ModSecurity
ModSecurity は、オープンソースのWebアプリケーションファイアウォール (WAF) です。Apache HTTP Server のモジュールとして動作します。
読み方
- ModSecurity
- もど せきゅりてぃ
目次
概要
ModSecurity は、オープンソースのWebアプリケーションファイアウォール (WAF) です。Apache HTTP Server のモジュールとして動作します。
リクエストヘッダやパラメータ、表示するコンテンツなどから攻撃や脆弱性を検知します。セキュリティフィルタが提供され、Luaで独自のフィルタを作成できます。
TrustWave社がGPLv2 とコマーシャルライセンスのデュアルライセンスで提供しています。
OWASP は、GPLv2で ModSecurity のルール(シグネチャ)を提供しています。
インストール
FreeBSDにインストールする場合
ports コレクションからインストールする場合
cd /usr/ports/www/mod_security sudo make install clean
pkgコマンドでインストールする場合
sudo pkg install mod_security
portmasterコマンドでインストールする場合
sudo portmaster -y -d /usr/ports/www/mod_security
portinstallコマンドでインストールする場合
sudo portinstall /usr/ports/www/mod_security
CentOSにインストールする場合
sudo yum -y install mod_security
Ubuntu/Debianにインストールする場合
apt-get コマンドでインストールする場合です。
sudo apt-get install libapache2-mod-security
インストールされたファイル
FreeBSD の場合。
% pkg_info -L ap22-mod_security-2.6.6_1 Information for ap22-mod_security-2.6.6_1: Files: /usr/local/etc/modsecurity.conf-example /usr/local/libexec/apache22/mod_security2.so /usr/local/bin/rules-updater.pl /usr/local/lib/mod_security2.so /usr/local/share/licenses/ap22-mod_security-2.6.6_1/catalog.mk /usr/local/share/licenses/ap22-mod_security-2.6.6_1/LICENSE /usr/local/share/licenses/ap22-mod_security-2.6.6_1/AL2 /usr/local/share/doc/mod_security2/doc/Reference_Manual.html /usr/local/share/doc/mod_security2/doc/Reference_Manual_files/index.css /usr/local/share/doc/mod_security2/doc/Reference_Manual_files/commonPrint.css /usr/local/share/doc/mod_security2/doc/Reference_Manual_files/index.php /usr/local/share/doc/mod_security2/doc/Reference_Manual_files/poweredby_mediawiki_88x31.png /usr/local/share/doc/mod_security2/doc/Reference_Manual_files/600px-Apache_request_cycle-modsecurity.jpg /usr/local/share/doc/mod_security2/doc/Reference_Manual_files/ajax.js /usr/local/share/doc/mod_security2/doc/Reference_Manual_files/wikibits.js /usr/local/share/doc/mod_security2/doc/Reference_Manual_files/index_004.css /usr/local/share/doc/mod_security2/doc/Reference_Manual_files/index_002.css /usr/local/share/doc/mod_security2/doc/Reference_Manual_files/index_003.css
設定
sudo cp /usr/local/etc/modsecurity.conf-example /usr/local/etc/apache24/Includes/modsecurity.conf
ルールのダウンロード
ルールの配置
sudo mkdir /usr/local/etc/apache24/Includes/modsecurity-crs sudo cp ./modsecurity_crs_10_setup.conf.example /usr/local/etc/apache24/Includes/modsecurity/modsecurity_crs_10_setup.conf sudo cp -r base_rules /usr/local/etc/apache24/Includes/modsecurity-crs/
設定
LoadModule security2_module libexec/apache24/mod_security2.so LoadModule unique_id_module libexec/apache24/mod_unique_id.so <IfModule security2_module> Include /usr/local/etc/apache24/Includes/modsecurity-crs/*.conf Include /usr/local/etc/apache24/Includes/modsecurity-crs/base_rules/*.conf </IfModule>
使い方
ModSecurity は、攻撃の検出モード(ディテクションモード) と 実際に攻撃をブロックするモードがあります。
検出モードの設定は、以下の通りです。
SecRuleEngine DetectionOnly
実際に攻撃と判定したアクセスをブロックする場合は、以下の設定をします。 Apache は、HTTPステータスコード 403 を返します。
SecRuleEngine on
検証
ディテクションモードとブロックモード
ディテクションモード (SecRuleEngine Detectiononly) の場合は、ブロックせずに動作します。
