\\\\w{3,7}?://[\\\\w\\\\-\\\\./]*(?::\\\\d+)?)?/[^?#]*(?:\\\\?[^#\\\\s]*)?(?:#[\\\\S]*)?|connect
(?:\\\\d{1,3}\\\\.){3}\\\\d{1,3}\\\\.?(?::\\\\d+)?|options
\\\\*)\\\\s+[\\\\w\\\\./]+|get /[^?#]*(?:\\\\?[^#\\\\s]*)?(?:#[\\\\S]*)?)$"
against "REQUEST_LINE" required. [file
"/usr/local/etc/apache24/Includes/modsecurity-crs/base_rules/modsecurity_crs_20_protocol_violations.conf"]
[line "37"] [id "960911"] [rev "2.2.5"] [msg "Invalid HTTP Request Line"] [data
"GET /?id=' or 1=1 HTTP/1.1"] [severity "WARNING"] [tag
"https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-960911"] [tag
"http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1"] [tag
"RULE_MATURITY/8"] [tag "RULE_ACCURACY/8"] [hostname "localhost"] [uri "/"]
[unique_id "UmtJKsCoAMoAABdCwPkAAAAD"] [Sat Oct 26 13:46:34.341882 2013]
[:error] [pid 5954] [client 127.0.0.1] ModSecurity: Warning. Match of "within
%{tx.allowed_http_versions}" against "REQUEST_PROTOCOL" required. [file
"/usr/local/etc/apache24/Includes/modsecurity-crs/base_rules/modsecurity_crs_30_http_policy.conf"]
[line "78"] [id "960034"] [msg "HTTP protocol version is not allowed by
policy"] [data "or 1=1 HTTP/1.1"] [severity "CRITICAL"] [tag
"POLICY/PROTOCOL_NOT_ALLOWED"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A6"]
[tag "PCI/6.5.10"] [hostname "localhost"] [uri "/"] [unique_id
"UmtJKsCoAMoAABdCwPkAAAAD"] [Sat Oct 26 13:46:34.342780 2013] [:error] [pid
5954] [client 127.0.0.1] ModSecurity: Warning. Pattern match
"(^[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98;]+|[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98;]+$)"
at ARGS:id. [file
"/usr/local/etc/apache24/Includes/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
[line "64"] [id "981318"] [rev "2.2.5"] [msg "SQL Injection Attack: Common
Injection Testing Detected"] [data "'"] [severity "CRITICAL"] [tag
"WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"]
[tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "localhost"] [uri
"/"] [unique_id "UmtJKsCoAMoAABdCwPkAAAAD"] [Sat Oct 26 13:46:34.343310 2013]
[:error] [pid 5954] [client 127.0.0.1] ModSecurity: Warning. Pattern match
"(?i:(?:[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\s*?
(x?or|div|like|between|and)\\\\s*?[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]?\\\\d)|
(?:\\\\\\\\x(?:23|27|3d))|(?:^.?[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]$)|(?:
(?:^[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\\\\\]*?(?:[\\\\
..." at ARGS:id. [file
"/usr/local/etc/apache24/Includes/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
[line "249"] [id "981242"] [msg "Detects classic SQL injection probings 1/2"]
[data "'"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"] [hostname
"localhost"] [uri "/"] [unique_id "UmtJKsCoAMoAABdCwPkAAAAD"] [Sat Oct 26
13:46:34.346968 2013] [:error] [pid 5954] [client 127.0.0.1] ModSecurity:
Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file
"/usr/local/etc/apache24/Includes/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.conf"]
[line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound
Score: 15, SQLi=6, XSS=): 981242-Detects classic SQL injection probings 1/2"]
[hostname "localhost"] [uri "/index.html"] [unique_id
"UmtJKsCoAMoAABdCwPkAAAAD"]

The request was judged to be SQL injection.

Inbound Anomaly Score Exceeded (Total Inbound Score: 15, SQLi=6, XSS=): 981242-Detects classic SQL injection probings 1/2
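
The XSS and SQL injection error-log excerpts above share one format: bracketed [name "value"] fields, one entry per rule that fired, and a final rule 981204 entry whose message carries the inbound anomaly score. The following Python is an added example, not part of this page or of ModSecurity itself: it parses that format, groups the warnings by unique_id, and reports which transactions reached the threshold of 5 (the "Operator GE matched 5" line) and would therefore have received a 403 with SecRuleEngine On. The sample log lines are constructed from the entries above with the long patterns shortened.

```python
import re
from collections import defaultdict

# One bracketed [name "value"] field; quotes inside a value are backslash-escaped.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# Summary emitted by CRS rule 981204; "XSS=" is legitimately empty when no XSS rule fired.
SCORE_RE = re.compile(r'Total Inbound Score: (\d+), SQLi=(\d*), XSS=(\d*)')

def parse_entry(line):
    """Return the bracketed fields of one ModSecurity error-log line as a dict."""
    return {name: value.replace('\\"', '"') for name, value in FIELD_RE.findall(line)}

def summarize(log_text):
    """Group warnings by unique_id: the rules that fired plus the final anomaly score."""
    txs = defaultdict(lambda: {"uri": None, "rules": [], "score": None})
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue
        fields = parse_entry(line)
        tx = txs[fields.get("unique_id", "?")]
        tx["uri"] = tx["uri"] or fields.get("uri")  # keep the uri of the first entry
        tx["rules"].append((fields.get("id"), fields.get("msg", ""), fields.get("severity", "")))
        m = SCORE_RE.search(fields.get("msg", ""))
        if m:
            tx["score"] = {"total": int(m.group(1)), "sqli": int(m.group(2) or 0), "xss": int(m.group(3) or 0)}
    return dict(txs)

def would_be_blocked(txs, threshold=5):
    """unique_ids whose total reached the CRS inbound threshold; these get 403 when SecRuleEngine is On."""
    return sorted(uid for uid, tx in txs.items() if tx["score"] and tx["score"]["total"] >= threshold)

# Constructed sample: four entries in the page's format, ids and scores taken from the logs above.
SAMPLE_LOG = r"""
[Sat Oct 26 13:35:59.086563 2013] [:error] [pid 5955] [client 127.0.0.1] ModSecurity: Warning. Pattern match "(fromcharcode|alert|eval)\\s*\\(" at REQUEST_FILENAME. [file "/usr/local/etc/apache24/Includes/modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "646"] [id "973307"] [rev "2.2.5"] [msg "XSS Attack Detected"] [data "alert("] [hostname "localhost"] [uri "/<script>alert(0)</script>"] [unique_id "UmtGr8CoAMoAABdDeHoAAAAE"]
[Sat Oct 26 13:35:59.087833 2013] [:error] [pid 5955] [client 127.0.0.1] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/local/etc/apache24/Includes/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 40, SQLi=5, XSS=35): IE XSS Filters - Attack Detected"] [hostname "localhost"] [uri "/<script>alert(0)</script>"] [unique_id "UmtGr8CoAMoAABdDeHoAAAAE"]
[Sat Oct 26 13:46:34.342780 2013] [:error] [pid 5954] [client 127.0.0.1] ModSecurity: Warning. Pattern match "(^[\"'`;]+|[\"'`;]+$)" at ARGS:id. [file "/usr/local/etc/apache24/Includes/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "64"] [id "981318"] [rev "2.2.5"] [msg "SQL Injection Attack: Common Injection Testing Detected"] [data "'"] [severity "CRITICAL"] [hostname "localhost"] [uri "/"] [unique_id "UmtJKsCoAMoAABdCwPkAAAAD"]
[Sat Oct 26 13:46:34.346968 2013] [:error] [pid 5954] [client 127.0.0.1] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/local/etc/apache24/Includes/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 15, SQLi=6, XSS=): 981242-Detects classic SQL injection probings 1/2"] [hostname "localhost"] [uri "/index.html"] [unique_id "UmtJKsCoAMoAABdCwPkAAAAD"]
"""

if __name__ == "__main__":
    for uid, tx in summarize(SAMPLE_LOG).items():
        print(uid, tx["uri"], [r[0] for r in tx["rules"]], tx["score"])
    print("would be blocked:", would_be_blocked(summarize(SAMPLE_LOG)))
```

Point it at a real error_log (for example `summarize(open("/var/log/httpd-error.log").read())`) to get the same per-transaction view from a DetectionOnly deployment before switching the engine on.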

Errors

ModSecurity requires mod_unique_id to be installed

ModSecurity requires mod_unique_id.so.

ModSecurity: ModSecurity requires mod_unique_id to be installed

Load mod_unique_id.so with LoadModule in the Apache configuration file.

LoadModule unique_id_module libexec/apache24/mod_unique_id.so

Log file

Specify the audit log file with SecAuditLog.

SecAuditLog /var/log/modsec_audit.log

On FreeBSD, /var/log/modsec_audit.log is the default.