% curl -I "http://localhost/?union+select" HTTP/1.1 200 OK Date: Sat, 26 Oct 2013 05:00:29 GMT Server: Apache/2.4.6 (FreeBSD) PHP/5.4.19 Last-Modified: Mon, 11 Jun 2007 18:53:14 GMT ETag: "2d-432a5e4a73a80" Accept-Ranges: bytes Content-Length: 45 Content-Type: text/html
ブロックモードでは、HTTPステータスコード 403 が返されます。
% curl -I "http://localhost/?union+select" HTTP/1.1 403 Forbidden Date: Sat, 26 Oct 2013 05:01:26 GMT Server: Apache/2.4.6 (FreeBSD) PHP/5.4.19 Content-Type: text/html; charset=iso-8859-1
XSS
XSS のリクエストを送信するテストです。
curl 'http://localhost/<script>alert(0)</script>'
Apache のエラーログに出力された警告です。
[Sat Oct 26 13:35:59.082899 2013] [:error] [pid 5955] [client 127.0.0.1] ModSecurity: Warning. Pattern match "(?i:([\\\\s'\\"`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\(\\\\)]*)? ([\\\\d\\\\w]+)([\\\\s'\\"`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\(\\\\)]*)? (?:=|<=>|r?like|sounds\\\\s+like|regexp) ([\\\\s'\\"`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\(\\\\)]*)?\\\\2| ([\\\\s'\\"`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\ ..." at REQUEST_FILENAME. [file "/usr/local/etc/apache24/Includes/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [rev "2.2.5"] [msg "SQL Injection Attack"] [data "script>alert"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "localhost"] [uri "/<script>alert(0)</script>"] [unique_id "UmtGr8CoAMoAABdDeHoAAAAE"] [Sat Oct 26 13:35:59.083765 2013] [:error] [pid 5955] [client 127.0.0.1] ModSecurity: Warning. Pattern match "\\\\balert\\\\b\\\\W*?\\\\(" at REQUEST_FILENAME. [file "/usr/local/etc/apache24/Includes/modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "148"] [id "958052"] [rev "2.2.5"] [msg "Cross-site Scripting (XSS) Attack"] [data "alert("] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "localhost"] [uri "/<script>alert(0)</script>"] [unique_id "UmtGr8CoAMoAABdDeHoAAAAE"] [Sat Oct 26 13:35:59.084020 2013] [:error] [pid 5955] [client 127.0.0.1] ModSecurity: Warning. Pattern match "\\\\< ?script\\\\b" at REQUEST_FILENAME. [file "/usr/local/etc/apache24/Includes/modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "196"] [id "958051"] [rev "2.2.5"] [msg "Cross-site Scripting (XSS) Attack"] [data "<script"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "localhost"] [uri "/<script>alert(0)</script>"] [unique_id "UmtGr8CoAMoAABdDeHoAAAAE"] [Sat Oct 26 13:35:59.085223 2013] [:error] [pid 5955] [client 127.0.0.1] ModSecurity: Warning. Pattern match "\\\\balert\\\\b\\\\W*?\\\\(" at REQUEST_URI. [file "/usr/local/etc/apache24/Includes/modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "393"] [id "958120"] [rev "2.2.5"] [msg "Cross-site Scripting (XSS) Attack"] [data "alert("] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "localhost"] [uri "/<script>alert(0)</script>"] [unique_id "UmtGr8CoAMoAABdDeHoAAAAE"] [Sat Oct 26 13:35:59.086008 2013] [:error] [pid 5955] [client 127.0.0.1] ModSecurity: Warning. Pattern match "\\\\< ?script\\\\b" at REQUEST_URI. [file "/usr/local/etc/apache24/Includes/modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "457"] [id "958119"] [rev "2.2.5"] [msg "Cross-site Scripting (XSS) Attack"] [data "<script"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "localhost"] [uri "/<script>alert(0)</script>"] [unique_id "UmtGr8CoAMoAABdDeHoAAAAE"] [Sat Oct 26 13:35:59.086399 2013] [:error] [pid 5955] [client 127.0.0.1] ModSecurity: Warning. Pattern match "<(a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big| blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup| comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|h..." at REQUEST_FILENAME. [file "/usr/local/etc/apache24/Includes/modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "556"] [id "973300"] [rev "2.2.5"] [msg "Possible XSS Attack Detected - HTML Tag Handler"] [data "<script>"] [hostname "localhost"] [uri "/<script>alert(0)</script>"] [unique_id "UmtGr8CoAMoAABdDeHoAAAAE"] [Sat Oct 26 13:35:59.086563 2013] [:error] [pid 5955] [client 127.0.0.1] ModSecurity: Warning. Pattern match "(fromcharcode|alert|eval)\\\\s*\\\\(" at REQUEST_FILENAME. [file "/usr/local/etc/apache24/Includes/modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "646"] [id "973307"] [rev "2.2.5"] [msg "XSS Attack Detected"] [data "alert("] [hostname "localhost"] [uri "/<script>alert(0)</script>"] [unique_id "UmtGr8CoAMoAABdDeHoAAAAE"] [Sat Oct 26 13:35:59.086782 2013] [:error] [pid 5955] [client 127.0.0.1] ModSecurity: Warning. Pattern match "(?i:<script.*?>)" at REQUEST_FILENAME. [file "/usr/local/etc/apache24/Includes/modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "757"] [id "973331"] [rev "2.2.5"] [msg "IE XSS Filters - Attack Detected"] [data "<script>"] [hostname "localhost"] [uri "/<script>alert(0)</script>"] [unique_id "UmtGr8CoAMoAABdDeHoAAAAE"] [Sat Oct 26 13:35:59.087833 2013] [:error] [pid 5955] [client 127.0.0.1] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/local/etc/apache24/Includes/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 40, SQLi=5, XSS=35): IE XSS Filters - Attack Detected"] [hostname "localhost"] [uri "/<script>alert(0)</script>"] [unique_id "UmtGr8CoAMoAABdDeHoAAAAE"]
XSS の攻撃であると認識されました。
Inbound Anomaly Score Exceeded (Total Inbound Score: 40, SQLi=5, XSS=35): IE XSS Filters - Attack Detected
SQL Injection
SQL Injection を試すときによくありそうなリクエストを送信するテストです。
curl "http://localhost/?id=' or 1=1"
Apache のエラーログに出力された警告です。
[Sat Oct 26 13:46:34.340644 2013] [:error] [pid 5954] [client 127.0.0.1] ModSecurity: Warning. Match of "rx ^(?:(?:[a-z]{3,10}\\\\s+(?:\\\\w{3,7}?://[\\\\w\\\\-\\\\./]*(?::\\\\d+)?)?/[^?#]*(?:\\\\?[^#\\\\s]*)?(?:#[\\\\S]*)?|connect (?:\\\\d{1,3}\\\\.){3}\\\\d{1,3}\\\\.?(?::\\\\d+)?|options \\\\*)\\\\s+[\\\\w\\\\./]+|get /[^?#]*(?:\\\\?[^#\\\\s]*)?(?:#[\\\\S]*)?)$" against "REQUEST_LINE" required. [file "/usr/local/etc/apache24/Includes/modsecurity-crs/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "37"] [id "960911"] [rev "2.2.5"] [msg "Invalid HTTP Request Line"] [data "GET /?id=' or 1=1 HTTP/1.1"] [severity "WARNING"] [tag "https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-960911"] [tag "http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1"] [tag "RULE_MATURITY/8"] [tag "RULE_ACCURACY/8"] [hostname "localhost"] [uri "/"] [unique_id "UmtJKsCoAMoAABdCwPkAAAAD"] [Sat Oct 26 13:46:34.341882 2013] [:error] [pid 5954] [client 127.0.0.1] ModSecurity: Warning. Match of "within %{tx.allowed_http_versions}" against "REQUEST_PROTOCOL" required. [file %"/usr/local/etc/apache24/Includes/modsecurity-crs/base_rules/modsecurity_crs_30_http_policy.conf"] %[line "78"] [id "960034"] [msg "HTTP protocol version is not allowed by %policy"] [data "or 1=1 HTTP/1.1"] [severity "CRITICAL"] [tag %"POLICY/PROTOCOL_NOT_ALLOWED"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A6"] %[tag "PCI/6.5.10"] [hostname "localhost"] [uri "/"] [unique_id %"UmtJKsCoAMoAABdCwPkAAAAD"] [Sat Oct 26 13:46:34.342780 2013] [:error] [pid %5954] [client 127.0.0.1] ModSecurity: Warning. Pattern match %"(^[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98;]+|[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98;]+$)" %at ARGS:id. [file %"/usr/local/etc/apache24/Includes/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] %[line "64"] [id "981318"] [rev "2.2.5"] [msg "SQL Injection Attack: Common %Injection Testing Detected"] [data "'"] [severity "CRITICAL"] [tag %"WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] %[tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "localhost"] [uri %"/"] [unique_id "UmtJKsCoAMoAABdCwPkAAAAD"] [Sat Oct 26 13:46:34.343310 2013] %[:error] [pid 5954] [client 127.0.0.1] ModSecurity: Warning. Pattern match %"(?i:(?:[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\s*? (x?or|div|like|between|and)\\\\s*?[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]?\\\\d)| (?:\\\\\\\\x(?:23|27|3d))|(?:^.?[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]$)|(?: (?:^[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\\\\\]*?(?:[\\\\ %..." at ARGS:id. [file %"/usr/local/etc/apache24/Includes/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] %[line "249"] [id "981242"] [msg "Detects classic SQL injection probings 1/2"] %[data "'"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"] [hostname %"localhost"] [uri "/"] [unique_id "UmtJKsCoAMoAABdCwPkAAAAD"] [Sat Oct 26 %13:46:34.346968 2013] [:error] [pid 5954] [client 127.0.0.1] ModSecurity: %Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file %"/usr/local/etc/apache24/Includes/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.conf"] %[line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound %Score: 15, SQLi=6, XSS=): 981242-Detects classic SQL injection probings 1/2"] %[hostname "localhost"] [uri "/index.html"] [unique_id %"UmtJKsCoAMoAABdCwPkAAAAD"]
SQL Injection と判定されています。
Inbound Anomaly Score Exceeded (Total Inbound Score: 15, SQLi=6, XSS=): 981242-Detects classic SQL injection probings 1/2
エラー
ModSecurity requires mod_unique_id to be installed
ModSecurity は、 mod_unique_id.so が必要です。
ModSecurity: ModSecurity requires mod_unique_id to be installed
Apache の設定ファイルで mod_unique_id.so を LoadModule します。
LoadModule unique_id_module libexec/apache24/mod_unique_id.so
ログファイル
SecAuditLog でログファイルを指定します。
SecAuditLog /var/log/modsec_audit.log
FreeBSD では、/var/log/modsec_audit.log がデフォルトです。
関連項目
- OWASP ModSecurity Core Rule Set
- rules-updater.pl
- Webアプリケーションファイアウォール
- http://www.modsecurity.org/
- https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
- iLogScanner
ツイート